WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Closed] Possible keylogged? :/

Started by jsmith , Sep 24 2009 05:58 AM

This topic is locked

12 replies to this topic

#1 jsmith

Authentic Member

Authentic Member
31 posts

Posted 24 September 2009 - 05:58 AM

Hello everyone,

First of all I would like to thank you "oldman" for previously helping me out with another pc I had problems with

Seems to be working great.
The last 2-3 weeks though it seems that I keep "loosing" my wow accounts and I was thinking that I could have a keylogger in this pc. Of course the keylogger might only work on specific times but still I have no idea what to do so I made a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:33 μμ, on 24/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.225.160.218:1111
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - http://www.worldwinn...i/mysterypi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: RealChat - Unknown owner - C:\Inetpub\RealChat\realchat.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe

--
End of file - 7314 bytes

Please let me know what I should do..
Thank you very much!

Advertisements

Register to Remove

#2 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 27 September 2009 - 10:20 PM

Hi jsmith,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Nothing showing. Let's dig a little deeper.

Download DDS and save it to your desktop from
Here
here or
here.
- Disable any script blocking protection (How to Disable your Security Programs)
- Double click DDS icon to run the tool (may take up to 3 minutes to run)
- When done, DDS.txt will open.
- After a few moments, attach.txt will open in a second window.
- Save both reports to your desktop.
We Need to check for Rootkits with RootRepeal
- Download RootRepeal from one of the following locations and save it to your desktop.
- Open on your desktop.
- Click the tab.
- Click the button.
- In the Select Scan dialog, check
- Push Ok
- Check the box for your main system drive (Usually C:), and press Ok.
- Allow RootRepeal to run a scan of your system. This may take some time.
- Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
Copy/paste the log (that you've previously saved to your desktop) from RootRepeal onto your post.
Copy/paste the DDS.txt log (that you've previously saved to your desktop) onto your post.
Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#3 jsmith

Authentic Member

Authentic Member
31 posts

Posted 28 September 2009 - 04:20 AM

Hello TomK, Thank you for your help. So here we go: RootRepeal log: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/09/28 13:15 Program Version: Version 1.3.5.0 Windows Version: Windows Vista SP1 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\Windows\System32\Drivers\dump_atapi.sys Address: 0x903D5000 Size: 32768 File Visible: No Signed: - Status: - Name: dump_dumpata.sys Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys Address: 0x903CA000 Size: 45056 File Visible: No Signed: - Status: - Name: dump_dumpfve.sys Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys Address: 0x903DD000 Size: 69632 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\Windows\system32\drivers\rootrepeal.sys Address: 0xA3F11000 Size: 49152 File Visible: No Signed: - Status: - Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - Name: spvv.sys Image Path: C:\Windows\System32\Drivers\spvv.sys Address: 0x80601000 Size: 1036288 File Visible: No Signed: - Status: - Processes ------------------- Path: System PID: 4 Status: Locked to the Windows API! Path: C:\Windows\System32\audiodg.exe PID: 1220 Status: Locked to the Windows API! SSDT ------------------- #: 072 Function Name: NtCreateProcess Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x832e8282 #: 073 Function Name: NtCreateProcessEx Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x832e8474 #: 334 Function Name: NtTerminateProcess Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x832e7f32 #: 383 Function Name: NtCreateUserProcess Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x832e867c ==EOF== DDS log: DDS (Ver_09-06-26.01) - NTFSx86 Run by NwS at 13:11:27,99 on ƒœ¬ 28/09/2009 Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15 Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1253.30.1033.18.3071.1690 [GMT 3:00] SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\system32\Ati2evxx.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\Ati2evxx.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Steam\Steam.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Hotspot Shield\bin\openvpnas.exe C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Inetpub\RealChat\realchat.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\ehome\ehmsas.exe C:\Windows\system32\NOTEPAD.EXE C:\Program Files\Safari\Safari.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\DllHost.exe C:\Program Files\Common Files\Steam\SteamService.exe C:\Windows\system32\wuauclt.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\conime.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Users\NwS\Desktop\dds.scr C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uInternet Settings,ProxyOverride = *.local uInternet Settings,ProxyServer = 67.225.160.218:1111 BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter uRun: [Steam] "c:\program files\steam\Steam.exe" -silent uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com...rowsing/update? client={moz:client}&appver={moz:version}&"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com...rowsing/lookup? sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com...owsing/report?"); ============= SERVICES / DRIVERS =============== R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-11 130936] R1 be22410c-d108-4527-a871-8a7d1a52e4bf;be22410c-d108-4527-a871-8a7d1a52e4bf;c:\windows\iprot\be22410c-d108-4527-a871-8a7d1a52e4bf\PhysMem.sys [2009-4-20 3584] R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256] R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840] R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-3-19 93312] R2 HssSrv;Hotspot Shield Helper Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-6-1 331312] R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712] R2 RealChat;RealChat;c:\inetpub\realchat\realchat.exe [2009-3-16 138752] R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-6-1 33840] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 1028432] S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-6-1 34352] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-24 348752] =============== Created Last 30 ================ 2009-09-26 01:06 <DIR> --d----- c:\windows\Hot Item Finder 2009-09-26 01:06 <DIR> --d----- c:\program files\HotItemFinder 2009-09-24 14:54 <DIR> --d----- c:\program files\Trend Micro 2009-09-23 02:19 <DIR> --d----- c:\program files\MassArticleCreator 2009-09-23 01:29 <DIR> --dsh--- c:\users\nws\appdata\roaming\.# 2009-09-23 01:29 <DIR> --d----- c:\program files\The Action Machine 2009-09-09 23:54 897,608 a------- c:\windows\system32\drivers\tcpip.sys 2009-09-09 23:54 104,960 a------- c:\windows\system32\netiohlp.dll 2009-09-09 23:54 27,136 a------- c:\windows\system32\NETSTAT.EXE 2009-09-09 23:54 19,968 a------- c:\windows\system32\ARP.EXE 2009-09-09 23:54 11,264 a------- c:\windows\system32\MRINFO.EXE 2009-09-09 23:54 10,240 a------- c:\windows\system32\finger.exe 2009-09-09 23:54 9,728 a------- c:\windows\system32\TCPSVCS.EXE 2009-09-09 23:54 8,704 a------- c:\windows\system32\HOSTNAME.EXE 2009-09-09 23:54 17,920 a------- c:\windows\system32\ROUTE.EXE 2009-09-09 23:54 17,920 a------- c:\windows\system32\netevent.dll 2009-09-09 23:51 2,868,224 a------- c:\windows\system32\mf.dll 2009-09-09 23:51 2,501,921 a------- c:\windows\system32\wlan.tmf 2009-09-09 23:51 293,376 a------- c:\windows\system32\wlanmsm.dll 2009-09-09 23:51 127,488 a------- c:\windows\system32\L2SecHC.dll 2009-09-09 23:51 302,592 a------- c:\windows\system32\wlansec.dll 2009-09-09 23:51 513,024 a------- c:\windows\system32\wlansvc.dll 2009-09-03 00:11 28,672 a------- c:\windows\system32\Apphlpdm.dll 2009-09-03 00:11 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll 2009-09-01 16:13 <DIR> --d----- C:\My Web Sites 2009-09-01 16:12 <DIR> --d----- c:\program files\WinHTTrack 2009-09-01 13:40 <DIR> --d----- c:\program files\Tensons ==================== Find3M ==================== 2009-09-28 11:37 609,938 a------- c:\windows\system32\perfh008.dat 2009-09-28 11:37 110,956 a------- c:\windows\system32\perfc008.dat 2009-08-28 15:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll 2009-08-28 15:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll 2009-08-28 15:38 541,696 a------- c:\windows\apppatch\AcLayers.dll 2009-08-28 15:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll 2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2009-07-18 19:06 827,904 a------- c:\windows\system32\wininet.dll 2009-07-18 19:01 78,336 a------- c:\windows\system32\ieencode.dll 2009-07-18 12:46 26,624 a------- c:\windows\system32\ieUnatt.exe 2009-07-17 17:35 71,680 a------- c:\windows\system32\atl.dll 2009-07-14 16:00 313,344 a------- c:\windows\system32\wmpdxm.dll 2009-07-14 15:59 4,096 a------- c:\windows\system32\dxmasf.dll 2009-07-14 15:58 7,680 a------- c:\windows\system32\spwmp.dll 2009-07-14 13:59 8,147,456 a------- c:\windows\system32\wmploc.DLL 2009-04-30 02:20 86,016 a------- c:\windows\inf\infstrng.dat 2009-04-30 02:20 51,200 a------- c:\windows\inf\infpub.dat 2009-04-30 02:20 86,016 a------- c:\windows\inf\infstor.dat 2008-10-08 16:40 0 a------- c:\users\nws\jagex_runescape_preferences.dat 2008-09-18 15:19 174 a--sh--- c:\program files\desktop.ini 2008-09-18 15:08 665,600 a------- c:\windows\inf\drvindex.dat 2008-02-02 02:43 364,862 a------- c:\windows\inf\perflib\0408\perfi.dat 2008-02-02 02:43 364,862 a------- c:\windows\inf\perflib\0408\perfh.dat 2008-02-02 02:43 43,928 a------- c:\windows\inf\perflib\0408\perfd.dat 2008-02-02 02:43 43,928 a------- c:\windows\inf\perflib\0408\perfc.dat 2006-11-02 15:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 15:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 15:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 15:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2008-06-26 18:36 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat 2008-06-26 18:36 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5 \index.dat 2008-06-26 18:36 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat ============= FINISH: 13:12:20,57 =============== Thank you!

Attached Files

Attach.txt 9.02KB 744 downloads

#4 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 28 September 2009 - 08:03 AM

jsmith,

Have you set this proxy server?

ProxyServer = 67.225.160.218:1111

JavaRa ...by: Paul McLain and Fred de Vries

Please download JavaRa (Copyright © 2008 RaProducts.org) and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
Print these instructions...you won't have Internet access during this particular phase!

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English or the appropriate language...and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Copy and paste the contents of the JavaRa log, in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#5 jsmith

Authentic Member

Authentic Member
31 posts

Posted 28 September 2009 - 09:04 AM

Hello Tomk, I haven't set up any proxy server (I think :/) I got WAMP installed but I wasn't running it by that time so it shouldn't be a problem.. I run the JavaRa.exe like you told me and removed the old versions of Java but then when it said that will make a log never did :/ Any ideas what happened? :/ Thank you!

#6 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 28 September 2009 - 09:27 AM

jsmith,

For now, we will just assume JavaRa got all the old orphaned entries.

Please open HijackThis and run Do a system scan only
Check the boxes next to ONLY the entries listed below(if present):
- R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.225.160.218:1111
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
  O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
  O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
Close all programs except for HijackThis.
Click on Fix checked
A box will pop up asking you if you wish to fix the selected items. Please choose YES.
Once it has fixed them, please exit/close HijackThis.

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#7 jsmith

Authentic Member

Authentic Member
31 posts

Posted 29 September 2009 - 02:49 AM

Hello again TomK, Remembered what was the Proxy for (I used a VPN a few months ago and the IP was saved in the IE settings) so removed that and now I can only find the line: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local but not the one with the IP one.. I wanted to ask you will that remove the welcome center? Because I like it to open on the start up

I also wanted to ask you now that we removed the Java will we install a new version later on? And last Q. I tried to run the Kaspersky but failed a few times :/ It said I had a different windows vista version and couldn't continue.. Any suggestion? Plus any specific browser I should use? Thank you and I am sorry for all these Qs :/

#8 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 29 September 2009 - 10:31 AM

jsmith,

but not the one with the IP one..

That's perfect. :thumbup:

I wanted to ask you will that remove the welcome center? Because I like it to open on the start up

You are the first person I've met who wanted that. :blush:

To keep it, we will need to restore these entries:

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

Double click HijackThis to start.

Click on View the list of backups

Put a check mark in front of those two entries and then click Restore

Then close HijackThis.

I also wanted to ask you now that we removed the Java will we install a new version later on?

We didn't remove current Java. We just removed the out of date remnants of former versions.

Let's replace Kaspersky with Eset.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here then click on:

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
Now click on:
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on:
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#9 jsmith

Authentic Member

Authentic Member
31 posts

Posted 30 September 2009 - 08:08 AM

Hello Tomk, Ok great thanks

Here is the log: C:\$Recycle.Bin\S-1-5-21-2414175864-1477810159-2859244854-1000\$R04IK0D.7\MySpce__FrndBlstrPro10.1.7\MySpace FriendBlaster Pro v10.1.7\Patch\FriendBlasterPro v10.1.5 Patch.exe probably a variant of Win32/HackTool.Patcher.A application C:\games\WoW\wowmimicii-3.0.0.55.326.exe a variant of Win32/Packed.Themida application C:\games\WoW\on\Launcher.exe a variant of Win32/Packed.Themida application C:\Program Files\Cheat Engine\dbk32.sys Win32/HackTool.CheatEngine application C:\Program Files\ESET\ESET NOD32 Antivirus\ESET fix.exe multiple threats C:\Program Files\FriendBlasterPro\FriendBlasterPro v10.1.5 Patch.exe probably a variant of Win32/HackTool.Patcher.A application C:\Program Files\SmartFTP Client\SmartFTP patch.exe a variant of Win32/HackTool.Patcher.A application C:\Users\NwS\Desktop\Desktop\Games\Simcity Societies Deluxe\rld-scsd.iso probably a variant of Win32/Adware.Agent application C:\Users\NwS\Desktop\Desktop\Games\The Sims 3 - Razor1911 Final MAXSPEED\The Sims 3 - Razor1911 MAXSPEED www.torentz.3xforum.ro\The Sims 3 - Razor1911 MAXSPEED www.torentz.3xforum.ro.iso probably a variant of Win32/Hupigon trojan C:\Users\NwS\Downloads\70Facebook_Friend_Bomber_2.0.1.rar probably a variant of Win32/PSW.Agent.NLW trojan C:\Users\NwS\Downloads\CheatEngine55-1.exe Win32/HackTool.CheatEngine application C:\Users\NwS\Downloads\CheatEngine55.exe Win32/HackTool.CheatEngine application C:\Users\NwS\Downloads\Smart FTP 2.5.1006.10 + working patch.rar a variant of Win32/HackTool.Patcher.A application C:\Users\NwS\Downloads\vdownloader.zip a variant of Win32/Adware.ADON application C:\Users\NwS\Downloads\wowmimicii-3.0.0.55.326.exe.download a variant of Win32/Packed.Themida application C:\Users\NwS\Downloads\ESET NOD32 Antivirus & Smart Security 4.0.417 x32 & x64\[LATEST] box, mara-fix v1.1\ESET fix.exe multiple threats C:\Users\NwS\Downloads\NOD32.3.0.621-TemDono (Silver Team)\NOD32_v3_FiX_1.1-TemDono.exe Win32/HackAV.AJ application C:\Users\NwS\Downloads\NOD32.3.0.621-TemDono (Silver Team)\NOD32.3.0.621-TemDono\NOD32_v3_FiX_1.1-TemDono.exe Win32/HackAV.AJ application C:\Users\NwS\Downloads\Smart FTP 2.5.1006.10 + working patch\Smart FTP 2.5.1006.10 + working patch\SmartFTP patch.exe a variant of Win32/HackTool.Patcher.A application Ehm a lot of downloads I know.. :blush:

#10 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 30 September 2009 - 10:28 AM

jsmith, You have no hope to keep your system clean if you are going to continue to download garbage onto your system. It would make no sense to me for someone to not use trustworthy security programs but based upon what shows I have to ask... Is your ESET AV legit or is it pirated? If it isn't legit we need to get it off and you can install one of several excellent free AV programs. There is no point to further cleaning until that question is answered. :popcorn:

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#11 jsmith

Authentic Member

Authentic Member
31 posts

Posted 30 September 2009 - 10:36 AM

Hello Tomk, These programs are either not used (never opened) or clean and NOD finds them as viruses due to the backdoors they leave open to run the apps. NOD version is pirated atm.

#12 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 30 September 2009 - 10:41 AM

jsmith,

OK. Let's take care of that. It's asking a little much if you think an infected program is going to protect you from other infections. :pullhair:

Please download the OTM by OldTimer.

Save it to your desktop.
Please double-click OTM.exe to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Files
C:\games\WoW\wowmimicii-3.0.0.55.326.exe
C:\games\WoW\on\Launcher.exe
C:\Program Files\Cheat Engine\dbk32.sys
C:\Program Files\FriendBlasterPro\FriendBlasterPro v10.1.5 Patch.exe
C:\Program Files\SmartFTP Client\SmartFTP patch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ESET fix.exe
C:\Users\NwS\Desktop\Desktop\Games\Simcity Societies Deluxe\rld-scsd.iso
C:\Users\NwS\Desktop\Desktop\Games\The Sims 3 - Razor1911 Final MAXSPEED\The Sims 3 - Razor1911 MAXSPEED www.torentz.3xforum.ro\The Sims 3 - Razor1911 MAXSPEED www.torentz.3xforum.ro.iso
C:\Users\NwS\Downloads\70Facebook_Friend_Bomber_2.0.1.rar
C:\Users\NwS\Downloads\CheatEngine55-1.exe
C:\Users\NwS\Downloads\CheatEngine55.exe
C:\Users\NwS\Downloads\Smart FTP 2.5.1006.10 + working patch.rar
C:\Users\NwS\Downloads\vdownloader.zip
C:\Users\NwS\Downloads\wowmimicii-3.0.0.55.326.exe.download
C:\Users\NwS\Downloads\ESET NOD32 Antivirus & Smart Security 4.0.417 x32 & x64\[LATEST] box, mara-fix v1.1\ESET fix.exe
C:\Users\NwS\Downloads\NOD32.3.0.621-TemDono (Silver Team)\NOD32_v3_FiX_1.1-TemDono.exe
C:\Users\NwS\Downloads\NOD32.3.0.621-TemDono (Silver Team)\NOD32.3.0.621-TemDono\NOD32_v3_FiX_1.1-TemDono.exe
C:\Users\NwS\Downloads\Smart FTP 2.5.1006.10 + working patch\Smart FTP 2.5.1006.10 + working patch\SmartFTP patch.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Have a look here and pick one of the free Anti-Virus programs listed. Download and install it.

Then run a scan with it and let me know how it goes.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#13 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 05 October 2009 - 07:15 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

Body Background

skin color theme