i cant figure out if i have a keylogger or trojan :(


  1. Posts : 17
    win 7 ultimate 64
    Thread Starter
       #11

    here is the silent runners log as well, along with the supplementary scan

    im not sure how to read this either, and it's tough to determine if anything is "fishy" this way either.
    searching the web for many of these files suggests that any of the programs i've used would detect a tampered file


    "Silent Runners.vbs", revision 60, Silent Runners - Adware? Disinfect, don't reformat!
    Operating System: Windows 7
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    ---------------------------------
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "DAEMON Tools Lite" = ""C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun" ["DT Soft Ltd"]
    "SpybotSD TeaTimer" = "C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "RtHDVCpl" = "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s" ["Realtek Semiconductor"]
    "MSSE" = ""C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide" [MS]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
    -> {HKLM...CLSID} = "AVG Safe Search"
    \InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgssiea.dll" ["AVG Technologies CZ, s.r.o."]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}" = "NVIDIA Play On My TV Context Menu Extension"
    -> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
    \InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]
    "{83238FAE-D346-4E12-8734-D42F7554B3E6}" = "DivX Thumbnail Provider"
    -> {HKLM...CLSID} = "DivX Thumbnail Provider"
    \InProcServer32\(Default) = "C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXThumbnailProvider.dll" ["DivX, Inc."]
    "{D8D1CE8C-B1EB-4E95-B63B-1531BA60E992}" = "DivX Property Handler"
    -> {HKLM...CLSID} = "DivX Property Handler"
    \InProcServer32\(Default) = "C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXPropertyHandler.dll" ["DivX, Inc."]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
    -> {HKLM...CLSID} = "KbLogiExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech, Inc."]
    "{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
    -> {HKLM...CLSID} = "LogiExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
    "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
    -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
    "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
    -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG Shell Extension"
    -> {HKLM...CLSID} = "AVG Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "AppInit_DLLs" = "avgrssta.dll" ["AVG Technologies CZ, s.r.o."]
    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
    HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
    <<!>> linkscanner\CLSID = "{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}"
    -> {HKLM...CLSID} = "XPLPPFilter Class"
    \InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgppa.dll" ["AVG Technologies CZ, s.r.o."]
    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
    MSSE\(Default) = "{0365FE2C-F183-4091-AC82-BFC39FB75C49}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\shellext.dll" [MS]
    WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    MSSE\(Default) = "{0365FE2C-F183-4091-AC82-BFC39FB75C49}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\shellext.dll" [MS]
    WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
    HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
    WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
    HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
    NvCplDesktopContext\(Default) = "{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}"
    -> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
    \InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]
    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
    HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
    WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

    Default executables:
    --------------------
    HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
    <<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]

    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------
    Note: detected settings may not have any effect.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    "NoActiveDesktop" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}
    "NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}
    "ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    Active Desktop and Wallpaper:
    -----------------------------
    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"

    Windows Portable Device AutoPlay Handlers
    -----------------------------------------
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
    MSPlayCDAudioOnArrival\
    "Provider" = "@wmploc.dll,-6502"
    "InvokeProgID" = "WMP.AudioCD"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]
    MSPlayDVDMovieOnArrival\
    "Provider" = "@wmploc.dll,-6502"
    "InvokeProgID" = "WMP.DVD"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /deviceVD "%L"" [MS]
    MSPlaySuperVideoCDMovieOnArrival\
    "Provider" = "@wmploc.dll,-6502"
    "InvokeProgID" = "WMP.VCD"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]
    MSPlayVideoCDMovieOnArrival\
    "Provider" = "@wmploc.dll,-6502"
    "InvokeProgID" = "WMP.VCD"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]
    MSWMPBurnCDOnArrival\
    "Provider" = "@wmploc.dll,-6502"
    "InvokeProgID" = "WMP.BurnCD"
    "InvokeVerb" = "Burn"
    HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L"" [MS]
    WinampPlayMediaOnArrival\
    "Provider" = "Winamp"
    "InvokeProgID" = "Winamp.File"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files (x86)\Winamp\winamp.exe" "%1"" ["Nullsoft"]

    Startup items in "blitz" & "All Users" startup folders:
    -------------------------------------------------------
    C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    <<!>> "CurseClientStartup.ccip" [null data]

    Non-disabled Scheduled Tasks:
    -----------------------------
    C:\Users\blitz\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
    C:\Windows\System32\Tasks
    "{498F800C-9AA0-44D5-B5B5-47ED713147EE}" -> launches: "C:\Program Files (x86)\Skype\Phone\Skype.exe" ["Skype Technologies S.A."]
    C:\Windows\System32\Tasks\Microsoft\Microsoft Antimalware
    "MP Scheduled Scan" -> (HIDDEN!) launches: "C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
    "AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
    -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
    \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
    "AitAgent" -> launches: "aitagent" [MS]
    "ProgramDataUpdater" -> launches: "%windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
    "Proxy" -> launches: "%windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
    "UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
    "SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
    -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
    \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
    "UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
    -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
    \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
    "Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
    "KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"
    -> {HKLM...CLSID} = "KernelCeipCustomHandler"
    \InProcServer32\(Default) = "C:\Windows\System32\kernelceip.dll" [MS]
    "UsbCeip" -> (HIDDEN!) launches: "{c27f6b1d-fe0b-45e4-9257-38799fa69bc8}"
    -> {HKLM...CLSID} = "UsbCeip"
    \InProcServer32\(Default) = "C:\Windows\System32\usbceip.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
    "ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
    "Scheduled" -> (HIDDEN!) launches: "{c1f85ef8-bcc2-4606-bb39-70c523715eb3}"
    -> {HKLM...CLSID} = "ScheduledDiagnosticCustomHandler"
    \InProcServer32\(Default) = "C:\Windows\System32\sdiagschd.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Location
    "Notifications" -> launches: "%windir%\System32\LocationNotifications.exe" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
    "WinSAT" -> launches: "{A9A33436-678B-4C9C-A211-7CC38785E79D}"
    -> {HKLM...CLSID} = "WinSAT Task Manger Task"
    \InProcServer32\(Default) = "C:\Windows\system32\WinSATAPI.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
    "ActivateWindowsSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch" [MS]
    "ConfigureInternetTimeService" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService" [MS]
    "DispatchRecoveryTasks" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)" [MS]
    "ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
    "InstallPlayReady" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)" [MS]
    "mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0)" [MS]
    "MediaCenterRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask" [MS]
    "ObjectStoreRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask" [MS]
    "OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
    "OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)" [MS]
    "PBDADiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery" [MS]
    "PBDADiscoveryW1" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery" [MS]
    "PBDADiscoveryW2" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery" [MS]
    "PvrRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask" [MS]
    "PvrScheduleTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrSchedule" [MS]
    "RegisterSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)" [MS]
    "ReindexSearchRoot" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot" [MS]
    "SqlLiteRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask" [MS]
    "UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
    "CorruptionDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
    -> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
    \InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
    "DecompressionFailureDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
    -> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
    \InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
    "HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
    -> {HKLM...CLSID} = "HotStart User Agent"
    \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\MUI
    "LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
    "SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
    -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
    \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
    "GatherNetworkInfo" -> launches: "%windir%\system32\gatherNetworkInfo.vbs" [null data]
    C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
    "AnalyzeSystem" -> launches: "%SystemRoot%\System32\powercfg.exe -energy -auto" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\RAC
    "RacTask" -> (HIDDEN!) launches: "{42060D27-CA53-41f5-96E4-B1E8169308A6}"
    -> {HKLM...CLSID} = "ReliabilityAnalysisCustomHandler"
    \InProcServer32\(Default) = "C:\Windows\system32\RacEngn.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Ras
    "MobilityManager" -> launches: "{c463a0fc-794f-4fdf-9201-01938ceacafa}"
    -> {HKLM...CLSID} = "RasMobilityManager"
    \InProcServer32\(Default) = "C:\Windows\system32\rasmbmgr.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Registry
    "RegIdleBackup" -> (HIDDEN!) launches: "{ca767aa8-9157-4604-b64b-40747123d5f2}"
    -> {HKLM...CLSID} = "RegistryIdleBackupHandler"
    \InProcServer32\(Default) = "C:\Windows\System32\regidle.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
    "RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
    "GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
    -> {HKLM...CLSID} = "GadgetsManager Class"
    \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
    "SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
    "Interactive" -> (HIDDEN!) launches: "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"
    -> {HKLM...CLSID} = "RunTask"
    \InProcServer32\(Default) = "C:\Windows\system32\wdc.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
    "IpAddressConflict1" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
    "IpAddressConflict2" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
    "MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
    -> {HKLM...CLSID} = "MsCtfMonitor task handler"
    \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
    "SynchronizeTime" -> launches: "%windir%\system32\sc.exe start w32time task_started" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
    "UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\WDI
    "ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
    -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
    \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
    "QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
    "BfeOnServiceStartTypeChange" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
    "UpdateLibrary" -> launches: ""%ProgramFiles%\Windows Media Player\wmpnscfg.exe"" [MS]
    C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
    "ConfigNotification" -> launches: "%systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION" [MS]

    Winsock2 Service Provider DLLs:
    -------------------------------
    Namespace Service Providers
    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
    000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
    000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
    Transport Service Providers
    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 10

    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------
    AVG Free E-mail Scanner, avg9emc, ""C:\Program Files (x86)\AVG\AVG9\avgemc.exe"" ["AVG Technologies CZ, s.r.o."]
    AVG Free WatchDog, avg9wd, ""C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe"" ["AVG Technologies CZ, s.r.o."]
    Elite Antikeylogger monitoring service, Elite Antikeylogger monitoring service, "C:\Program Files (x86)\Widestep Software\Elite Antikeylogger\wseaksrv.exe /service" ["Widestep Security Software"]
    Microsoft Antimalware Service, MsMpSvc, ""C:\Program Files\Microsoft Security Essentials\MsMpEng.exe"" [MS]
    PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]

    Accessibility Tools:
    --------------------
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp\
    "osk" = dword:0x00000000
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\osk\
    "Description" = "On-screen Keyboard"
    "StartExe" = "C:\Windows\System32\osk.exe" [MS]

    Print Monitors:
    ---------------
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    BJ Fax Language Monitor1\Driver = "CNHF1LM.DLL" ["CANON INC."]
    BJ Language Monitor4\Driver = "CNBLM4.DLL" ["CANON INC."]

    ---------- (launch time: 2010-02-05 12:23:23)
    <<!>>: Suspicious data at a malware launch point.
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 95 seconds.
    ---------- (total run time: 130 seconds)


  2. Posts : 17
    win 7 ultimate 64
    Thread Starter
       #12

    yeah, i tried to, but it only runs on win2k and nt, and i haven't uninstalled it yet


  3. Posts : 1,443
    Win 7 Ultimate SP1 x64
       #13

    Details on the suspicious process mentioned earlier by jav.

    WSEAKADM.EXE, Prevx

    EDIT - i analyzed the TS's HJT log with the HijackThis site's log analysis; it flags the process as "Nasty".

    Screenshot below.


  4. Posts : 1,426
    7 Pro
       #14

    You're missing some things... but I noticed a couple of things, so I have a couple more questions:

    1. When did you install the "anti Keylogger" and where did you get it from?
    2. can you run netstat -ano from cmd and paste contents into a post?
    3. are you the only person that uses this computer or that has direct access to it?


    I see the "infection" but I'm still trying to figure out how it's communicating.

    Are you running outlook or outlook express on your machine?

    The netstat -ano output will show me what it's using to communicate, and which PID owns each connection.


  5. Posts : 17
    win 7 ultimate 64
    Thread Starter
       #15

    i installed the anti-key logger after the fact
    you can find it at elite-antikeylogger.com or widestep.com/anti-keylogger

    im not sure if it was meant to clean up their personal key logger, or is just another business, or if it is malware itself. i want to say i got the link from an old wow account security post, but i'm not sure exactly where i got the referral about it (i'll look after i post this)

    my wife has access to this computer, but she only uses it for the printer. she has her own laptop


    here is my netstat -ano:

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.
    C:\Windows\system32>netstat -ano
    Active Connections
    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:554 0.0.0.0:0 LISTENING 1064
    TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 508
    TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 460
    TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 424
    TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 568
    TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 588
    TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1484
    TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 4964
    TCP 127.0.0.1:56916 0.0.0.0:0 LISTENING 4268
    TCP 192.168.0.2:139 0.0.0.0:0 LISTENING 4
    TCP 192.168.0.2:60848 96.17.8.33:80 ESTABLISHED 3552
    TCP 192.168.0.2:60849 96.17.8.33:80 ESTABLISHED 3552
    TCP [::]:135 [::]:0 LISTENING 924
    TCP [::]:445 [::]:0 LISTENING 4
    TCP [::]:554 [::]:0 LISTENING 1064
    TCP [::]:2869 [::]:0 LISTENING 4
    TCP [::]:3587 [::]:0 LISTENING 2992
    TCP [::]:5357 [::]:0 LISTENING 4
    TCP [::]:10243 [::]:0 LISTENING 4
    TCP [::]:49152 [::]:0 LISTENING 508
    TCP [::]:49153 [::]:0 LISTENING 460
    TCP [::]:49154 [::]:0 LISTENING 424
    TCP [::]:49155 [::]:0 LISTENING 568
    TCP [::]:49156 [::]:0 LISTENING 588
    TCP [::]:49157 [::]:0 LISTENING 1484
    UDP 0.0.0.0:500 *:* 424
    UDP 0.0.0.0:3702 *:* 1116
    UDP 0.0.0.0:3702 *:* 1636
    UDP 0.0.0.0:3702 *:* 1636
    UDP 0.0.0.0:3702 *:* 1116
    UDP 0.0.0.0:4500 *:* 424
    UDP 0.0.0.0:5004 *:* 1064
    UDP 0.0.0.0:5005 *:* 1064
    UDP 0.0.0.0:5355 *:* 1360
    UDP 0.0.0.0:54071 *:* 1636
    UDP 0.0.0.0:59921 *:* 1116
    UDP 0.0.0.0:64160 *:* 1116
    UDP 127.0.0.1:1900 *:* 1636
    UDP 127.0.0.1:44301 *:* 1684
    UDP 127.0.0.1:50005 *:* 1540
    UDP 127.0.0.1:51271 *:* 4796
    UDP 127.0.0.1:52504 *:* 1636
    UDP 127.0.0.1:63515 *:* 3552
    UDP 127.0.0.1:64336 *:* 4360
    UDP 192.168.0.2:137 *:* 4
    UDP 192.168.0.2:138 *:* 4
    UDP 192.168.0.2:1900 *:* 1636
    UDP 192.168.0.2:52503 *:* 1636
    UDP [::]:500 *:* 424
    UDP [::]:3540 *:* 2992
    UDP [::]:3702 *:* 1116
    UDP [::]:3702 *:* 1636
    UDP [::]:3702 *:* 1636
    UDP [::]:3702 *:* 1116
    UDP [::]:4500 *:* 424
    UDP [::]:5004 *:* 1064
    UDP [::]:5005 *:* 1064
    UDP [::]:5355 *:* 1360
    UDP [::]:54072 *:* 1636
    UDP [::]:59922 *:* 1116
    UDP [::]:64161 *:* 1116
    UDP [::1]:1900 *:* 1636
    UDP [::1]:52502 *:* 1636
    UDP [fe80::c418:7c92:c209:721f%13]:1900 *:* 1636
    UDP [fe80::c418:7c92:c209:721f%13]:52501 *:* 1636
    C:\Windows\system32>

    I do not use outlook


  6. Posts : 1,426
    7 Pro
       #16

    ok, now run "netstat -a -b" for comparison. please copy/paste the output into a post.


  7. Posts : 17
    win 7 ultimate 64
    Thread Starter
       #17

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.
    C:\Windows\system32>netstat -a -b
    Active Connections
    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 blitz-PC:0 LISTENING
    RpcSs
    [svchost.exe]
    TCP 0.0.0.0:445 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP 0.0.0.0:554 blitz-PC:0 LISTENING
    [wmpnetwk.exe]
    TCP 0.0.0.0:2869 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP 0.0.0.0:5357 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP 0.0.0.0:10243 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP 0.0.0.0:49152 blitz-PC:0 LISTENING
    [wininit.exe]
    TCP 0.0.0.0:49153 blitz-PC:0 LISTENING
    eventlog
    [svchost.exe]
    TCP 0.0.0.0:49154 blitz-PC:0 LISTENING
    Schedule
    [svchost.exe]
    TCP 0.0.0.0:49155 blitz-PC:0 LISTENING
    [services.exe]
    TCP 0.0.0.0:49156 blitz-PC:0 LISTENING
    [lsass.exe]
    TCP 0.0.0.0:49157 blitz-PC:0 LISTENING
    [spoolsv.exe]
    TCP 127.0.0.1:10110 blitz-PC:0 LISTENING
    [avgemc.exe]
    TCP 127.0.0.1:56916 blitz-PC:0 LISTENING
    [CurseClient.exe]
    TCP 192.168.0.2:139 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP 192.168.0.2:61077 65.55.184.27:http ESTABLISHED
    wuauserv
    [svchost.exe]
    TCP 192.168.0.2:61079 65.55.184.27:https ESTABLISHED
    wuauserv
    [svchost.exe]
    TCP [::]:135 blitz-PC:0 LISTENING
    RpcSs
    [svchost.exe]
    TCP [::]:445 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP [::]:554 blitz-PC:0 LISTENING
    [wmpnetwk.exe]
    TCP [::]:2869 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP [::]:3587 blitz-PC:0 LISTENING
    p2pimsvc
    [svchost.exe]
    TCP [::]:5357 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP [::]:10243 blitz-PC:0 LISTENING
    Can not obtain ownership information
    TCP [::]:49152 blitz-PC:0 LISTENING
    [wininit.exe]
    TCP [::]:49153 blitz-PC:0 LISTENING
    eventlog
    [svchost.exe]
    TCP [::]:49154 blitz-PC:0 LISTENING
    Schedule
    [svchost.exe]
    TCP [::]:49155 blitz-PC:0 LISTENING
    [services.exe]
    TCP [::]:49156 blitz-PC:0 LISTENING
    [lsass.exe]
    TCP [::]:49157 blitz-PC:0 LISTENING
    [spoolsv.exe]
    UDP 0.0.0.0:500 *:*
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:3702 *:*
    EventSystem
    [svchost.exe]
    UDP 0.0.0.0:3702 *:*
    FDResPub
    [svchost.exe]
    UDP 0.0.0.0:3702 *:*
    FDResPub
    [svchost.exe]
    UDP 0.0.0.0:3702 *:*
    EventSystem
    [svchost.exe]
    UDP 0.0.0.0:4500 *:*
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:5004 *:*
    [wmpnetwk.exe]
    UDP 0.0.0.0:5005 *:*
    [wmpnetwk.exe]
    UDP 0.0.0.0:5355 *:*
    Dnscache
    [svchost.exe]
    UDP 0.0.0.0:54071 *:*
    FDResPub
    [svchost.exe]
    UDP 0.0.0.0:59921 *:*
    EventSystem
    [svchost.exe]
    UDP 0.0.0.0:64160 *:*
    EventSystem
    [svchost.exe]
    UDP 127.0.0.1:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP 127.0.0.1:44301 *:*
    [PnkBstrA.exe]
    UDP 127.0.0.1:52504 *:*
    SSDPSRV
    [svchost.exe]
    UDP 192.168.0.2:137 *:*
    Can not obtain ownership information
    UDP 192.168.0.2:138 *:*
    Can not obtain ownership information
    UDP 192.168.0.2:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP 192.168.0.2:52503 *:*
    SSDPSRV
    [svchost.exe]
    UDP [::]:500 *:*
    IKEEXT
    [svchost.exe]
    UDP [::]:3540 *:*
    p2pimsvc
    [svchost.exe]
    UDP [::]:3702 *:*
    EventSystem
    [svchost.exe]
    UDP [::]:3702 *:*
    FDResPub
    [svchost.exe]
    UDP [::]:3702 *:*
    FDResPub
    [svchost.exe]
    UDP [::]:3702 *:*
    EventSystem
    [svchost.exe]
    UDP [::]:4500 *:*
    IKEEXT
    [svchost.exe]
    UDP [::]:5004 *:*
    [wmpnetwk.exe]
    UDP [::]:5005 *:*
    [wmpnetwk.exe]
    UDP [::]:5355 *:*
    Dnscache
    [svchost.exe]
    UDP [::]:54072 *:*
    FDResPub
    [svchost.exe]
    UDP [::]:59922 *:*
    EventSystem
    [svchost.exe]
    UDP [::]:64161 *:*
    EventSystem
    [svchost.exe]
    UDP [::1]:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP [::1]:52502 *:*
    SSDPSRV
    [svchost.exe]
    UDP [fe80::c418:7c92:c209:721f%13]:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP [fe80::c418:7c92:c209:721f%13]:52501 *:*
    SSDPSRV
    [svchost.exe]
    C:\Windows\system32>^X
    C:\Windows\system32>
    C:\Windows\system32>


  8. Posts : 1,443
    Win 7 Ultimate SP1 x64
       #18

    Need help on solving the TS's issue. It looks serious. Any suggestions would be greatly appreciated, thanks. :)


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #19

    What is *TS's issue*?


  10. Posts : 1,443
    Win 7 Ultimate SP1 x64
       #20

    I am clueless at the moment, and unable to solve this. Possible keylogger/malware, as his WOW account got hacked twice.


 