Jump to content

Free help from tech experts
Welcome to Geeks to Go forums. Create an account now to gain access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing topics, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. Best of all, registration and all assistance is 100% free! This message, and all ads will be removed once you have signed in.
Sign In Create Account

How do I know if my computer is infected with a keylogger?


  • This topic is locked This topic is locked

#1
kylamb

kylamb

    Member

  • Member
  • PipPip
  • 17 posts
I made a purchase online and 2 days later I got a call from my credit card company about suspicious activity on my account. This is the second time in 3 months my credit card information has been stolen so I'm concerned there could be a keylogger or something on my computer. I don't know very much about how people obtain your personal information via the internet, so I need help to see if my computer is clear of any type of these threats. I have ran malwarebytes which found no threats, outside of that I didn't know what to do. My OTL log is below. Thank you in advance.

OTL logfile created on: 12/16/2010 8:21:17 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\E-Ztan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 36.00% Memory free
5.00 Gb Paging File | 3.00 Gb Available in Paging File | 59.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 211.97 Gb Free Space | 91.04% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 148.82 Gb Free Space | 63.90% Space Free | Partition Type: NTFS

Computer Name: MAIN | User Name: E-Ztan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/16 08:20:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E-Ztan\Desktop\OTL.exe
PRC - [2010/06/14 13:08:03 | 002,326,920 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2010/01/29 14:09:20 | 030,020,096 | ---- | M] (Interactive Designs, Inc.) -- C:\SalonTouch\SalonTouch.exe
PRC - [2009/12/24 13:32:15 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/12/16 12:41:10 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/12/16 12:41:10 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/10/21 16:52:50 | 000,737,792 | ---- | M] (Interactive Designs, Inc.) -- C:\SalonTouch\ComManager.exe
PRC - [2009/09/12 15:31:36 | 000,357,384 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2009/09/12 15:31:30 | 000,660,520 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2009/09/12 15:30:48 | 005,048,488 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2009/06/04 15:10:56 | 005,777,408 | ---- | M] () -- C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/22 01:15:06 | 000,020,480 | ---- | M] (LazyCoding.com) -- C:\SalonTouch\Support\sqlscheduler\Service\SQLScheduler.WindowsService.exe
PRC - [2006/10/26 13:45:04 | 000,293,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WISPTIS.EXE
PRC - [2005/11/13 01:00:00 | 000,319,920 | ---- | M] (SafeNet, Inc.) -- c:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe


========== Modules (SafeList) ==========

MOD - [2010/12/16 08:20:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E-Ztan\Desktop\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/14 13:08:03 | 002,326,920 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2009/12/16 12:41:10 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/12/16 12:41:10 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/09/12 15:31:30 | 000,660,520 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/02/22 01:15:06 | 000,020,480 | ---- | M] (LazyCoding.com) [Auto | Running] -- C:\SalonTouch\Support\sqlscheduler\Service\SQLScheduler.WindowsService.exe -- (SQLScheduler Service)
SRV - [2005/11/13 01:00:00 | 000,319,920 | ---- | M] (SafeNet, Inc.) [Auto | Running] -- c:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer)


========== Driver Services (SafeList) ==========

DRV - [2010/06/14 13:08:04 | 000,159,168 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2010/06/14 13:08:01 | 000,902,432 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm251.sys -- (tdrpman251) Acronis Try&Decide and Restore Points filter (build 251)
DRV - [2010/06/14 13:08:00 | 000,570,016 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010/06/14 13:07:40 | 000,157,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/12/16 13:13:30 | 000,184,848 | ---- | M] (Advanced Micro Devices, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ahcix86.sys -- (ahcix86)
DRV - [2009/12/16 13:13:29 | 000,009,096 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2009/12/16 12:41:10 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/12/16 12:41:10 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/12/16 12:41:10 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/11/20 20:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/08/17 19:16:06 | 001,390,976 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2009/05/25 15:21:28 | 000,142,336 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/17 03:14:06 | 000,012,400 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/09/05 12:03:00 | 000,049,664 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2005/11/13 01:00:00 | 000,008,736 | ---- | M] (SafeNet Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\skeysusb.sys -- (skeysusb)
DRV - [2004/08/12 20:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/11/22 11:04:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E-Ztan\Application Data\Mozilla\Extensions
[2010/08/09 11:02:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E-Ztan\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [Six Engine] C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1260991899375 (WUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg...l_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\E-Ztan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\E-Ztan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/16 11:37:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{31b74fea-edae-11df-b905-eacdb5421123}\Shell - "" = AutoRun
O33 - MountPoints2\{31b74fea-edae-11df-b905-eacdb5421123}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{31b74fea-edae-11df-b905-eacdb5421123}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/16 08:20:36 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\E-Ztan\Desktop\OTL.exe
[2010/12/08 07:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E-Ztan\Application Data\Malwarebytes
[2010/12/08 07:27:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/08 07:27:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/12/08 07:27:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/08 07:27:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/28 17:18:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E-Ztan\Application Data\U3
[2010/11/26 14:54:57 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars
[2009/12/21 09:00:07 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/16 08:20:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E-Ztan\Desktop\OTL.exe
[2010/12/16 08:08:59 | 000,002,537 | ---- | M] () -- C:\WINDOWS\Salon.INI
[2010/12/15 18:09:28 | 000,000,732 | ---- | M] () -- C:\WINDOWS\SALONTOUCH.INI
[2010/12/15 12:01:20 | 000,000,468 | ---- | M] () -- C:\Documents and Settings\E-Ztan\My Documents\spider.sav
[2010/12/15 06:49:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System\sys32_4.dll
[2010/12/15 03:22:26 | 000,515,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/15 03:22:26 | 000,094,292 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/15 03:18:14 | 000,272,291 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/12/15 03:18:10 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/15 03:18:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/15 03:18:06 | 000,268,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/15 03:02:08 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/08 07:27:10 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/06 11:02:11 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Full Tilt Poker.lnk
[2010/12/02 07:07:34 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\E-Ztan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/08 07:27:10 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/06 11:02:11 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Full Tilt Poker.lnk
[2009/12/22 10:14:12 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\p2smcube.dll
[2009/12/22 10:14:12 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\p2molap.dll
[2009/12/22 10:14:12 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\p2solap.dll
[2009/12/22 10:14:09 | 000,006,540 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2009/12/22 10:14:06 | 000,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2009/12/21 10:25:52 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\E-Ztan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/21 09:05:21 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\SMZ_API.dll
[2009/12/21 09:05:21 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\VF3WClient.dll
[2009/12/21 09:05:21 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\VFingerView.dll
[2009/12/21 09:05:21 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VFingerCom.dll
[2009/12/21 09:05:21 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\sslAtmel.dll
[2009/12/21 09:05:21 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ssl.dll
[2009/12/21 09:05:21 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\GetImageC500.dll
[2009/12/21 09:05:21 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\VFMatchSrvps.dll
[2009/12/21 09:05:21 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\VFExtractSrvps.dll
[2009/12/21 09:05:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\SmzCmos1.dll
[2009/12/21 09:05:20 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\sslCom.dll
[2009/12/21 09:05:19 | 000,647,168 | ---- | C] () -- C:\WINDOWS\System32\FingerChip.dll
[2009/12/21 09:05:19 | 000,270,427 | ---- | C] () -- C:\WINDOWS\System32\LynkDevicesCOM.dll
[2009/12/21 09:05:19 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\FingerPrinterDll.dll
[2009/12/21 09:05:19 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2009/12/21 09:05:19 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lynkchannel.dll
[2009/12/21 09:05:18 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\dpp32b30.dll
[2009/12/21 09:00:12 | 000,307,200 | ---- | C] () -- C:\WINDOWS\System32\EXPORTMODELLER.DLL
[2009/12/21 09:00:12 | 000,049,223 | ---- | C] () -- C:\WINDOWS\System32\CRTSLV.DLL
[2009/12/21 09:00:12 | 000,002,537 | ---- | C] () -- C:\WINDOWS\Salon.INI
[2009/12/21 09:00:09 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\PG32CONV.DLL
[2009/12/21 09:00:03 | 000,000,732 | ---- | C] () -- C:\WINDOWS\SALONTOUCH.INI
[2009/12/21 09:00:03 | 000,000,047 | ---- | C] () -- C:\WINDOWS\CUSTDATA.INI
[2009/12/17 08:56:56 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/12/17 08:56:56 | 000,012,400 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/12/17 08:56:54 | 000,011,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2009/12/17 08:56:54 | 000,010,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2009/12/17 08:54:02 | 000,038,116 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/12/17 08:53:35 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/12/17 08:53:19 | 000,030,611 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/12/17 08:53:18 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/12/16 19:29:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/16 12:25:53 | 000,001,769 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2009/12/16 12:08:43 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

========== LOP Check ==========

[2010/06/14 13:09:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2010/10/13 15:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E-Ztan\Application Data\Acronis
[2010/07/22 13:56:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E-Ztan\Application Data\GARMIN
[2010/08/19 08:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E-Ztan\Application Data\PriceGong

========== Purity Check ==========



< End of report >
  • 0

Similar Topics: How do I know if my computer is infected with a keylogger?     x


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hello kylamb and welcome to G2G! :D

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


Your OTL log is clean but we need to update your Java. After this let's try to hunt and remove hidden malware....if there is one ;).

Step 1

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 3

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow Posted Image at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


Step 4

Please don't forget to include these items in your reply:

  • GMER log
  • Dr.Web log
It would be helpful if you could post each log in separate post
  • 0

#3
kylamb

kylamb

    Member

  • Member
  • PipPip
  • 17 posts
Thanks for your reply. I'm really sorry but I messed up. I didn't save the DrWeb report. I will post below the GMER log. The DrWeb found 5 infected files and deleted them. I hope you can still help me.


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-22 08:24:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250318AS rev.CC38
Running: 1ej4st02.exe; Driver: C:\DOCUME~1\E-Ztan\LOCALS~1\Temp\pxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT B8760B0E ZwCreateKey
SSDT B8760B04 ZwCreateThread
SSDT B8760B13 ZwDeleteKey
SSDT B8760B1D ZwDeleteValueKey
SSDT B8760B22 ZwLoadKey
SSDT B8760AF0 ZwOpenProcess
SSDT B8760AF5 ZwOpenThread
SSDT B8760B2C ZwReplaceKey
SSDT B8760B27 ZwRestoreKey
SSDT B8760B18 ZwSetValueKey
SSDT B8760AFF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB31D3380, 0x5414D5, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device ftdisk.sys (FT Disk Driver/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
  • 0

#4
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi kylamb,

No trace for now. Let's do another scan with this tool and please try to save log because I need to know type of infection if there is one. Keylogger is not the only one that can steal your personal data. Please first read how to use this tool once then do a scan.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter
    .
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder.Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the to right hand Corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then chooose The delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.

  • 0

#5
kylamb

kylamb

    Member

  • Member
  • PipPip
  • 17 posts
Here is the log from Kaspersky.

Autoscan: completed 1 minute ago (events: 8, objects: 259265, time: 00:39:39)
12/23/2010 8:03:27 AM Task started
12/23/2010 8:20:23 AM Detected: not-a-virus:AdWare.Win32.Gamevance.fdt C:\System Volume Information\_restore{7B680A89-3859-47D0-8A01-A4E8664B7015}\RP39\A0016178.exe
12/23/2010 8:20:59 AM Detected: not-a-virus:AdWare.Win32.Gamevance.fdv C:\System Volume Information\_restore{7B680A89-3859-47D0-8A01-A4E8664B7015}\RP39\A0016095.exe
12/23/2010 8:21:00 AM Detected: not-a-virus:AdWare.Win32.Gamevance.fdr C:\System Volume Information\_restore{7B680A89-3859-47D0-8A01-A4E8664B7015}\RP39\A0016096.dll
12/23/2010 8:21:08 AM Deleted: not-a-virus:AdWare.Win32.Gamevance.fdt C:\System Volume Information\_restore{7B680A89-3859-47D0-8A01-A4E8664B7015}\RP39\A0016178.exe
12/23/2010 8:21:08 AM Deleted: not-a-virus:AdWare.Win32.Gamevance.fdv C:\System Volume Information\_restore{7B680A89-3859-47D0-8A01-A4E8664B7015}\RP39\A0016095.exe
12/23/2010 8:21:23 AM Deleted: not-a-virus:AdWare.Win32.Gamevance.fdr C:\System Volume Information\_restore{7B680A89-3859-47D0-8A01-A4E8664B7015}\RP39\A0016096.dll
12/23/2010 8:43:06 AM Task completed
  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
We need to do a little clean up...

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [CLEARALLRESTOREPOINTS]
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

  • 0

#7
kylamb

kylamb

    Member

  • Member
  • PipPip
  • 17 posts
OTL log below, thank you so much for helping me btw!

All processes killed
========== OTL ==========
========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: E-Ztan
->Temp folder emptied: 1189799273 bytes
->Temporary Internet Files folder emptied: 269913004 bytes
->Java cache emptied: 25909207 bytes
->Flash cache emptied: 147756 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 10560621 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 922765 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 78217820 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 202837 bytes

Total Files Cleaned = 1,503.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: E-Ztan
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12242010_072117

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_298.dat not found!

Registry entries deleted on Reboot...
  • 0

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi kylamb,

You logs and system are clean. There is nothing visible that could do this on your system. We need to clean up your PC from programs we used.

Step 1

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automaticly check for newer version of software installed on your system.
  • 0

#9
kylamb

kylamb

    Member

  • Member
  • PipPip
  • 17 posts
Thank you so much for your help! You guys are great!
  • 0

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured