Windows 7 Forums

Windows 7: I can't figure out if I have a keylogger or trojan :(


05 Feb 2010   #11

win 7 ultimate 64

Here is the Silent Runners log as well, with the supplementary scan.

I'm not sure how to read this either, and it's tough to determine if anything is "fishy" this way either.
Searching the web on many of these files implies that any of the programs I've used would detect a tampered file.


"Silent Runners.vbs", revision 60, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows 7
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools Lite" = ""C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun" ["DT Soft Ltd"]
"SpybotSD TeaTimer" = "C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RtHDVCpl" = "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s" ["Realtek Semiconductor"]
"MSSE" = ""C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgssiea.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}" = "NVIDIA Play On My TV Context Menu Extension"
-> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]
"{83238FAE-D346-4E12-8734-D42F7554B3E6}" = "DivX Thumbnail Provider"
-> {HKLM...CLSID} = "DivX Thumbnail Provider"
\InProcServer32\(Default) = "C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXThumbnailProvider.dll" ["DivX, Inc."]
"{D8D1CE8C-B1EB-4E95-B63B-1531BA60E992}" = "DivX Property Handler"
-> {HKLM...CLSID} = "DivX Property Handler"
\InProcServer32\(Default) = "C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXPropertyHandler.dll" ["DivX, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech, Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG Shell Extension"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "avgrssta.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<<!>> linkscanner\CLSID = "{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}"
-> {HKLM...CLSID} = "XPLPPFilter Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgppa.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
MSSE\(Default) = "{0365FE2C-F183-4091-AC82-BFC39FB75C49}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\shellext.dll" [MS]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
MSSE\(Default) = "{0365FE2C-F183-4091-AC82-BFC39FB75C49}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\shellext.dll" [MS]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
NvCplDesktopContext\(Default) = "{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}"
-> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

Default executables:
--------------------
HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"

Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]
MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /deviceVD "%L"" [MS]
MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]
MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]
MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L"" [MS]
WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files (x86)\Winamp\winamp.exe" "%1"" ["Nullsoft"]

Startup items in "blitz" & "All Users" startup folders:
-------------------------------------------------------
C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
<<!>> "CurseClientStartup.ccip" [null data]

Non-disabled Scheduled Tasks:
-----------------------------
C:\Users\blitz\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
C:\Windows\System32\Tasks
"{498F800C-9AA0-44D5-B5B5-47ED713147EE}" -> launches: "C:\Program Files (x86)\Skype\Phone\Skype.exe" ["Skype Technologies S.A."]
C:\Windows\System32\Tasks\Microsoft\Microsoft Antimalware
"MP Scheduled Scan" -> (HIDDEN!) launches: "C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
"AitAgent" -> launches: "aitagent" [MS]
"ProgramDataUpdater" -> launches: "%windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
"Proxy" -> launches: "%windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"
-> {HKLM...CLSID} = "KernelCeipCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\kernelceip.dll" [MS]
"UsbCeip" -> (HIDDEN!) launches: "{c27f6b1d-fe0b-45e4-9257-38799fa69bc8}"
-> {HKLM...CLSID} = "UsbCeip"
\InProcServer32\(Default) = "C:\Windows\System32\usbceip.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
"Scheduled" -> (HIDDEN!) launches: "{c1f85ef8-bcc2-4606-bb39-70c523715eb3}"
-> {HKLM...CLSID} = "ScheduledDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\sdiagschd.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Location
"Notifications" -> launches: "%windir%\System32\LocationNotifications.exe" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
"WinSAT" -> launches: "{A9A33436-678B-4C9C-A211-7CC38785E79D}"
-> {HKLM...CLSID} = "WinSAT Task Manger Task"
\InProcServer32\(Default) = "C:\Windows\system32\WinSATAPI.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ActivateWindowsSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch" [MS]
"ConfigureInternetTimeService" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService" [MS]
"DispatchRecoveryTasks" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)" [MS]
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"InstallPlayReady" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0)" [MS]
"MediaCenterRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask" [MS]
"ObjectStoreRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)" [MS]
"PBDADiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery" [MS]
"PBDADiscoveryW1" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery" [MS]
"PBDADiscoveryW2" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery" [MS]
"PvrRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask" [MS]
"PvrScheduleTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrSchedule" [MS]
"RegisterSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)" [MS]
"ReindexSearchRoot" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot" [MS]
"SqlLiteRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
"CorruptionDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
-> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
"DecompressionFailureDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
-> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
"GatherNetworkInfo" -> launches: "%windir%\system32\gatherNetworkInfo.vbs" [null data]
C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
"AnalyzeSystem" -> launches: "%SystemRoot%\System32\powercfg.exe -energy -auto" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RacTask" -> (HIDDEN!) launches: "{42060D27-CA53-41f5-96E4-B1E8169308A6}"
-> {HKLM...CLSID} = "ReliabilityAnalysisCustomHandler"
\InProcServer32\(Default) = "C:\Windows\system32\RacEngn.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Ras
"MobilityManager" -> launches: "{c463a0fc-794f-4fdf-9201-01938ceacafa}"
-> {HKLM...CLSID} = "RasMobilityManager"
\InProcServer32\(Default) = "C:\Windows\system32\rasmbmgr.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Registry
"RegIdleBackup" -> (HIDDEN!) launches: "{ca767aa8-9157-4604-b64b-40747123d5f2}"
-> {HKLM...CLSID} = "RegistryIdleBackupHandler"
\InProcServer32\(Default) = "C:\Windows\System32\regidle.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
"Interactive" -> (HIDDEN!) launches: "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"
-> {HKLM...CLSID} = "RunTask"
\InProcServer32\(Default) = "C:\Windows\system32\wdc.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
"SynchronizeTime" -> launches: "%windir%\system32\sc.exe start w32time task_started" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
"BfeOnServiceStartTypeChange" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
"UpdateLibrary" -> launches: ""%ProgramFiles%\Windows Media Player\wmpnscfg.exe"" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
"ConfigNotification" -> launches: "%systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Free E-mail Scanner, avg9emc, ""C:\Program Files (x86)\AVG\AVG9\avgemc.exe"" ["AVG Technologies CZ, s.r.o."]
AVG Free WatchDog, avg9wd, ""C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe"" ["AVG Technologies CZ, s.r.o."]
Elite Antikeylogger monitoring service, Elite Antikeylogger monitoring service, "C:\Program Files (x86)\Widestep Software\Elite Antikeylogger\wseaksrv.exe /service" ["Widestep Security Software"]
Microsoft Antimalware Service, MsMpSvc, ""C:\Program Files\Microsoft Security Essentials\MsMpEng.exe"" [MS]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]

Accessibility Tools:
--------------------
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp\
"osk" = dword:0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\osk\
"Description" = "On-screen Keyboard"
"StartExe" = "C:\Windows\System32\osk.exe" [MS]

Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
BJ Fax Language Monitor1\Driver = "CNHF1LM.DLL" ["CANON INC."]
BJ Language Monitor4\Driver = "CNBLM4.DLL" ["CANON INC."]

---------- (launch time: 2010-02-05 12:23:23)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 95 seconds.
---------- (total run time: 130 seconds)

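A way to read a report like the one above, as an added example that is not part of the thread or of the Silent Runners script: it pulls out the entries Silent Runners itself marks (`<<!>>`, `(HIDDEN!)`, `[file not found]`, `[null data]`) and orders them by how much attention they need. It assumes the report was saved as plain text in the layout shown (section title, a line of dashes, then entries); the sample is a handful of lines copied from the report above.

```python
"""Triage a Silent Runners report: list the launch points that deserve a
second look, most urgent first. Added example, not from the thread or from
the Silent Runners script. Silent Runners tags each file with the company
name from its version resource ("MS" for Microsoft); "[null data]" means the
file carries none, "[file not found]" means the launch point refers to a
missing file, and "<<!>>" marks data at a known malware launch point."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report in the thread, with the
# section headers they sit under, enough to exercise every rule.
SAMPLE_REPORT = r"""
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RtHDVCpl" = "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s" ["Realtek Semiconductor"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "avgrssta.dll" ["AVG Technologies CZ, s.r.o."]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

Startup items in "blitz" & "All Users" startup folders:
-------------------------------------------------------
C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
<<!>> "CurseClientStartup.ccip" [null data]

Non-disabled Scheduled Tasks:
-----------------------------
"MP Scheduled Scan" -> (HIDDEN!) launches: "C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe Scan" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]
"""

MARKERS = {
    "<<!>>": "Silent Runners flagged data at a malware launch point",
    "(HIDDEN!)": "scheduled task is hidden in the Task Scheduler UI",
    "[file not found]": "launch point refers to a file that does not exist",
    "[null data]": "file has no version/company information",
}
NO_PUBLISHER = {"null data", "file not found"}
PUBLISHER_RE = re.compile(r"\[([^\[\]]*)\]\s*$")   # trailing [Company] tag


@dataclass
class Finding:
    section: str
    tags: tuple
    publisher: str
    entry: str

    def reasons(self):
        return "; ".join(MARKERS[t] for t in self.tags)


def _is_rule(line):
    s = line.strip()
    return bool(s) and set(s) == {"-"}


def parse_report(text):
    """Walk the report, tracking the section each entry belongs to."""
    lines = text.splitlines()
    section, findings = "(preamble)", []
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and _is_rule(lines[i + 1]):
            section = line.strip().rstrip(":")   # header sits above a dashed rule
            continue
        if _is_rule(line) or not line.strip():
            continue
        tags = tuple(m for m in MARKERS if m in line)
        if not tags:
            continue
        m = PUBLISHER_RE.search(line)
        tag = m.group(1).strip('"') if m else ""
        publisher = tag if tag and tag not in NO_PUBLISHER else "(none)"
        findings.append(Finding(section, tags, publisher, line.strip()))
    return findings


def priority(f):
    """Lower sorts first: flagged launch points with no publisher, then other
    flagged or missing-file entries, then unsigned files, then vendor-tagged."""
    if "<<!>>" in f.tags and f.publisher == "(none)":
        return 0
    if "<<!>>" in f.tags or "[file not found]" in f.tags:
        return 1
    return 2 if f.publisher == "(none)" else 3


def triage(text):
    return sorted(parse_report(text), key=priority)   # stable: report order within a tier


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{priority(f)}] {f.section}\n    {f.entry}\n    -> {f.reasons()} (publisher: {f.publisher})")
```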

05 Feb 2010   #12

win 7 ultimate 64

Yeah, I tried to, but it only runs on Win2k and NT, and I haven't uninstalled it yet.
05 Feb 2010   #13

Win 7 Ultimate SP1 x64

Details on the suspicious process mentioned earlier by jav.

WSEAKADM.EXE, Prevx

EDIT - I analyzed TS's HJT log with the HijackThis site's log analysis; it states the process is "Nasty".

Screenshot below.


[Attached screenshot: untitled.jpg]


05 Feb 2010   #14

You're missing some things... but I noticed a couple of things, so I have a couple more questions:

1. When did you install the "anti-keylogger" and where did you get it from?
2. Can you run netstat -ano from cmd and paste the contents into a post?
3. Are you the only person that uses this computer or that has direct access to it?


I see the "infection" but I'm still trying to figure out how it's communicating.

Are you running Outlook or Outlook Express on your machine?

The netstat -ano will tell me what it's using to communicate.
05 Feb 2010   #15

win 7 ultimate 64

I installed the anti-keylogger after the fact.
You can find it at elite-antikeylogger.com or widestep.com/anti-keylogger

I'm not sure if it was meant to clean up their personal keylogger or is just another business, or if it is malware. I want to say I got the link from an old WoW account security post, or wherever exactly I got the referral about it (I'll look after I post this).

My wife has access to this computer, but she only uses it for the printer. She has her own laptop.


Here is my netstat -ano:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING 1064
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 508
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 460
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 424
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 568
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 588
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1484
TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 4964
TCP 127.0.0.1:56916 0.0.0.0:0 LISTENING 4268
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.2:60848 96.17.8.33:80 ESTABLISHED 3552
TCP 192.168.0.2:60849 96.17.8.33:80 ESTABLISHED 3552
TCP [::]:135 [::]:0 LISTENING 924
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:554 [::]:0 LISTENING 1064
TCP [::]:2869 [::]:0 LISTENING 4
TCP [::]:3587 [::]:0 LISTENING 2992
TCP [::]:5357 [::]:0 LISTENING 4
TCP [::]:10243 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 508
TCP [::]:49153 [::]:0 LISTENING 460
TCP [::]:49154 [::]:0 LISTENING 424
TCP [::]:49155 [::]:0 LISTENING 568
TCP [::]:49156 [::]:0 LISTENING 588
TCP [::]:49157 [::]:0 LISTENING 1484
UDP 0.0.0.0:500 *:* 424
UDP 0.0.0.0:3702 *:* 1116
UDP 0.0.0.0:3702 *:* 1636
UDP 0.0.0.0:3702 *:* 1636
UDP 0.0.0.0:3702 *:* 1116
UDP 0.0.0.0:4500 *:* 424
UDP 0.0.0.0:5004 *:* 1064
UDP 0.0.0.0:5005 *:* 1064
UDP 0.0.0.0:5355 *:* 1360
UDP 0.0.0.0:54071 *:* 1636
UDP 0.0.0.0:59921 *:* 1116
UDP 0.0.0.0:64160 *:* 1116
UDP 127.0.0.1:1900 *:* 1636
UDP 127.0.0.1:44301 *:* 1684
UDP 127.0.0.1:50005 *:* 1540
UDP 127.0.0.1:51271 *:* 4796
UDP 127.0.0.1:52504 *:* 1636
UDP 127.0.0.1:63515 *:* 3552
UDP 127.0.0.1:64336 *:* 4360
UDP 192.168.0.2:137 *:* 4
UDP 192.168.0.2:138 *:* 4
UDP 192.168.0.2:1900 *:* 1636
UDP 192.168.0.2:52503 *:* 1636
UDP [::]:500 *:* 424
UDP [::]:3540 *:* 2992
UDP [::]:3702 *:* 1116
UDP [::]:3702 *:* 1636
UDP [::]:3702 *:* 1636
UDP [::]:3702 *:* 1116
UDP [::]:4500 *:* 424
UDP [::]:5004 *:* 1064
UDP [::]:5005 *:* 1064
UDP [::]:5355 *:* 1360
UDP [::]:54072 *:* 1636
UDP [::]:59922 *:* 1116
UDP [::]:64161 *:* 1116
UDP [::1]:1900 *:* 1636
UDP [::1]:52502 *:* 1636
UDP [fe80::c418:7c92:c209:721f%13]:1900 *:* 1636
UDP [fe80::c418:7c92:c209:721f%13]:52501 *:* 1636
C:\Windows\system32>

I do not use Outlook.
05 Feb 2010   #16

OK, now "netstat -a -b" for comparison. Please copy and paste it into a post.
05 Feb 2010   #17

win 7 ultimate 64

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netstat -a -b
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 blitz-PC:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:554 blitz-PC:0 LISTENING
[wmpnetwk.exe]
TCP 0.0.0.0:2869 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5357 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:10243 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:49152 blitz-PC:0 LISTENING
[wininit.exe]
TCP 0.0.0.0:49153 blitz-PC:0 LISTENING
eventlog
[svchost.exe]
TCP 0.0.0.0:49154 blitz-PC:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:49155 blitz-PC:0 LISTENING
[services.exe]
TCP 0.0.0.0:49156 blitz-PC:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:49157 blitz-PC:0 LISTENING
[spoolsv.exe]
TCP 127.0.0.1:10110 blitz-PC:0 LISTENING
[avgemc.exe]
TCP 127.0.0.1:56916 blitz-PC:0 LISTENING
[CurseClient.exe]
TCP 192.168.0.2:139 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP 192.168.0.2:61077 65.55.184.27:http ESTABLISHED
wuauserv
[svchost.exe]
TCP 192.168.0.2:61079 65.55.184.27:https ESTABLISHED
wuauserv
[svchost.exe]
TCP [::]:135 blitz-PC:0 LISTENING
RpcSs
[svchost.exe]
TCP [::]:445 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP [::]:554 blitz-PC:0 LISTENING
[wmpnetwk.exe]
TCP [::]:2869 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP [::]:3587 blitz-PC:0 LISTENING
p2pimsvc
[svchost.exe]
TCP [::]:5357 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP [::]:10243 blitz-PC:0 LISTENING
Can not obtain ownership information
TCP [::]:49152 blitz-PC:0 LISTENING
[wininit.exe]
TCP [::]:49153 blitz-PC:0 LISTENING
eventlog
[svchost.exe]
TCP [::]:49154 blitz-PC:0 LISTENING
Schedule
[svchost.exe]
TCP [::]:49155 blitz-PC:0 LISTENING
[services.exe]
TCP [::]:49156 blitz-PC:0 LISTENING
[lsass.exe]
TCP [::]:49157 blitz-PC:0 LISTENING
[spoolsv.exe]
UDP 0.0.0.0:500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:3702 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:3702 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:3702 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:4500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5004 *:*
[wmpnetwk.exe]
UDP 0.0.0.0:5005 *:*
[wmpnetwk.exe]
UDP 0.0.0.0:5355 *:*
Dnscache
[svchost.exe]
UDP 0.0.0.0:54071 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:59921 *:*
EventSystem
[svchost.exe]
UDP 0.0.0.0:64160 *:*
EventSystem
[svchost.exe]
UDP 127.0.0.1:1900 *:*
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:44301 *:*
[PnkBstrA.exe]
UDP 127.0.0.1:52504 *:*
SSDPSRV
[svchost.exe]
UDP 192.168.0.2:137 *:*
Can not obtain ownership information
UDP 192.168.0.2:138 *:*
Can not obtain ownership information
UDP 192.168.0.2:1900 *:*
SSDPSRV
[svchost.exe]
UDP 192.168.0.2:52503 *:*
SSDPSRV
[svchost.exe]
UDP [::]:500 *:*
IKEEXT
[svchost.exe]
UDP [::]:3540 *:*
p2pimsvc
[svchost.exe]
UDP [::]:3702 *:*
EventSystem
[svchost.exe]
UDP [::]:3702 *:*
FDResPub
[svchost.exe]
UDP [::]:3702 *:*
FDResPub
[svchost.exe]
UDP [::]:3702 *:*
EventSystem
[svchost.exe]
UDP [::]:4500 *:*
IKEEXT
[svchost.exe]
UDP [::]:5004 *:*
[wmpnetwk.exe]
UDP [::]:5005 *:*
[wmpnetwk.exe]
UDP [::]:5355 *:*
Dnscache
[svchost.exe]
UDP [::]:54072 *:*
FDResPub
[svchost.exe]
UDP [::]:59922 *:*
EventSystem
[svchost.exe]
UDP [::]:64161 *:*
EventSystem
[svchost.exe]
UDP [::1]:1900 *:*
SSDPSRV
[svchost.exe]
UDP [::1]:52502 *:*
SSDPSRV
[svchost.exe]
UDP [fe80::c418:7c92:c209:721f%13]:1900 *:*
SSDPSRV
[svchost.exe]
UDP [fe80::c418:7c92:c209:721f%13]:52501 *:*
SSDPSRV
[svchost.exe]
C:\Windows\system32>
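One way to read the two listings together, as an added example that is not from the thread: `netstat -ano` gives the PID behind each socket and `netstat -a -b` gives the owning image and service, so joining them on the local endpoint tells you which program sits on each port. It assumes both listings were saved as plain text; the sample rows are copied from the two outputs above and trimmed, and the established connection is deliberately left as posted (different ephemeral port in each run) to show what happens when the two snapshots do not line up.

```python
"""Join 'netstat -ano' (PID per socket) with 'netstat -a -b' (owning image and
service). Added example, not from the forum thread; sample rows are copied
from the two listings above and assumed saved as plain text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed samples: a few rows of each listing from the thread.
NETSTAT_ANO = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
TCP    0.0.0.0:554            0.0.0.0:0              LISTENING       1064
TCP    127.0.0.1:10110        0.0.0.0:0              LISTENING       4964
TCP    127.0.0.1:56916        0.0.0.0:0              LISTENING       4268
TCP    192.168.0.2:60848      96.17.8.33:80          ESTABLISHED     3552
UDP    127.0.0.1:44301        *:*                                    1684
"""
NETSTAT_AB = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            blitz-PC:0             LISTENING
 RpcSs
 [svchost.exe]
TCP    0.0.0.0:554            blitz-PC:0             LISTENING
 [wmpnetwk.exe]
TCP    127.0.0.1:10110        blitz-PC:0             LISTENING
 [avgemc.exe]
TCP    127.0.0.1:56916        blitz-PC:0             LISTENING
 [CurseClient.exe]
TCP    192.168.0.2:61077      65.55.184.27:http      ESTABLISHED
 wuauserv
 [svchost.exe]
UDP    127.0.0.1:44301        *:*
 [PnkBstrA.exe]
"""
SERVICE_PORTS = {"http": "80", "https": "443"}   # names -a substitutes for numbers
NO_OWNER = "Can not obtain ownership information"


@dataclass
class Sock:
    proto: str
    local: str
    foreign: str
    state: str
    pid: Optional[str] = None
    image: Optional[str] = None     # from -b: [image.exe]
    service: Optional[str] = None   # from -b: service hosted in that image


def endpoint_key(proto, endpoint):
    """('TCP', '[::]:135') -> ('TCP', '::', '135'); port names normalised."""
    host, _, port = endpoint.rpartition(":")
    return proto, host.strip("[]").split("%")[0], SERVICE_PORTS.get(port, port)


def parse_ano(text):
    socks = {}
    for line in text.splitlines():
        p = line.split()
        if not p or p[0] not in ("TCP", "UDP"):
            continue
        if p[0] == "TCP":
            proto, local, foreign, state, pid = p
        else:                       # UDP rows carry no State column
            proto, local, foreign, pid = p
            state = ""
        socks[endpoint_key(proto, local)] = Sock(proto, local, foreign, state, pid)
    return socks


def parse_ab(text):
    """Owner lines follow each socket row: optional service name, then [image]."""
    owners, cur = {}, None
    for line in text.splitlines():
        p = line.split()
        if p and p[0] in ("TCP", "UDP"):
            cur = owners.setdefault(endpoint_key(p[0], p[1]), {})
        elif cur is not None and p:
            tok = " ".join(p)
            if tok.startswith("[") and tok.endswith("]"):
                cur["image"] = tok[1:-1]
            elif tok != NO_OWNER:
                cur["service"] = tok
    return owners


def correlate(ano_text, ab_text):
    owners = parse_ab(ab_text)
    socks = list(parse_ano(ano_text).values())
    for s in socks:
        o = owners.get(endpoint_key(s.proto, s.local), {})
        s.image, s.service = o.get("image"), o.get("service")
    return socks


def _addr(endpoint):
    return ipaddress.ip_address(endpoint_key("", endpoint)[1])


def exposed_listeners(socks):
    """TCP listeners and UDP endpoints bound to every interface or a LAN address."""
    return [s for s in socks
            if (s.proto == "UDP" or s.state == "LISTENING") and not _addr(s.local).is_loopback]


def outbound(socks):
    """Established connections to addresses outside the private ranges."""
    return [s for s in socks if s.state == "ESTABLISHED" and not _addr(s.foreign).is_private]


def unattributed(socks):
    """Rows with no owner in the -b listing: that snapshot was taken later, so
    short-lived connections (different ephemeral ports) do not line up."""
    return [s for s in socks if s.image is None]


if __name__ == "__main__":
    for s in correlate(NETSTAT_ANO, NETSTAT_AB):
        print(f"{s.proto:3} {s.local:24} {s.foreign:22} {s.state:11} pid={s.pid:5} "
              f"{s.image or '?'} {s.service or ''}")
```

On the live machine, `netstat -anob` from an elevated prompt captures PID and owner in one snapshot, which removes the mismatch the example shows for the established connection.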
05 Feb 2010   #18

Win 7 Ultimate SP1 x64

Need help solving TS's issue. Looks serious. Any suggestions would be greatly appreciated, thanks.
05 Feb 2010   #19
Microsoft MVP

Windows 7 Ultimate 32bit SP1

What is *TS's issue*?
05 Feb 2010   #20

Win 7 Ultimate SP1 x64

I am clueless at the moment, and unable to solve this. Possible keylogger/malware, as his WoW account got hacked twice.