the_god_of_soup Posted August 29, 2007

Well, I will cut down on the intro, because I sorta just want answers, not to be selfish, but...

So I downloaded a .zip file sent to me, unzipped it, and found it contained no video. I have evidence to believe that the "hacker" is inexperienced, he thought he changed my I.P... :wall: . So I have scanned my computer with AVG virus scanner, and have completely scanned my computer, start to finish, with Avast! virus scanner. It pulled up a few objects deep in my computer, which were promptly taken out.

He logged on, took my inventory items (but left my fletching cape, strangely, dropped my defender and barrows gloves...), tried to disable my bankpin, and left. So long story short, now I have 7.8 black marks, and my account is muted and banned for 3 days. I have told them my account was stolen, and they have locked it. I have everything needed to unlock it, and I know, for a fact, that the hacker does not. I tried to unlock it foolishly, but it didn't work, saying I needed more info that I know, only in my head.

But now, the real question; what should I do to get rid of it? Any suggestions of free software?

The spelling and grammar of that email was that of an 11 year old palestinian goatboy who is speaking english for the first time
Quite simply, Facebook craps on Myspace. Then makes it eat the crap.

blade995 Posted August 29, 2007

Download Ad-aware 2007 and Spybot. Both are free. Update the definitions and scan. Both programs will get everything AVG missed. If you really want to be safe afterwards you can post a hijackthis log.

P.S. The hacker could change your IP address, but not easily and I don't know why he would want to. Most change on their own anyway.

the_god_of_soup Posted August 29, 2007

Thank-you =). I have taken the liberty of downloading every anti-virus software recommended, ad-aware 2007, hijackthis (I will post the log), snoopfree or something, SUPERANTISPYWARE!, and spybot S&D. I will restart my computer to verify everything, and start scanning, I will post the hijackthis log shortly. I know that that will get everything =).

blade995 Posted August 29, 2007

Be careful what you download. Some antivirus programs are viruses themselves. You should only have 1 active antivirus scanner. If you have more than that there might be conflicts that make your protection worse.

the_god_of_soup Posted August 29, 2007

Okay, thank-you again, and that was just for scanning. I know that Ad-Aware, Avast!, AVG, Hijackthis!, and Spybot S&D don't have problems, so I'll delete SUPERANTISPYWARE and Snoopfree (it didn't even work anyway). Well, every program found about 20-30 things, mostly cookies, some things with trojan in the name, and I rebooted after each one, and it still found more. So now, I scanned as much as possible, and here is my Hijackthis! log:

[hide=Hijackthis! log, I think, large amounts of text]
"Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:02:20 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss[Caution: Executable File]
C:\WINDOWS\system32\winlogon[Caution: Executable File]
C:\WINDOWS\system32\services[Caution: Executable File]
C:\WINDOWS\system32\lsass[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice[Caution: Executable File]
C:\WINDOWS\system32\spoolsv[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
C:\WINDOWS\system32\CTsvcCDA[Caution: Executable File]
C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
C:\WINDOWS\System32\SnoopFreeSvc[Caution: Executable File]
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService[Caution: Executable File]
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC[Caution: Executable File]
C:\WINDOWS\Explorer[Caution: Executable File]
C:\WINDOWS\system32\Rundll32[Caution: Executable File]
C:\Program Files\Java\jre1.6.0_02\bin\jusched[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgcc[Caution: Executable File]
C:\WINDOWS\SnoopFreeUI[Caution: Executable File]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray[Caution: Executable File]
C:\WINDOWS\system32\ctfmon[Caution: Executable File]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware[Caution: Executable File]
C:\Documents and Settings\Lucas\Desktop\HiJackThis_v2[Caution: Executable File]
C:\WINDOWS\system32\NOTEPAD[Caution: Executable File]
C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]
C:\Program Files\Creative\MediaSource5\CTCMSU[Caution: Executable File]
C:\Program Files\AIM6\aim6[Caution: Executable File]
C:\Program Files\AIM6\aolsoftware[Caution: Executable File]
C:\Program Files\Creative\MediaSource5\CtDetctu[Caution: Executable File]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: Executable File] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: Executable File] /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: Executable File] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched[Caution: Executable File]"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc[Caution: Executable File] /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl[Caution: Executable File]"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]
O4 - HKLM\..\Run: [snoopFreeUI] SnoopFreeUI[Caution: Executable File]
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray[Caution: Executable File]
O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] C:\WINDOWS\system32\ctfmon[Caution: Executable File]
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware[Caution: Executable File]
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag[Caution: Executable File] (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag[Caution: Executable File] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6271791765
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice[Caution: Executable File]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA[Caution: Executable File]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux[Caution: Executable File]
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc[Caution: Executable File]
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc[Caution: Executable File]
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService[Caution: Executable File]

-- End of file - 7774 bytes"
[/hide]

the_god_of_soup Posted August 29, 2007

I think that is it, it is the text that popped up in notepad when I scanned.

JoeDaStudd Posted August 29, 2007

Ok, first off reboot your pc and when windows is loading hit F8, and select boot in safe mode. Log on as you normally would.

Now run AVG and scan your whole pc. Once AVG has scanned run Spybot search and destroy. Then Ad-Aware.

If you get any viruses with Trojan in their name write down the name. Reboot your pc as you normally would and do another scan. If the same virus pops up google the name of the virus (hence why you wrote this down). Then follow the instructions on how to remove the virus.

r2d2 Posted August 29, 2007

The only thing I can see that would worry me is NOTEPAD, it is in the right location, but should say notepad[Caution: Executable File] in lowercase. Try opening notepad, leave it open, then run another scan with hijackthis. If notepad appears in lowercase and NOTEPAD is still there, we may have found the problem. Unless your OS makes it caps... What OS are you using?

There are 10 types of people: Those who understand binary, and those who don't.
Appreciate Bacteria! It's the only form of culture some people have.
The brain's right side controls the body's left, so only lefties are in their right mind.
School!

mikercool Posted August 29, 2007

NOTEPAD is weird, it should only come up on that log if it is open and even then it should be lower case. Is it me or is it higher (lower) on the list than the StartUP programs? Shouldn't it be after the programs that started at start up? It makes NOTEPAD look like it started from boot.

C:\WINDOWS\system32\notepad[Caution: Executable File]

blade995 Posted August 29, 2007

Unnecessary

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution]" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl[Caution]"

If snoopfree is un-installed then remove these.

O4 - HKLM\..\Run: [snoopFreeUI] SnoopFreeUI[Caution]
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc[Caution]

O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag[Caution] (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag[Caution] (file missing)

Nothing I see nasty but the following can go because most are file missing or unneeded startups (quicktime which can be started when you use the program).

The notepad thing that others are talking about may or may not be a problem. It could be a semi-smart hacker disguising his program as notepad so people would never come across it as suspicious. Or it may be nothing and the program is just written in caps.

the_god_of_soup Posted August 29, 2007

Thank-you everyone for your advice, I have done what JoeDaStudd has told me, and found only a few cookies. I deleted those. And I will run another Hijackthis! scan, and post it with Notepad running. It is odd that it showed up in all caps, and it is weird that it booted before startup processes, but it may have had something to do with the fact that the log file appeared in Notepad. It opened like the second it started the scan. But I will post the new log soon.

Any ideas on what to do with it if it's still in caps? How do I remove it? Notepad isn't important to me, so could I just uninstall it?

the_god_of_soup Posted August 29, 2007

[hide=Hijackthis! log with Notepad running]
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:50:53 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss[Caution: Executable File]
C:\WINDOWS\system32\winlogon[Caution: Executable File]
C:\WINDOWS\system32\services[Caution: Executable File]
C:\WINDOWS\system32\lsass[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice[Caution: Executable File]
C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]
C:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]
C:\WINDOWS\Explorer[Caution: Executable File]
C:\WINDOWS\system32\spoolsv[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
C:\WINDOWS\system32\CTsvcCDA[Caution: Executable File]
C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService[Caution: Executable File]
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC[Caution: Executable File]
C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]
C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]
C:\WINDOWS\system32\wscntfy[Caution: Executable File]
C:\WINDOWS\system32\Rundll32[Caution: Executable File]
C:\Program Files\Java\jre1.6.0_02\bin\jusched[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgcc[Caution: Executable File]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray[Caution: Executable File]
C:\WINDOWS\system32\ctfmon[Caution: Executable File]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware[Caution: Executable File]
C:\WINDOWS\system32\OSK[Caution: Executable File]
C:\WINDOWS\system32\MSSWCHX[Caution: Executable File]
C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]
C:\Program Files\Creative\MediaSource5\CTCMSU[Caution: Executable File]
C:\Program Files\AIM6\aim6[Caution: Executable File]
C:\Program Files\AIM6\aolsoftware[Caution: Executable File]
C:\Program Files\Creative\MediaSource5\CtDetctu[Caution: Executable File]
C:\Documents and Settings\Lucas\Desktop\HiJackThis_v2[Caution: Executable File]
C:\WINDOWS\system32\notepad[Caution: Executable File]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: Executable File] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: Executable File] /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: Executable File] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched[Caution: Executable File]"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc[Caution: Executable File] /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl[Caution: Executable File]"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray[Caution: Executable File]
O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] C:\WINDOWS\system32\ctfmon[Caution: Executable File]
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware[Caution: Executable File]
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd[Caution: Executable File] /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag[Caution: Executable File] (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag[Caution: Executable File] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6271791765
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice[Caution: Executable File]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA[Caution: Executable File]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService[Caution: Executable File]

-- End of file - 7666 bytes
[/hide]

the_god_of_soup Posted August 29, 2007

Blade995, I have removed all of those. Does anyone know how to test to make sure I don't have the keylogger anymore?

mikercool Posted August 30, 2007

MSSWCHX - That wasn't on the old Hijack This... and now the NOTEPAD is notepad... Did you run both of these as soon as you turned on your PC?

the_god_of_soup Posted August 30, 2007

Well, pretty soon after, both within the first 10 minutes or so of start up. Should I delete that one thing? And just make a backup before I do so?

r2d2 Posted August 30, 2007

NOTEPAD obviously isn't the problem... I don't see anything out of the ordinary...

If you want to be sure it isn't actively keylogging you, start the scan then IMMEDIATELY log into runescape, though you must login before the scan is done... If you can do that and post the results, I can check to make sure nothing changes. If not, you just have to ride on it no longer keylogging you, or your needing to format your hard disk, though we can probably assume the former. If that is the case, make a new account and play with it for a while, if you get 8 marks on it too you will need to format your drive.

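Added example (not part of any post in this thread): the by-hand comparison of the two HijackThis logs above, where NOTEPAD became notepad and MSSWCHX appeared, can be scripted. The input is a short excerpt of each posted log and the function names are invented for this example; a difference only shows what changed between two snapshots, not whether an entry is malicious.

```python
import re

# Excerpts of the two logs posted in this thread (first scan, then the scan with
# Notepad open). "[Caution: Executable File]" is the forum's filter text, kept as posted.
OLD_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon[Caution: Executable File]
C:\WINDOWS\System32\SnoopFreeSvc[Caution: Executable File]
C:\WINDOWS\system32\NOTEPAD[Caution: Executable File]
O4 - HKLM\..\Run: [snoopFreeUI] SnoopFreeUI[Caution: Executable File]
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc[Caution: Executable File]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
-- End of file
"""

NEW_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon[Caution: Executable File]
C:\WINDOWS\system32\OSK[Caution: Executable File]
C:\WINDOWS\system32\MSSWCHX[Caution: Executable File]
C:\WINDOWS\system32\notepad[Caution: Executable File]
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Lucas\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
-- End of file
"""

# Registry/startup entries look like "O4 - ...", "R1 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def _key(value):
    # Windows paths are case-insensitive, so NOTEPAD and notepad are the same file.
    return " ".join(value.split()).casefold()


def diff_logs(old, new):
    """Report what appeared or disappeared between two parsed logs."""
    def only_in_second(first, second):
        seen = {_key(item) for item in first}
        return [item for item in second if _key(item) not in seen]

    old_entries = [f"{code} - {detail}" for code, detail in old["entries"]]
    new_entries = [f"{code} - {detail}" for code, detail in new["entries"]]
    return {
        "added_processes": only_in_second(old["processes"], new["processes"]),
        "removed_processes": only_in_second(new["processes"], old["processes"]),
        "added_entries": only_in_second(old_entries, new_entries),
        "removed_entries": only_in_second(new_entries, old_entries),
    }


def review_candidates(parsed):
    """Entries HijackThis itself marks as dangling or unattributed: a to-check list, not a verdict."""
    marks = ("(file missing)", "unknown owner")
    return [f"{code} - {detail}" for code, detail in parsed["entries"]
            if any(mark in detail.casefold() for mark in marks)]


if __name__ == "__main__":
    old, new = parse_log(OLD_LOG), parse_log(NEW_LOG)
    for section, items in diff_logs(old, new).items():
        print(section)
        for item in items:
            print("   ", item)
    print("still worth a manual look in the newer log:")
    for item in review_candidates(new):
        print("   ", item)
```
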
the_god_of_soup Posted August 31, 2007

Thank-you r2d2, I will try that soon! By the way, I have logged onto a very old second account of mine, and a newly made one, and nobody else has logged on to them, and I've been logging onto them, with my real keyboard (not the on-screen one) for about 3 days.

blade995 Posted August 31, 2007

Just a quick note, the onscreen keyboard will not stop a keylogger.

the_god_of_soup Posted August 31, 2007

Oh, it won't? I thought keyloggers only tracked keystrokes in the literal sense. Does it just sense it the same? Or do keyloggers actually have like another thing to sense what buttons you press? And I know it wouldn't work if I had the screenshot-taking kind of keylogger thing, but I didn't think I had that.

So yeah, no hacking on either of those accounts, not even logging on except from me in 3 days. Any verdict?

runescapeloser22 Posted August 31, 2007

Norton Anti-Virus hasn't failed me yet, and it's free! Or Ad-Aware 2007, it's the top download on Download.com

^^ it's not a virus, don't worry :wink:

r2d2 Posted August 31, 2007

> Oh, it won't? I thought keyloggers only tracked keystrokes in the literal sense. Does it just sense it the same? Or do keyloggers actually have like another thing to sense what buttons you press? And I know it wouldn't work if I had the screenshot-taking kind of keylogger thing, but I didn't think I had that. So yeah, no hacking on either of those accounts, not even logging on except from me in 3 days. Any verdict?

How long ago was the keylog?

Keyloggers don't sense what buttons you press, they sense the input from HIDs, onscreen keyboards are "plugged in" to the HID receiver. Screenshot viruses aren't keyloggers, and they really don't work, as any password field in any login form written by anybody (with an IQ > 50 :mrgreen: ) will display *'s instead of the password.

I think you're probably clear, though you should post back here as soon as you think it is happening again...

the_god_of_soup Posted August 31, 2007

Thank-you =). And I did not know that, that's actually pretty helpful =p. And the keylog was about a week ago. But yeah, I too think I'm clear, no other accounts have been hacked, my virus software (AVG, Ad-Aware, SUPERANTISPYWARE!, AVAST!, Spybot, and the Snoopfree shield) seem to suggest that I am also clear. I will get my account back tonight, and keep everyone posted.

Thanks again to everyone who helped! =D>