
Keylogger? :|

Discussion in 'Virus & Other Malware Removal' started by Devlix, Apr 16, 2010.

Thread Status:
Not open for further replies.
  1. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    So I play WoW, and one day the window was just randomly closed. I opened it up and tried to log in, and it says wrong info. I was still able to log on to battle.net and change my pass, so I think it might be a keylogger that is preventing my login. I just don't know how to get rid of it!

    This has several logs created by: RootRepeal, ComboFix, HijackThis, Malwarebytes, and OTS.
     

    Attached Files:

  2. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    Updated HijackThis log




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:14:08 PM, on 4/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\PING.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Andrew\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: BigSeekPro Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\BigSeekPro Toolbar\tbcore3.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BCU] "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: CurseClientStartup.ccip
    O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{237A50C4-76E8-4E11-82D5-06E544EB5631}: NameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{440C1FA6-F7B4-490F-8DC4-E36CD3FA1928}: NameServer = 192.168.1.1
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\HmelyoffLabs\VHToolkit\Skype4COM.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apache2.2 - Unknown owner - C:\Legendary Repack\Server\apache\bin\apache.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9e0c9b4832243) (gupdate1c9e0c9b4832243) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: mysql - Unknown owner - C:\Documents.exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - c:\Program Files\Zune\ZuneNss.exe (file missing)
    O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Andrew\My Documents\My Pictures\photoshop\1680-1050-74054.jpg
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Andrew\My Documents\My Pictures\photoshop\75003.jpg
    O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Andrew\My Documents\My Pictures\multi devlix.jpg
    O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Andrew\My Documents\My Pictures\photoshop\1680-1050-16669.jpg
    O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Andrew\My Documents\My Pictures\1680-1050-53089.jpg
    O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Andrew\My Documents\My Pictures\photoshop\1024-768-65261.jpg

    --
    End of file - 12641 bytes
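    As an added example that is not part of the thread (and not HijackThis's own code), the following Python script performs the first-pass triage a malware helper does by eye on a log like the one above: it flags orphaned entries marked (file missing), services with an unknown owner, Winsock LSP and Winlogon Notify hooks, autoruns launched from temp or profile folders, and start or search pages that point away from the Microsoft default. The sample lines are copied from the log above; the section tags and reasons are the script's own assumptions about what deserves a second look.

```python
"""First-pass triage of HijackThis (v2.x) log lines.

Added illustration; it is not HijackThis's own code and only flags entries
for a human to review, it does not decide what is malicious.
"""
import re
from dataclasses import dataclass

# Every HijackThis entry starts with a section tag such as R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")

# Autoruns (O4) that point into temp or per-user profile folders deserve a look:
# legitimate software rarely needs to run from there.
PROFILE_DIRS_RE = re.compile(r"\\temp\\|\\local settings\\|\\application data\\")

# Lines copied from the log posted in the thread above (constructed excerpt).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: BigSeekPro Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\BigSeekPro Toolbar\tbcore3.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: mysql - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason); a line can carry several reasons."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()

        def flag(reason: str) -> None:
            findings.append(Finding(sec, reason, line))

        if "(file missing)" in low:
            # Orphaned reference: the registered file is gone (uninstall leftover
            # or a removed component); the registration itself should be cleaned.
            flag("references a file that no longer exists")
        if sec == "O23" and "unknown owner" in low:
            # No company/version info on the service binary. A path such as
            # C:\Documents.exe usually means an unquoted service path with spaces.
            flag("service binary has no vendor information")
        if sec == "O10":
            flag("Winsock LSP sees all socket traffic; verify the DLL's origin")
        if sec == "O20":
            flag("Winlogon Notify DLL loads into winlogon at every logon")
        if sec == "O4" and PROFILE_DIRS_RE.search(low):
            flag("autorun launched from a temp or profile directory")
        if sec in ("R0", "R1") and "http" in low and "go.microsoft.com" not in low:
            flag("browser start/search page changed from the default")
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section, e.g. {'O23': 2, 'O10': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```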
     
  3. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    You need to fully update Windows to be sure you're not vulnerable to this kind of infection.

    STEP 1

    Run OTS

    • Under the Paste Fix Here box on the right, paste in the contents of following code box

    Code:
    [Unregister Dlls]
    [Modules - Safe List]
    YY -> 955311328.dll -> C:\WINDOWS\Temp\955311328.dll
    [Win32 Services - Safe List]
    YY -> (wmcmgc) Windows Management Configuration [Auto | Running] -> C:\Program Files\Common Files\\System\icm64.dll
    [Registry - Safe List]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YY -> C:\WINDOWS\TEMP\955311328.dll -> C:\WINDOWS\Temp\955311328.dll
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    YN -> \{1ac837e4-efd6-11de-be41-806d6172696f} -> 
    [Registry - Additional Scans - Safe List]
    < Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
    YY -> C:^Documents and Settings^All Users^Start Menu^Programs^Startup^test.bat -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.bat
    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> 
    *netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs
    YY -> wmcmgc -> C:\Program Files\Common Files\\System\icm64.dll
    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> 
    [Files/Folders - Created Within 30 Days]
    NY ->  kabaker.dll -> C:\WINDOWS\System32\kabaker.dll
    NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Files/Folders - Modified Within 30 Days]
    NY ->  1 C:\Documents and Settings\Andrew\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Andrew\Local Settings\temp\*.tmp
    [Empty Temp Folders]
    [EmptyFlash]
    [ClearAllRestorePoints]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

    Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
    If it seems to get stuck, give it some time. It's probably still working.


    STEP 2

    Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.



    STEP 3


    Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.



    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
    3. Click Run at the Security prompt.


    The program will then begin downloading and installing and will also update the database.


    Please be patient as this can take quite a long time to download.
    • Once the update is complete, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

      • Spyware, adware, dialers, and other riskware
      • Archives
      • E-mail databases
    • Click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View report... at the bottom.
    • Click the Save report... button.

    • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
     
  4. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    This was the Paste Fix Here result:

    All Processes Killed
    [Modules - Safe List]
    [Win32 Services - Safe List]
    Service wmcmgc stopped successfully!
    Service wmcmgc deleted successfully!
    DllUnregisterServer procedure not found in C:\Program Files\Common Files\\System\icm64.dll
    File move failed. C:\Program Files\Common Files\\System\icm64.dll scheduled to be moved on reboot.
    [Registry - Safe List]
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows not found.
    File C:\WINDOWS\Temp\955311328.dll not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ac837e4-efd6-11de-be41-806d6172696f}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ac837e4-efd6-11de-be41-806d6172696f}\ not found.
    [Registry - Additional Scans - Safe List]
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^test.bat\ deleted successfully.
    File C:\WINDOWS\pss\est.bat not found.
    File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.bat not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs:wmcmgc deleted successfully.
    DllUnregisterServer procedure not found in C:\Program Files\Common Files\\System\icm64.dll
    File move failed. C:\Program Files\Common Files\\System\icm64.dll scheduled to be moved on reboot.
    [Files/Folders - Created Within 30 Days]
    DllUnregisterServer procedure not found in C:\WINDOWS\System32\kabaker.dll
    C:\WINDOWS\System32\kabaker.dll moved successfully.
    C:\WINDOWS\D56B0E274A3E46C9B5C1D93D580C099C.TMP\WiseCustomCalla.dll deleted successfully.
    C:\WINDOWS\D56B0E274A3E46C9B5C1D93D580C099C.TMP folder deleted successfully.
    C:\WINDOWS\msdownld.tmp folder deleted successfully.
    C:\WINDOWS\SET3.tmp deleted successfully.
    C:\WINDOWS\SET4.tmp deleted successfully.
    C:\WINDOWS\SET8.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    [Files/Folders - Modified Within 30 Days]
    C:\Documents and Settings\Andrew\Local Settings\temp\~DF7047.tmp deleted successfully.
    C:\Documents and Settings\Andrew\Local Settings\temp\~DFBB7D.tmp deleted successfully.
    [Empty Temp Folders]


    User: All Users

    User: Andrew
    ->Temp folder emptied: 3214560 bytes
    ->Temporary Internet Files folder emptied: 590377 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 56768090 bytes
    ->Google Chrome cache emptied: 350689960 bytes
    ->Flash cache emptied: 56863 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 110 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 2338773 bytes

    Total Files Cleaned = 395.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Andrew
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    Restorepoints cleared and new OTS Restore Point set!
    < End of fix log >
    OTS by OldTimer - Version 3.1.28.1 fix logfile created on 04172010_083712

    Files\Folders moved on Reboot...
    File move failed. C:\Program Files\Common Files\\System\icm64.dll scheduled to be moved on reboot.
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1f8.dat not found!

    Registry entries deleted on Reboot...
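    Added example, not part of the thread and not OTS's own code: the fix log above reports icm64.dll as "scheduled to be moved on reboot", and the "moved on Reboot" section repeats the same failure, so that DLL was still on disk after the fix. This Python script reads an OTS fix log and reports, per target, whether it was removed, was never found, or is still unresolved after the reboot pass. The sample lines are copied from the log above; the line patterns are assumptions based on that log's wording.

```python
"""Check an OTS (OldTimer's) fix log for targets that survived the fix.

Added illustration, not OTS's own code. It classifies each action line and
reports targets whose move was deferred to reboot and then failed again.
"""
import re

# Lines copied from the fix log posted above (constructed excerpt).
SAMPLE_OTS_LOG = r"""
All Processes Killed
Service wmcmgc stopped successfully!
Service wmcmgc deleted successfully!
DllUnregisterServer procedure not found in C:\Program Files\Common Files\\System\icm64.dll
File move failed. C:\Program Files\Common Files\\System\icm64.dll scheduled to be moved on reboot.
File C:\WINDOWS\Temp\955311328.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs:wmcmgc deleted successfully.
C:\WINDOWS\System32\kabaker.dll moved successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
< End of fix log >
Files\Folders moved on Reboot...
File move failed. C:\Program Files\Common Files\\System\icm64.dll scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1f8.dat not found!
"""

# (status, pattern) pairs; the first pattern that matches a line wins.
PATTERNS = [
    ("removed", re.compile(r"^(?:Service|Registry key|Registry value) (.+?) deleted successfully[.!]$")),
    ("removed", re.compile(r"^(.+?) (?:moved|deleted) successfully[.!]$")),
    ("deferred", re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$")),
    ("not_found", re.compile(r"^(?:File\\Folder|File|Registry key) (.+?) not found[.!]$")),
]

# OTS writes this heading before it retries the moves it deferred to reboot.
REBOOT_MARKER = "Files\\Folders moved on Reboot"


def verify_fix(log_text: str) -> dict[str, str]:
    """Map each target (lower-cased path or name) to its final status.

    Statuses: 'removed', 'not_found', 'deferred' (to reboot) and 'unresolved'
    (still could not be moved during the post-reboot pass).
    """
    in_reboot_pass = False
    status: dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(REBOOT_MARKER):
            in_reboot_pass = True
            continue
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            key = m.group(1).lower()
            if kind == "deferred":
                # A second failure after reboot means the file is still there.
                status[key] = "unresolved" if in_reboot_pass else "deferred"
            elif kind == "removed":
                status[key] = "removed"
            else:
                status.setdefault(key, "not_found")
            break
    return status


def unresolved_targets(status: dict[str, str]) -> list[str]:
    """Targets that were never confirmed removed and need manual follow-up."""
    return sorted(k for k, v in status.items() if v in ("deferred", "unresolved"))


if __name__ == "__main__":
    result = verify_fix(SAMPLE_OTS_LOG)
    for target, state in sorted(result.items()):
        print(f"{state:10} {target}")
    print("Needs follow-up:", unresolved_targets(result))
```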
     
  5. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    This is the quick scan with OTS.

    And when should I go ahead and update Windows? Thanks :D
     

    Attached Files:

  6. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    Uhm, now my audio isn't working, and when I try to go into Volume Controls it says I have no active mixer devices available :|
     
  7. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    I don't see why that would happen after the OTS fix. I removed nothing I shouldn't have and everything I did was obviously bad. It's possible ComboFix removed something it shouldn't have and it's for this reason that we ask users to never run it unless someone who is trained in its use asks them to.

    Please attach C:\QooBox\ComboFix-quarantined-files.txt for me.

    Reinstalling your audio drivers will probably fix the problem. What is the exact make and model of your system?


    Let me know when you have the results from the online scan. Please don't update Windows until I give you my cleanup instructions when we're done.
     
  8. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    Kaspersky report

    And my computer was built by me, made from parts from Newegg. The motherboard is Gigabyte with Realtek drivers. I found a fix, which was going to Run and typing services.msc and finding Windows Audio; it wasn't started. I tried to start it and got error 1053. This happened after I ran the OTS fix, but I will try to restart the PC and check.
     

    Attached Files:

  9. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    There does seem to be a false positive. Please do the following to upload the file to the developer:

    Please do the following:

    1. Close any open programs before running the fix.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

    Code:
    http://forums.techguy.org/malware-removal-hijackthis-logs/917352-keylogger.html
    
    Suspect::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ss.sys.vir
    NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  10. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    I looked up error 1053 and it says that I have to obtain Microsoft .NET Framework 1.1 Service Pack 1.
     
  11. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    You will get that when you update Windows later.


    Please also attach any ComboFix#.txt files found in C:\QooBox
     
  12. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    ComboFix was sorta weird this time. It restarted to disable CD emulators, and when it started up there were 2 ComboFixes: one of them needed to update and the other one needed the user agreement and did the regular scan, but it closed the updating ComboFix.

    Also zipped up the other ComboFix.txt.
     

    Attached Files:

  13. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Alright. Before I dequarantine that file, humor me with something:


    Please do the following:

    1. Close any open programs before running the fix.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

    Code:
    DirLook::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers
    NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  14. Devlix

    Devlix Thread Starter

    Joined:
    Apr 16, 2010
    Messages:
    32
    Here's the new log.
     

    Attached Files:

  15. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Please do the following:

    1. Close any open programs before running the fix.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

    Code:
    Dequarantine::
    c:\qoobox\Quarantine\C\WINDOWS\system32\drivers\ss.sys.vir
    
    Quit::
    NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    It might save the log as C:\Dequarantine.txt
     
Short URL to this thread: https://techguy.org/917352
