HijackThis Analyzer And ComboFix

mihir

VIP Member
First Part
I recently cleaned up my parents' computer.
I used Malwarebytes, HijackThis, CCleaner and MSE.
I believe it is clean now. It is running pretty fast. The CPU idles at 1%. Core 2 Duo 2.0GHz with Windows 7.

I am too inexperienced to check the HijackThis log personally, except for the processes part, so I searched for a guide on how to analyze the HijackThis log.
Google came up with these automated online HijackThis analyzers - http://www.2-spyware.com/hjt.php
and
http://hjt.networktechs.com/
I analysed my log and then did exactly what it suggested.

So I wanted to know how good is it?
Is it trustable and usable for the future? Is it any good and worth recommending?





Second Part
I read a lot of posts on the forum about ComboFix, and how it is not recommended for amateurs and should not be run without an expert's advice. I wanted to know why?
And also, should I run it?

I recently scanned my computer using MBAM (updated) and cleaned everything, and my computer has been running pretty fast since then, so should I run ComboFix?

HIJACKTHIS LOG
I put it in code tags so that it takes less space.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:59:15 AM, on 5/17/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\BitTorrent\BitTorrent.exe
C:\Users\Naman\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Naman\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Naman\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Naman\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smartwebsearch.net/index.php?from=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6602 bytes
 
Those analyzers should be taken with a grain of salt. They can be used as a reference, but you should be somewhat familiar with infections and the way HijackThis works before actually fixing anything. I would have to see a before HijackThis log and then the after-fix log.

As far as running ComboFix, if the user is no longer experiencing issues then I don't have them run it. But if they are still having issues, or I know for a fact that there still may be some hidden infections, then I'll have them run it. Running ComboFix has a very minute chance of it screwing up the system (hence the reason why it has become unavailable a few times in the past couple of years). Someone has a better chance of taking the data from the log and doing more damage to your system if they perform unneeded scripts and delete something that shouldn't be.

I don't see any issues in your log though.
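To illustrate what "being familiar with the way HijackThis works" means when reading a log, here is an added example (not part of the original thread, and not code from HijackThis or from either online analyzer) that splits a log into its section codes and attaches review notes. The sample lines are copied from the log posted above; the two review heuristics and all function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# A selection of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7 SP1 (WinNT 6.00.3505)
Running processes:
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smartwebsearch.net/index.php?from=3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# What each section prefix in a HijackThis log refers to.
SECTIONS = {
    "R": "Internet Explorer start/search page settings",
    "F": "programs autoloaded via system.ini/win.ini (or their registry mappings)",
    "O2": "Browser Helper Object (DLL loaded into Internet Explorer)",
    "O4": "autostart entry (Run key or Startup folder)",
    "O8": "extra item in the IE right-click menu",
    "O9": "extra IE toolbar button or Tools menu item",
    "O18": "extra protocol or filter handler",
    "O23": "Windows service",
}

# An entry line looks like "O23 - Service: ..."; headers and process paths do not.
ENTRY = re.compile(r"^([A-Z])(\d{1,2}) - (.*)$")


def is_64bit_windows(log_text):
    """Heuristic (assumption of this example): WOW64 paths imply 64-bit Windows."""
    lowered = log_text.lower()
    return "program files (x86)" in lowered or "\\syswow64\\" in lowered


def describe(letter, number):
    """Look up the exact code first (O23), then the letter group (R, F)."""
    return SECTIONS.get(f"{letter}{number}") or SECTIONS.get(
        letter, "section not covered by this example")


def triage(log_text):
    """Return one dict per log entry: code, section meaning, detail, notes."""
    wow64 = is_64bit_windows(log_text)
    results = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header, blank line or running-process path
        letter, number, detail = match.groups()
        notes = []

        # Heuristic 1: a browser page outside microsoft.com is not proof of a
        # hijack, only something to confirm with the person using the PC.
        if letter == "R" and " = " in detail:
            host = urlparse(detail.split(" = ", 1)[1].strip()).hostname
            if host and host != "microsoft.com" and not host.endswith(".microsoft.com"):
                notes.append(f"page host {host}: confirm the user set this")

        # Heuristic 2: HijackThis is a 32-bit program. On 64-bit Windows its
        # System32 lookups are redirected to SysWOW64, so 64-bit system files
        # such as lsass.exe get reported as missing although they exist.
        if detail.endswith("(file missing)"):
            if wow64 and "\\system32\\" in detail.lower():
                notes.append("'file missing' is unreliable here: 32-bit scan "
                             "of System32 on 64-bit Windows")
            else:
                notes.append("target file not found: check for a leftover entry")

        results.append({
            "code": f"{letter}{number}",
            "section": describe(letter, number),
            "detail": detail,
            "notes": notes,
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["code"]:<4} {row["section"]}')
        print(f'     {row["detail"]}')
        for note in row["notes"]:
            print(f"     NOTE: {note}")
```

The notes are prompts for a human reviewer, not verdicts, and nothing in the script changes the system.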
 
Ok Thanks.
I overwrote the older hijackthis log with the new one so I don't have it.
But currently I am not facing any problems with the computer. But can you guide me on how I am supposed to analyze the HijackThis log, any guide or something? I can just see the processes and tell which ones are unneeded, nothing more than that.
Also why did you remove my code tags. :confused:
 

Bookmarked. :good:

Thank You. :good: :D


Also, my brother was sneaky and had put in a keylogger. I discovered that when I did the scans. MBAM removed all the infected files anyway, but I was not able to find it in the Control Panel program list.
I guess it was built that way, but now how do I remove the entire thing, making sure that it doesn't update itself some way through the internet or whatever? I want to remove all traces and log files stored by it.


LOG

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6587

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

5/16/2011 12:53:24 PM
mbam-log-2011-05-16 (12-53-24).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 359300
Time elapsed: 1 hour(s), 58 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 24
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 15
Files Infected: 184

Memory Processes Infected:
c:\Windows\SysWOW64\MPK\MPK.exe (Refog.Keylogger) -> 2580 -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\SysWOW64\MPK\sqlite3.dll (Refog.Keylogger) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{27BA317E-7BBD-4EBE-A06A-47F076D9D6F7} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2574231F-9D6F-4B0E-9041-5DD7484564AD} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MinBHO.ShowBarObj.1 (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MinBHO.ShowBarObj (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{A1A1E70D-58C5-4349-83B6-BE9682B9874D} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4BF423F5-1689-4003-8A05-829048C7D869} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO.1 (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{F334C7B0-8774-4d5b-BD7A-4F448D03A1AE} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{70EF8B2A-3A34-4913-AAFC-5A2827E0B1B1} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{AD49CE2B-B922-4E2A-AAD9-C1565855C7BC} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\KBBar.KBBarBand.1 (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\KBBar.KBBarBand (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F334C7B0-8774-4D5B-BD7A-4F448D03A1AE} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F334C7B0-8774-4D5B-BD7A-4F448D03A1AE} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SkyMedia (Adware.SkyMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Value: {D7BE8ED1-B138-48FD-BB22-9779A39130B1} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F334C7B0-8774-4D5B-BD7A-4F448D03A1AE} (Adware.SkyLab) -> Value: {F334C7B0-8774-4D5B-BD7A-4F448D03A1AE} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Value: {D7BE8ED1-B138-48FD-BB22-9779A39130B1} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F334C7B0-8774-4d5b-BD7A-4F448D03A1AE} (Adware.SkyLab) -> Value: {F334C7B0-8774-4d5b-BD7A-4F448D03A1AE} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\CPDA (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\CPDM (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\refog personal monitor (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Images (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Images (Refog.Keylogger) -> Quarantined and deleted successfully.

Files Infected:
c:\program files (x86)\youtubedownloader.org\youtubedownloader\MinBHO.dll (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
c:\program files (x86)\youtubedownloader.org\youtubedownloader\searchbho.dll (Redir.GSearch) -> Quarantined and deleted successfully.
c:\program files (x86)\youtubedownloader.org\youtubedownloader\youtubedownloader.dll (Adware.SkyLab) -> Quarantined and deleted successfully.
c:\downloads\adobe.photoshop.cs5.extended.v12.keygen.only.embrace-deantjah\Keygen\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Users\Naman\downloads\battlefield.bad.company.2.keygen-reloaded\rld-bbc2.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
d:\downloads\software\ultrasurf 9.4.exe (HackTool.Proxy) -> Quarantined and deleted successfully.
d:\downloads\software\assassin’s creed 2 keygen\assassin’s creed 2 keygen.exe (Adware.Agent) -> Quarantined and deleted successfully.
d:\downloads\software\eset nod32 antivirus & smart security 4.0.467 x32 & x64\key finder\eset special key finder v.1.exe (Riskware.KG) -> Quarantined and deleted successfully.
d:\downloads\software\eset nod32 antivirus & smart security 4.0.467 x32 & x64\key finder\nodlogin10b (nod32 serial input)\nl10b_32bits\setup.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
d:\downloads\software\eset nod32 antivirus & smart security 4.0.467 x32 & x64\key finder\nodlogin10b (nod32 serial input)\nl10b_64bits\setup.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
d:\Naman\tools\u998.exe (Trojan.UltraSurf) -> Quarantined and deleted successfully.
d:\Windows\System32\nsvBED7.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programdata\MPK\key.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7149017940 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7185678125 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7220400463 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7255124074 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7289846065 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7324569329 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7359292245 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7394015278 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7428738079 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7463460764 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7498184491 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7532906944 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7567629977 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7602352662 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7637075347 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7671798032 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7706520833 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7741243403 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7775966667 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7810690509 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7845412153 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7880135995 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7914858681 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_7949581366 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8400978009 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8435700463 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8470423148 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8574592824 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8609315856 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8644038194 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8678760301 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8713483218 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8748206250 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8782928935 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8921821528 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_8956544213 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9373218403 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9407940972 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9442663310 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9477387153 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9512109144 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9546832176 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9581554861 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9616278125 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9651001042 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40678_9685723264 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\i40679_4254981134 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\1\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\CPDM\cpfm.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\refog personal monitor\order now!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\refog personal monitor\refog personal monitor on the web.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\refog personal monitor\refog personal monitor.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\programdata\MPK\refog personal monitor\uninstall refog personal monitor.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\French.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\German.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\icon_1.ico (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\key.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\libeay32.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\logstart.vbs (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\loguninstall.vbs (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\MPK.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\mpknetinstall.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Romanian.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Spanish.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\sqlite3.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\ssleay32.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\temp1.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\trial_pro.ini (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\unins000.dat (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\unins000.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\zlib1.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\update.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\English\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Help\Spanish\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Images\english.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Images\german.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Images\russian.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Images\vista_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\System32\MPK\Images\xp_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\French.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\German.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\icon_1.ico (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\key.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\libeay32.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\logstart.vbs (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\loguninstall.vbs (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\MPK.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\mpknetinstall.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Romanian.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Spanish.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\sqlite3.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\ssleay32.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\temp1.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\trial_pro.ini (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\unins000.dat (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\unins000.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\zlib1.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\update.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\English\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Help\Spanish\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Images\english.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Images\german.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Images\russian.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Images\vista_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\MPK\Images\xp_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
 
You may want to download and install Spybot - Search & Destroy. However, it seems Malwarebytes took care of it for the most part.

The reason why I'm saying to run Spybot is that this was the only thing that fully removed it back in July of last year for one of our users. Malwarebytes wouldn't fully clean it, but it looks like it has this time. May be worth it to install and scan with Spybot just to be sure.

http://www.computerforum.com/179306-software-removal-problem.html
 