Tech Support Forum
HijackThis Log Help: Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.
#1
Registered User
Join Date: May 2008
Posts: 1
OS: XP
Clicked on a Keylogger
Yesterday I was browsing the World of Warcraft forums and clicked on a keylogger from not paying attention. The URL was mostly gibberish, but looked something like this: jn343242.cn/random/random/lolret.jpg

When I clicked the URL it took me to a picture. I didn't click on it or anything, but didn't realize the URL was suspicious until I had already loaded up the page. I've done a system restore and I've run Ad-Aware and Spybot Search and Destroy. So far I've come up with nothing on my scanners. At the time when I clicked the URL, nothing popped up. I was using Firefox, but with no added plugins like NoScript. Usually Spybot asks for registry changes or my firewall (ZoneAlarm) asks me to allow or deny internet-related things. My Avast! Anti-Virus didn't pop up with a message either. It did however come up with a trojan message a few minutes later when I was no longer on the website. I moved that to the chest.

I heard a HijackThis log would be able to help. I've read through the stickies and used Deckard like it told me to. Just a few notes before I post it. I'm sure these will be brought up. My computer has a few problems currently that I can't get rid of, but can live with. They don't seem to be doing any major damage to it, but are mostly just annoyances. It's mostly just that my computer takes a while to load from Windows starting up to the login screen. I also can't seem to download SP2. I get a message about update.inf and cryptographic. It's running and I've tried fixes, but none worked. Right now my biggest concern is the keylogger. So here is my HijackThis log.

Deckard's System Scanner v20071014.68
Run by Robert on 2008-05-01 14:26:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.
Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Robert.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-01 14:27:31
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://www.fileplanet.com (HKCU)
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161811685234
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{040C73BB-3533-400B-B7AF-934FFF9BECDF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{35C27FE3-DCFE-4FE7-AA99-68E945F81BEB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{37DACD9F-5F92-473F-8B0B-0B3BDD9D67E5}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A459CA3-01CF-470E-B3ED-DABF8E0E8C62}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{6D01127B-3620-47A2-863E-391BCB6CD662}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- End of file - 11799 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 A3AB (D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB)) - c:\windows\system32\drivers\a3ab.sys <Not Verified; D-Link Corporation; D-Link Wireless Network adapter>
2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
2 IOPort - c:\windows\system32\drivers\ioport.sys <Not Verified; Erik Salaj; IOPort>
3 jnv4_mib - c:\docume~1\robert\locals~1\temp\jnv4_mib.sys (file missing)
3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
3 npkcrypt - c:\program files\gravity\ro\npkcrypt.sys (file missing)
2 NvNdis (NVIDIA NDIS IO Control Driver) - c:\windows\system32\drivers\nvndis.sys (file missing)
1 nvport (NVIDIA PORT IO Control Driver) - c:\windows\system32\drivers\nvport.sys (file missing)
2 nvtvSND (nVidia WDM TVAudio Crossbar) - system32\drivers\nvtvsnd.sys (file missing)
3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
3 USB20L (Linksys USB 2.0 10/100 Adapter) - c:\windows\system32\drivers\usb200m.sys <Not Verified; Linksys; Windows (R) 2000 DDK driver>
1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
2 npkcsvc - c:\windows\system32\npkcsvc.exe <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Service>
3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - c:\program files\winpcap\rpcapd.exe
2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe
3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe
2 Viewpoint Manager Service - c:\program files\viewpoint\common\viewpointservice.exe

-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.
-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 14:08:39 0 d-------- C:\WINDOWS\LastGood
2008-04-28 00:22:46 0 --a------ C:\WINDOWS\System32\drivers\dump_wmimmc.sys
2008-04-22 14:15:59 0 d-------- C:\Program Files\UnH Solutions
2008-04-21 00:01:12 9453568 --a------ C:\Documents and Settings\Robert\ntuser.dat
2008-04-20 14:55:04 0 d-------- C:\Program Files\Screen Recorder
2008-04-20 02:12:51 0 d------c- C:\Logs
2008-04-10 23:34:02 0 d-------- C:\Program Files\Registry Easy
2008-04-09 04:03:42 23600 --a------ C:\WINDOWS\System32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-04-09 03:46:17 0 d-------- C:\WINDOWS\System32\CatRoot2
2008-04-09 03:24:10 0 d-------- C:\WINDOWS\System32\oldcatroot2
2008-04-09 03:21:28 0 --a------ C:\WINDOWS\System32\wmsoft84540.exe
2008-04-09 03:00:07 0 --a------ C:\WINDOWS\System32\wmsoft45550.exe
2008-04-09 02:59:53 0 d-------- C:\WINDOWS\System32\oldcatrt2
2008-04-09 02:57:16 0 --a------ C:\WINDOWS\System32\wmsoft68325.exe
2008-04-09 02:37:14 0 d-------- C:\WINDOWS\System32\oldcatr2
2008-04-09 02:29:26 0 --a------ C:\WINDOWS\System32\wmsoft46883.exe
2008-04-09 02:28:16 0 --a------ C:\WINDOWS\System32\wmsoft72377.exe
2008-04-09 02:28:15 80 --a------ C:\WINDOWS\System32\i
2008-04-07 02:24:34 0 d-------- C:\Program Files\GameSpy Arcade
2008-04-07 02:14:08 0 d-------- C:\Program Files\EA GAMES
2008-04-03 23:44:05 0 d-------- C:\Documents and Settings\Robert\Application Data\.purple
2008-04-03 23:41:04 0 d-------- C:\Program Files\Aspell
2008-04-03 23:39:34 0 d-------- C:\Program Files\Pidgin
2008-04-03 23:39:09 0 d-------- C:\Program Files\Common Files\GTK
2008-04-03 20:27:01 0 d-------- C:\Documents and Settings\Robert\Application Data\Aim
2008-04-03 20:07:57 0 d-------- C:\Program Files\AIM
2008-04-03 17:58:44 0 d------c- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-03 17:58:19 0 d------c- C:\Documents and Settings\All Users\Application Data\AOL OCP

-- Find3M Report ---------------------------------------------------------------

2008-05-01 12:57:49 0 d-------- C:\Program Files\Winamp Remote
2008-05-01 05:55:38 0 d-------- C:\Program Files\SpywareBlaster
2008-05-01 04:38:50 0 d-------- C:\Program Files\CohTest
2008-05-01 01:55:35 0 d-------- C:\Program Files\World of Warcraft
2008-04-30 22:41:59 0 d-------- C:\Program Files\City of Heroes
2008-04-28 21:23:02 0 d-------- C:\Program Files\VideoLAN
2008-04-23 18:21:54 0 d-------- C:\Program Files\Azureus
2008-04-23 18:21:52 0 d-------- C:\Documents and Settings\Robert\Application Data\Azureus
2008-04-18 22:16:10 0 d-------- C:\Documents and Settings\Robert\Application Data\gtk-2.0
2008-04-14 20:09:33 0 d-------- C:\Documents and Settings\Robert\Application Data\Intuit
2008-04-14 20:07:44 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-14 20:07:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-14 19:44:45 0 d-------- C:\Program Files\TurboTax
2008-04-11 02:02:04 0 d-------- C:\Program Files\StepMania
2008-04-09 04:03:41 8509 --a----c- C:\WINDOWS\mozver.dat
2008-04-07 03:00:28 0 d-------- C:\Program Files\Common Files\EasyInfo
2008-04-03 23:39:09 0 d-------- C:\Program Files\Common Files
2008-04-03 20:24:25 0 d-------- C:\Program Files\Common Files\AOL
2008-04-03 20:24:09 0 d-------- C:\Program Files\AOD
2008-04-03 18:39:44 0 d-------- C:\Program Files\PAL SPYREM
2008-04-03 17:58:47 0 d-------- C:\Program Files\Viewpoint
2008-03-21 18:09:39 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-03-21 18:09:34 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-08 01:23:28 0 d-------- C:\Program Files\Warcraft III
2008-03-07 15:40:21 0 d-------- C:\Documents and Settings\Robert\Application Data\Adobe
2008-03-04 19:49:28 0 d-------- C:\Program Files\WC3Banlist
2008-03-04 17:33:43 0 d-------- C:\Program Files\Java
2008-02-12 06:02:46 65536 --a------ C:\WINDOWS\IFinst27.exe
2008-02-06 23:15:19 148854 --a----c- C:\WINDOWS\War3Unin.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 01:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
03/21/2008 06:09 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 01:06 PM 1135968]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [03/21/2008 06:09 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [07/16/2003 01:22 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" []
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [02/14/2003 12:59 PM C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [12/09/2002 05:19 PM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [03/18/2005 04:34 AM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [12/16/2004 05:49 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/23/2005 06:50 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [12/05/2007 02:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 11:37 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/18/2006 05:12 AM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [08/04/2004 05:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 08:40 PM]
"VX6000"="C:\WINDOWS\vVX6000.exe" [10/13/2006 05:04 PM]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [10/13/2006 05:01 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [12/05/2007 02:41 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/19/2005 07:34 PM]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [01/07/2008 01:02 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/25/2006 3:40:23 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csvtm.exe"

-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8325 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-05-01 14:29:41 ------------

This is what I've done after clicking on the URL. I haven't logged onto anything except this. I've run Ad-Aware twice, Spybot twice, Avast, and downloaded NoScript for Firefox. I also got SpywareBlaster and had it protect everything. I made sure to update all my things before running them as well. When I ran Avast it came up with a few alerts about an Other: Malware called vmain.class. I moved all of those to the chest like I do with any alerts.

One more question. Is there a way to log into WoW safely? I'm guessing that since I clicked on a keylogger URL on WoW's forums, it's aiming for my login info. I heard that if you mix up your password, like p1a2s3s4w1o2r3d4 and then highlight+delete the extras, it would be safe. Should I just do this for everything if I need to log into something?

Last edited by Dreemerz : 05-01-2008 at 02:49 PM.
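Most of the log above is ordinary, and a handful of lines carry the signal: the O17 NameServer entries (every interface lists the OpenDNS resolvers 208.67.220.220 and 208.67.222.222, except the CS1 control set, which lists 85.255.115.6 and 85.255.112.20), the non-empty Winlogon "System" value (csvtm.exe), and a driver registered from the user's temp directory (jnv4_mib.sys). The Python below is an added example, not a tool from this forum, from HijackThis or from Deckard's System Scanner: it parses a log in that format and flags exactly those three patterns. The sample log is a constructed excerpt modelled on the posted one, and the resolver allowlist is an assumption (OpenDNS, because that is what the other interfaces use); on another machine it should hold whatever the network really hands out.

```python
"""Triage a HijackThis / Deckard-style log for three high-signal indicators.

Added example; not from the forum thread, HijackThis or Deckard's System Scanner.
  * O17 NameServer values outside a caller-supplied set of expected resolvers
  * a non-empty Winlogon "System" value (empty on a clean Windows XP install)
  * drivers or services whose image lives under a temp directory
"""
import ipaddress
import re

# Assumed baseline: the OpenDNS resolvers that the other interfaces in the posted log use.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")
# DSS driver/service lines: "<start type> <name> [(description)] - <path> ..."
DRIVER_RE = re.compile(r"^[0-4] \S+.*? - (?P<path>.+?\.(?:sys|exe|dll))(?=\s|$)", re.IGNORECASE)
WINLOGON_SYSTEM_RE = re.compile(r'"System"="(?P<value>[^"]*)"')

# Constructed sample modelled on entries in the log above; not the full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{040C73BB-3533-400B-B7AF-934FFF9BECDF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
3 jnv4_mib - c:\docume~1\robert\locals~1\temp\jnv4_mib.sys (file missing)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 11:37 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csvtm.exe"
"""


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return findings as dicts with 'check', 'detail' and the offending 'line'."""
    findings = []
    in_winlogon = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. O17: per-interface and per-control-set DNS servers. Anything outside
        #    the expected set means name resolution is going somewhere else.
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            bad = []
            for s in servers:
                try:
                    ipaddress.ip_address(s)
                except ValueError:
                    bad.append(s)  # not even an IP literal; worth a look either way
                    continue
                if s not in trusted:
                    bad.append(s)
            if bad:
                findings.append({"check": "untrusted-dns", "detail": ",".join(bad), "line": line})
            continue

        # 2. Registry dump: track which key we are under; the Winlogon "System"
        #    value is empty by default, so any content is loaded at logon on purpose.
        if line.startswith("["):
            in_winlogon = "winlogon]" in line.lower()
        m = WINLOGON_SYSTEM_RE.search(line)
        if in_winlogon and m and m.group("value"):
            findings.append({"check": "winlogon-system", "detail": m.group("value"), "line": line})
            continue

        # 3. Drivers/services whose image path is under a temp directory.
        m = DRIVER_RE.match(line)
        if m and "\\temp\\" in m.group("path").lower():
            findings.append({"check": "temp-path-driver", "detail": m.group("path"), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['check']:18} {f['detail']}")
```

Run against a real log the script should be treated as a prompt for questions, not a verdict: an entry that is merely unfamiliar (a driver for a game's anti-cheat, a vendor resolver) will trip the same checks, and the remedy for a bad resolver is the one the reply below gives, setting the interface back to "Obtain DNS servers automatically" and re-checking the O17 lines afterwards.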
#2
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria, Australia
Posts: 7,405
OS: XP Pro SP3
Re: Clicked on a Keylogger

Download the program HostsXpert

Unzip HostsXpert.zip. It will create a folder named HostsXpert in whatever folder you extract it to.
Run HostsXpert.exe by double-clicking on it.
Click the Make Writeable? button.
Click Restore Microsoft's Hosts File and then click OK.
Click the X to exit the program.

=============================

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, save the text that will open (report.txt) to your desktop.

Should you have problems connecting to the internet after the fix, follow these instructions. Please go to Start -> Control Panel -> Network Connections. Right-click on your default connection (usually Local Area Connection or Dial-up Connection if you are using Dial-up) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.

In your next reply, please include a fresh HijackThis log and report.txt.

Thanks
__________________
An Australian Member of
Eddy
Last edited by Pancake : 05-03-2008 at 09:36 PM.
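The first step in the reply above restores the hosts file. A hosts file in the state shown in the log holds three kinds of entries that mean quite different things: thousands of names pinned to 127.0.0.1 (a blocklist, harmless and the reason for the "8325 more entries"), entries whose names are not valid hostnames at all (.supercocklol.com, www..webloyalty.com), and, the one class that matters for a login, any name pointed at an address other than loopback, which sends that site's traffic to a machine of someone else's choosing. The Python below is an added example, not HostsXpert's code and not from the forum: it classifies the entries of a hosts file and checks whether a file has been reduced to the one active line Windows XP ships (127.0.0.1 localhost), which is what "Restore Microsoft's Hosts File" should leave behind. The sample text is constructed after the dump in the log; its redirect entry is invented for the demonstration and uses documentation-only addresses.

```python
"""Audit a Windows hosts file: separate blocklist entries from redirects.

Added example; not HostsXpert and not from the forum thread.
"""
import ipaddress
import re

# The single active entry Windows XP ships in %SystemRoot%\system32\drivers\etc\hosts
# (the shipped file also carries comment lines, which this audit ignores).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# One DNS label: 1-63 letters, digits or hyphens, neither starting nor ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed sample modelled on the hosts dump in the log above. The last line is an
# invented redirect entry using an RFC 5737 documentation address and a .test name.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
0.0.0.0 008i.com
192.0.2.10 www.example-bank.test   # constructed: a login host pointed somewhere else
"""


def audit_hosts(text):
    """Classify every active hosts entry.

    default   : the shipped "127.0.0.1 localhost" line
    blocked   : a name pinned to loopback or 0.0.0.0, as blocklists and immunisation
                tools write by the thousand; harmless
    redirect  : a name pointed at any other address; the one class that can silently
                move a login to a server the user did not choose
    malformed : an address or name that cannot be what it claims; worth asking about
    """
    report = {"default": [], "blocked": [], "redirect": [], "malformed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            report["malformed"].append(line)
            continue
        for name in tokens[1:]:
            entry = f"{ip} {name}"
            if not HOSTNAME_RE.match(name):
                report["malformed"].append(entry)
            elif name.lower() == "localhost" and ip.is_loopback:
                report["default"].append(entry)
            elif ip.is_loopback or ip.is_unspecified:
                report["blocked"].append(entry)
            else:
                report["redirect"].append(entry)
    return report


def is_default(text):
    """True when the only active entry is the one Microsoft ships for XP."""
    r = audit_hosts(text)
    return len(r["default"]) == 1 and not (r["blocked"] or r["redirect"] or r["malformed"])


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:9} {len(entries):5}  {entries[:2]}")
    print("restored to default:", is_default(SAMPLE_HOSTS))
```

The redirect class is the one to read line by line before restoring anything, because it records which sites were being diverted; the blocked class can be reinstated afterwards by re-running whichever immunisation tool wrote it.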