TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Moe C on May 26, 2007, 07:09:10 AM
-
I just downloaded a game mod from GW. I knew something bad was gonna happen, but I just downloaded it; I wanted it badly. I started a scan with AVG and here is what I found.
(http://i63.photobucket.com/albums/h133/moataz339/scan4.jpg)
(http://i63.photobucket.com/albums/h133/moataz339/scan2.jpg)
The first 3 only, but I don't know if the rest are removed.
--
(http://i63.photobucket.com/albums/h133/moataz339/scan3.jpg)
It says it's healed, but I really want to make sure.
These are 2 files that appear EVERY TIME I scan with AVG.
(http://i63.photobucket.com/albums/h133/moataz339/scan1.jpg)
Here is a HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 5:07:39 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Documents and Settings\Ahmed\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.811.com/saecs.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - >Â - (no file)
O2 - BHO: (no name) - @>Â - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O2 - BHO: (no name) - Â>Â - (no file)
O2 - BHO: (no name) - ¨ - (no file)
O3 - Toolbar: (no name) - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Scr Bait] C:\DOCUME~1\Ahmed\APPLIC~1\SENDAM~1\popaudiodog.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Wi-Fi Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: Wi-Fi Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (file missing)
I do have a system recovery disk, but I don't want to delete all my things.
Thx.
I am using an on-screen keyboard to type my passwords.
When I try to uninstall it, it says
(http://i63.photobucket.com/albums/h133/moataz339/scan5.jpg)
when I'm not even using it.
-
The 2 files that appear when scanning with AVG are normal and safe.
Please supply an uninstall list from HijackThis:
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy>>paste the whole contents back here.
-
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
Advanced System Optimizer 2.10
Apple Software Update
ArcSoft Software Suite
Athan Pro 3.0
AVG 7.5
BitComet 0.86
CD/DVD Drive Acoustic Silencer
Combined Community Codec Pack 2007-02-22
Conexant HD Audio
Data Lifeguard Tools
DivX Player
DivX Pro Codec
eMusic - 50 Free MP3 offer
ESPNMotion
FaceOnBody
Flash Catcher
Fly DVD Ripper V4.0
Freedom Force Demo
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
HipHop 6
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB894871)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB926239)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Update
HyperCam 2
iMesh
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 4
Java(tm) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 2.85 Full
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Flash MX 2004
Macromedia Flash Player 8
mCore
mDrWiFi
Metamail (Toshiba Registration Utility)
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta 96 Encyclopedia
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Web Publishing Wizard 1.52
mIWA
mLogView
mMHouse
Mozilla Firefox (2.0.0.3)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
mWlsSafe
mXML
MyConnect Special Offer
mZConfig
Nero Suite
NetBus Pro
New.net Domains 7.48
Nokia Connectivity Cable Driver
Nokia PC Suite
Office 2003 Trial Assistant
Otto
PC Connectivity Solution
PlayLinc
Pocket Tanks 1.00b
PPLive 1.6.28
Quicken 2006
QuickTime
RealPlayer
RocketDock 1.2.5
SD Secure Module
SecuExpress 2 Deluxe
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SMS box
Sonic DLA
Sonic Encoders
Sonic RecordNow!
Souptoys
Steam
Swift 3D v4.50
Syberia
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Weather Channel Desktop
TOSHIBA Assist
Toshiba Controls Utility
TOSHIBA Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA SD Memory Card Format
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Touchpad Utility
TOSHIBA TV Tuner 4.0.12.73
Toshiba Utility
TOSHIBA Zooming Utility
Uniblue SpeedUpMyPC
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Virtual DJ - Atomix Productions
Weather Services
WildTangent Web Driver
Winamp (remove only)
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB893086
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
WinHTTrack Website Copier 3.40
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Widget Engine
There, I'm sure the one I underlined is bad and can't get uninstalled.
-
BTW, do I have a keylogger on my comp?
-
Can you do me a favor?
I want to remove some entries with HijackThis, but I want to keep it orderly in one folder for you.
Right click an empty spot on your desktop and select
NEW>>FOLDER
A new folder will be placed on the desktop; name it
HJT
Now right click on HijackThis.exe and select CUT
Then open the HJT folder and select PASTE
Can you print the rest of these instructions, or save them to a text file on the desktop for reference?
Do a "System scan only" with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.811.com/saecs.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
O2 - BHO: (no name) - >Â - (no file)
O2 - BHO: (no name) - @>Â - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - Â>Â - (no file)
O2 - BHO: (no name) - ¨ - (no file)
O3 - Toolbar: (no name) - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Scr Bait] C:\DOCUME~1\Ahmed\APPLIC~1\SENDAM~1\popaudiodog.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Wi-Fi Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: Wi-Fi Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.
Access your Add/Remove Programs via Control Panel.
Remove all the following.
Remove the old version of Java:
J2SE Runtime Environment 5.0 Update 4
If you didn't purposely install the next one, or it is not needed, uninstall it also:
WildTangent Web Driver
Continue removing (uninstalling) the following:
Viewpoint Media Player
Finally, remove:
New.net Domains 7.48
Follow the prompts for removal.
Afterwards, it's important that you reboot your computer if any of the above was successfully uninstalled.
Back in Windows:
Download NoLop to your desktop from one of the links below:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.spywaretimes.com/To...3ca2625ab6208a197bcc5/
http://www.thespykiller.co.uk/...action=tpmod;dl=item16
Note that it will require a reboot, so close all open windows.
- Double click NoLop.exe to run it
- Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
- When scanning is finished you will be prompted to reboot only if infected; click OK
- Now click the "REBOOT" button.
- A message should pop up from NoLop. If not, double click the program again and it will finish
Can you also do the following:
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
Can you post back all the following please:
1. Post the log from Combofix
2. Can you post the log from NoLop located here >>>> C:\NoLop.txt
3. Can you post a fresh HijackThis log
4. Can you also
Download fl.zip (http://www.fbeej.ctrlaltdel.dk/Programmer/fl.zip)
Extract the contents to a new folder on the desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.
NOTE: IF, and only if, you have problems connecting to the Internet after doing any of the above,
do the following:
Close down any open windows
Go to Start>>Run>>type in cmd
At the prompt, type in the following exactly as posted below:
netsh winsock reset catalog
Hit Enter on your keyboard
Restart your computer
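As an added triage example (not code from the thread, from HijackThis or from the helper): a small Python parser for HijackThis 1.99.1 log lines that applies the same observations the helper used when picking entries to fix: entries whose file is missing, CLSID fields that are not well-formed GUIDs, Run entries launching from the user's Application Data folder, and start/search URLs whose host is outside an analyst-chosen allowlist. The sample lines and the EXPECTED_HOSTS allowlist are constructed for the example, and the flags are review hints, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the HijackThis 1.99.1 line shapes that appear in the
# thread (R0/R1, O2, O3, O4, O9, O23); it is not the poster's full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.811.com/saecs.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb103\Dealio.dll (file missing)
O3 - Toolbar: (no name) - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Scr Bait] C:\DOCUME~1\Ahmed\APPLIC~1\SENDAM~1\popaudiodog.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Wi-Fi Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Analyst-chosen allowlist (constructed for the example): the OEM and the
# toolbar vendor the user installed. Any other start/search host is surfaced.
EXPECTED_HOSTS = {"www.yahoo.com", "us.rd.yahoo.com", "www.toshibadirect.com"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROFILE_DATA_RE = re.compile(r"APPLIC~1|Application Data", re.I)
MISSING_MARKERS = ("(no file)", "(file missing)")
CLSID_SECTIONS = {"O2", "O3", "O9"}   # "name - {CLSID} - path" layout


@dataclass
class HjtEntry:
    section: str
    raw: str
    name: Optional[str] = None
    clsid: Optional[str] = None
    target: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HijackThis line into section, name, CLSID and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    e = HjtEntry(section=section, raw=line.strip())
    if section in CLSID_SECTIONS:
        _kind, _, body = rest.partition(": ")
        parts = body.rsplit(" - ", 2)          # the name may itself contain " - "
        if len(parts) == 3:
            e.name, e.clsid, e.target = parts
    elif section == "O4":
        run = RUN_RE.match(rest)
        if run:                                # HKLM\..\Run: [name] command
            e.name, e.target = run.group("name"), run.group("cmd")
        else:                                  # Startup: file.exe
            e.name, _, e.target = rest.partition(": ")
    elif section.startswith("R"):              # registry key = value
        e.name, _, e.target = rest.partition(" = ")
    else:                                      # O23 and others: last field is the path
        e.target = rest.rsplit(" - ", 1)[-1]
    return e


def triage(e: HjtEntry) -> HjtEntry:
    """Attach review flags. These are hints for a human, not verdicts."""
    target = e.target or ""
    if any(target.endswith(mk) for mk in MISSING_MARKERS):
        e.flags.append("orphan")               # registration points at nothing on disk
    if e.section in CLSID_SECTIONS and e.clsid is not None and not GUID_RE.match(e.clsid):
        e.flags.append("malformed-clsid")      # corrupt or garbled registration
    if e.section == "O4" and PROFILE_DATA_RE.search(target):
        e.flags.append("runs-from-profile-data")
    if e.section.startswith("R") and target.lower().startswith("http"):
        host = urlparse(target).hostname or ""
        if host not in EXPECTED_HOSTS:
            e.flags.append("unexpected-url-host")
    return e


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [triage(e) for e in entries if e is not None]


def flagged_lines(text: str) -> List[str]:
    """Raw lines worth a second look, prefixed with their flags."""
    return [f"[{', '.join(e.flags)}] {e.raw}" for e in parse_hjt_log(text) if e.flags]


if __name__ == "__main__":
    for line in flagged_lines(SAMPLE_LOG):
        print(line)
```

Run against a real log, every flagged line still needs a human decision; a missing-file BHO is harmless clutter, while a Run entry from Application Data deserves a look at the file itself.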
-
combofix log:
"Ahmed" - 2007-05-26 10:28:47 Service Pack 2
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Ahmed\Desktop\"
((((((((((((((((((((((((((((((( Files Created from 2007-04-26 to 2007-05-26 ))))))))))))))))))))))))))))))))))
2007-05-26 10:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 10:06 <DIR> d-------- C:\NoLopBackups
2007-05-26 04:43 <DIR> d-------- C:\HJT
2007-05-26 03:48 <DIR> d-------- C:\Program Files\NetBus Pro
2007-05-20 07:59 <DIR> d-------- C:\Program Files\Electric Rain
2007-05-20 04:37 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-05-20 04:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-05-18 08:21 172,032 --a------ C:\WINDOWS\system32\cncs32.dll
2007-05-18 08:21 <DIR> d-------- C:\WINDOWS\SuperCS
2007-05-14 14:50 <DIR> d-------- C:\Program Files\Yahoo Funny 2.1
2007-05-14 07:27 <DIR> d-------- C:\WINDOWS\.jagex_cache_34
2007-05-14 04:39 <DIR> d-------- C:\Program Files\Game_Maker7
2007-05-07 03:48 <DIR> d-------- C:\Program Files\BPK
2007-05-06 01:34 <DIR> d-------- C:\DOCUME~1\Ahmed\APPLIC~1\iMesh
2007-05-05 11:32 <DIR> d-------- C:\Program Files\Firaxis Games
2007-05-05 11:26 <DIR> d-------- C:\WINDOWS\Cache
2007-05-05 05:39 <DIR> d-------- C:\Program Files\HyCam2
2007-05-04 00:25 <DIR> d-------- C:\Program Files\BitComet Accelerator
2007-05-01 02:53 98,381 --a------ C:\WINDOWS\system32\SWEncoder.dll
2007-05-01 02:53 40,960 --a------ C:\WINDOWS\ASWComp.dat
2007-05-01 02:53 131,149 --a------ C:\WINDOWS\system32\SWDecoder.dll
2007-05-01 02:53 <DIR> d-------- C:\Program Files\accordiva
2007-05-01 02:49 <DIR> d-------- C:\Program Files\SMS box
2007-05-01 02:48 <DIR> d-------- C:\Program Files\Western Digital
2007-05-01 01:15 466,944 --a------ C:\WINDOWS\SouthPark.scr
2007-05-01 01:15 28,672 --a------ C:\WINDOWS\system32\ssconfig.exe
2007-05-01 01:15 180,224 --a------ C:\WINDOWS\UninstallWSST.exe
2007-05-01 01:15 1,598,599 --a------ C:\WINDOWS\SouthPark.dat
2007-05-01 00:09 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-01 00:09 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-01 00:09 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-01 00:09 <DIR> d-------- C:\DOCUME~1\Ahmed\APPLIC~1\MusicIP
2007-05-01 00:08 <DIR> d-------- C:\Program Files\Winamp
2007-04-29 09:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-29 06:15 <DIR> d-------- C:\DOCUME~1\Ahmed\APPLIC~1\RadialPoint
2007-04-29 04:42 <DIR> d-------- C:\DOCUME~1\Ahmed\APPLIC~1\GetRightToGo
2007-04-28 13:37 <DIR> d-------- C:\Program Files\iWin
2007-04-28 10:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-04-28 10:07 <DIR> d-------- C:\Program Files\Common Files\HP
2007-04-28 10:06 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-04-28 10:05 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-04-28 10:04 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-28 10:03 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-04-28 10:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-04-28 10:03 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-04-28 10:03 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-04-28 10:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-04-28 10:03 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-04-28 10:03 <DIR> d-------- C:\Program Files\HP
2007-04-28 10:02 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-04-28 09:53 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-28 09:49 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-04-28 09:49 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-04-28 09:49 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-04-28 09:48 581,632 --a------ C:\WINDOWS\system32\hpotscl.dll
2007-04-28 09:48 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll
2007-04-28 09:48 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll
2007-04-28 09:48 229,376 --a------ C:\WINDOWS\system32\hpovst08.dll
2007-04-28 09:47 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll
2007-04-28 09:47 196,608 --a------ C:\WINDOWS\system32\hpzcoi12.dll
2007-04-28 09:47 139,345 --a------ C:\WINDOWS\system32\hpzlnt12.dll
2007-04-28 09:45 <DIR> d-------- C:\temp\HP_WebRelease
2007-04-28 09:45 <DIR> d-------- C:\temp
2007-04-28 02:43 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-04-28 02:43 585,824 -ra------ C:\WINDOWS\system32\drivers\lvcm.sys
2007-04-28 02:43 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-04-28 02:43 372,736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-04-28 02:43 22,016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-04-28 02:43 204,800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-04-28 02:43 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-04-28 02:43 106,496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-04-28 02:43 1,206,272 -ra------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-04-28 02:42 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-28 02:42 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2007-04-28 02:42 <DIR> d-------- C:\DOCUME~1\Ahmed\APPLIC~1\FotoWire
2007-04-28 02:41 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-04-28 02:40 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-04-28 02:40 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-04-28 02:40 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-04-28 02:40 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-04-28 02:40 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-04-28 02:40 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-04-28 02:40 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-04-28 02:40 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-04-28 02:40 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-04-28 02:40 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-04-28 02:40 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-04-28 02:40 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-04-28 02:40 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-04-28 02:40 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-04-28 02:40 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-04-28 02:39 81,920 -r------- C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-04-28 02:39 <DIR> d-------- C:\Program Files\Logitech
2007-04-27 05:28 <DIR> d-------- C:\DOCUME~1\Ahmed\APPLIC~1\bang
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-26 13:40:58 -------- d-----w C:\Program Files\Steam
2007-05-25 22:59:04 -------- d-----w C:\Program Files\BitComet
2007-05-25 09:47:26 -------- d-----w C:\Program Files\MSN Messenger
2007-05-20 11:35:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-14 14:48:05 -------- d-----w C:\Program Files\iPod
2007-05-07 15:32:20 -------- d-----w C:\Program Files\PFG
2007-05-07 15:32:20 -------- d-----w C:\Program Files\A8GSdsApp
2007-04-30 18:40:50 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\AdobeUM
2007-04-29 16:45:34 -------- d--h--r C:\DOCUME~1\Ahmed\APPLIC~1\yahoo!
2007-04-29 14:16:48 -------- d-----w C:\Program Files\Yahoo!
2007-04-29 13:10:29 -------- d-----w C:\Program Files\Verizon
2007-04-29 11:34:02 -------- d-----w C:\Program Files\VirtualDJ
2007-04-28 10:04:00 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-04-24 14:00:32 -------- d-----w C:\Program Files\Pocket Tanks
2007-04-24 12:28:59 -------- d-----w C:\Program Files\PPLive
2007-04-24 11:55:19 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\PPLive
2007-04-24 07:55:37 -------- d-----w C:\Program Files\EA GAMES
2007-04-21 16:49:53 -------- d-----w C:\Program Files\Web Publish
2007-04-21 00:02:14 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\Opera
2007-04-20 23:31:29 -------- d-----w C:\Program Files\Doom 3
2007-04-20 23:29:46 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-20 23:29:46 -------- d-----w C:\Program Files\Wi-Fi Toolbar
2007-04-20 23:29:46 -------- d-----w C:\Program Files\Messenger
2007-04-20 23:29:46 -------- d-----w C:\Program Files\JiWire
2007-04-20 23:29:45 -------- d-----w C:\Program Files\ESPNMotion
2007-04-20 23:29:45 -------- d-----w C:\Program Files\EnglishOtto
2007-04-20 23:29:45 -------- d-----w C:\Program Files\Combined Community Codec Pack
2007-04-20 23:29:45 -------- d-----w C:\Program Files\Athan
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 19:31:27 -------- d-----w C:\Program Files\RGB
2007-04-16 21:31:54 -------- d-----w C:\Program Files\iMesh Applications
2007-04-16 20:39:26 0 ----a-w C:\WINDOWS\PowerReg.dat
2007-04-16 18:20:45 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-15 20:19:38 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\uTorrent
2007-04-15 19:52:52 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\Sonic
2007-04-13 11:44:16 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-04-13 08:40:36 -------- d-----w C:\Program Files\HT MPEG Encoder 6.0
2007-04-13 08:40:06 -------- d-----w C:\Program Files\LimeWire
2007-04-13 08:39:25 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\MSNInstaller
2007-04-13 08:28:56 -------- d-----w C:\Program Files\Google
2007-04-13 08:27:00 -------- d-----w C:\Program Files\e frontier
2007-04-13 07:25:57 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-04-13 05:58:14 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\e frontier
2007-04-13 02:15:53 -------- d-----w C:\Program Files\Microids
2007-04-11 23:23:36 -------- d-----w C:\Program Files\Real
2007-04-11 23:21:59 -------- d-----w C:\Program Files\Curious Labs
2007-04-10 09:15:04 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-10 09:15:03 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-10 07:21:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-04-08 17:09:24 -------- d-----w C:\Program Files\QuickTime
2007-04-08 16:49:06 -------- d-----w C:\Program Files\WinAVI MP4 Converter
2007-04-08 13:20:27 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\LimeWire
2007-04-06 21:25:36 -------- d-----w C:\Program Files\Apple Software Update
2007-04-05 16:41:06 -------- d-----w C:\Program Files\Toy Trouble
2007-03-31 18:37:06 -------- d-----w C:\DOCUME~1\Ahmed\APPLIC~1\WebCompiler3
2007-03-31 14:23:53 -------- d-----w C:\Program Files\The Weather Channel FW
2007-03-31 14:21:33 -------- d-----w C:\Program Files\Common Files\xing shared
2007-03-31 14:21:17 -------- d-----w C:\Program Files\Common Files\Real
2007-03-18 11:26:46 926,241 ----a-w C:\WINDOWS\system32\model.dat
2007-03-18 00:04:11 245,760 ----a-w C:\WINDOWS\system32\rlxf.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-21 17:13:13 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll [2007-03-29 07:31]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]
{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}=C:\Program Files\Common Files\Justdo\Jd2002.dll [2006-03-16 17:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 16:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2006-08-16 08:00]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe" [2007-01-12 09:26]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
*Newly Created Service* -PROCEXP90
Contents of the 'Scheduled Tasks' folder
2007-05-24 13:49:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-12-25 13:37:41 C:\WINDOWS\tasks\Registration reminder 1.job
2006-12-25 13:37:42 C:\WINDOWS\tasks\Registration reminder 2.job
2006-12-25 13:37:42 C:\WINDOWS\tasks\Registration reminder 3.job
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 10:29:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-26 10:29:48
C:\ComboFix-quarantined-files.txt ... 2007-05-26 10:29
C:\ComboFix2.txt ... 2007-05-26 10:21
--- E O F ---
NoLop log: i couldn't find C:\NoLop.txt with the search, so i just searched "nolop" and found a document, here it is:
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Ahmed\Desktop
[5/26/2007]
[10:05:51 AM]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\A8FAF1E29185683A.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**
---Listing AppData sub directories---
C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Intel
C:\Documents and Settings\Administrator\Application Data\Intervideo
C:\Documents and Settings\Administrator\Application Data\Intuit
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Toshiba
C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Ahmed\Application Data\Adobe
C:\Documents and Settings\Ahmed\Application Data\Adobeum
C:\Documents and Settings\Ahmed\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Ahmed\Application Data\Apple Computer
C:\Documents and Settings\Ahmed\Application Data\Avant Profiles
C:\Documents and Settings\Ahmed\Application Data\Avg7
C:\Documents and Settings\Ahmed\Application Data\Bang
C:\Documents and Settings\Ahmed\Application Data\Desknote
C:\Documents and Settings\Ahmed\Application Data\Dvdcss
C:\Documents and Settings\Ahmed\Application Data\E Frontier
C:\Documents and Settings\Ahmed\Application Data\Fotowire
C:\Documents and Settings\Ahmed\Application Data\Getrighttogo
C:\Documents and Settings\Ahmed\Application Data\Google
C:\Documents and Settings\Ahmed\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Ahmed\Application Data\Identities
C:\Documents and Settings\Ahmed\Application Data\Imesh
C:\Documents and Settings\Ahmed\Application Data\Intel
C:\Documents and Settings\Ahmed\Application Data\Intervideo
C:\Documents and Settings\Ahmed\Application Data\Intuit
C:\Documents and Settings\Ahmed\Application Data\Leadertech
C:\Documents and Settings\Ahmed\Application Data\Limewire
C:\Documents and Settings\Ahmed\Application Data\Lost Marble
C:\Documents and Settings\Ahmed\Application Data\Macromedia
C:\Documents and Settings\Ahmed\Application Data\Media Player Classic
C:\Documents and Settings\Ahmed\Application Data\Microsoft
C:\Documents and Settings\Ahmed\Application Data\Mozilla
C:\Documents and Settings\Ahmed\Application Data\Msninstaller
C:\Documents and Settings\Ahmed\Application Data\Musicip
C:\Documents and Settings\Ahmed\Application Data\Myspace
C:\Documents and Settings\Ahmed\Application Data\Nokia
C:\Documents and Settings\Ahmed\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Ahmed\Application Data\Opera -- EMPTY Directory
C:\Documents and Settings\Ahmed\Application Data\Pc Suite
C:\Documents and Settings\Ahmed\Application Data\Pc Tools
C:\Documents and Settings\Ahmed\Application Data\Pplive -- EMPTY Directory
C:\Documents and Settings\Ahmed\Application Data\Radialpoint
C:\Documents and Settings\Ahmed\Application Data\Real
C:\Documents and Settings\Ahmed\Application Data\Securom
C:\Documents and Settings\Ahmed\Application Data\Send Amen Sign
C:\Documents and Settings\Ahmed\Application Data\Sonic
C:\Documents and Settings\Ahmed\Application Data\Souptoys -- EMPTY Directory
C:\Documents and Settings\Ahmed\Application Data\Sun
C:\Documents and Settings\Ahmed\Application Data\Systweak
C:\Documents and Settings\Ahmed\Application Data\Talkback
C:\Documents and Settings\Ahmed\Application Data\Toshiba
C:\Documents and Settings\Ahmed\Application Data\Uniblue
C:\Documents and Settings\Ahmed\Application Data\Utorrent
C:\Documents and Settings\Ahmed\Application Data\Verizon
C:\Documents and Settings\Ahmed\Application Data\Webcompiler3
C:\Documents and Settings\Ahmed\Application Data\Yahoo!
C:\Documents and Settings\Ahmed\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Broderbund Llc
C:\Documents and Settings\All Users\Application Data\Broderbund Software
C:\Documents and Settings\All Users\Application Data\Digstream
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Intel
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Corporation -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Motive -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sendfreelicenseskip
C:\Documents and Settings\All Users\Application Data\Souptoys
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Winzip -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Yahoo -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Adobe
C:\Documents and Settings\Default User\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intel
C:\Documents and Settings\Default User\Application Data\Intervideo
C:\Documents and Settings\Default User\Application Data\Intuit
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Toshiba
C:\Documents and Settings\Default User\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:32:11 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ahmed\Desktop\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (file missing)
and here's a fl log, it wasn't called fl.bat it was just fl.
Volume in drive C is SQ004155P01
Volume Serial Number is E483-E8C8
Directory of C:\Documents and Settings\Administrator\Application Data
05/11/2006 11:56 AM <DIR> Adobe
02/11/2007 09:30 AM <DIR> AOL
03/02/2006 02:28 PM <DIR> Identities
12/25/2006 06:37 AM <DIR> Intel
03/03/2006 11:22 AM <DIR> InterVideo
03/02/2006 04:54 PM <DIR> Intuit
03/02/2006 05:29 PM <DIR> toshiba
03/02/2006 05:03 PM <DIR> You've Got Pictures Screensaver
0 File(s) 0 bytes
8 Dir(s) 48,349,454,336 bytes free
Volume in drive C is SQ004155P01
Volume Serial Number is E483-E8C8
Directory of C:\Documents and Settings\Ahmed\Application Data
05/09/2007 03:26 AM <DIR> Adobe
04/30/2007 11:40 AM <DIR> AdobeUM
02/11/2007 09:30 AM <DIR> AOL
02/20/2007 05:12 AM <DIR> Apple Computer
03/21/2007 12:29 AM <DIR> Avant Profiles
05/26/2007 04:55 AM <DIR> AVG7
04/27/2007 05:47 AM <DIR> bang
03/06/2007 02:30 PM <DIR> DeskNote
03/04/2007 01:10 PM <DIR> dvdcss
04/12/2007 10:58 PM <DIR> e frontier
04/28/2007 02:42 AM <DIR> FotoWire
04/29/2007 04:56 AM <DIR> GetRightToGo
02/10/2007 07:33 AM <DIR> Google
02/21/2007 10:17 AM <DIR> Help
03/02/2006 02:28 PM <DIR> Identities
05/23/2007 05:40 AM <DIR> iMesh
12/25/2006 06:37 AM <DIR> Intel
03/03/2006 11:22 AM <DIR> InterVideo
03/02/2006 04:54 PM <DIR> Intuit
02/08/2007 04:02 PM <DIR> Leadertech
04/08/2007 06:20 AM <DIR> LimeWire
03/20/2007 12:32 PM <DIR> Lost Marble
05/20/2007 04:39 AM <DIR> Macromedia
03/19/2007 09:02 AM <DIR> Media Player Classic
02/05/2007 09:01 AM <DIR> Mozilla
04/13/2007 01:39 AM <DIR> MSNInstaller
05/01/2007 12:09 AM <DIR> MusicIP
02/20/2007 02:28 AM <DIR> MySpace
02/18/2007 08:01 AM 5,692 NMM-MetaData.db
02/06/2007 07:51 AM <DIR> Nokia
02/16/2007 11:44 AM <DIR> Nokia Multimedia Player
04/20/2007 05:02 PM <DIR> Opera
02/18/2007 07:58 AM <DIR> PC Suite
03/13/2007 05:30 PM <DIR> PC Tools
04/24/2007 04:55 AM <DIR> PPLive
04/29/2007 06:15 AM <DIR> RadialPoint
02/11/2007 11:44 PM <DIR> Real
03/21/2007 12:34 AM <DIR> Send Amen Sign
04/15/2007 12:52 PM <DIR> Sonic
03/05/2007 10:09 AM <DIR> Souptoys
04/17/2007 11:08 AM <DIR> Sun
03/14/2007 03:33 PM <DIR> Systweak
03/23/2007 02:18 AM <DIR> Talkback
02/28/2007 03:48 PM <DIR> toshiba
03/14/2007 03:07 PM <DIR> Uniblue
04/15/2007 01:19 PM <DIR> uTorrent
03/08/2007 05:34 AM <DIR> Verizon
03/31/2007 11:37 AM <DIR> WebCompiler3
03/02/2006 05:03 PM <DIR> You've Got Pictures Screensaver
1 File(s) 5,692 bytes
48 Dir(s) 48,349,450,240 bytes free
Volume in drive C is SQ004155P01
Volume Serial Number is E483-E8C8
Directory of C:\Documents and Settings\All Users\Application Data
04/13/2007 12:24 AM <DIR> Adobe
04/13/2007 12:26 AM <DIR> Adobe Systems
04/11/2007 04:17 PM <DIR> AOL
04/06/2007 02:25 PM <DIR> Apple Computer
03/21/2007 12:09 AM <DIR> avg7
02/11/2007 02:50 AM <DIR> Broderbund LLC
02/11/2007 03:02 AM <DIR> Broderbund Software
03/02/2006 04:16 PM <DIR> DIGStream
02/11/2007 09:33 AM <DIR> Google
03/21/2007 12:06 AM <DIR> Grisoft
04/28/2007 10:09 AM <DIR> HP
04/28/2007 10:46 AM 1,643 hpzinstall.log
04/28/2007 02:42 AM 770 Installer.log
12/25/2006 06:38 AM <DIR> Intel
03/02/2006 04:54 PM <DIR> Intuit
05/20/2007 04:37 AM <DIR> Macrovision
03/13/2007 04:09 PM <DIR> McAfee.com
04/13/2007 01:50 AM <DIR> Microsoft Corporation
03/08/2007 05:30 AM <DIR> Motive
02/06/2007 07:50 AM <DIR> PC Suite
03/02/2006 05:02 PM <DIR> Pure Networks
02/20/2007 02:45 AM <DIR> QuickTime
03/21/2007 12:34 AM <DIR> Sendfreelicenseskip
03/05/2007 10:09 AM <DIR> Souptoys
04/13/2007 01:50 AM <DIR> TEMP
02/06/2007 04:04 AM <DIR> Windows Genuine Advantage
03/17/2007 03:27 PM <DIR> WinZip
04/29/2007 05:11 AM <DIR> Yahoo
04/29/2007 07:17 AM <DIR> yahoo!
04/29/2007 09:45 AM <DIR> Yahoo! Companion
2 File(s) 2,413 bytes
28 Dir(s) 48,349,446,144 bytes free
Volume in drive C is SQ004155P01
Volume Serial Number is E483-E8C8
Directory of C:\Documents and Settings\Default User\Application Data
12/25/2006 06:37 AM <DIR> .
12/25/2006 06:37 AM <DIR> ..
03/02/2006 06:19 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 48,349,446,144 bytes free
Volume in drive C is SQ004155P01
Volume Serial Number is E483-E8C8
Directory of C:\Documents and Settings\LocalService\Application Data
Volume in drive C is SQ004155P01
Volume Serial Number is E483-E8C8
Directory of C:\Documents and Settings\NetworkService\Application Data
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/24/2007 6:49:00
NextRun: 05/31/2007 6:49:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: ....R..
StartDate: 04/06/2007
EndDate: 00/00/0000
StartTime: 06:49
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'Registration reminder 1.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\WINDOWS\system32\OOBE\oobebaln.exe'
Parameters: '/sys /r /n:1'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Once
StartDate: 12/26/2006
EndDate: 00/00/0000
StartTime: 00:05
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'Registration reminder 2.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\WINDOWS\system32\OOBE\oobebaln.exe'
Parameters: '/sys /r /n:2'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Once
StartDate: 12/27/2006
EndDate: 00/00/0000
StartTime: 00:05
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'Registration reminder 3.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\WINDOWS\system32\OOBE\oobebaln.exe'
Parameters: '/sys /r /n:3'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Once
StartDate: 01/01/2007
EndDate: 00/00/0000
StartTime: 00:05
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
-
NOTE: IF, and only if you have problems connecting to the Internet after doing any of the above
Do the following
Close down any open windows
Go to Start>>Run>>type in cmd
At the prompt type in the following exactly as posted below in bold
netsh winsock reset catalog
Hit Enter on your keyboard
Restart your computer
[/quote]
i didn't do that part cause i dunno if i had to, im still using the internet now.
And just 1 q, im worried, do i have a keylogger?
edit
And i still can't uninstall NetBus Pro, it says the same thing
-
Go to Start>>Run>>type in cmd
At the prompt type in the following exactly as posted below in bold
netsh winsock reset catalog
Hit Enter on your keyboard
Restart your computer
As I mentioned, IF, and only if you have problems connecting to the Internet after doing any of the above
You have no Internet connection problems, so don't worry about it
I still want you to do the following
Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer:
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
C:\WINDOWS\system32\rlxf.dll
C:\Program Files\NetBus Pro
C:\Documents and Settings\Ahmed\Application Data\Send Amen Sign
C:\Documents and Settings\All Users\Application Data\Sendfreelicenseskip
======================================================
- Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "MoveIt!" button.
- Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt will create a log here
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
I'll need to see it later
Here's some info on Netbus
http://www.symantec.com/avcenter/attack_sigs/s20316.html
I would opt to change passwords to online accounts, such as email, etc.. later after we do the below
Just to be safe
Can we run one more scanner on your computer
I see you use the AVG7 AV scanner; can we run its Anti-Spyware scanner also
Download AVG Anti-Spyware 7.5 (http://www.ewido.net/en/download/)
- Save the installer to desktop
- Double click the installer, select your language, and then select "OK"
- Click NEXT>>>Select I Agree>>>NEXT>>>INSTALL
- AVG will now install and afterwards click FINISH
- AVG Anti-Spyware 7.5 should now Load
- Click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top
- Click the "Settings" tab and then change the recommended action under "How to Act" to Quarantine and ensure that "Automatically generate report after every scan" IS selected and
"Only if Threats are found" IS NOT selected
CLOSE AVG-Antispyware for now, as we will need it later
An AVG icon will be placed in your system tray next to your clock; can you right-click on it and uncheck
"Resident Shield" , "Automatic updates" and "Start with Windows"
Do a "System scan only" with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
Load AVG Anti-Spyware 7.5
- Click on the Scanner tab at the top
- Click on Complete System Scan.
This scan can take a while to run, let it run uninterrupted
- When the scan is complete it will list any infections found on the left hand side.
- Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file (like on the Desktop).
I will need to see this log later
Restart the computer back to Normal windows
Post back all the following please
1. Post a fresh hijackthis log
2. Post the whole report from AVG Anti-Spyware
3. You appeared to have run Combofix twice, can you navigate to this file
C:\ComboFix-quarantined-files.txt>>Post the contents
4. Post the contents of the log from OTMoveIT>>C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
-
I did everything; when I got to the part where I have to install AVG, I downloaded it 100% but when I tried installing it said:
(http://i63.photobucket.com/albums/h133/moataz339/SCANN.jpg)
-
Try redownloading it and try again, it looks as if the download was corrupt or incomplete
If still no joy try this direct download location
http://free.grisoft.com/softw/70free/setup/avgas-setup-7.5.0.50.exe
-
I went to the direct link... downloaded 100%
Still no luck.
-
Try the following instead then
Temporarily disable AVG realtime protection
Double click on AVG icon by the clock
Right click on Resident Shield>>left click Properties
Uncheck "Turn On AVG Resident Shield..."
Apply and OK out of there
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look whether you can click the next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured.
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
-
Here is Dr.Web CureIt's log:
backup-20070526-095615-660.dll;C:\Documents and Settings\Ahmed\Desktop\HJT\backups;Adware.NewDotNet;Incurable.Moved.;
bpk.exe;C:\Program Files\BPK;Trojan.Peflog.148;Deleted.;
bpkhk.dll;C:\Program Files\BPK;Trojan.Peflog.148;Deleted.;
bpkr.exe;C:\Program Files\BPK;Trojan.Peflog.152;Deleted.;
bpkun.exe;C:\Program Files\BPK;Trojan.Peflog.149;Deleted.;
funny.exe;C:\Program Files\Yahoo Funny 2.1;Modification of BackDoor.Generic.870;Moved.;
NDNuninstall6_38.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
NDNuninstall7_48.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
A0040102.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP101;Adware.Relevant;Incurable.Moved.;
A0040104.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP101;Adware.NewDotNet;Incurable.Moved.;
A0042220.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP102;Trojan.Swizzor;Deleted.;
A0042222.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP102;Trojan.Swizzor;Deleted.;
A0044651.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105;Adware.Whenu;Incurable.Moved.;
A0044652.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105;Adware.SaveNow;Incurable.Moved.;
A0044666.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105;Adware.Hotbar;Incurable.Moved.;
A0044671.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105;Adware.Hotbar;Incurable.Moved.;
A0044672.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105;Adware.Hotbar;Incurable.Moved.;
A0049214.EXE;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP121;Adware.NewDotNet;Incurable.Moved.;
A0049575.ocx;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP122;Adware.Gdown;Incurable.Moved.;
A0051616.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP138;Trojan.Hooker.31;Deleted.;
A0066765.ocx;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP180;Trojan.Isbar.439;Deleted.;
A0077192.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP200;BackDoor.NetBus.20;Deleted.;
A0077202.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP201;BackDoor.NetBus.20;Deleted.;
A0077208.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP201;BackDoor.NetBus.210;Deleted.;
A0077209.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP201;BackDoor.NetBus.20;Deleted.;
A0077409.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Adware.NewDotNet;Incurable.Moved.;
A0077410.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Adware.NewDotNet;Incurable.Moved.;
A0077412.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Adware.NewDotNet;Incurable.Moved.;
A0077444.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Adware.NewDotNet;Incurable.Moved.;
A0077445.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Adware.NewDotNet;Incurable.Moved.;
A0077522.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Trojan.Peflog.148;Deleted.;
A0077523.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Trojan.Peflog.148;Deleted.;
A0077524.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Trojan.Peflog.152;Deleted.;
A0077525.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Trojan.Peflog.149;Deleted.;
A0077526.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP202;Modification of BackDoor.Generic.870;Moved.;
actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;
glsateg.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
I also turned AVG on again after the scan.
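Added example (not from the thread): a small Python script that reads a report in the semicolon-separated Dr.Web CureIt layout shown above and sorts the findings into live detections, System Restore copies, and copies already sitting in another tool's quarantine, so it is clear which hits warrant a password change and which ones the later restore-point cleanup disposes of. The sample lines are constructed from the entries above; the quarantine folder names are assumed from the paths mentioned in this thread.

```python
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the Dr.Web CureIt report above:
# file;directory;threat name;action;   (one detection per line)
SAMPLE_REPORT = r"""
bpk.exe;C:\Program Files\BPK;Trojan.Peflog.148;Deleted.;
bpkhk.dll;C:\Program Files\BPK;Trojan.Peflog.148;Deleted.;
funny.exe;C:\Program Files\Yahoo Funny 2.1;Modification of BackDoor.Generic.870;Moved.;
NDNuninstall6_38.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
A0077192.exe;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP200;BackDoor.NetBus.20;Deleted.;
A0044651.dll;C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105;Adware.Whenu;Incurable.Moved.;
actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;
"""

# Directories holding copies made by other tools rather than the running
# infection (assumed from the paths mentioned in this thread): System Restore
# snapshots, ComboFix's Qoobox quarantine, HijackThis backups and Dr.Web's
# own quarantine folder.
RESTORE_MARKER = r"\system volume information\_restore"
QUARANTINE_MARKERS = (r"\qoobox\quarantine", r"\hjt\backups", r"\doctorweb\quarantaine")


@dataclass(frozen=True)
class Finding:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def family(self) -> str:
        # "Modification of BackDoor.Generic.870" -> "BackDoor"
        return self.threat.removeprefix("Modification of ").split(".", 1)[0]

    @property
    def location(self) -> str:
        d = self.directory.casefold()
        if RESTORE_MARKER in d:
            return "restore-point"
        if any(marker in d for marker in QUARANTINE_MARKERS):
            return "quarantine"
        return "live"


def parse_report(text: str) -> list[Finding]:
    """Parse the semicolon-separated report; the action's trailing '.' is dropped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            raise ValueError(f"unexpected Dr.Web report line: {line!r}")
        name, directory, threat, action = fields[:4]
        findings.append(Finding(name, directory, threat, action.rstrip(".")))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Count findings by location and family; list live backdoors/trojans."""
    # Live backdoors and trojans are the hits that justify changing passwords;
    # restore-point copies are what purging old restore points later disposes of.
    credential_risk = sorted(
        f.path for f in findings
        if f.location == "live" and f.family in ("BackDoor", "Trojan")
    )
    return {
        "by_location": dict(Counter(f.location for f in findings)),
        "by_family": dict(Counter(f.family for f in findings)),
        "credential_risk": credential_risk,
    }


if __name__ == "__main__":
    # Pass the saved DrWeb.csv as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    for key, value in triage(parse_report(text)).items():
        print(f"{key}: {value}")
```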
-
Let's go back a couple of replies and post these other logs
1. Post a fresh hijackthis log
2. Post the whole report from AVG Anti-Spyware
3. You appeared to have run Combofix twice, can you navigate to this file
C:\ComboFix-quarantined-files.txt>>Post the contents
4. Post the contents of the log from OTMoveIT>>C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
-
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 2:48:26 PM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\Ahmed\Desktop\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart (http://\"http://www.toshibadirect.com/dpdstart\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart (http://\"http://www.toshibadirect.com/dpdstart\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (file missing)
COMBOFIX:
2007-03-17 16:59 50688 --a------ C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir
2007-03-17 17:02 183808 --a------ C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall7_48.exe.vir
Folder PATH listing for volume SQ004155P01
Volume serial number is E483-E8C8
C:\QOOBOX
\---Quarantine
+---C
| \---WINDOWS
| NDNuninstall6_38.exe.vir
| NDNuninstall7_48.exe.vir
|
\---Registry_backups
MOVEIT:
LoadLibrary failed for C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\rlxf.dll NOT unregistered.
C:\WINDOWS\system32\rlxf.dll moved successfully.
C:\Program Files\NetBus Pro\Skin moved successfully.
C:\Program Files\NetBus Pro moved successfully.
C:\Documents and Settings\Ahmed\Application Data\Send Amen Sign moved successfully.
C:\Documents and Settings\All Users\Application Data\Sendfreelicenseskip moved successfully.
Created on 05/26/2007 11:29:02
-
I don't think you're running HijackThis properly, let's try another run with it
Double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
C:\Program Files\BPK
C:\Program Files\A8GSdsApp
======================================================
- Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "MoveIt!" button.
- Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt will create a log here
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Can you do this again, and read this closely
Do a "System scan only" with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Come back here and post a fresh hijackthis logfile
and again the new log from OTMoveIt
Let me also know how things are running
-
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 3:17:38 PM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ahmed\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Ahmed\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\dumprep.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart (http://\"http://www.toshibadirect.com/dpdstart\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart (http://\"http://www.toshibadirect.com/dpdstart\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (file missing)
MoveIt log
C:\Program Files\BPK moved successfully.
C:\Program Files\A8GSdsApp\report moved successfully.
C:\Program Files\A8GSdsApp\output moved successfully.
C:\Program Files\A8GSdsApp\help moved successfully.
C:\Program Files\A8GSdsApp moved successfully.
Created on 05/26/2007 15:08:24
I don't know what I did wrong in HijackThis, I followed your directions
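Added example (not from the thread): a Python script that diffs two HijackThis logs and checks whether the entries ticked for FIX CHECKED are gone from the later log, which is how a helper confirms the fix actually took. The excerpts are constructed from the 2:48 PM and 3:17 PM logs in this thread, trimmed to the lines that matter.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in the thread
# (2:48 PM before FIX CHECKED, 3:17 PM after), trimmed to the relevant lines.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Ahmed\Desktop\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Documents and Settings\Ahmed\Desktop\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
"""

# The three entries the helper asked to have ticked and fixed.
FIX_TARGETS = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
]

# HijackThis entry lines start with a section code such as R0-R3, F0-F3, O1-O24.
ENTRY_RE = re.compile(r"^[RFO]\d{1,2} - ")


def normalize(line: str) -> str:
    """Whitespace- and case-insensitive form (registry paths are case-insensitive)."""
    return " ".join(line.split()).casefold()


def parse_hjt(text: str) -> tuple[list[str], list[str]]:
    """Split a HijackThis log into its running-process list and its R/F/O entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False  # the process list ends at the first entry
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return processes, entries


def diff_hjt(before: str, after: str) -> dict[str, list[str]]:
    """Entries and processes that disappeared or appeared between two logs."""
    procs_b, entries_b = parse_hjt(before)
    procs_a, entries_a = parse_hjt(after)
    nb = {normalize(e): e for e in entries_b}
    na = {normalize(e): e for e in entries_a}
    return {
        "removed_entries": sorted(nb[k] for k in nb.keys() - na.keys()),
        "added_entries": sorted(na[k] for k in na.keys() - nb.keys()),
        "gone_processes": sorted(set(procs_b) - set(procs_a)),
        "new_processes": sorted(set(procs_a) - set(procs_b)),
    }


def unresolved_targets(log: str, targets: list[str]) -> list[str]:
    """Entries from a FIX CHECKED list that are still present in a log."""
    present = {normalize(e) for e in parse_hjt(log)[1]}
    return [t for t in targets if normalize(t) in present]


if __name__ == "__main__":
    for key, value in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {value}")
    print("still present after fix:", unresolved_targets(LOG_AFTER, FIX_TARGETS))
```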
-
How are things running now??
The last 2 folders we removed were related to keyloggers
I suggest that you change your passwords to online gaming, forums, email,etc....
Do the above and let me know how things are running and we'll do some final steps
-
EDIT>>>I see you deleted your last reply
I'll just leave this post anyways
I suggest that you change your passwords to online gaming, forums, email,etc....
Do the above and let me know how things are running and we'll do some final steps
Did you change passwords??? <--Don't hesitate to do this
How are things running??
Final steps, clear restore points, remove unneeded tools, etc..
-
OK, changed Yahoo pass etc... But there is 1 problem...... NetBus Pro still can't get uninstalled
-
We removed the NetBus Pro folder; some programs just refuse to go away via the uninstall method
Let's remove it from add/remove programs list
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Highlight NetBus Pro and then select "Delete this entry"
Ok the prompt
How are things running?
-
OK, it's gone, we can run some final steps as you said
-
By the way, it looks like AVG quarantined the related uninstaller .dll
That's probably the main reason it won't uninstall; it is probably safer removing it manually as we did
Some programs don't like to wholly remove anyway
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Find and delete these files/ folders
FILES
c:\findlop.txt <-file
C:\ComboFix-quarantined-files.txt
C:\ComboFix2.txt
C:\NoLop.txt
Dr.Webcureit.exe on desktop
Combofix.exe on desktop
Folders:
C:\_OTMoveIt
C:\Documents and Settings\Ahmed\DoctorWeb
C:\Combofix
C:\Qoobox
C:\NoLopBackups
Reset Windows to Hide hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do Not Show hidden files and folders.
* Check the Hide protected operating system files (recommended) option.
* Click OK.
If everything is running better
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
Spybot 1.4, this is a free spyware scanner, I suggest that you install it and keep it
You can download it from
HERE (http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1)
Install with default settings that are selected
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
RIGHT CLICK in the download results and click Select All
OR
Individually Check, and then download all updates
Ensure all updates are successful, a GREEN check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
RESTART the computer to finish any cleaning process
In addition, utilize the Immunization feature
After every update
Click the "Immunize" button>>OK the prompt>>Immunize again at the top green cross
If there are other user profiles on the computer, have them login and enable all protections with Spywareblaster
and Immunize with Spybot after every update
Be very careful what you download, before you open a file, right click on it and scan it with your Virus scanner
I hope that helps
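The Folder Options steps and the "find and delete these files/folders" list above, written as one PowerShell script. This is an added example, not something posted in the thread, and it assumes the same user profile name ("Ahmed") and the same leftover paths the helper listed; the Explorer settings are changed through the registry values that the Folder Options dialog itself writes.

```powershell
# Added example (not from the thread): automates the helper's cleanup steps.
# Assumptions: user profile "Ahmed" and the leftover paths exactly as listed above.
# Run as the same user who ran the removal tools.

# Explorer stores the Folder Options "View" settings here.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-HiddenFiles {
    # Hidden: 1 = show hidden files, 2 = do not show.
    # ShowSuperHidden: 1 = show protected operating system files.
    # HideFileExt: 0 = show extensions for known file types.
    Set-ItemProperty -Path $advanced -Name Hidden -Value 1
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0
}

function Hide-HiddenFiles {
    # Mirrors the "Reset Windows to Hide hidden files and folders" steps.
    Set-ItemProperty -Path $advanced -Name Hidden -Value 2
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0
}

# Files and folders left behind by the removal tools, as listed in the thread.
$desktop = [Environment]::GetFolderPath('Desktop')
$leftovers = @(
    'C:\findlop.txt',
    'C:\ComboFix-quarantined-files.txt',
    'C:\ComboFix2.txt',
    'C:\NoLop.txt',
    (Join-Path $desktop 'Dr.Webcureit.exe'),
    (Join-Path $desktop 'Combofix.exe'),
    'C:\_OTMoveIt',
    'C:\Documents and Settings\Ahmed\DoctorWeb',   # assumed profile name from the thread
    'C:\Combofix',
    'C:\Qoobox',
    'C:\NoLopBackups'
)

function Remove-Leftovers {
    param([string[]]$Paths, [switch]$WhatIf)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Write-Host "Removing $p"
            # -Force is needed because several of these tools mark their folders hidden.
            Remove-Item -LiteralPath $p -Recurse -Force -WhatIf:$WhatIf
        } else {
            Write-Host "Not present: $p"
        }
    }
}

Show-HiddenFiles
Remove-Leftovers -Paths $leftovers -WhatIf   # dry run first; drop -WhatIf to delete
Hide-HiddenFiles
```

Run it once with `-WhatIf` to see exactly which of the listed paths still exist, then again without it to delete them. `Remove-Item -Force` removes hidden items whether or not Explorer is set to show them, so the two registry functions only matter if you want to inspect the folders in Explorer before deleting; Explorer picks the new values up the next time a window is opened.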
-
I tried for a long time to download SpywareBlaster from most of the links and it doesn't work
-
Not sure what you mean, try this link
http://www.javacoolsoftware.net.nyud.net:8090/downloads/spywareblastersetup351.exe
-
OK, I've done everything finally, is my comp safe now?
-
[quote name='Moe C' post='331268' date='May 26 2007, 05:12 PM']OK, I've done everything finally, is my comp safe now?[/quote]
Should be, but I asked this question 3 or 4 times and you never gave me a reply
HOW IS EVERYTHING RUNNING NOW>>????
-
Sorry, yeah, I noticed that
it was slow when I downloaded all the stuff you told me but now it's OK
THX A LOT, U R THE BEST
all done in 1 day
-
Good work
Remember, be careful on what you download
Keep AVG updated and occasionally let it scan your computer
I'll lock this topic as your problems appear to be resolved
Take care Moe C