TROJ_KEYLOGGE.Kq


TROJ_KEYLOGGE.Kq

Post by shaheen on Wed Jun 17, 2009 8:31 pm

I'm not sure what this is, but it hasn't been removed.
I have used Spybot, Advanced SystemCare Pro and HouseCall virus scan, which is the program that found the infection.

shaheen
Novice
Posts : 33
Joined : 2009-06-13
OS : XP
Points : 27347
Likes : 0

Re: TROJ_KEYLOGGE.Kq

Post by shaheen on Wed Jun 17, 2009 8:33 pm

This is on my laptop

Sony Vaio

Windows Vista

The only thing that I believe is infected is my built-in webcam, which remains black when turned on.


Re: TROJ_KEYLOGGE.Kq

Post by Belahzur on Wed Jun 17, 2009 8:35 pm

Post a new Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
Likes : 1

Re: TROJ_KEYLOGGE.Kq

Post by shaheen on Wed Jun 17, 2009 8:40 pm

I'm gonna need the links for everything again to download all the programs and what not.

thanks


Re: TROJ_KEYLOGGE.Kq

Post by Belahzur on Wed Jun 17, 2009 9:01 pm

Actually, let's use this.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: TROJ_KEYLOGGE.Kq

Post by shaheen on Wed Jun 17, 2009 9:08 pm

DDS

DDS (Ver_09-05-14.01) - NTFSx86
Run by Shaheen at 14:11:18.82 on Wed 06/17/2009
Internet Explorer: 7.0.6000.16851
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.872 [GMT -7:00]

AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Spy Sweeper *enabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
SP: Norton 360 *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Shaheen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NDO2RRFS\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - Yahoo! IE Services Button
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [RunSpySweeperScheduleAtStartup] "c:\windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{485AC12E-AC25-4079-8069-C53AE8029662}
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [Explorer] c:\users\shaheen\appdata\local\temp\explorer.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB7376] command /c del "c:\windows\system32\zipfldr.dll"
uRunOnce: [SpybotDeletingD4277] cmd /c del "c:\windows\system32\zipfldr.dll"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA7096] command /c del "c:\windows\system32\zipfldr.dll"
mRunOnce: [SpybotDeletingC1274] cmd /c del "c:\windows\system32\zipfldr.dll"
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Notify: WRNotifier - WRLogonNTF.dll

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090129.001\IDSvix86.sys [2009-1-29 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-11-4 149352]
R2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\nikon\wireless camera setup utility\NkPtpEnum.exe [2007-7-31 25600]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-1-3 11032]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-6-16 810320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-26 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-3-30 74240]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-3-30 43904]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-3-30 30976]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-3-30 807424]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [2007-7-31 17632]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;c:\program files\common files\creative labs shared\service\AL1Licensing.exe [2009-3-3 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2009-3-3 79360]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-8-2 22784]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\sony\image converter 3\ICScsiSV.exe [2007-4-14 75952]
S3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\sony\image converter 3\IcVzMonLauncher.exe [2007-4-14 67760]
S3 skfiltv;skfiltv;c:\windows\system32\drivers\skfiltv.sys [2009-3-3 20480]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2007-4-14 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2007-4-14 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2007-4-14 1089536]

=============== Created Last 30 ================

2009-06-17 02:04 --d----- c:\program files\common files\Software Update Utility
2009-06-17 02:04 --d----- c:\programdata\AIM Toolbar
2009-06-17 02:04 --d----- c:\program files\AIM Toolbar
2009-06-17 02:04 --d----- c:\progra~2\AIM Toolbar
2009-06-17 02:04 --d----- c:\programdata\acccore
2009-06-17 02:04 --d----- c:\progra~2\acccore
2009-06-16 15:05 142 a------- c:\windows\wininit.ini
2009-06-15 02:59 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-15 02:59 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-15 02:58 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-15 02:58 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-15 02:58 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-06-15 02:58 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-06-15 02:58 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-15 02:58 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-06-15 02:53 827,392 a------- c:\windows\system32\wininet.dll

==================== Find3M ====================

2009-06-16 04:42 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-16 04:42 51,200 a------- c:\windows\inf\infpub.dat
2009-06-16 04:42 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 09:14 56,320 a------- c:\windows\system32\iesetup.dll
2009-04-24 09:14 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:14 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-04-24 09:11 72,704 a------- c:\windows\system32\admparse.dll
2009-04-24 06:53 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-24 05:25 48,128 a------- c:\windows\system32\mshtmler.dll
2009-04-23 06:01 788,992 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 05:56 696,832 a------- c:\windows\system32\localspl.dll
2009-04-21 05:04 2,028,032 a------- c:\windows\system32\win32k.sys
2008-12-10 05:25 174 a--sh--- c:\program files\desktop.ini
2008-06-14 14:03 665,600 a------- c:\windows\inf\drvindex.dat
2007-08-14 22:32 20 ----h--- c:\programdata\PKP_DLec.DAT
2007-08-14 22:32 20 ----h--- c:\progra~2\PKP_DLec.DAT
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:12:13.89 ===============

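As an added illustration (not part of the thread and not something DDS itself produces), a small Python checker that applies the same kind of triage to the Pseudo HJT Report above that a helper does by eye: it flags autorun entries that execute from a temp directory, autorun names that borrow a Windows system binary's name while running outside c:\windows, RunOnce file-deletion commands, and EnableLUA = 0. The sample lines are copied from the log above; the rules are this example's own heuristics.

```python
import re

# Entries taken from the DDS "Pseudo HJT Report" posted above, embedded so
# the example runs offline.
SAMPLE = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Explorer] c:\users\shaheen\appdata\local\temp\explorer.exe
uRunOnce: [SpybotDeletingB7376] command /c del "c:\windows\system32\zipfldr.dll"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRunOnce: [SpybotDeletingC1274] cmd /c del "c:\windows\system32\zipfldr.dll"
mPolicies-system: EnableLUA = 0 (0x0)
""".strip()

# u = HKCU, m = HKLM; Run or RunOnce; [name] then the command line.
RUN_LINE = re.compile(r'^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# Directory names from which a legitimate autorun should essentially never run.
TEMP_DIRS = {'temp', 'tmp'}
# Autorun names that borrow the name of a Windows system binary.
SYSTEM_NAMES = {'explorer', 'svchost', 'winlogon', 'lsass', 'csrss', 'services'}
DELETE_CMD = re.compile(r'\b(cmd|command) /c del ', re.I)


def exe_path(cmd):
    """Return the lower-cased executable path from a run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end if end > 0 else None].lower()
    return cmd.split(' ', 1)[0].lower()


def analyze(report):
    """Return (line, reason) findings for a DDS pseudo-HJT report."""
    findings = []
    for line in report.splitlines():
        if line.startswith('mPolicies-system: EnableLUA = 0'):
            findings.append((line, 'UAC disabled (EnableLUA=0)'))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        path = exe_path(cmd)
        dirs = path.split('\\')[:-1]
        if TEMP_DIRS & set(dirs):
            findings.append((line, 'autorun executes from a temp directory'))
        if name.lower() in SYSTEM_NAMES and not path.startswith('c:\\windows\\'):
            findings.append((line, f'autorun named like system binary "{name}" runs outside c:\\windows'))
        if DELETE_CMD.search(cmd):
            findings.append((line, 'RunOnce entry deletes a file at next logon'))
    return findings


if __name__ == '__main__':
    for line, reason in analyze(SAMPLE):
        print(f'{reason}\n    {line}')
```

Run against the full DDS.txt, the same rules single out the two entries Belahzur's OTMoveIt script removes (the temp-directory explorer.exe and the zipfldr.dll RunOnce deletions) and the disabled UAC policy.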

Re: TROJ_KEYLOGGE.Kq

Post by Belahzur on Wed Jun 17, 2009 9:15 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\zipfldr.dll
    c:\users\shaheen\appdata\local\temp\explorer.exe

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingA7096"=-
    "SpybotDeletingC1274"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB7376"=-
    "SpybotDeletingD4277"=-
    "Explorer"=-

    :commands
    [emptytemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

