Author Topic: How can I find out if my machine has a keylogger?  (Read 12815 times)


jim.mar (Topic Starter, OS: Windows 7)
How can I find out if my machine has a keylogger?
« on: June 29, 2011, 10:55:57 AM »
How can I find out if my machine has been loaded with a keylogger and what can I do about it? ???
I am using Windows 7 64 bit. Any help would be appreciated. :D JIM
You are much appreciated. Thank you,

SuperDave (Malware Removal Specialist, Moderator)
Re: How can I find out if my machine has a keylogger?
« Reply #1 on: June 29, 2011, 05:09:03 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
****************************************************
The only way to tell is to run some scans and take a look.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked
  • Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (preferably Notepad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and Paste the log in your post.
*******************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*********************************************
Download DDS from HERE or HERE and save it to your desktop.

* Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

Windows 8 and Windows 10 dual boot with two SSD's

jim.mar (Topic Starter)
Re: How can I find out if my machine has a keylogger?
« Reply #2 on: July 01, 2011, 03:34:38 PM »
SUPER DAVE: Thank you for replying. I have done as you asked and I hope that everything is here:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2011 at 11:37 AM

Application Version : 4.46.1000

Core Rules Database Version : 7363
Trace Rules Database Version: 5175

Scan type       : Complete Scan
Total Scan Time : 02:11:14

Memory items scanned      : 572
Memory threats detected   : 0
Registry items scanned    : 13825
Registry threats detected : 0
File items scanned        : 293793
File threats detected     : 83

Adware.Tracking Cookie
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\jim@bizrate[2].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\jim@insightexpressai[1].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\jim@invitemedia[1].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\jim@revsci[2].txt
   C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   *Blocked Russian URL* [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   media.mtvnservices.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   media1.break.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   secure-us.imrworldwide.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   static.xxxmatch.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   vidii.hardsextube.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   www.alphaporno.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   www.xxxelfxxx.com [ C:\Users\vue 3\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GL4SHS9N ]
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@adbrite[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@adultfriendfinder[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@advertising[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@adxpansion[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@alphaporno[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@apmebf[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@atdmt[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@chokertraffic[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@collective-media[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@doubleclick[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@ero-advertising[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@fastclick[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@hardsextube[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@hornymatches[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@imrworldwide[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@indieclick[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@insightexpressai[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@interclick[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@intermundomedia[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@invitemedia[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@media6degrees[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@mediabrandsww[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@mediaplex[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@pointroll[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@pornopet[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@prettyporntube[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@realmedia[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@serving-sys[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@specificclick[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@specificmedia[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@trafficholder[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@tribalfusion[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@tube1sex[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@tubesexmovies[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@vidsfucker[2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@xxxmatch[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@yieldmanager[1].txt
   C:\Users\vue 3\AppData\Roaming\Microsoft\Windows\Cookies\Low\vue_3@zedo[2].txt

Trojan.Agent/Gen-Frauder
   C:\USERS\VUE 3\DOWNLOADS\SETUP.EXE

-------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6998

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/1/2011 2:12:42 PM
mbam-log-2011-07-01 (14-12-41).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 495168
Time elapsed: 50 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files (x86)\hunting unlimited\sys\input.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\JIM\downloads\dailybibleguide.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
e:\great outdoors\Setup\sys\input.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------------------------
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by JIM at 14:32:29 on 2011-07-01
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4095.2533 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: PC Tools Firewall Plus *Enabled* {175D0B73-9F8F-2CA9-8BF1-62277A276DC9}
.
============== Running Processes ===============
.
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Stickies\stickies.exe
C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
svchost.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe
svchost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: H - No File
uURLSearchHooks: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll
uURLSearchHooks: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll
mURLSearchHooks: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll
mURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
BHO: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll
BHO: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll
TB: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {00000000-0000-0000-0000-000000000000} - No File
TB: {00F2C0C6-2194-484E-9064-44E57787867B} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {B9B97401-98E1-4942-930D-C36652DAB7F2} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Creative MediaSource Go] "C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
StartupFolder: C:\Users\JIM\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Stickies.lnk - C:\Program Files (x86)\Stickies\stickies.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9F8D9178-14EC-465A-9768-9E35F078DAD7} : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
mASetup: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
mASetup: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
mASetup: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
mASetup: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64:     0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64:     HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
BHO-X64: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll
BHO-X64: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: NetAssistantBHO Class: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll
BHO-X64:     NetAssistantBHO - No File
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64:     HP Smart BHO Class - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB-X64: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll
TB-X64: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {00000000-0000-0000-0000-000000000000} - No File
TB-X64: {00F2C0C6-2194-484E-9064-44E57787867B} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB-X64: {B9B97401-98E1-4942-930D-C36652DAB7F2} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [00PCTFW] "C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe" -s
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\JIM\AppData\Roaming\Mozilla\Firefox\Profiles\w7ayk5sh.default\
FF - prefs.js: browser.startup.homepage - hxxp://mgs.asksearch.com/?cfg=2-384-0-2e5iv
FF - prefs.js: browser.search.selectedEngine - Ask
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Users\JIM\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 pctgntdi;pctgntdi;\??\C:\Windows\System32\drivers\pctgntdi64.sys --> C:\Windows\System32\drivers\pctgntdi64.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-6-28 42184]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;C:\Program Files (x86)\PC Tools Firewall Plus\FWService.exe [2011-3-20 287024]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;\??\C:\Windows\system32\drivers\pctNdis-PacketFilter64.sys --> C:\Windows\system32\drivers\pctNdis-PacketFilter64.sys [?]
R3 pctNdisMP;PC Tools Driver;C:\Windows\system32\DRIVERS\pctNdis64.sys --> C:\Windows\system32\DRIVERS\pctNdis64.sys [?]
R3 pctplfw;pctplfw;\??\C:\Windows\System32\drivers\pctplfw64.sys --> C:\Windows\System32\drivers\pctplfw64.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-21 136176]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-21 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\6D4.tmp --> C:\Windows\system32\6D4.tmp [?]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;C:\Windows\system32\DRIVERS\pctNdis64.sys --> C:\Windows\system32\DRIVERS\pctNdis64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-07-01 16:15:09   8873296   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{82AD8914-64D5-4787-A143-7BAEB41BEB63}\mpengine.dll
2011-06-29 16:05:18   404992   ----a-w-   C:\Windows\System32\umpnpmgr.dll
2011-06-29 16:05:18   252928   ----a-w-   C:\Windows\SysWow64\drvinst.exe
2011-06-29 16:05:18   145920   ----a-w-   C:\Windows\SysWow64\cfgmgr32.dll
2011-06-29 16:05:17   64512   ----a-w-   C:\Windows\SysWow64\devobj.dll
2011-06-29 16:05:17   44544   ----a-w-   C:\Windows\SysWow64\devrtl.dll
2011-06-26 21:38:14   --------   d-----w-   C:\Users\JIM\God on the mountain
2011-06-26 21:36:54   --------   d-----w-   C:\Program Files (x86)\Common Files\Akamai
2011-06-16 18:29:58   197120   ----a-w-   C:\Windows\System32\d3d10_1.dll
2011-06-16 18:29:58   161792   ----a-w-   C:\Windows\SysWow64\d3d10_1.dll
2011-06-16 18:29:57   461312   ----a-w-   C:\Windows\System32\drivers\srv.sys
2011-06-16 18:29:57   399872   ----a-w-   C:\Windows\System32\drivers\srv2.sys
2011-06-16 18:29:57   161792   ----a-w-   C:\Windows\System32\drivers\srvnet.sys
2011-06-16 18:29:56   861184   ----a-w-   C:\Windows\System32\oleaut32.dll
2011-06-16 18:29:56   571904   ----a-w-   C:\Windows\SysWow64\oleaut32.dll
2011-06-16 18:29:55   976896   ----a-w-   C:\Windows\System32\inetcomm.dll
2011-06-16 18:29:55   740864   ----a-w-   C:\Windows\SysWow64\inetcomm.dll
2011-06-06 18:01:36   --------   d-----w-   C:\Program Files (x86)\DailyBibleGuideEI
.
==================== Find3M  ====================
.
2011-06-28 17:37:06   639   ----a-w-   C:\Windows\uninstallstickies.bat
2011-05-28 03:25:16   1638912   ----a-w-   C:\Windows\System32\mshtml.tlb
2011-05-28 03:07:01   3133952   ----a-w-   C:\Windows\System32\win32k.sys
2011-05-28 03:00:02   1638912   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2011-05-25 02:14:10   270720   ------w-   C:\Windows\System32\MpSigStub.exe
2011-05-10 12:10:59   40112   ----a-w-   C:\Windows\avastSS.scr
2011-05-10 12:04:08   600920   ----a-w-   C:\Windows\System32\drivers\aswSnx.sys
2011-05-10 11:59:48   64344   ----a-w-   C:\Windows\System32\drivers\aswMonFlt.sys
2011-05-04 05:30:38   2326016   ----a-w-   C:\Windows\System32\tquery.dll
2011-05-04 05:28:07   779264   ----a-w-   C:\Windows\System32\mssvp.dll
2011-05-04 05:28:07   2228224   ----a-w-   C:\Windows\System32\mssrch.dll
2011-05-04 05:28:06   75264   ----a-w-   C:\Windows\System32\msscntrs.dll
2011-05-04 05:28:06   491520   ----a-w-   C:\Windows\System32\mssph.dll
2011-05-04 05:28:06   288256   ----a-w-   C:\Windows\System32\mssphtb.dll
2011-05-04 05:24:09   593408   ----a-w-   C:\Windows\System32\SearchIndexer.exe
2011-05-04 05:24:09   249856   ----a-w-   C:\Windows\System32\SearchProtocolHost.exe
2011-05-04 05:24:09   113664   ----a-w-   C:\Windows\System32\SearchFilterHost.exe
2011-05-04 04:53:10   1553920   ----a-w-   C:\Windows\SysWow64\tquery.dll
2011-05-04 04:52:59   666624   ----a-w-   C:\Windows\SysWow64\mssvp.dll
2011-05-04 04:52:59   59392   ----a-w-   C:\Windows\SysWow64\msscntrs.dll
2011-05-04 04:52:59   337408   ----a-w-   C:\Windows\SysWow64\mssph.dll
2011-05-04 04:52:59   197120   ----a-w-   C:\Windows\SysWow64\mssphtb.dll
2011-05-04 04:52:59   1401856   ----a-w-   C:\Windows\SysWow64\mssrch.dll
2011-05-04 04:52:12   86528   ----a-w-   C:\Windows\SysWow64\SearchFilterHost.exe
2011-05-04 04:52:12   428032   ----a-w-   C:\Windows\SysWow64\SearchIndexer.exe
2011-05-04 04:52:12   164352   ----a-w-   C:\Windows\SysWow64\SearchProtocolHost.exe
2011-05-04 02:51:08   287744   ----a-w-   C:\Windows\System32\drivers\mrxsmb10.sys
2011-05-04 02:51:08   157696   ----a-w-   C:\Windows\System32\drivers\mrxsmb.sys
2011-05-04 02:51:05   126464   ----a-w-   C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-27 02:57:40   102400   ----a-w-   C:\Windows\System32\drivers\dfsc.sys
2011-04-25 05:32:22   1896832   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2011-04-25 02:44:02   499712   ----a-w-   C:\Windows\System32\drivers\afd.sys
2011-04-22 20:18:47   27008   ----a-w-   C:\Windows\System32\drivers\Diskdump.sys
2011-04-22 20:18:28   1197056   ----a-w-   C:\Windows\System32\wininet.dll
2011-04-22 20:14:08   57856   ----a-w-   C:\Windows\System32\licmgr10.dll
2011-04-22 19:31:50   981504   ----a-w-   C:\Windows\SysWow64\wininet.dll
2011-04-22 19:31:26   44544   ----a-w-   C:\Windows\SysWow64\licmgr10.dll
2011-04-22 18:49:57   482816   ----a-w-   C:\Windows\System32\html.iec
2011-04-22 18:23:59   386048   ----a-w-   C:\Windows\SysWow64\html.iec
2011-04-09 06:58:56   142336   ----a-w-   C:\Windows\System32\poqexec.exe
2011-04-09 06:45:48   5509504   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:13:06   3957632   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13:06   3901824   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38   123904   ----a-w-   C:\Windows\SysWow64\poqexec.exe
.
============= FINISH: 14:33:35.18 ===============

SuperDave (Malware Removal Specialist, Moderator)
Re: How can I find out if my machine has a keylogger?
« Reply #3 on: July 01, 2011, 05:08:37 PM »
What makes you feel that your computer has a keylogger? Any evidence? You do know that a lot of keyloggers are legit programs, the most common being a program that a parent may install to monitor their children's online habits.

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure Command Line is selected, and press OK.
Go to File > Save As, and save the report as Procexp.txt.
Attach the file to your next reply.
*************************************************
There should also be an Attach.txt, which is the second DDS log. Could you please find it and post it in your next reply.

You do have the Elf 1.13 Toolbar, which is a product of Conduit Community Toolbar and has a certain level of trackability. There is also Freeze.com, which is also spyware.

Download OTL to your desktop.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:
:OTL
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
TB: {00F2C0C6-2194-484E-9064-44E57787867B} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {B9B97401-98E1-4942-930D-C36652DAB7F2} - No File
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64:     0x1 - No File
BHO-X64:     HP Print Enhancer - No File
BHO-X64:     AcroIEHelperStub - No File
BHO-X64:     NetAssistantBHO - No File
BHO-X64:     HP Smart BHO Class - No File
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {00000000-0000-0000-0000-000000000000} - No File
TB-X64: {00F2C0C6-2194-484E-9064-44E57787867B} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB-X64: {B9B97401-98E1-4942-930D-C36652DAB7F2} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
FF - prefs.js: browser.search.selectedEngine - Ask

:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
***********************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
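The two checks the reply above asks the poster to run by hand (a process list with full command lines, and a sweep of the IE Browser Helper Object and toolbar registrations that OTL reports as "No File" or "No CLSID value found") can be scripted. The block below is an added example written for this page; it is not code from the thread, from OTL or from Process Explorer. It assumes Windows 7 x64, an elevated PowerShell 2.0 or later prompt, and write access to the Desktop; the output file names and the "suspicious" heuristic are my choices.

```powershell
# Added example, not code from the thread or from the tools it names. Does by hand what the
# two requests above cover: every process with its full command line and Authenticode status,
# and every IE BHO / toolbar CLSID, flagged when it points at a missing or unsigned DLL.
# Assumes Windows 7 x64, an elevated PowerShell 2.0+ prompt, and write access to the Desktop.

# Directories a standard user can write to: a user-mode keylogger dropped by a bundled
# installer or browser exploit usually lives under one of these, not under Program Files.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData')

function Get-ProcessTriage {
    Get-WmiObject Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = 'n/a'                      # no image path (System, Idle) or file already gone
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status   # Valid, NotSigned, HashMismatch, ...
        }
        $inUserDir = $false
        foreach ($d in $userWritable) {
            if ($path -and $d -and $path.StartsWith($d, 'OrdinalIgnoreCase')) { $inUserDir = $true }
        }
        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            Name        = $_.Name
            Signature   = $sig
            Path        = $path
            CommandLine = $_.CommandLine
            # Worth a second look: image on disk without a valid signature, or running from a user dir.
            Suspicious  = (($path -and $sig -ne 'Valid') -or $inUserDir)
        }
    }
}

# Resolve a CLSID to the DLL its InprocServer32 key names, checking both the 64-bit and the
# WOW64 (32-bit IE) class registrations; returns $null when neither exists.
function Resolve-ClsidDll([string]$clsid) {
    $keys = @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
              "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32")
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $dll = (Get-Item -LiteralPath $k).GetValue('')        # the (Default) value
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-BhoTriage {
    # BHOs are registered as subkeys named by CLSID; toolbars as value names under the Toolbar key.
    $bhoRoots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    $tbRoots  = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar')
    $found = @()
    foreach ($root in ($bhoRoots + $tbRoots)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        if ($bhoRoots -contains $root) {
            $ids = Get-ChildItem -LiteralPath $root | ForEach-Object { $_.PSChildName }
        } else {
            $ids = (Get-Item -LiteralPath $root).GetValueNames() |
                   Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        }
        foreach ($id in $ids) {
            $dll = Resolve-ClsidDll $id
            if (-not $dll)                              { $state = 'No CLSID value found' }
            elseif (-not (Test-Path -LiteralPath $dll)) { $state = 'File not found' }
            else { $state = (Get-AuthenticodeSignature -FilePath $dll).Status }
            $found += New-Object PSObject -Property @{ Kind = $root; CLSID = $id; DLL = $dll; State = $state }
        }
    }
    $found
}

$desktop = [Environment]::GetFolderPath('Desktop')
Get-ProcessTriage | Sort-Object Suspicious -Descending |
    Select-Object Suspicious, PID, Name, Signature, Path, CommandLine |
    Format-Table -AutoSize | Out-String -Width 4096 | Out-File "$desktop\procexp-triage.txt"
Get-BhoTriage | Select-Object State, CLSID, DLL, Kind |
    Format-Table -AutoSize | Out-String -Width 4096 | Out-File "$desktop\bho-triage.txt"
```

Read the process list for anything unsigned, or running from AppData, Temp or ProgramData, that you did not install; read the BHO list for entries whose state is "File not found" or "No CLSID value found" (harmless orphans, the kind the OTL fix removes) and, more importantly, for a present but unsigned DLL, since a BHO sees every page IE loads. A keylogger that runs as a kernel driver or that injects itself into other processes with a Windows hook has no process of its own, so a clean listing here is not proof of absence; the driver section of the OTL log and Process Explorer's per-process DLL view are the places to look for those.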

jim.mar (Topic Starter)
Re: How can I find out if my machine has a keylogger?
« Reply #4 on: July 02, 2011, 10:23:20 AM »
SUPER DAVE: Thank you for your response. Yes, I was aware that parental control programs exist. However, this machine was assembled new. I heard about keyloggers some time ago and lately began to worry about it. I have recently had two of my credit card numbers used fraudulently and I have never determined how they got my numbers. So I thought that I would try to find out if I had a keylogger installed.

I cannot find the second DDS log, Attach.txt. When I run DDS it informs me that two logs will be available, but only one pops up after the scan.

I will now open OTL and follow your instructions.
----------------------------------
OTL logfile created on: 7/2/2011 9:10:08 AM - Run 1
OTL by OldTimer - Version 3.2.25.0     Folder = C:\Users\JIM\Desktop
64bit- Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
4.00 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 58.78% Memory free
8.00 Gb Paging File | 6.21 Gb Available in Paging File | 77.60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 244.04 Gb Total Space | 188.32 Gb Free Space | 77.16% Space Free | Partition Type: NTFS
Drive D: | 352.03 Gb Total Space | 269.07 Gb Free Space | 76.43% Space Free | Partition Type: NTFS
Drive E: | 63.48 Gb Total Space | 31.19 Gb Free Space | 49.13% Space Free | Partition Type: NTFS
Drive F: | 12.86 Gb Total Space | 8.70 Gb Free Space | 67.67% Space Free | Partition Type: NTFS
 
Computer Name: ROSIE | User Name: JIM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011/07/02 09:08:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\JIM\Desktop\OTL.exe
PRC - [2011/06/28 10:37:06 | 001,101,824 | ---- | M] (Zhorn Software) -- C:\Program Files (x86)\Stickies\stickies.exe
PRC - [2011/05/10 05:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/05/01 19:32:25 | 000,235,168 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe
PRC - [2010/11/29 11:55:44 | 002,676,696 | ---- | M] (PC Tools) -- C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe
PRC - [2009/07/13 18:14:44 | 000,360,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\WerFault.exe
PRC - [2006/11/09 10:19:14 | 000,204,800 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2011/07/02 09:08:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\JIM\Desktop\OTL.exe
MOD - [2010/08/27 11:09:16 | 000,324,032 | ---- | M] (PC Tools) -- C:\Program Files (x86)\Common Files\PC Tools\KDS\pctESPHooking32.dll
MOD - [2010/08/20 22:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/06/29 10:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/06/29 10:52:10 | 003,435,096 | ---- | M] () [Auto | Running] -- c:\Program Files (x86)\Common Files\Akamai\netsession_win_e477fed.dll -- (Akamai)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/11/17 10:29:38 | 000,287,024 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files (x86)\PC Tools Firewall Plus\FWService.exe -- (PCToolsFirewallPlus)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/05/21 21:35:32 | 000,923,136 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2011/05/10 04:59:48 | 000,064,344 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011/03/10 23:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 23:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/25 10:42:10 | 000,179,464 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pctplfw64.sys -- (pctplfw)
DRV:64bit: - [2010/11/24 09:18:16 | 000,119,688 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pctNdis-PacketFilter64.sys -- (PCTFW-PacketFilter)
DRV:64bit: - [2010/11/17 10:20:20 | 000,331,368 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\pctgntdi64.sys -- (pctgntdi)
DRV:64bit: - [2010/07/08 09:49:08 | 000,079,000 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pctNdis64.sys -- (pctNdisMP)
DRV:64bit: - [2010/07/08 09:49:08 | 000,079,000 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pctNdis64.sys -- (pctNdis)
DRV:64bit: - [2010/05/26 10:39:08 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\6D4.tmp -- (MEMSWEEP2)
DRV:64bit: - [2010/05/15 04:11:48 | 001,327,520 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV:64bit: - [2010/02/17 11:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 11:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2009/11/27 00:47:56 | 000,067,072 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 17:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\URLSearchHook: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll (Conduit Ltd.)
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/http://www.facebook.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 CA 29 B2 96 70 CB 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {00f2c0c6-2194-484e-9064-44e57787867b} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://mgs.asksearch.com/?cfg=2-384-0-2e5iv"
FF - prefs.js..browser.search.selectedEngine: "Ask"
 
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/03/19 16:48:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/06/28 13:03:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/05/03 10:59:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
 
[2011/04/09 12:16:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JIM\AppData\Roaming\Mozilla\Extensions
[2011/06/30 08:38:57 | 000,001,747 | ---- | M] () -- C:\Users\JIM\AppData\Roaming\Mozilla\Firefox\Profiles\w7ayk5sh.default\searchplugins\ask.uk.xml
[2011/05/03 10:59:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
File not found (No name found) --
[2011/06/28 13:03:14 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2011/04/14 09:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
 
O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll (Google Inc.)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (Elf 1.13 Toolbar) - {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll (Conduit Ltd.)
O2 - BHO: (NCH Toolbar) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll (Conduit Ltd.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (NetAssistantBHO Class) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files (x86)\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Elf 1.13 Toolbar) - {b80f591e-fe9a-46cf-a13e-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (NCH Toolbar) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files (x86)\NCH\tbNCH.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00F2C0C6-2194-484E-9064-44E57787867B} - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Elf 1.13 Toolbar) - {B80F591E-FE9A-46CF-A13E-180377240586} - C:\Program Files (x86)\Elf_1.13\tbElf_.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (NCH Toolbar) - {C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - C:\Program Files (x86)\NCH\tbNCH.dll (Conduit Ltd.)
O4 - HKLM..\Run: [00PCTFW] C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKCU..\Run: [Creative MediaSource Go] C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe (Creative Technology Ltd)
O4 - Startup: C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stickies.lnk = C:\Program Files (x86)\Stickies\stickies.exe (Zhorn Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ipp - No CLSID value found
O18:64bit: - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/11/28 07:28:10 | 000,023,040 | ---- | M] () - E:\Auto Repair list 11-29-05.doc -- [ NTFS ]
O32 - AutoRun File - [2005/11/27 13:25:09 | 000,025,600 | ---- | M] () - E:\Auto specs.xls -- [ NTFS ]
O32 - AutoRun File - [2009/07/14 02:29:38 | 000,000,122 | ---- | M] () - F:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/07/02 09:08:36 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\JIM\Desktop\OTL.exe
[2011/07/01 14:39:39 | 000,000,000 | ---D | C] -- C:\Users\JIM\Desktop\Malware specialist schools
[2011/07/01 14:18:21 | 000,607,017 | R--- | C] (Swearware) -- C:\Users\JIM\Desktop\dds.scr
[2011/06/30 09:22:34 | 000,000,000 | ---D | C] -- C:\Users\JIM\Desktop\Mega needs work
[2011/06/29 09:05:18 | 000,252,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\drvinst.exe
[2011/06/29 09:05:17 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\devrtl.dll
[2011/06/29 09:04:52 | 002,228,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssrch.dll
[2011/06/29 09:04:51 | 002,326,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tquery.dll
[2011/06/29 09:04:51 | 001,553,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tquery.dll
[2011/06/29 09:04:51 | 001,401,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssrch.dll
[2011/06/29 09:04:50 | 000,779,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssvp.dll
[2011/06/29 09:04:50 | 000,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssvp.dll
[2011/06/29 09:04:50 | 000,491,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssph.dll
[2011/06/29 09:04:50 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssph.dll
[2011/06/29 09:04:50 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssphtb.dll
[2011/06/29 09:04:50 | 000,249,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SearchProtocolHost.exe
[2011/06/29 09:04:50 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssphtb.dll
[2011/06/29 09:04:50 | 000,113,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SearchFilterHost.exe
[2011/06/29 09:04:50 | 000,075,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msscntrs.dll
[2011/06/29 09:04:50 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msscntrs.dll
[2011/06/26 14:38:14 | 000,000,000 | ---D | C] -- C:\Users\JIM\God on the mountain
[2011/06/26 14:36:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Akamai
[2011/06/16 11:30:02 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/06/16 11:30:02 | 000,599,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2011/06/16 11:30:01 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2011/06/16 11:30:01 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2011/06/16 11:30:01 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2011/06/16 11:30:01 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/06/16 11:30:01 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2011/06/16 11:30:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/06/16 11:30:01 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/06/16 11:30:01 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/06/16 11:30:01 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
[2011/06/16 11:30:01 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2011/06/16 11:30:01 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2011/06/16 11:30:01 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2011/06/16 11:29:58 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2011/06/16 11:29:58 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d10_1.dll
[2011/06/16 11:29:56 | 000,861,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\oleaut32.dll
[2011/06/13 13:33:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Works
[2011/06/06 11:01:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DailyBibleGuideEI
[2011/06/04 10:19:49 | 000,000,000 | ---D | C] -- C:\Users\JIM\Desktop\Sin Problem
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011/07/02 09:08:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\JIM\Desktop\OTL.exe
[2011/07/02 08:57:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/02 08:27:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/01 14:22:24 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/01 14:22:24 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/01 14:21:07 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/07/01 14:21:07 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/07/01 14:21:07 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/07/01 14:18:23 | 000,607,017 | R--- | M] (Swearware) -- C:\Users\JIM\Desktop\dds.scr
[2011/07/01 14:15:15 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/01 14:14:59 | 3220,578,304 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/01 13:14:13 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/30 08:44:55 | 002,761,080 | ---- | M] () -- C:\Users\JIM\Desktop\02-Track 2.mp3
[2011/06/30 08:44:42 | 003,176,069 | ---- | M] () -- C:\Users\JIM\Desktop\01-Track 1.mp3
[2011/06/30 08:42:18 | 000,001,492 | ---- | M] () -- C:\ProgramData\ss.ini
[2011/06/30 08:42:18 | 000,000,033 | ---- | M] () -- C:\ProgramData\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini
[2011/06/30 08:38:28 | 000,001,720 | ---- | M] () -- C:\Users\JIM\Application Data\Microsoft\Internet Explorer\Quick Launch\Amazon.lnk
[2011/06/30 08:38:28 | 000,001,696 | ---- | M] () -- C:\Users\JIM\Desktop\Amazon.lnk
[2011/06/30 08:38:28 | 000,001,035 | ---- | M] () -- C:\Users\JIM\Application Data\Microsoft\Internet Explorer\Quick Launch\FreeRIP.lnk
[2011/06/30 08:38:28 | 000,001,011 | ---- | M] () -- C:\Users\JIM\Desktop\FreeRIP.lnk
[2011/06/29 16:14:07 | 000,403,072 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/06/28 13:03:15 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2011/06/28 10:37:06 | 000,001,065 | ---- | M] () -- C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stickies.lnk
[2011/06/28 10:37:06 | 000,000,639 | ---- | M] () -- C:\Windows\uninstallstickies.bat
[2011/06/07 09:44:38 | 000,000,000 | ---- | M] () -- C:\Users\JIM\AppData\Local\{9C1294B2-2029-48F4-B9D5-2BCF4A517C4C}
[2011/06/07 09:42:43 | 000,000,000 | ---- | M] () -- C:\Users\JIM\AppData\Local\{75A01D39-AE61-4693-B67B-7EA83E8E2707}
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011/07/01 13:14:13 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/30 08:44:42 | 002,761,080 | ---- | C] () -- C:\Users\JIM\Desktop\02-Track 2.mp3
[2011/06/30 08:44:22 | 003,176,069 | ---- | C] () -- C:\Users\JIM\Desktop\01-Track 1.mp3
[2011/06/30 08:42:18 | 000,001,492 | ---- | C] () -- C:\ProgramData\ss.ini
[2011/06/30 08:42:18 | 000,000,033 | ---- | C] () -- C:\ProgramData\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini
[2011/06/30 08:38:28 | 000,001,726 | ---- | C] () -- C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon.lnk
[2011/06/30 08:38:28 | 000,001,720 | ---- | C] () -- C:\Users\JIM\Application Data\Microsoft\Internet Explorer\Quick Launch\Amazon.lnk
[2011/06/30 08:38:28 | 000,001,696 | ---- | C] () -- C:\Users\JIM\Desktop\Amazon.lnk
[2011/06/28 10:37:06 | 000,001,065 | ---- | C] () -- C:\Users\JIM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stickies.lnk
[2011/06/07 09:44:38 | 000,000,000 | ---- | C] () -- C:\Users\JIM\AppData\Local\{9C1294B2-2029-48F4-B9D5-2BCF4A517C4C}
[2011/06/07 09:42:43 | 000,000,000 | ---- | C] () -- C:\Users\JIM\AppData\Local\{75A01D39-AE61-4693-B67B-7EA83E8E2707}
[2011/05/02 12:32:40 | 000,206,572 | ---- | C] () -- C:\Windows\hpwins28.dat
[2011/03/19 11:13:00 | 000,207,278 | ---- | C] () -- C:\Windows\hpwins28.dat.temp
[2011/03/19 09:27:54 | 000,000,418 | ---- | C] () -- C:\Windows\hpwmdl28.dat.temp
[2010/11/16 10:08:05 | 000,233,472 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll
[2010/10/28 10:47:41 | 001,064,960 | ---- | C] () -- C:\Windows\SysWow64\MGIIpl2PX.dll
[2010/10/28 10:31:47 | 000,000,520 | ---- | C] () -- C:\Windows\_delis32.ini
[2010/10/23 10:35:09 | 000,000,556 | ---- | C] () -- C:\Windows\MAXLINK.INI
[2010/10/21 15:34:46 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/08/18 00:18:40 | 000,000,418 | ---- | C] () -- C:\Windows\hpwmdl28.dat
[2009/07/13 22:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 19:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 19:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 17:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/12 09:20:52 | 000,571,320 | ---- | C] () -- C:\Windows\HPISExe.dat
[2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/01/14 17:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\MSRTEDIT.DLL
[1998/01/12 01:00:00 | 000,040,448 | ---- | C] () -- C:\Windows\SysWow64\REGOBJ.DLL
[1997/08/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\Windows\SysWow64\DOCOBJ.DLL
[1997/08/19 00:00:00 | 000,012,288 | ---- | C] () -- C:\Windows\SysWow64\HLINKPRX.DLL
 
========== Custom Scans ==========
 
 
< :OTL >
 
< uURLSearchHooks: H - No File >
 
< BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File >
 
< TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File >
 
< TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File >
 
< TB: {00000000-0000-0000-0000-000000000000} - No File >
 
< TB: {00F2C0C6-2194-484E-9064-44E57787867B} - No File >
 
< TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File >
 
< TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File >
 
< TB: {B9B97401-98E1-4942-930D-C36652DAB7F2} - No File >
 
< BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File >
 
< BHO-X64:     0x1 - No File >
 
< BHO-X64:     HP Print Enhancer - No File >
 
< BHO-X64:     AcroIEHelperStub - No File >
 
< BHO-X64:     NetAssistantBHO - No File >
 
< BHO-X64:     HP Smart BHO Class - No File >
 
< TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File >
 
< TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File >
 
< TB-X64: {00000000-0000-0000-0000-000000000000} - No File >
 
< TB-X64: {00F2C0C6-2194-484E-9064-44E57787867B} - No File >
 
< TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File >
 
< TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File >
 
< TB-X64: {B9B97401-98E1-4942-930D-C36652DAB7F2} - No File >
 
< EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File >
 
< FF - prefs.js: browser.search.selectedEngine - Ask >
 
<  >
 
< :COMMANDS >
 
< [resethosts] >
 
< [purity] >
 
< [emptytemp] >
 
< [start explorer] >
 
<  >
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:C31F31E6

< End of report >

jim.mar

Re: How can I find out if my machine has a keylogger?
« Reply #5 on: July 02, 2011, 10:35:25 AM »
Security check log

Results of screen317's Security Check version 0.99.17 
 Windows 7  (UAC is enabled)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 avast! Free Antivirus   
 ESET Online Scanner v3   
 PC Tools Firewall Plus 7.0 
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 Java(TM) 6 Update 24 
 Out of date Java installed!
Flash Player Out of Date!
 Adobe Flash Player    10.2.159.1 
 Adobe Reader X (10.0.1) Adobe Reader Out of Date! 
 Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 PC Tools Firewall Plus FirewallGUI.exe   
 Common Files Microsoft Shared Windows Live AvastSvc.exe -?-
 AVAST Software Avast AvastUI.exe 
``````````End of Log````````````

SuperDave

Re: How can I find out if my machine has a keylogger?
« Reply #6 on: July 02, 2011, 05:20:27 PM »
Quote
I cannot find the second DDS log Attach.txt.
Please do a search on your computer for *.txt and look for the above txt file.
As for the OTL, you didn't do as I instructed. You ran a full scan instead. Please review my instructions and run the fix.
Quote
I have recently had two of my credit card numbers used fraudulently and I have never determined how they got my numbers.  So I thought that I would try to find out if I had a keylogger installed..

Did you heed my warning about Elf 1.13 Toolbar?

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
**************************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.
****************************************************
Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
Link # 2
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
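The version check this reply asks for (one current Java, one current Reader, no leftover copies) can be done from the registry rather than by eye. This is an added example, not from the thread or from any tool it mentions; it assumes PowerShell 3.0 or later and that the installers registered themselves under the standard Uninstall keys, and the product-name patterns are assumptions.

```powershell
# Added example (not part of the thread): inventory installed Java and Adobe
# Reader entries by reading the Windows Uninstall registry keys. On 64-bit
# Windows 7, 32-bit installers register under Wow6432Node, so both views are read.
# Assumes PowerShell 3.0+ ([pscustomobject]) and standard installer registration.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Products the reply asks the user to keep current. Patterns are assumptions
# based on typical DisplayName values such as "Java(TM) 6 Update 24" and
# "Adobe Reader X (10.0.1)"; "Java Auto Updater" will also match and is harmless.
$watchList = @(
    @{ Label = 'Java';        Pattern = '^Java\b|^J2SE|Java\(TM\)' },
    @{ Label = 'AdobeReader'; Pattern = '^Adobe (Acrobat )?Reader' }
)

function Get-WatchedProducts {
    $found = foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        # Which registry view this key belongs to, for the report.
        $view = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Entries without a DisplayName are hidden/patch records; skip them.
            if (-not $p.DisplayName) { return }
            foreach ($w in $watchList) {
                if ($p.DisplayName -match $w.Pattern) {
                    [pscustomobject]@{
                        Product     = $w.Label
                        DisplayName = $p.DisplayName
                        Version     = $p.DisplayVersion
                        View        = $view
                        Uninstall   = $p.UninstallString
                    }
                }
            }
        }
    }
    return $found
}

$products = Get-WatchedProducts | Sort-Object Product, Version
$products | Format-Table Product, DisplayName, Version, View -AutoSize

# The condition the reply warns about: more than one entry for a product means
# an older, still-vulnerable copy is lingering next to the current one.
foreach ($group in ($products | Group-Object Product)) {
    if ($group.Count -gt 1) {
        Write-Warning ("{0}: {1} entries installed; remove the older ones before updating:" -f $group.Name, $group.Count)
        $group.Group | ForEach-Object { Write-Warning ("    {0}  [{1}]" -f $_.DisplayName, $_.Version) }
    }
}
```

The Uninstall column holds each entry's registered uninstall command, so the older copies can be removed through Programs and Features exactly as the reply instructs.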

jim.mar

Re: How can I find out if my machine has a keylogger?
« Reply #7 on: July 05, 2011, 11:42:37 AM »
SUPER DAVE:  thanks for being so patient with me.  I screw up a lot.

I still cannot find a DDS log attach.txt anywhere on my machine.  I searched all 4 drives.. no luck
 
I did the "Run fix" on OTL

I eliminated Elf 1.13 and Freeze

Updated Java

Eliminated older version of Adobe and downloaded new version.  Had a hard time with that.  Since then I can't open some of my forwarded e-mail.. ???

Ran "combofix" 

Including OTL log and combofix log
-================================================================
All processes killed
========== OTL ==========
Prefs.js: browser.search.selectedEngine - Ask removed from refs.js
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: JIM
->Temp folder emptied: 88519497 bytes
->Temporary Internet Files folder emptied: 243420482 bytes
->Java cache emptied: 219098 bytes
->FireFox cache emptied: 286821613 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2283 bytes
 
User: Public
 
User: Terri
->Temp folder emptied: 10004 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: vue 3
->Temp folder emptied: 6243877 bytes
->Temporary Internet Files folder emptied: 97831607 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 174211344 bytes
->Flash cache emptied: 19369 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 12288 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 145135258 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84793 bytes
RecycleBin emptied: 1183571983 bytes
 
Total Files Cleaned = 2,123.00 mb
 
 
OTL by OldTimer - Version 3.2.25.0 log created on 07052011_092444

Files\Folders moved on Reboot...
C:\Users\JIM\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\JIM\AppData\Local\Temp\~DF2ED0D2DB7D98F6A6.TMP not found!
File\Folder C:\Users\JIM\AppData\Local\Temp\~DF5D5A152783C9A9F2.TMP not found!
File\Folder C:\Users\JIM\AppData\Local\Temp\~DF8773A47C43596886.TMP not found!
File\Folder C:\Users\JIM\AppData\Local\Temp\~DF8EDF79965F4E3302.TMP not found!
File\Folder C:\Users\JIM\AppData\Local\Temp\~DF9BFFAC84EE0D79D8.TMP not found!
File\Folder C:\Users\JIM\AppData\Local\Temp\~DFAEDDB0FB64118B72.TMP not found!
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MCMMB8L4\iframe3[2].htm moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MCMMB8L4\launch[2].htm moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GE90ZUYY\categoryhtml[1].htm moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GE90ZUYY\ext-render-secure[1].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GE90ZUYY\iepngfix[1].htc moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GE90ZUYY\index[1].htm moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F5LF5G5G\controller[1].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F5LF5G5G\google_com[1].htm moved successfully.
File\Folder C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F5LF5G5G\purchase[1].htm not found!
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CN05CMYV\app[1].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C5BBKNVW\aceUAC[1].htm moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C5BBKNVW\st[3] moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C5BBKNVW\yimapp[2].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7MI6O07I\view[1].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\30E14Z08\blank[1].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26OHHFLJ\facebook_com[2].htm moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26OHHFLJ\quickreply[2].html moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HFY1OS2\background_button_green_full[1].png moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
-------------------------------------------------

ComboFix 11-07-05.02 - JIM 07/05/2011   9:52.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4095.2800 [GMT -7:00]
Running from: c:\users\JIM\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: PC Tools Firewall Plus *Disabled* {175D0B73-9F8F-2CA9-8BF1-62277A276DC9}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Dealio Toolbar
c:\program files (x86)\Dealio Toolbar\Res\amazon.gif
c:\program files (x86)\Dealio Toolbar\Res\apple.gif
c:\program files (x86)\Dealio Toolbar\Res\barnes.gif
c:\program files (x86)\Dealio Toolbar\Res\bestbuy.gif
c:\program files (x86)\Dealio Toolbar\Res\dealio_logo.gif
c:\program files (x86)\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files (x86)\Dealio Toolbar\Res\ebay.gif
c:\program files (x86)\Dealio Toolbar\Res\icon_settings.gif
c:\program files (x86)\Dealio Toolbar\Res\macys.gif
c:\program files (x86)\Dealio Toolbar\Res\newegg.gif
c:\program files (x86)\Dealio Toolbar\Res\overstock.gif
c:\program files (x86)\Dealio Toolbar\Res\search-button-hover.gif
c:\program files (x86)\Dealio Toolbar\Res\search-button.gif
c:\program files (x86)\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files (x86)\Dealio Toolbar\Res\search-chevron.gif
c:\program files (x86)\Dealio Toolbar\Res\search_amazon.gif
c:\program files (x86)\Dealio Toolbar\Res\search_dealio.gif
c:\program files (x86)\Dealio Toolbar\Res\search_ebay.gif
c:\program files (x86)\Dealio Toolbar\Res\search_yahoo.gif
c:\program files (x86)\Dealio Toolbar\Res\target.gif
c:\program files (x86)\Dealio Toolbar\Res\walmart.gif
c:\program files (x86)\Dealio Toolbar\Res\widgets.xml
c:\program files (x86)\Search Settings
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\users\JIM\AppData\Roaming\PriceGong
c:\users\JIM\AppData\Roaming\PriceGong\Data\1.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\a.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\b.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\c.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\d.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\e.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\f.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\g.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\h.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\i.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\J.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\k.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\l.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\m.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\mru.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\n.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\o.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\p.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\q.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\r.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\s.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\t.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\u.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\v.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\w.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\x.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\y.xml
c:\users\JIM\AppData\Roaming\PriceGong\Data\z.xml
c:\windows\SysWow64\regobj.dll
F:\autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-05 to 2011-07-05  )))))))))))))))))))))))))))))))
.
.
2011-07-05 16:58 . 2011-07-05 16:58   --------   d-----w-   c:\users\vue 3\AppData\Local\temp
2011-07-05 16:58 . 2011-07-05 16:58   --------   d-----w-   c:\users\Terri\AppData\Local\temp
2011-07-05 16:24 . 2011-07-05 16:24   --------   d-----w-   C:\_OTL
2011-07-05 15:21 . 2011-06-07 17:10   8873296   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{C38F1CCB-A86E-4E4A-BE9B-233CC84ADB4C}\mpengine.dll
2011-07-04 17:17 . 2011-07-04 17:17   --------   d-----w-   c:\program files (x86)\Common Files\Java
2011-07-04 17:16 . 2011-07-04 17:16   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2011-07-04 17:16 . 2011-07-04 17:16   --------   d-----w-   c:\program files (x86)\Java
2011-06-29 16:05 . 2011-05-24 11:21   404992   ----a-w-   c:\windows\system32\umpnpmgr.dll
2011-06-29 16:05 . 2011-05-24 10:34   145920   ----a-w-   c:\windows\SysWow64\cfgmgr32.dll
2011-06-29 16:05 . 2011-05-24 10:32   252928   ----a-w-   c:\windows\SysWow64\drvinst.exe
2011-06-29 16:05 . 2011-05-24 10:34   64512   ----a-w-   c:\windows\SysWow64\devobj.dll
2011-06-29 16:05 . 2011-05-24 10:34   44544   ----a-w-   c:\windows\SysWow64\devrtl.dll
2011-06-26 21:38 . 2011-06-26 22:07   --------   d-----w-   c:\users\JIM\God on the mountain
2011-06-26 21:36 . 2011-07-05 17:00   --------   d-----w-   c:\program files (x86)\Common Files\Akamai
2011-06-16 18:29 . 2011-01-17 06:17   197120   ----a-w-   c:\windows\system32\d3d10_1.dll
2011-06-16 18:29 . 2011-01-17 05:38   161792   ----a-w-   c:\windows\SysWow64\d3d10_1.dll
2011-06-16 18:29 . 2011-04-29 03:13   461312   ----a-w-   c:\windows\system32\drivers\srv.sys
2011-06-16 18:29 . 2011-04-29 03:12   399872   ----a-w-   c:\windows\system32\drivers\srv2.sys
2011-06-16 18:29 . 2011-04-29 03:12   161792   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2011-06-16 18:29 . 2010-12-18 06:13   861184   ----a-w-   c:\windows\system32\oleaut32.dll
2011-06-16 18:29 . 2010-12-18 05:31   571904   ----a-w-   c:\windows\SysWow64\oleaut32.dll
2011-06-16 18:29 . 2011-05-03 05:21   976896   ----a-w-   c:\windows\system32\inetcomm.dll
2011-06-16 18:29 . 2011-05-03 04:50   740864   ----a-w-   c:\windows\SysWow64\inetcomm.dll
2011-06-13 20:33 . 2011-06-13 20:33   --------   d-----w-   c:\program files (x86)\Microsoft Works
2011-06-06 18:01 . 2011-06-06 18:01   --------   d-----w-   c:\program files (x86)\DailyBibleGuideEI
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-28 17:37 . 2011-02-18 23:38   639   ----a-w-   c:\windows\uninstallstickies.bat
2011-05-25 02:14 . 2010-10-20 20:33   270720   ------w-   c:\windows\system32\MpSigStub.exe
2011-05-10 12:10 . 2011-03-22 21:03   40112   ----a-w-   c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-22 21:03   199304   ----a-w-   c:\windows\SysWow64\aswBoot.exe
2011-05-10 12:10 . 2011-03-22 21:03   253888   ----a-w-   c:\windows\system32\aswBoot.exe
2011-05-10 12:04 . 2011-03-22 21:03   600920   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:04 . 2011-03-22 21:03   287576   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-22 21:03   53592   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2011-03-22 21:03   31064   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-22 21:03   64344   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2011-03-22 21:03   22360   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-04-22 20:18 . 2011-05-25 16:25   27008   ----a-w-   c:\windows\system32\drivers\Diskdump.sys
2011-04-09 06:58 . 2011-05-19 21:47   142336   ----a-w-   c:\windows\system32\poqexec.exe
2011-04-09 06:45 . 2011-05-11 16:57   5509504   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-11 16:57   3957632   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 16:57   3901824   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-19 21:47   123904   ----a-w-   c:\windows\SysWow64\poqexec.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c2db4fe6-8409-45ce-8010-189a7b5cce86}]
2010-10-18 19:26   3908192   ----a-w-   c:\program files (x86)\NCH\tbNCH.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{c2db4fe6-8409-45ce-8010-189a7b5cce86}"= "c:\program files (x86)\NCH\tbNCH.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{c2db4fe6-8409-45ce-8010-189a7b5cce86}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative MediaSource Go"="c:\program files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 204800]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="c:\program files (x86)\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\users\JIM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files (x86)\Stickies\stickies.exe [2011-2-18 1101824]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-21 136176]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-21 136176]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\6D4.tmp

R3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\DRIVERS\pctNdis64.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S1 aswSnx;aswSnx;

S1 aswSP;aswSP;

S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi64.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 aswFsBlk;aswFsBlk;

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys

S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter64.sys

S3 pctNdisMP;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis64.sys

S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw64.sys

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys

.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - AVGIDSDriver
*Deregistered* - AVGIDSEH
*Deregistered* - AVGIDSFilter
*Deregistered* - Avgrkx64
*Deregistered* - Avgtdia
*Deregistered* - pctESPInject
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-21 16:45]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-21 16:45]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10   134384   ----a-w-   c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\JIM\AppData\Roaming\Mozilla\Firefox\Profiles\w7ayk5sh.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://mgs.asksearch.com/?cfg=2-384-0-2e5iv
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00f2c0c6-2194-484e-9064-44e57787867b} - (no file)
URLSearchHooks-{b80f591e-fe9a-46cf-a13e-180377240586} - (no file)
URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{00F2C0C6-2194-484E-9064-44E57787867B} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{B80F591E-FE9A-46CF-A13E-180377240586} - (no file)
WebBrowser-{B9B97401-98E1-4942-930D-C36652DAB7F2} - (no file)
WebBrowser-{C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6D4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\PC Tools Firewall Plus\FWService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2011-07-05  10:05:18 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-05 17:05
.
Pre-Run: 205,062,729,728 bytes free
Post-Run: 204,464,590,848 bytes free
.
- - End Of File - - C9F42F35FFBC9041F68079E6F7391275
------------
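The "Services/Drivers" listing above is the part of a ComboFix log that gets read first when hunting for a keylogger, because a key-capture driver or hook service has to be registered somewhere in that list. The Python script below is an added example written for this thread, not code from ComboFix, RootRepeal or any poster. It parses the line format ComboFix prints (state and start type, name, display name, image path, optional date and size), plus the per-service "ImagePath" registry line, and reports entries whose binary has no recorded path, is a .tmp file, or sits in a user-writable directory. The embedded sample log is constructed: five of its lines copy the format of the log above, and demo_hook is an invented entry. A report line means "verify this file" (publisher, Authenticode signature, what installed it), not "malware"; legitimate security tools and filter drivers trip these rules too, as the aswSnx entry with no path shows.

```python
r"""Triage the 'Services/Drivers' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix, RootRepeal or any
poster's work. It reads lines in the format ComboFix prints, for instance

    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]

plus a service key's "ImagePath" registry line, and lists the entries a
reviewer would check first. A flag is a prompt to verify the file, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
SERVICE_RE = re.compile(
    r"^(?P<running>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*"
    r"(?:\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)
# Registry dump line under a service key, e.g. "ImagePath"="\??\c:\windows\system32\6D4.tmp"
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')

# Directories an ordinary user can write to; a driver or service binary there is unusual.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\tmp\\",
                 "\\programdata\\", "\\documents and settings\\")


@dataclass
class Entry:
    name: str
    display: str
    path: str
    running: bool
    start: int
    date: Optional[str] = None
    size: Optional[int] = None


def parse_service_line(line: str) -> Optional[Entry]:
    """Parse one R/S listing line; return None for anything else (headers, '*Deregistered*', ...)."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return Entry(name=m["name"], display=m["display"], path=m["path"].strip(),
                 running=m["running"] == "R", start=int(m["start"]),
                 date=m["date"], size=int(m["size"]) if m["size"] else None)


def normalise_path(path: str) -> str:
    r"""Lower-case the path and strip the NT object-manager prefix (\??\) seen in registry ImagePath values."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def reasons(path: str) -> List[str]:
    """Heuristic reasons to look at an entry. Empty list means nothing stood out."""
    p = normalise_path(path)
    if not p:
        # ComboFix prints some legitimate filter drivers with no path; confirm the vendor.
        return ["no image path recorded"]
    out = []
    if p.endswith(".tmp"):
        out.append("image is a .tmp file")
    if any(d in p for d in USER_WRITABLE):
        out.append("image lives in a user-writable directory")
    if "\\windows\\" not in p and "\\program files" not in p:
        out.append("image outside Windows and Program Files")
    return out


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk a ComboFix log and return the service/driver entries worth reviewing."""
    findings: List[Dict[str, object]] = []
    pending_key = None  # service name from the last [HKLM\SYSTEM\...\services\<name>] header
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_service_line(line)
        if entry:
            why = reasons(entry.path)
            if why:
                findings.append({"name": entry.name, "path": normalise_path(entry.path), "reasons": why})
            continue
        low = line.lower()
        if low.startswith("[hkey_local_machine\\system\\") and "\\services\\" in low:
            pending_key = line.strip("[]").rsplit("\\", 1)[-1]
            continue
        m = IMAGEPATH_RE.match(line)
        if m and pending_key:
            why = reasons(m["path"])
            if why:
                findings.append({"name": pending_key, "path": normalise_path(m["path"]), "reasons": why})
            pending_key = None
    return findings


# Constructed sample: five lines mirror the log in this thread; demo_hook is a made-up
# entry placed in a user profile so the user-writable rule has something to catch.
SAMPLE_LOG = r"""
R3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\DRIVERS\pctNdis64.sys
S1 aswSnx;aswSnx;
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 demo_hook;demo hook;c:\users\jim\appdata\roaming\hook\khook.exe [2011-07-01 40960]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6D4.tmp"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']:<16} {f['path']}  <- {'; '.join(f['reasons'])}")
```

On the sample it reports aswSnx (no path), demo_hook (user profile, outside Windows and Program Files) and MEMSWEEP2 (.tmp image). To run it over a real log, replace SAMPLE_LOG with the file contents; the rules are deliberately loose, so treat the output as a short list to verify by hand rather than a clean bill or a conviction.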

SuperDave (Malware Removal Specialist, Moderator)
Re: How can I find out if my machine has a keylogger?
« Reply #8 on: July 05, 2011, 04:57:29 PM »
* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
Windows 8 and Windows 10 dual boot with two SSD's

jim.mar (Topic Starter)
Re: How can I find out if my machine has a keylogger?
« Reply #9 on: July 12, 2011, 10:27:51 AM »
SuperDave:  Thanks for the comeback.  I really appreciate all your help and support.  Unfortunately, because of personal circumstances,  I have to leave my machine offline for a few weeks.  I am using my wife's laptop for now.  I hope we can pick this up later, or will we have to start all over?
Thanks again.  Till later,  JIM

SuperDave (Malware Removal Specialist, Moderator)
Re: How can I find out if my machine has a keylogger?
« Reply #10 on: July 12, 2011, 01:21:27 PM »
Quote from: jim.mar on July 12, 2011, 10:27:51 AM
SuperDave:  Thanks for the comeback.  I really appreciate all your help and support.  Unfortunately, because of personal circumstances,  I have to leave my machine offline for a few weeks.  I am using my wife's laptop for now.  I hope we can pick this up later, or will we have to start all over?
Thanks again.  Till later,  JIM
No problem. Whenever you're ready.