bloody keyloggers

Status
Not open for further replies.

oldstoat (Beta member, 4 messages)
I had a problem with a keylogger (discovered by the fact that my WoW account had been hacked) and other associated nasties. I have followed the Tech-dump spyware removal guide to the best of my ability (thereby showing the depths of my ignorance when it comes to computers). I attach two logs, one from before following it and one from after. I would therefore be grateful if anyone can tell me if I am now clean or if there is anything else I need to do.

The pre scan is hijackthis and the post scan is hijackthis2.

Cheers in advance of any help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:32, on 21/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
d:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\iTunesHelper.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\TomTom HOME 2\HOMERunner.exe
C:\Program Files\iPod\bin\iPodService.exe
d:\PROGRA~1\AVG\AVG8\avgscanx.exe
D:\my documents\Downloads\windows-kb890830-v2.3.exe
d:\353027d727f15cbc71b25f2a4335\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Welcome to Karoo, the local portal for Hull and East Yorkshire
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus CX3600 Series on BIGBOX on YOUR-B77BFAFE16] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P65 "Auto Auto EPSON Stylus CX3600 Series on BIGBOX on YOUR-B77BFAFE16" /O26 "\\YOUR-B77BFAFE16\AutoEPSO" /M "Stylus CX3600"
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P35 "EPSON Stylus CX3600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "D:\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142025461359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 9421 bytes


HIJACKTHIS2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:50:38, on 21/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\devldr32.exe
d:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\iTunesHelper.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\TomTom HOME 2\HOMERunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus CX3600 Series on BIGBOX on YOUR-B77BFAFE16] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P65 "Auto Auto EPSON Stylus CX3600 Series on BIGBOX on YOUR-B77BFAFE16" /O26 "\\YOUR-B77BFAFE16\AutoEPSO" /M "Stylus CX3600"
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P35 "EPSON Stylus CX3600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "D:\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142025461359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 8885 bytes
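As an added example, not part of the original post or of HijackThis itself, here is a small Python triage script for the two logs above: it parses the R/O entries, diffs the pre and post scans, and flags the entries a helper would check first. The embedded lines are a constructed subset of the logs posted above; the flag rules and the allowlist of expected autostart folders are my own assumptions, not HijackThis logic.

```python
"""Parse, diff and triage HijackThis v2 log entries (editor's example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HijackThis finding is one line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Target of an O4 autostart: the first quoted string or bare token after the [name] tag.
RUN_TARGET_RE = re.compile(r'\]\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
# Assumed allowlist of "expected" autostart locations; tune it per machine.
EXPECTED_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files|progra~1)\\", re.I)

# Constructed subsets of the pre- and post-cleanup logs posted above.
PRE_SCAN = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Welcome to Karoo, the local portal for Hull and East Yorkshire
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
POST_SCAN = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def sort_key(self) -> tuple[str, int, str]:
        # Sort O4 before O23 (numeric), not lexically.
        return (self.section[0], int(self.section[1:]), self.body)


def parse_hjt(log: str) -> list[Entry]:
    """Return the finding lines of a HijackThis log; header and process list are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m["section"], m["body"]))
    return out


def diff_scans(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries that disappeared between scans and entries that are new in the second one."""
    removed = sorted(set(before) - set(after), key=lambda e: e.sort_key)
    added = sorted(set(after) - set(before), key=lambda e: e.sort_key)
    return removed, added


def run_target(entry: Entry) -> str | None:
    """Executable path of an O4 autostart entry (None for other sections)."""
    if entry.section != "O4":
        return None
    m = RUN_TARGET_RE.search(entry.body)
    return (m["quoted"] or m["bare"]) if m else None


def flag_entry(entry: Entry) -> list[str]:
    """Reasons a helper should look at this entry; an empty list means 'nothing obvious'."""
    reasons = []
    if "(no file)" in entry.body:
        reasons.append("registration points at a file that no longer exists; remove the orphan")
    if entry.section == "O20":
        reasons.append("AppInit_DLLs is loaded into every user-mode GUI process; confirm the DLL's vendor")
    if entry.section == "O23" and "Unknown owner" in entry.body:
        reasons.append("service binary has no readable vendor info; check its signature and hash")
    target = run_target(entry)
    if target and not EXPECTED_DIR_RE.match(target):
        reasons.append(f"autostart outside Windows/Program Files: {target}")
    return reasons


def triage(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Only the entries that earned at least one flag, in log order."""
    return [(e, r) for e in entries if (r := flag_entry(e))]


if __name__ == "__main__":
    removed, added = diff_scans(parse_hjt(PRE_SCAN), parse_hjt(POST_SCAN))
    for label, group in (("gone since first scan", removed), ("new in second scan", added)):
        for e in group:
            print(f"[{label}] {e.section} - {e.body}")
    for e, reasons in triage(parse_hjt(POST_SCAN)):
        print(f"[review] {e.section} - {e.body}\n    " + "\n    ".join(reasons))
```

A flag is a prompt to verify the item (vendor, signature, file hash), not a verdict; the AVG AppInit_DLLs entry, for instance, is flagged only because that load point deserves a look on any machine.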
 
That's the one I meant and I have gone through it; the two logs are the result, but I think I still have a problem as someone is still trying to get into my WoW account.
 
I have run the program and the log is as follows:
HKU\.DEFAULT\Control Panel\International 21/10/2008 13:37 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 21/10/2008 13:37 0 bytes Security mismatch.
HKU\S-1-5-21-1343024091-1580818891-725345543-1004\Control Panel\International 21/10/2008 13:37 0 bytes Security mismatch.
HKU\S-1-5-21-1343024091-1580818891-725345543-1004\Control Panel\International\Geo 21/10/2008 13:37 0 bytes Security mismatch.
HKU\S-1-5-21-1343024091-1580818891-725345543-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 31/10/2007 19:28 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 21/10/2008 13:37 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 21/10/2008 13:37 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 06/03/2006 23:13 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 06/03/2006 23:13 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 21/10/2008 18:45 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Don & Chris\Application Data\Skype\donald.mckernan\chatsync\88\887e6dc7a8a7f2ae.dat 21/10/2008 19:00 1.84 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Application Data\Skype\donald.mckernan\chatsync\9c 21/10/2008 19:03 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Application Data\Skype\donald.mckernan\chatsync\9c\9c31e6a734c36f0e.dat 21/10/2008 19:03 1.87 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000380 21/10/2008 18:51 21.76 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000381 21/10/2008 19:05 16.07 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000382 21/10/2008 19:06 20.01 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000383 21/10/2008 19:06 18.89 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000384 21/10/2008 19:06 19.43 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000385 21/10/2008 19:06 16.75 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000386 21/10/2008 19:06 224.02 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000387 21/10/2008 19:06 21.90 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000388 21/10/2008 19:06 357.50 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000389 21/10/2008 19:06 357.62 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00038a 21/10/2008 19:06 18.68 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00038b 21/10/2008 19:06 37.17 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00038c 21/10/2008 19:06 17.71 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00038d 21/10/2008 19:06 95.02 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00038e 21/10/2008 19:06 28.05 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00038f 21/10/2008 19:06 16.58 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000391 21/10/2008 19:06 25.99 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000392 21/10/2008 19:06 18.11 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000393 21/10/2008 19:07 40.57 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000394 21/10/2008 19:07 22.38 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000395 21/10/2008 19:07 16.15 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000396 21/10/2008 19:07 22.58 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000397 21/10/2008 19:07 78.57 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000398 21/10/2008 19:08 26.34 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000399 21/10/2008 19:08 31.34 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00039a 21/10/2008 19:08 27.21 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00039b 21/10/2008 19:13 32.45 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00039c 21/10/2008 19:13 44.17 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\temp\_iu14D2N.tmp 21/10/2008 19:00 704.28 KB Hidden from Windows API.
C:\sccfg.sys 21/10/2008 13:25 358 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\_IU14D2N.TMP-326611CD.pf 21/10/2008 19:00 14.81 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf 21/10/2008 18:57 75.19 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf 21/10/2008 18:58 14.43 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\SPYWARECEASE.EXE-2100A446.pf 21/10/2008 18:55 36.19 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\SPYWARECEASE_SETUP.EXE-1E4B0CBF.pf 21/10/2008 18:55 14.58 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\SPYWARECEASE_SETUP.TMP-089ECF54.pf 21/10/2008 18:55 19.27 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\UNINS000.EXE-22881BBD.pf 21/10/2008 19:00 16.21 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\RKHit.sys 08/10/2008 16:29 28.00 KB Hidden from Windows API.
C:\WINDOWS\Temp\e26e5105-fe41-4e09-b1aa-600fbdf34659.tmp 02/10/2008 12:16 0 bytes Hidden from Windows API.
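An added example, not part of the original post or of the scanner's own output, for the discrepancy log above (its line layout matches RootkitRevealer-style reports: path, date, time, size, description). The script parses the lines, counts them by discrepancy type, and drops locations such scans report routinely, so the remaining hidden items can be checked by hand. The noise patterns are my own assumptions, and the embedded log is a constructed subset of the one posted.

```python
"""Bucket and de-noise a RootkitRevealer-style discrepancy log (editor's example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One finding per line: <path> <dd/mm/yyyy> <HH:MM> <size> <unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB) (?P<desc>.+)$"
)

# Assumed noise list: locations whose discrepancies this kind of scan reports routinely
# (browser caches and prefetch churn while the scan runs; LSA secrets and SecuROM keys
# use embedded nulls by design; the RNG seed value changes constantly). Tune per case.
NOISE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\.*\\Cache\\", re.I),
    re.compile(r"\\WINDOWS\\Prefetch\\", re.I),
    re.compile(r"\\Application Data\\Skype\\.*\\chatsync\\", re.I),
    re.compile(r"\\Control Panel\\International(\\Geo)?$", re.I),
    re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\", re.I),
    re.compile(r"\\Software\\SecuROM\\", re.I),
    re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed$", re.I),
]

# Constructed subset of the log posted above.
SAMPLE_LOG = r"""
HKU\.DEFAULT\Control Panel\International 21/10/2008 13:37 0 bytes Security mismatch.
HKU\S-1-5-21-1343024091-1580818891-725345543-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 31/10/2007 19:28 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 06/03/2006 23:13 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 21/10/2008 18:45 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Don & Chris\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000380 21/10/2008 18:51 21.76 KB Hidden from Windows API.
C:\Documents and Settings\Don & Chris\Local Settings\temp\_iu14D2N.tmp 21/10/2008 19:00 704.28 KB Hidden from Windows API.
C:\sccfg.sys 21/10/2008 13:25 358 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf 21/10/2008 18:58 14.43 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\RKHit.sys 08/10/2008 16:29 28.00 KB Hidden from Windows API.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    when: str   # "dd/mm/yyyy HH:MM", exactly as the tool printed it
    size: str   # e.g. "21.76 KB"
    desc: str

    @property
    def kind(self) -> str:
        """Coarse discrepancy class derived from the description text."""
        d = self.desc.lower()
        if d.startswith("hidden from windows api"):
            return "hidden"
        if "embedded nulls" in d:
            return "embedded-nulls"
        if d.startswith("security mismatch"):
            return "acl-mismatch"
        if d.startswith("data mismatch"):
            return "data-mismatch"
        return "other"

    @property
    def is_noise(self) -> bool:
        return any(p.search(self.path) for p in NOISE_PATTERNS)


def parse_log(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Finding(m["path"], f"{m['date']} {m['time']}",
                               f"{m['size']} {m['unit']}", m["desc"]))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """How many findings of each kind the scan produced."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def needs_review(findings: list[Finding]) -> list[Finding]:
    """Hidden files/keys left after the noise list is applied, oldest first.

    'Hidden from Windows API' is a discrepancy between the API view and the raw
    disk/hive view, not proof of malware; every survivor still has to be checked
    by hand (file signature, hash, which product installed it)."""
    survivors = [f for f in findings if f.kind == "hidden" and not f.is_noise]
    # when = "dd/mm/yyyy HH:MM" -> sort by (yyyy, mm, dd, HH:MM)
    return sorted(survivors, key=lambda f: (f.when[6:10], f.when[3:5], f.when[0:2], f.when[11:]))


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("by kind:", summarize(found))
    for f in needs_review(found):
        print(f"[review] {f.when} {f.size:>10} {f.path}")
```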
 
Remove:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

How do you know someone is getting into your WoW account?
 
I know because when I logged in one day most of my stuff had been sold, and I also received a warning from Blizzard that it had been compromised.
 
How long ago was this? Has your password been changed? Getting emails from Blizzard about your account, password changes, etc?
 
Years of hard work gone. Someone else accessed your account and stripped your main of all his gold, bank items and tradable equipment. "But I don't give my password to anyone!" you wail. You don't have to, the keylogger program knows it anyway.

What's a keylogger? It's a small, virus-type program that can accidentally be installed on your computer. How might a keylogger be installed on your system?

  • Visiting an untrustworthy web site. Some sites may have code in them that exploit your web browser and cause it to quietly install a keylogging application without your permission. (Note: even trustworthy sites can be hacked! The same hackers who are after your information can hack what you think of as trustworthy sites and add exploit code to them which could give you a keylogger.)
  • Downloading addons (or other files) from an untrustworthy site. Any executable file you download could contain a keylogger or virus, so before you download a file, be sure you're downloading it from a source you trust!
Once a keylogger gets installed, it starts recording every keystroke you make. And when you type in your account name and password for your WoW account, it captures that, too. The next time you access the Internet, it sends your private information to the hackers who use it to log into WoW and strip all your characters of everything valuable leaving you with a penniless toon wearing nothing but his trousers.

This all sounds pretty scary, but don't worry -- there are ways to protect yourself from keylogging programs!

A WoW European Hunter, Eldariel, has written a great guide to defend your computer from keyloggers, spyware and viruses. Here's a run-down of what you can do to keep your computer safe and sound:

  • Get a virus scanner. Grisoft provides one for free. Be sure to configure it to scan your system regularly and to check for updates. (Even the best anti-virus software won't do you any good if it doesn't know about the latest virus information -- so keep it updated!)
  • Get a free anti-spyware program and run it. Spy Sweeper is a good one. As with your anti-virus software, be sure to configure it to scan your system regularly and check for updates.
  • Install firewall software that prevents any unauthorized access between your computer and the Internet. Comodo is recommended. Again, it's free and well regarded.
  • Be sure to run the latest version of your browser software. Whether it's Internet Explorer or Firefox, keep it patched and up to date! Many exploits that hackers use have already been patched by the software vendors -- all you have to do is stay updated!
  • On the subject of browsers, consider using Firefox. There's plenty of room for debate on whether it's more secure than Internet Explorer, but for now, at least, there are more viruses and exploits out there that target Internet Explorer, simply because it's more widely-used.
  • Keep your OS up to date. Just like with browsers, many hackers will try to install keyloggers on your system using exploits that have long since been patched by the software vendor. If you run Windows, be sure to run Windows Update regularly -- in fact, I recommend setting it up to run automatically on a daily basis.
  • Be careful downloading files! While your anti-virus and anti-spyware software should catch anything that gets installed, it's better to catch them before they get installed and have a chance to cause damage. Never download files from sites you don't trust and be wary of opening unexpected e-mail attachments.
  • You can configure your WoW client to remember your user name. In this case, even if you get a keylogger installed, they'll find your password, but won't know your account name. The password is useless without the account name, and if you don't type the account name, a keylogger won't see it.
  • And, of course, never share your password. You may just give it to one person, but who knows where it could go from there. (For all you know they've got it on a post-it note on their monitor where anyone can see it.)
And if the worst scenario happens and your account is stolen, contact Blizzard support immediately. It can be a painful process to restore your account (Blizzard will immediately cut off access to the account until they can confirm your identity as the account-holder), but once your account has been compromised, it's the only way to get your stuff back and re-secure your account.

How to protect your system from keyloggers [Updated] - WOW Insider

The easiest protection against any keylogger scam is to never type your account name.


When you have time read up on LowLevelKeyboardProc, SetWindowsHookEx, GetWinText,and Clipboard.GetText. Then go install a firewall (Comodo.com (FREE)) with your virus scanner and quit using/downloading every stupid little thing you find to use as an addon, cheat, hack, or update to WOW.

World of Warcraft - English (NA) Forums -> Protecting Yourself From Keyloggers v1.0
 
My friends who play WoW got keylogged a few times, and had to make reports about all the stuff stolen from the account. They were fortunately refunded their gold and items and had their passwords reset. For safety, they would type out a sentence in Word that contained all of the letters in the password, and then copy and paste them into the password box. That way, the keylogger wouldn't pick up on the letters in their password.
 