Tech Support Forum banner

Clean keyloggers

1016 Views 1 Reply 2 Participants Last post by  Jintan
I have already checked my PC.
Could you tell me if now it is secure?
Two logfile generated by Hijackthi and MBAM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.29.54, on 03/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\Programmi\BitDefender\BitDefender 2009\vsserv.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\BitDefender\BitDefender 2009\bdagent.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Creative\Shared Files\CTSched.exe
C:\documents and settings\cesare\impostazioni locali\dati applicazioni\gwmge.exe
C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Programmi\ 3\program\soffice.exe
C:\Programmi\ 3\program\soffice.bin
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\BitDefender\BitDefender 2009\seccenter.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmi\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmi\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Programmi\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Programmi\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Programmi\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Programmi\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programmi\DNA\btdna.exe"
O4 - HKCU\..\Run: [gwmge] "c:\documents and settings\cesare\impostazioni locali\dati applicazioni\gwmge.exe" gwmge
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: 3.0.lnk = C:\Programmi\ 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. - C:\Programmi\File comuni\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programmi\File comuni\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Programmi\BitDefender\BitDefender 2009\vsserv.exe

End of file - 7851 bytes

Malwarebytes' Anti-Malware 1.36
Versione del database: 1945
Windows 5.1.2600 Service Pack 2

02/05/2009 12.38.14
mbam-log-2009-05-02 (12-38-14).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 137730
Tempo trascorso: 23 minute(s), 39 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 2
Chiavi di registro infette: 1
Valori di registro infetti: 2
Elementi dato del registro infetti: 1
Cartelle infette: 0
File infetti: 15

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> Delete on reboot.
C:\WINDOWS\system32\gasretyw0.dll (Spyware.OnlineGames) -> Delete on reboot.

Chiavi di registro infette:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Trojan.Agent) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\em8tqm.cmd (Trojan.OnlineGames) -> Quarantined and deleted successfully.
D:\em8tqm.cmd (Trojan.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kamsoft.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\jm3cx96.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\o.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\i6g6x.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\minm.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\gyn.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\2fiy.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xsia.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> Delete on reboot.
C:\WINDOWS\system32\nmdfgds1.dll (Spyware.OnLineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasretyw0.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\gasretyw1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Thank you
Best regards
See less See more
Not open for further replies.
1 - 2 of 2 Posts
Benvenuti a TSF cesmom,

Infection is still showing here. Let's get more details and then start some repairs.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that as an attachment to your next reply please.

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.
See less See more
1 - 2 of 2 Posts
Not open for further replies.