Possible Keylogger [Closed]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Possible Keylogger [Closed], Need help verifying that it's gone (pdated with OTL log)

Options

Baggaviagra View Member Profile	Jul 25 2009, 03:01 PM Post #1
New Member Posts: 2 OS: Windows 7	I think I may have obtained a keylogger from a malicious link on the World of Warcraft forums. I've run NOD32 antivirus scans, as well as windows defender and spybot seek&destroy. I want to make sure it's gone. Here is my OTL log. I've also attached the log file itself. OTL logfile created on: 7/25/2009 11:48:26 AM - Run 1 OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Patrick\Desktop 64bit- Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation Internet Explorer (Version = 8.0.7100.0) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 4.00 Gb Total Physical Memory \| 2.49 Gb Available Physical Memory \| 62.25% Memory free 4.00 Gb Paging File \| 4.00 Gb Available in Paging File \| 100.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\Windows \| %ProgramFiles% = C:\Program Files (x86) Drive C: \| 222.15 Gb Total Space \| 154.05 Gb Free Space \| 69.35% Space Free \| Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: PATRICK-PC Current User Name: Patrick Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Include 64bit Scans Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2009/04/09 15:19:08 \| 00,731,840 \| ---- \| M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe PRC - [2009/06/05 06:40:20 \| 00,056,680 \| ---- \| M] (Absolute Software Corp.) -- C:\Windows\SysWOW64\rpcnet.exe PRC - [2009/07/25 08:06:53 \| 00,148,888 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jusched.exe PRC - [2009/03/05 16:07:20 \| 02,260,480 \| RHS- \| M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe PRC - [2009/07/25 11:44:26 \| 00,513,536 \| ---- \| M] (OldTimer Tools) -- C:\Users\Patrick\Desktop\OTL.exe ========== Win32 Services (SafeList) ========== SRV:64bit: - [2009/04/21 19:38:59 \| 00,032,256 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\appidsvc.dll -- (AppIDSvc [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:38:59 \| 00,193,024 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:39:03 \| 00,114,688 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\AxInstSV.dll -- (AxInstSV [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:39:06 \| 00,100,864 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\bdesvc.dll -- (BDESVC [Unknown \| Stopped]) SRV:64bit: - [2009/04/21 19:39:08 \| 00,083,968 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\bthserv.dll -- (bthserv [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:39:25 \| 00,689,152 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\cscsvc.dll -- (CscService [Auto \| Running]) SRV:64bit: - [2009/04/21 19:39:29 \| 00,291,328 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\defragsvc.dll -- (defragsvc [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:39:30 \| 00,314,880 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp [Auto \| Running]) SRV:64bit: - [2009/04/09 15:29:24 \| 00,023,296 \| ---- \| M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv [On_Demand \| Stopped]) SRV:64bit: - [2009/04/09 15:19:08 \| 00,731,840 \| ---- \| M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn [Auto \| Running]) SRV:64bit: - [2009/04/21 19:38:06 \| 00,689,152 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\fxssvc.exe -- (Fax [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:39:46 \| 01,126,400 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\FntCache.dll -- (FontCache [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:40:08 \| 00,235,520 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\ListSvc.dll -- (HomeGroupListener [On_Demand \| Running]) SRV:64bit: - [2009/04/21 19:40:56 \| 00,187,392 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\provsvc.dll -- (HomeGroupProvider [On_Demand \| Running]) SRV:64bit: - [2009/04/21 19:40:54 \| 00,327,168 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\pnrpsvc.dll -- (p2pimsvc [On_Demand \| Running]) SRV:64bit: - [2009/04/21 19:40:52 \| 01,361,920 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\peerdistsvc.dll -- (PeerDistSvc [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:40:54 \| 00,025,088 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\pnrpauto.dll -- (PNRPAutoReg [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:40:54 \| 00,327,168 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\pnrpsvc.dll -- (PNRPsvc [On_Demand \| Running]) SRV:64bit: - [2009/04/21 19:41:29 \| 00,164,352 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\umpo.dll -- (Power [Auto \| Running]) SRV:64bit: - [2009/04/21 19:40:58 \| 00,067,072 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\RpcEpMap.dll -- (RpcEptMapper [Unknown \| Running]) SRV:64bit: - [2009/04/21 19:41:01 \| 00,029,184 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\sensrsvc.dll -- (SensrSvc [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:38:24 \| 03,524,608 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\sppsvc.exe -- (sppsvc [Auto \| Stopped]) SRV:64bit: - [2009/04/21 19:41:20 \| 00,065,536 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\sppuinotify.dll -- (sppuinotify [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:41:26 \| 00,044,544 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\themeservice.dll -- (Themes [Auto \| Running]) SRV:64bit: - [2009/04/21 19:41:29 \| 00,195,072 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:38:44 \| 01,503,744 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\wbengine.exe -- (wbengine [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:41:31 \| 00,201,216 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\wbiosrvc.dll -- (WbioSrvc [On_Demand \| Stopped]) SRV:64bit: - [2009/04/21 19:40:14 \| 01,011,200 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto \| Running]) SRV:64bit: - [2009/04/21 19:38:49 \| 01,529,856 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto \| Running]) SRV:64bit: - [2009/04/21 19:41:48 \| 00,228,352 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysNative\wwansvc.dll -- (WwanSvc [On_Demand \| Stopped]) SRV - [2009/04/04 10:05:06 \| 00,067,424 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand \| Stopped]) SRV - [2009/04/04 10:04:26 \| 00,090,976 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand \| Stopped]) SRV - [2009/04/21 19:20:14 \| 00,252,928 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysWow64\dhcpcore.dll -- (Dhcp [Auto \| Running]) SRV - [2009/04/21 19:38:04 \| 00,696,832 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand \| Stopped]) SRV - [2009/04/21 19:38:04 \| 00,128,512 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand \| Stopped]) SRV - [2009/04/04 10:04:48 \| 00,043,904 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand \| Stopped]) SRV - [2009/04/21 19:21:43 \| 00,164,864 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysWow64\provsvc.dll -- (HomeGroupProvider [On_Demand \| Running]) SRV - [2009/04/04 10:04:14 \| 00,857,440 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown \| Stopped]) SRV - [2009/04/21 19:20:43 \| 00,019,456 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysWow64\keyiso.dll -- (KeyIso [On_Demand \| Running]) SRV - [2006/10/27 00:47:54 \| 00,065,824 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand \| Stopped]) SRV - [2009/04/21 21:16:43 \| 00,000,000 \| ---D \| M] -- C:\Windows\SysWow64\Msdtc -- (MSDTC [Unknown \| Stopped]) SRV - [2009/04/21 19:21:18 \| 00,561,152 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\SysWow64\netlogon.dll -- (Netlogon [On_Demand \| Stopped]) SRV - [2006/10/26 19:49:34 \| 00,441,136 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand \| Stopped]) SRV - [2006/10/26 14:03:08 \| 00,145,184 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand \| Stopped]) SRV - [2009/06/05 06:40:20 \| 00,056,680 \| ---- \| M] (Absolute Software Corp.) -- C:\Windows\SysWOW64\rpcnet.exe -- (rpcnet [Auto \| Running]) SRV - [2009/04/21 14:32:06 \| 00,061,056 \| ---- \| M] () -- C:\Windows\SysWow64\Wbem\vds.mof -- (vds [On_Demand \| Stopped]) SRV - [2009/04/21 21:16:44 \| 00,000,000 \| ---D \| M] -- C:\Windows\Vss -- (VSS [On_Demand \| Stopped]) SRV - [2009/01/26 15:31:10 \| 01,153,368 \| ---- \| M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService [Auto \| Stopped]) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 C4 7A 10 CF 07 CA 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "www.drudgereport.com" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14 FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1 FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.7 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1 FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/04/21 23:45:19 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2009/07/17 20:37:25 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2009/07/25 08:07:02 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009/07/10 17:17:49 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\mozilla\Extensions [2009/07/10 17:17:49 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/07/25 11:16:14 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\mozilla\Firefox\Profiles\4xv99m0y.default\extensions [2009/07/11 10:55:29 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\mozilla\Firefox\Profiles\4xv99m0y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2009/07/25 11:16:11 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\mozilla\Firefox\Profiles\4xv99m0y.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} [2009/07/14 12:24:35 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\mozilla\Firefox\Profiles\4xv99m0y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2009/07/25 08:07:06 \| 00,000,000 \| ---D \| M] -- C:\Program Files (x86)\mozilla firefox\extensions [2009/07/17 20:37:25 \| 00,000,000 \| ---D \| M] -- C:\Program Files (x86)\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/07/25 08:07:06 \| 00,000,000 \| ---D \| M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2009/07/17 20:37:24 \| 00,023,544 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browserdirprovider.dll [2009/07/17 20:37:24 \| 00,137,208 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\brwsrcmp.dll [2009/07/25 08:06:54 \| 00,410,984 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeploytk.dll [2009/07/20 09:33:17 \| 00,226,816 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npdrmv2.dll [2009/07/20 09:31:29 \| 00,364,544 \| ---- \| M] (Microsoft Corporation (written by Digital Renaissance Inc.)) -- C:\Program Files (x86)\mozilla firefox\plugins\npdsplay.dll [2009/07/17 20:37:24 \| 00,065,016 \| ---- \| M] (mozilla.org) -- C:\Program Files (x86)\mozilla firefox\plugins\npnul32.dll [2009/07/20 09:32:12 \| 00,010,240 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npwmsdrm.dll [2009/06/24 01:27:00 \| 00,001,394 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom.xml [2009/06/24 01:27:00 \| 00,002,193 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml [2009/06/24 01:27:00 \| 00,001,534 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml [2009/06/24 01:27:00 \| 00,002,344 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay.xml [2009/06/24 01:27:00 \| 00,002,371 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\google.xml [2009/06/24 01:27:00 \| 00,001,178 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia.xml [2009/06/24 01:27:00 \| 00,000,792 \| ---- \| M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo.xml O1 HOSTS File: (824 bytes) - C:\Windows\SysNative\drivers\etc\Hosts O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET) O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL (NVIDIA Corporation) O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation) O4 - HKLM..\Run: [QuickTime Task] C:\Program Files (x86)\QuickTime\QTTask.exe (Apple Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKCU..\Run: [Google Update] C:\Users\Patrick\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.) O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17 O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.25.227.55 66.75.160.63 24.25.227.56 O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18:64bit: - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation) O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\Windows\SysWow64\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - File not found ========== Files/Folders - Created Within 14 Days ========== [2009/07/25 11:44:20 \| 00,513,536 \| ---- \| C] (OldTimer Tools) -- C:\Users\Patrick\Desktop\OTL.exe [2009/07/25 10:31:32 \| 00,002,097 \| ---- \| C] () -- C:\Users\Patrick\Desktop\HijackThis.lnk [2009/07/25 10:31:31 \| 00,000,000 \| ---D \| C] -- C:\Program Files (x86)\Trend Micro [2009/07/25 10:20:14 \| 00,001,158 \| ---- \| C] () -- C:\Users\Public\Desktop\Keylogger Detector.lnk [2009/07/25 10:20:13 \| 00,000,000 \| ---D \| C] -- C:\Program Files (x86)\Flyos [2009/07/25 08:43:30 \| 00,001,262 \| ---- \| C] () -- C:\Users\Patrick\Desktop\Spybot - Search & Destroy.lnk [2009/07/25 08:43:22 \| 00,000,000 \| ---D \| C] -- C:\ProgramData\Spybot - Search & Destroy [2009/07/25 08:43:22 \| 00,000,000 \| ---D \| C] -- C:\Program Files (x86)\Spybot - Search & Destroy [2009/07/25 08:34:15 \| 00,000,000 \| ---D \| C] -- C:\Users\Patrick\AppData\Local\ESET [2009/07/25 08:06:51 \| 00,000,000 \| ---D \| C] -- C:\Program Files (x86)\Java [2009/07/25 08:06:24 \| 00,000,000 \| ---D \| C] -- C:\ProgramData\McAfee [2009/07/24 10:32:37 \| 00,000,000 \| ---D \| C] -- C:\Users\Patrick\AppData\Local\ElevatedDiagnostics [2009/07/16 15:53:22 \| 00,000,000 \| ---D \| C] -- C:\Users\Patrick\AppData\Roaming\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1 [2009/07/16 15:53:20 \| 00,000,000 \| ---D \| C] -- C:\Program Files (x86)\Seesmic Desktop [2009/06/04 16:59:11 \| 00,000,262 \| ---- \| C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini [2009/06/04 09:57:58 \| 00,017,408 \| ---- \| C] () -- C:\Windows\SysWow64\rpcnetp.dll [2009/04/21 20:37:02 \| 00,000,478 \| ---- \| C] () -- C:\Windows\win.ini [2009/04/21 20:37:02 \| 00,000,219 \| ---- \| C] () -- C:\Windows\system.ini [2009/04/21 17:40:32 \| 00,064,000 \| ---- \| C] () -- C:\Windows\SysWow64\BWContextHandler.dll [2009/04/21 15:04:20 \| 00,364,544 \| ---- \| C] () -- C:\Windows\SysWow64\msjetoledb40.dll [2008/10/09 20:36:28 \| 00,003,584 \| ---- \| C] () -- C:\Windows\SysWow64\wceprv.dll [2008/10/07 09:13:30 \| 00,197,912 \| ---- \| C] () -- C:\Windows\SysWow64\physxcudart_20.dll [2008/10/07 09:13:22 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll [2008/10/07 09:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll ========== Files - Modified Within 14 Days ========== [2009/07/25 11:44:26 \| 00,513,536 \| ---- \| M] (OldTimer Tools) -- C:\Users\Patrick\Desktop\OTL.exe [2009/07/25 11:02:02 \| 00,000,916 \| ---- \| M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3000932347-3461257071-3217081654-1000UA.job [2009/07/25 10:31:32 \| 00,002,097 \| ---- \| M] () -- C:\Users\Patrick\Desktop\HijackThis.lnk [2009/07/25 10:20:14 \| 00,001,158 \| ---- \| M] () -- C:\Users\Public\Desktop\Keylogger Detector.lnk [2009/07/25 08:43:30 \| 00,001,262 \| ---- \| M] () -- C:\Users\Patrick\Desktop\Spybot - Search & Destroy.lnk [2009/07/25 08:42:40 \| 00,013,392 \| -H-- \| M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2009/07/25 08:42:40 \| 00,013,392 \| -H-- \| M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2009/07/25 08:39:41 \| 00,713,888 \| ---- \| M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2009/07/25 08:39:41 \| 00,615,360 \| ---- \| M] () -- C:\Windows\SysNative\perfh009.dat [2009/07/25 08:39:41 \| 00,103,702 \| ---- \| M] () -- C:\Windows\SysNative\perfc009.dat [2009/07/25 08:35:30 \| 00,017,408 \| ---- \| M] () -- C:\Windows\SysNative\rpcnetp.exe [2009/07/25 08:35:28 \| 00,056,680 \| ---- \| M] (Absolute Software Corp.) -- C:\Windows\SysWow64\rpcnet.dll [2009/07/25 08:35:22 \| 00,000,006 \| -H-- \| M] () -- C:\Windows\tasks\SA.DAT [2009/07/25 08:35:19 \| 00,067,584 \| --S- \| M] () -- C:\Windows\bootstat.dat [2009/07/25 08:35:12 \| 32,205,25056 \| -HS- \| M] () -- C:\hiberfil.sys [2009/07/25 08:34:20 \| 01,988,084 \| -H-- \| M] () -- C:\Users\Patrick\AppData\Local\IconCache.db [2009/07/24 13:02:01 \| 00,000,864 \| ---- \| M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3000932347-3461257071-3217081654-1000Core.job ========== LOP Check ========== [2009/07/16 15:53:22 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming [2009/06/04 18:29:10 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\Acreon [2009/07/16 15:53:22 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1 [2009/04/22 02:34:59 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\Media Center Programs [2009/07/11 08:12:35 \| 00,000,000 \| RH-D \| M] -- C:\Users\Patrick\AppData\Roaming\SecuROM [2009/06/11 08:41:28 \| 00,000,000 \| ---D \| M] -- C:\Users\Patrick\AppData\Roaming\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1 [2009/07/24 13:02:01 \| 00,000,864 \| ---- \| M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3000932347-3461257071-3217081654-1000Core.job [2009/07/25 11:02:02 \| 00,000,916 \| ---- \| M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3000932347-3461257071-3217081654-1000UA.job [2009/07/25 08:35:22 \| 00,000,006 \| -H-- \| M] () -- C:\Windows\Tasks\SA.DAT [2009/04/21 23:23:15 \| 00,003,658 \| ---- \| M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > This post has been edited by Baggaviagra: Jul 25 2009, 03:50 PM Attached File(s)* OTL.Txt ( 61.83K ) Number of downloads: 127

Baggaviagra View Member Profile	Jul 26 2009, 11:50 AM Post #2
New Member Posts: 2 OS: Windows 7	Would really appreciate some help with this.

emeraldnzl View Member Profile	Jul 28 2009, 09:55 PM Post #3
Trusted Helper Posts: 8,065 OS: XP Pro	Hello Baggaviagra, Welcome to Geekstogo. Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job. Kaspersky works with Internet Explorer and Firefox 3. Go to Kaspersky website and perform an online antivirus scan. Note: you will need to turn off your security programs to allow Kaspersky to do its job. Read through the requirements and privacy statement and click on Accept button. It will start dowanloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Copy and paste that information in your next post.

emeraldnzl View Member Profile	Aug 10 2009, 05:38 PM Post #4
Trusted Helper Posts: 8,065 OS: XP Pro	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal possible keylogger! ; ; hjt log [CLOSED]	4 / 198	1st July 2006 - 02:51 PM Syztem started - last by greyknight17
Virus, Spyware and Trojan Removal Possible Keylogger? [CLOSED]	2 / 451	17th January 2008 - 12:30 PM jack768 started - last by Essexboy
Virus, Spyware and Trojan Removal WoW Password stolen, possible keylogger [CLOSED]	7 / 1,050	8th July 2008 - 07:06 PM Dome started - last by Chopin
Virus, Spyware and Trojan Removal Concerned about possible keylogger? [CLOSED]	6 / 472	27th July 2008 - 03:14 AM Magneto started - last by sage5