PLEASE HELP...do i have a keylogger?


death666bl00ms

hi all,

i clicked on a link from another site to look at a pic of someone's character...right after i did it i realized i should not have done that =\

now, i am not computer savvy, however, i did know enough to run ad-aware and delete the critical files it found.

This is the url to the picture:

am i ok, or is this a keylogger?

please please PLEASE don't click the link if you don't know anything about computers (like me). if it is a keylogger, i don't want to hurt anyone else...

thanks,

bobby

"The greatest joy a man can know is to conquer his enemies and drive them before him. To ride their horses and take away their possessions. To see the faces of those who were dear to them bedewed with tears, and to clasp their wives and daughters in his arms."
-Genghis Khan


yes the link in question was a keylogger, and has been removed from your post.

For instructions on how to safeguard yourself against such threats:

http://forum.tip.it/viewtopic.php?t=521604

I like to fart silently but deadly in movie theaters
Ard Choille says (11:41 PM):

I wouldn't dare tell you what to do m'dear


arg...

what do i do?

i ran ad-aware and deleted the critical files, and i ran spybot

am i ok now?

"The greatest joy a man can know is to conquer his enemies and drive them before him. To ride their horses and take away their possessions. To see the faces of those who were dear to them bedewed with tears, and to clasp their wives and daughters in his arms."
-Genghis Khan


as requested:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:32 PM, on 8/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss[Caution: Executable File]
C:\WINNT\system32\winlogon[Caution: Executable File]
C:\WINNT\system32\services[Caution: Executable File]
C:\WINNT\system32\lsass[Caution: Executable File]
C:\WINNT\system32\svchost[Caution: Executable File]
C:\WINNT\System32\CTsvcCDA[Caution: Executable File]
C:\WINNT\System32\svchost[Caution: Executable File]
C:\Program Files\Ahead\InCD\InCDsrv[Caution: Executable File]
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm[Caution: Executable File]
C:\WINNT\system32\nvsvc32[Caution: Executable File]
C:\WINNT\system32\regsvc[Caution: Executable File]
C:\WINNT\system32\MSTask[Caution: Executable File]
C:\WINNT\system32\stisvc[Caution: Executable File]
C:\WINNT\System32\WBEM\WinMgmt[Caution: Executable File]
C:\WINNT\System32\MsPMSPSv[Caution: Executable File]
C:\WINNT\system32\svchost[Caution: Executable File]
C:\WINNT\Explorer[Caution: Executable File]
C:\WINNT\system32\ctfmon[Caution: Executable File]
C:\WINNT\system32\rundll32[Caution: Executable File]
C:\Program Files\Southwest Airlines\Ding\Ding[Caution: Executable File]
C:\WINNT\system32\wuauclt[Caution: Executable File]
C:\WINNT\system32\LEXBCES[Caution: Executable File]
C:\WINNT\system32\LEXPPS[Caution: Executable File]
C:\WINNT\system32\spoolsv[Caution: Executable File]
C:\Program Files\Dell AIO Printer A940\dlbabmgr[Caution: Executable File]
C:\Program Files\Dell AIO Printer A940\dlbabmon[Caution: Executable File]
C:\Program Files\AIM\aim[Caution: Executable File]
C:\Program Files\Internet Explorer\IEXPLORE[Caution: Executable File]
C:\Program Files\Internet Explorer\IEXPLORE[Caution: Executable File]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter[Caution: Executable File]
C:\WINNT\regedit[Caution: Executable File]
C:\PROGRA~1\WINZIP\winzip32[Caution: Executable File]
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis[Caution: Executable File]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtdecklok.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync[Caution: Executable File] /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: Executable File] C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER[Caution: Executable File]
O4 - HKLM\..\Run: [updReg] C:\WINNT\UpdReg[Caution: Executable File]
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet[Caution: Executable File]"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl[Caution: Executable File] /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD[Caution: Executable File]
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck[Caution: Executable File]
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor[Caution: Executable File]
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20[Caution: Executable File]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a[Caution: Executable File]
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched[Caution: Executable File]
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: Executable File] /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr[Caution: Executable File]
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr[Caution: Executable File]"
O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter[Caution: Executable File]
O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] ctfmon[Caution: Executable File]
O4 - HKCU\..\Run: [NVIEW] rundll32[Caution: Executable File] nview.dll,nViewLoadHook
O4 - Global Startup: AT&T Plug&Share 54Mbps Wireless PCI Adapter Utility.lnk = C:\Program Files\AT&T Plug&Share 54Mbps Wireless PCI Adapter\WLANMON[Caution: Executable File]
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding[Caution: Executable File]
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA[Caution: Executable File]
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate[Caution: Executable File]
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim[Caution: Executable File]
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20[Caution: Executable File]
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20[Caution: Executable File]
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4456010070
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA[Caution: Executable File]
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin[Caution: Executable File]
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv[Caution: Executable File]
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES[Caution: Executable File]
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32[Caution: Executable File]

"The greatest joy a man can know is to conquer his enemies and drive them before him. To ride their horses and take away their possessions. To see the faces of those who were dear to them bedewed with tears, and to clasp their wives and daughters in his arms."
-Genghis Khan
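
A log like the one posted above is read section by section. The following is an added example, not part of the original thread: it groups the entries by HijackThis section code and pulls out the autostart (O4) entries for review. It assumes the forum's filter put "[Caution: Executable File]" where the log had ".exe"; the function names are illustrative and SAMPLE is an excerpt of the posted log.

```python
import re
from collections import defaultdict

# What each HijackThis section code covers (only the codes seen in this thread's log).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)",
    "O8": "IE context-menu item", "O9": "IE extra button or Tools item",
    "O12": "IE plugin", "O14": "IERESET.INF setting",
    "O16": "ActiveX (Downloaded Program Files)",
    "O20": "Winlogon Notify", "O23": "NT service",
}
# Assumption: the forum's word filter put this token where the log had ".exe".
FILTER_TOKEN = "[Caution: Executable File]"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
O4_FORMS = (
    re.compile(r"^(HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.+)$"),  # Run keys
    re.compile(r"^((?:Global )?Startup): (.+?) = (.+)$"),       # Startup folders
)
# Excerpt of the log posted in this thread (not the full log).
SAMPLE = r"""
C:\WINNT\system32\ctfmon[Caution: Executable File]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: Executable File] /install
O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] ctfmon[Caution: Executable File]
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding[Caution: Executable File]
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32[Caution: Executable File]
"""

def parse_log(text):
    """Group entries by section code after undoing the forum filter."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip().replace(FILTER_TOKEN, ".exe"))
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def autostarts(groups):
    """Return (location, name, command) for every O4 entry in a known form."""
    hits = (form.match(body) for body in groups.get("O4", []) for form in O4_FORMS)
    return [m.groups() for m in hits if m]

if __name__ == "__main__":
    groups = parse_log(SAMPLE)
    print({c: (SECTIONS.get(c, "other"), len(e)) for c, e in groups.items()})
    print(*autostarts(groups), sep="\n")
```

The parser only sorts and lists entries; deciding whether an autostart or service belongs on the machine is still a manual review of each name and path.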


I don't know too much about Windows 2000 but I think there is a SP5 out. Go to windowsupdate.microsoft.com and install everything critical. This will patch a lot of security holes in Windows and possibly stop some viruses from installing.

goldenblade995.png

will do...but what about the keylogger?

i have a PIN, and i changed my pass on a safe comp...so my char is safe for now.

anything else i should do?

when can i play on this comp again?

thanks

"The greatest joy a man can know is to conquer his enemies and drive them before him. To ride their horses and take away their possessions. To see the faces of those who were dear to them bedewed with tears, and to clasp their wives and daughters in his arms."
-Genghis Khan


I don't see anything bad in your log. Although get antivirus and a firewall ASAP.

It's even easier for your brother to put this stuff on without anything to stop him.

I suggest AVG antivirus and Zonealarm firewall. Both are free programs.

Also if you haven't already, use the immunize feature in Spybot.

If you want full protection, beat up your brother :wink:

goldenblade995.png

haha, ok...

i guess runnin ad-aware and spybot worked then...

thanks again.

p.s....sorry about the late reply, was at the beach

"The greatest joy a man can know is to conquer his enemies and drive them before him. To ride their horses and take away their possessions. To see the faces of those who were dear to them bedewed with tears, and to clasp their wives and daughters in his arms."
-Genghis Khan
