Possible Keylogger

Post by xsnipersgox » September 26th, 2009, 1:58 pm

Hi, I normally keep Spybot S&D resident on and active and fully immunized 24/7;
lately I also added AVG Free antivirus.

I never had a problem with spyware/trojans/keyloggers before, but last week I allowed my parent to use my computer while I was out, and two days ago my World of Warcraft account was hacked, with the username changed and a character mid-transfer before I stopped it with their service. I am positive I saw an e-mail in my Google account concerning a password change, and later could not find it, so I am positive they had access to my e-mail account also and were deleting the red-flag e-mails. I have done a quick scan with AVG and Spybot with no result. I then changed my password and from then on used the on-screen keyboard to input my passwords. However, earlier today I noticed I got hacked again on my World of Warcraft account with the new password (the password was changed without my knowledge; I did enter it once with the keyboard). I have recently changed the password again and changed my e-mail account password/recovery password from a different, clean computer. I tried to look over the processes myself but alas am not well educated enough to find anything, so now I am going along with the steps. Below is the log.


Here is my netstat -an log, for what it's worth:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\xsnipersgox>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3260 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3261 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 127.0.0.1:51404 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51408 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51410 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51412 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51413 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51415 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51418 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51420 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51421 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51424 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51426 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51428 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51430 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51432 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51438 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51440 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51442 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51443 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51444 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51448 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51450 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51452 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51454 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51456 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51465 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51467 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51468 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51471 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51473 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51475 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51477 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51479 TIME_WAIT
TCP 127.0.0.1:13128 0.0.0.0:0 LISTENING
TCP 127.0.0.1:18080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:49174 ESTABLISHED
TCP 127.0.0.1:49174 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:51404 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51408 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51421 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51428 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51438 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51440 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51442 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51443 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51444 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51448 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51450 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51459 127.0.0.1:10080 TIME_WAIT
TCP 127.0.0.1:51461 127.0.0.1:10080 TIME_WAIT
TCP 127.0.0.1:51463 127.0.0.1:10080 TIME_WAIT
TCP 127.0.0.1:51465 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51471 127.0.0.1:10080 ESTABLISHED
TCP 192.168.1.111:139 0.0.0.0:0 LISTENING
TCP 192.168.1.111:51405 74.125.157.139:80 ESTABLISHED
TCP 192.168.1.111:51409 74.125.159.133:80 ESTABLISHED
TCP 192.168.1.111:51423 74.125.159.139:80 ESTABLISHED
TCP 192.168.1.111:51429 12.20.40.89:80 ESTABLISHED
TCP 192.168.1.111:51437 74.125.47.106:80 TIME_WAIT
TCP 192.168.1.111:51439 74.125.65.101:80 ESTABLISHED
TCP 192.168.1.111:51441 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51445 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51446 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51447 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51449 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51451 65.55.98.41:80 ESTABLISHED
TCP 192.168.1.111:51458 65.54.166.122:443 ESTABLISHED
TCP 192.168.1.111:51464 132.203.239.16:80 TIME_WAIT
TCP 192.168.1.111:51466 132.203.239.16:80 ESTABLISHED
TCP 192.168.1.111:51472 12.20.40.80:80 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:49152 *:*
UDP 0.0.0.0:49154 *:*
UDP 0.0.0.0:51927 *:*
UDP 0.0.0.0:65204 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:59152 *:*
UDP 192.168.1.111:137 *:*
UDP 192.168.1.111:138 *:*
UDP 192.168.1.111:1900 *:*
UDP 192.168.1.111:5353 *:*
UDP 192.168.1.111:59151 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:5355 *:*
UDP [::]:49153 *:*
UDP [::]:49155 *:*
UDP [::1]:1900 *:*
UDP [::1]:59149 *:*
UDP [fe80::20c1:68e:9c63:5bdc%12]:1900 *:*
UDP [fe80::20c1:68e:9c63:5bdc%12]:59150 *:*
UDP [fe80::54a2:9da3:8d59:2bd2%11]:1900 *:*
UDP [fe80::54a2:9da3:8d59:2bd2%11]:59146 *:*
UDP [fe80::6920:94fa:d876:acd2%8]:1900 *:*
UDP [fe80::6920:94fa:d876:acd2%8]:59148 *:*
UDP [fe80::ec7c:a18e:b89e:6bfc%10]:1900 *:*
UDP [fe80::ec7c:a18e:b89e:6bfc%10]:59147 *:*

----------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:10 PM, on 9/26/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP Laser Gaming Mouse with VoodooDNA\hid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP VoodooDNA Mouse] "C:\Program Files\HP Laser Gaming Mouse with VoodooDNA\hid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] C:\Users\xsnipersgox\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled
O4 - Startup: SolidWorks Task Scheduler Engine.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Citrix XenApp.lnk.disabled
O4 - Global Startup: MultiFrame.lnk.disabled
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9b65fdc7dfe1e) (gupdate1c9b65fdc7dfe1e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - D:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - D:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10026 bytes
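As an added triage example, not part of the original post and not one of the forum's tools: a Python script that sorts a `netstat -an` dump like the one above into the three buckets a helper reads first, sockets bound on a wildcard or real interface address, loopback-only listeners, and connections to public remote addresses. The text embedded as SAMPLE is a constructed excerpt of lines taken from the log above, not the full dump, and the script assumes only the plain `netstat -an` column layout.

```python
"""Sort a Windows `netstat -an` dump into the buckets a triage starts from:
sockets bound on a wildcard or real interface, loopback-only listeners,
and connections to public remote addresses.

Added example; assumes only the plain `netstat -an` column layout."""
import ipaddress
from collections import Counter

# Constructed excerpt: a subset of lines from the netstat -an log above.
SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3260 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 127.0.0.1:51404 ESTABLISHED
TCP 127.0.0.1:51404 127.0.0.1:10080 ESTABLISHED
TCP 192.168.1.111:139 0.0.0.0:0 LISTENING
TCP 192.168.1.111:51405 74.125.157.139:80 ESTABLISHED
TCP 192.168.1.111:51458 65.54.166.122:443 ESTABLISHED
TCP 192.168.1.111:51466 132.203.239.16:80 ESTABLISHED
TCP [::]:445 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 192.168.1.111:137 *:*
UDP [fe80::20c1:68e:9c63:5bdc%12]:1900 *:*
"""


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::]:445' -> ('::', 445); '*:*' -> ('*', None).
    IPv6 brackets and the %zone suffix are dropped so ipaddress can parse the host."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local, foreign, state) for every socket line; UDP has no state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank line or the column header
        state = parts[3] if len(parts) > 3 else "-"
        yield parts[0], split_endpoint(parts[1]), split_endpoint(parts[2]), state


def is_public(host):
    """True for a routable address: excludes loopback, RFC 1918, link-local, wildcard."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_global


def triage(text):
    """Bucket every socket; listeners keyed by (proto, host, port), remotes counted."""
    exposed, loopback, remote = set(), set(), Counter()
    for proto, (lhost, lport), (fhost, fport), state in parse_netstat(text):
        bound = proto == "UDP" or state == "LISTENING"
        if bound:
            if ipaddress.ip_address(lhost).is_loopback:
                loopback.add((proto, lport))
            else:
                exposed.add((proto, lhost, lport))  # 0.0.0.0 / :: means every interface
        elif is_public(fhost):
            remote[(fhost, fport)] += 1
    return {
        "exposed": sorted(exposed, key=lambda t: (t[0], t[2], t[1])),
        "loopback": sorted(loopback),
        "remote": dict(remote),
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    for bucket, entries in result.items():
        print(f"== {bucket} ==")
        for entry in (entries.items() if isinstance(entries, dict) else entries):
            print("  ", entry)
```

`netstat -an` cannot say which process owns a socket, so this only narrows the list; on Windows the next step is `netstat -anob` from an elevated prompt, which adds the owning PID and executable name to each line. The cluster of connections to the loopback listener on port 10080 in the log above is exactly the kind of entry that needs that mapping: a local proxy or filtering component looks identical to something hostile until the owning process is known.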

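A second added example, again not code from this page or from HijackThis: the review heuristics a helper applies by eye to a HijackThis log, written out as a Python script over the O2 (BHO), O4 (Run), O20 (AppInit_DLLs) and O23 (service) lines. It flags registrations whose file is gone, services with no publisher, Run values that name a bare executable resolved through PATH, autostarts under user-writable directories, rundll32 targets outside the Windows directory, and every AppInit_DLLs entry. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; the regular expressions assume the HijackThis 2.0.x line layout.

```python
"""Apply a helper's review heuristics to a HijackThis log.

Added example; the patterns assume the HijackThis 2.0.x line layout."""
import re

# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [googletalk] C:\Users\xsnipersgox\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - D:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (.*?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
# Greedy first group lets a display name itself contain " - "; the path must
# start with a drive letter so the split lands on the publisher field.
O23_RE = re.compile(r"^O23 - Service: (.*) - (.*?) - ([A-Za-z]:\\.*)$")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users)\\", re.IGNORECASE)


def executable_of(command):
    """The program a Run value launches: the quoted path if quoted, else the first
    whitespace-delimited token (an unquoted path with spaces is cut short, the
    same ambiguity Windows resolves by probing each prefix)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def triage_hjt(text):
    """Return a list of {'section', 'name', 'reason'} dicts worth a second look."""
    findings = []

    def flag(section, name, reason):
        findings.append({"section": section, "name": name, "reason": reason})

    for line in text.splitlines():
        if m := O2_RE.match(line):
            _name, clsid, path = m.groups()
            if path == "(no file)":
                flag("O2", clsid, "BHO still registered but its DLL is gone")
        elif m := O4_RE.match(line):
            _hive, name, command = m.groups()
            exe = executable_of(command)
            if exe.lower() in ("rundll32.exe", "rundll32"):
                # rundll32 is only a host; the artefact to check is the DLL it loads.
                dll = command.split(None, 1)[1].split(",")[0].strip('"')
                if "\\" not in dll or "\\windows\\" not in dll.lower():
                    flag("O4", name, f"rundll32 target to verify: {dll}")
            elif "\\" not in exe and not exe.startswith("%"):
                flag("O4", name, f"bare executable name resolved through PATH: {exe}")
            elif USER_WRITABLE.search(command):
                flag("O4", name, f"autostart from a user-writable location: {command}")
        elif m := O20_RE.match(line):
            flag("O20", m.group(1), "AppInit_DLLs is loaded into every process that links user32.dll")
        elif m := O23_RE.match(line):
            service, publisher, path = m.groups()
            if publisher == "Unknown owner":
                flag("O23", service, "service binary carries no publisher information")
            if path.endswith("(file missing)"):
                flag("O23", service, "service entry points at a binary that no longer exists")
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['name']}: {f['reason']}")
```

These are review prompts, not verdicts: every line the script lists from the sample has a plausible benign reading in context (vendor tray utilities started by bare name, an AppInit_DLLs entry whose name matches the installed AVG product, a leftover Symantec service whose binary is gone). What the flags buy is a short list to verify by file signature and hash instead of reading eighty lines by eye. HijackThis also covers only a subset of autostart locations; Sysinternals Autoruns enumerates far more of them.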
Re: Possible Keylogger

Post by MWR 3 day Mod » October 1st, 2009, 1:25 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Possible Keylogger

Post by Cyborg » October 2nd, 2009, 11:05 pm

Hi, welcome to Malware Removal.


My nickname is Cyborg, and I'll be helping you with your malware problems.
HijackThis logs can take a while to research, so please be patient.

We are really sorry about the late response, our forum has been really busy.


Please note the following important guidelines
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • If you have any questions concerning any of the steps mentioned, ASK, don't guess or assume.
  • Please only post your problem at one help site. Applying fixes from multiple help sites can cause problems.
  • Please reply to this thread, do not start another!
  • Please do not run any other fix/removal tools unless instructed to do so!
  • Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  • Please, continue responding, until I give you the "All Clean"


No reply after 3 days in your thread will result in your topic being closed.
Please notify me in advance if you are not able to reply to me within 3 days.


If you agree with the above terms and conditions, we shall begin.

Disclaimer: Given the nature of the infections that were present on the machine, I give no guarantees about the security of this computer and have to the best of my abilities tried to both identify and eradicate all malware.

Please note that I'm still under active training which means that all infections are first checked by a teacher/admin before I post them here, this could cause a slight delay in my replies.
However, this guarantees that the advice you get from me is sound and will not in most cases cause damage to your computer.

Re: Possible Keylogger

Post by xsnipersgox » October 2nd, 2009, 11:19 pm

agree, lets do it =)

Re: Possible Keylogger

Post by Cyborg » October 5th, 2009, 11:07 pm

Hi xsnipersgox,

Disable TeaTimer
The Resident TeaTimer tool of Spybot-S&D, may interfere with the fix, so we need to temporarily disable it.
  1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  2. Choose Exit Spybot S&D Resident
  3. Open Spybot S&D
  4. Click Mode, check Advanced Mode
  5. Go To Left Panel, Click Tools, then also in left panel, click Resident
  6. If your firewall raises a question, say "OK"
  7. Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  8. Use File, Exit to terminate Spybot.
  9. Reboot your machine for the changes to take effect.
Spybot's Tea-Timer is now disabled.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Download GMER and save to your desktop.
The file is randomly named, but it is legit, so please do not worry about the random characters.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on the random-named file which you have downloaded to open GMER.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.


SUMMARY
Please post the following :
  • RSIT log.
  • GMER log.

Re: Possible Keylogger

Post by NonSuch » October 9th, 2009, 1:05 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
