#1
Registered User
Join Date: Jan 2009
Posts: 1
OS: xp service pack 3
Hi, I had a keylogger on my computer that was stealing my password for my WoW account, so therefore I followed a keylogger remover guide from the Blizzard forums. I did as told and cleaned my computer with some programs, but I am not sure if it's all gone, so I'm posting a HijackThis log here and hope you can help and tell me if you can see whether the keylogger is gone or not, and then what to do to remove it.

PS: link to the guide http://forums.wow-europe.com/thread....83442401&sid=1

Posting the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:04, on 2009-01-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE
C:\VIRUSfighter\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Programmer\Fighters\configservice.exe
C:\Programmer\Spyware Doctor\pctsAuxs.exe
C:\Programmer\Spyware Doctor\pctsSvc.exe
C:\Programmer\BullGuard Ltd\BullGuard\support\bgrasvc.exe
C:\Programmer\Fighters\licenseservice.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre6\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\VIRUSfighter\Npm\bin\ZLH.EXE
C:\Programmer\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\Programmer\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE
C:\Documents and Settings\Angelo\Skrivebord\Spywarefri\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Programmer\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programmer\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Programmer\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programmer\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\VIRUSfighter\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [ISTray] "C:\Programmer\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Programmer\BullGuard Ltd\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Programmer\Curse\CurseClient.exe
O4 - HKCU\..\Run: [RGSC] C:\programmer\steam\steamapps\common\grand theft auto iv\RGSC\RGSCLauncher.exe /silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Windows WebMedia - {E0106D22-FF99-4a7d-A13E-1B71A7DE6F21} - C:\PROGRA~1\WI8A2F~1\WINWEB~1.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214390103953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1228299563640
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - https://secure2.comned.com/signuptem...ogin-devel.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/a.../e-Safekey.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Programmer\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard Ltd. - C:\Programmer\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\VIRUSfighter\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\VIRUSfighter\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\VIRUSfighter\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PTK License-FIGHTERS-37333603 - SPAMfighter - C:\Programmer\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-37333603 - SPAMfighter - C:\Programmer\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-37333603 - SPAMfighter - C:\Programmer\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-37333603 - SPAMfighter - C:\Programmer\Fighters\configservice.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmer\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmer\Spyware Doctor\pctsSvc.exe

--
End of file - 8539 bytes

*EDIT: posting an MBAM log as well.

Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3

2009-01-06 14:51:11
mbam-log-2009-01-06 (14-51-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 177925
Time elapsed: 10 hour(s), 43 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\midadDrv.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6ecb0be8-933c-91d2-c901-9a81e135d25a} (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\contexttool (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\browsingsoftware (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6ecb0be8-933c-91d2-c901-9a81e135d25a} (Spyware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Programmer\contexttool (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Programmer\BrowsingSoftware (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\midadDrv.dll (Spyware.Agent) -> Delete on reboot.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172073.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172091.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172072.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172074.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172076.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172077.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172078.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172080.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172081.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172083.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172084.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172090.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172092.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172093.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172094.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172095.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172096.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172097.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172098.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172099.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172100.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172101.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172102.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172103.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DFB12066-03A9-4301-A3B7-F3AA3F5993EE}\RP202\A0172104.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Programmer\contexttool\pcre3.dll (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Programmer\contexttool\uninstall.exe (Adware.PlayaZ) -> Quarantined and deleted successfully.
C:\Programmer\BrowsingSoftware\BrowsingSoftware.dat (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Programmer\BrowsingSoftware\pcre3.dll (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Programmer\BrowsingSoftware\uninstall.exe (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0bf5d362.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0bf5d362.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Programmer\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Last edited by bobxx; 01-06-2009 at 09:39 AM.
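The post above asks a reader to eyeball a HijackThis log for leftovers. As an added example (not code from the original post, from Trend Micro's HijackThis, or from the forum's helpers), here is a small triage script that parses the O2/O4/O16/O23 sections of such a log and flags the entries a responder looks at first: browser helper objects with no name or a missing DLL, autorun entries pointing into user-writable directories, ActiveX downloads (DPF) from hosts other than Microsoft Update, and services whose binary carries no vendor string. The heuristics and the trusted-host list are my assumptions, not HijackThis logic. The sample log is constructed: seven lines are copied from the log in the post, and the `[svchost]` O4 line is invented purely to exercise the autorun check; it does not appear in the poster's log.

```python
"""Triage a HijackThis v2 log: parse the numbered sections and flag entries
worth a second look. Added example; the heuristics below are my own, not
HijackThis's, and the sample log is constructed (see lead-in)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the forum post's log, plus one
# INVENTED O4 line ([svchost] in a Temp folder) to exercise the autorun check.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Angelo\Local Settings\Temp\svchost.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214390103953
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# HijackThis entries look like "O23 - Service: ..." (sections R0-R3, F0-F3, N1-N4, O1-O24).
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Hosts from which an O16 ActiveX download is expected on a patched XP box (assumption).
TRUSTED_DPF_HOSTS = ("update.microsoft.com",)

# Autorun targets in user-writable locations: classic persistence for
# keyloggers and Vundo-style droppers on XP (assumption, tune per environment).
USER_WRITABLE = re.compile(
    r"\\documents and settings\\|\\temp\\|\\application data\\|\\recycler\\", re.I)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O4", "O16", "O23"
    body: str     # everything after "O2 - "


def parse_hjt(text: str) -> list[Entry]:
    """Return one Entry per recognised HijackThis line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def dpf_host(body: str) -> str:
    """Hostname of the URL in an O16 (DPF) entry, lower-cased, or '' if none."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else ""


def run_target(body: str) -> str:
    """Executable path of an O4 Run entry: text after the [name], up to the first .exe."""
    m = re.search(r'\]\s+"?(.+?\.exe)', body, re.I)
    return m.group(1) if m else ""


def flag(e: Entry) -> list[str]:
    """Reasons this entry deserves attention; empty list means nothing stood out."""
    reasons = []
    if e.section == "O2":
        if e.body.startswith("BHO: (no name)"):
            reasons.append("BHO with no name")
        if e.body.endswith("(no file)"):
            reasons.append("BHO CLSID registered but DLL missing (orphaned entry)")
    elif e.section == "O4" and USER_WRITABLE.search(run_target(e.body)):
        reasons.append("autorun from user-writable path")
    elif e.section == "O16":
        host = dpf_host(e.body)
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX control downloaded from {host or 'unknown host'}")
    elif e.section == "O23" and " - Unknown owner - " in e.body:
        reasons.append("service binary has no vendor/company string")
    return reasons


def triage(text: str) -> list[tuple[Entry, list[str]]]:
    """All flagged entries of a log, each paired with its reasons."""
    return [(e, r) for e in parse_hjt(text) if (r := flag(e))]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.section}: {entry.body}\n    -> {'; '.join(reasons)}")
```

Flagged lines are leads, not verdicts. PnkBstrA and PnkBstrB are the PunkBuster anti-cheat services and routinely show "Unknown owner" in HijackThis because their binaries carry no company string, and an orphaned "(no file)" BHO is usually the residue of something already removed rather than an active threat. The converse also holds: a log with nothing flagged only shows that the persistence points HijackThis enumerates look clean, which is why helpers in threads like this one pair the log with a fresh scanner run before calling the machine clean.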