think i have a key logger

Unread postby Bwise » October 15th, 2007, 6:58 am

Hi,
I recently got an account stolen from me after downloading a .exe file from the web. I read about key loggers and now think I have one. I just want to know if you think that there is anything suspicious here.

My log

Logfile of HijackThis v1.99.1
Scan saved at 11:56:28, on 15/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\W\Explorer.EXE
C:\W\system32\RUNDLL32.EXE
C:\p\Dell AIO 810\dlcgmon.exe
C:\p\Microsoft Office\Office12\GrooveMonitor.exe
C:\p\Grisoft\AVG7\avgcc.exe
C:\p\DAEMON Tools\daemon.exe
C:\p\Skype\Phone\Skype.exe
C:\p\Skype\Plugin Manager\skypePM.exe
C:\p\Grisoft\AVG7\avgamsvr.exe
C:\p\Grisoft\AVG7\avgupsvc.exe
C:\W\system32\nvsvc32.exe
C:\W\system32\svchost.exe
C:\W\system32\dlcgcoms.exe
C:\p\Mozilla Firefox\firefox.exe
C:\p\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\u\A\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\p\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\p\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\W\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\W\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\p\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\W\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [GrooveMonitor] "C:\p\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\p\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Elite Antikeylogger] C:\p\Widestep Software\Elite Antikeylogger\wseakadm.exe
O4 - HKLM\..\Run: [SpyHunter] C:\p\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\p\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Skype] "C:\p\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\p\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\p\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\p\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\p\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\p\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\p\Microsoft Expression\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\p\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\c\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\c\Skype\Skype4COM.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\c\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\W\system32\wpdshserviceobj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\p\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\p\Grisoft\AVG7\avgupsvc.exe
O23 - Service: dlcg_device - - C:\W\system32\dlcgcoms.exe
O23 - Service: Elite Antikeylogger monitoring service - Widestep Security Software - C:\p\Widestep Software\Elite Antikeylogger\wseaksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\W\system32\nvsvc32.exe

If you could offer any help it would be much appreciated, as I'm now scared to type anything :(
Bwise
Active Member
 
Posts: 1
Joined: October 15th, 2007, 6:45 am
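
A first-pass triage of the log above, as an added example (not part of the original posts and not HijackThis's own code): it parses HijackThis entry lines and lists O4 autoruns that start a program without a full path, entries marked "(file missing)", and O23 services with an empty vendor field. These three checks are review heuristics assumed for the example, not signs of infection; the sample lines are copied from the log above.

```python
import re

# Sample input: a few entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\W\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Skype] "C:\p\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: dlcg_device - - C:\W\system32\dlcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\W\system32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")             # "O4 - <body>"
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\\w+: \[([^\]]*)\] (.+)$")
SERVICE = re.compile(r"^Service: (.+?) - (.*?) ?- (.+)$")   # name - vendor - path

def first_program(command):
    """Return the executable an autorun command starts, quotes removed."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def triage(log_text):
    """Return (section, name, reason) for entries worth a manual look.
    The reasons are heuristics assumed for this example; none of them
    is a verdict that the entry is malicious."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        if body.endswith("(file missing)"):
            findings.append((section, body.split(" - ")[0], "target file missing"))
        if section == "O4" and (a := AUTORUN.match(body)):
            program = first_program(a.group(3))
            # rundll32 only hosts a DLL named later in the command, so the
            # path check is skipped for it here.
            if "\\" not in program and not program.lower().startswith("rundll32"):
                findings.append((section, a.group(2), "autorun without full path"))
        if section == "O23" and (s := SERVICE.match(body)):
            if not s.group(2).strip():
                findings.append((section, s.group(1), "service without vendor string"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```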

Unread postby askey127 » October 18th, 2007, 6:44 am

Hi BWise,
SpyHunter is an Anti-Spy program of dubious repute. I would just use Add/Remove and get rid of it.
Your log does not show anything obvious.
Let's run a couple other scans.
-----------------------------------------------------------
We need to rename HijackThis.exe to reveal.exe
Use My Computer (Windows Explorer) to go to the HiJackThis folder
In your case, the HiJackThis folder is: C:\u\A\My Documents\Downloads\HijackThis\
(double click C:, then double click u, double click A, double click Downloads, then double click the HijackThis folder)
In the top menu, click View, Details
Right button-click on the file named HijackThis.exe and select Rename.
Type in the new filename as reveal.exe
Hit <Enter> and close My Computer
-----------------------------------------------------------
Run AVG Anti-Rootkit Scan
Download the AVG Anti Rootkit© by Grisoft Setup file and save it to your desktop.
Double-click on avgarkt-setup-1xxxxx.exe (the x's are the exact version number), and run it.
Click I Agree to the License Agreement (EULA).
Let it Install to the default location.
Click Next to begin the installation then click Install
It will then ask you to reboot now to finish the installation.
Click Finish and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Free icon that is now on your desktop.
Click on the Perform in-depth search button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the Save result to file button.
Save the scan results to your desktop
Copy and Paste the contents of the scan results in your reply.

At the end of the scan, if a box pops up and says "Scan Finished. No rootkits found" then the "Save result to file" button will be grayed out.
In that case just post a note that nothing was found.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Please post the results of the Anti-Rootkit scan, the contents of KAV.TXT, and a new HijackThis (reveal.exe) log
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby askey127 » November 8th, 2007, 3:55 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
