Thread: help identifying keylogger?

    Feb 2011

    help identifying keylogger?

    I was hoping someone could help me identify whether or not I have a keylogger. One of my Gmail accts was hacked into, and though none of my numerous anti-spyware programs are picking up on a keylogger, I would like to be is the DDS...

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Kelly at 19:25:46.15 on Mon 02/21/2011
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2046.1043 [GMT -5:00]

    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    uRun: [Google Update] "c:\users\kelly\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [nwiz] nwiz.exe /install
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
    mRun: [VX1000] c:\windows\vVX1000.exe
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    StartupFolder: c:\users\kelly\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\kelly\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\users\kelly\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\users\kelly\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
    R1 MpKsl68702862;MpKsl68702862;c:\programdata\microsoft\microsoft antimalware\definition updates\{6e207f40-ef3d-449f-98b0-501bdcf695df}\MpKsl68702862.sys [2011-2-21 28752]
    R1 MpKsl743c4f61;MpKsl743c4f61;c:\programdata\microsoft\microsoft antimalware\definition updates\{6e207f40-ef3d-449f-98b0-501bdcf695df}\MpKsl743c4f61.sys [2011-2-21 28752]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-21 1153368]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-3 1343400]

    =============== Created Last 30 ================

    2011-02-21 20:47:53 388096 ----a-r- c:\users\kelly\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-02-21 20:47:52 -------- d-----w- c:\program files\Trend Micro
    2011-02-21 20:38:46 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{6e207f40-ef3d-449f-98b0-501bdcf695df}\MpKsl743c4f61.sys
    2011-02-21 19:16:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-02-21 19:16:38 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2011-02-21 16:45:30 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{6e207f40-ef3d-449f-98b0-501bdcf695df}\MpKsl68702862.sys
    2011-02-20 17:09:45 5890896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{6e207f40-ef3d-449f-98b0-501bdcf695df}\mpengine.dll
    2011-02-14 03:01:44 -------- d-----w- c:\program files\Microsoft LifeCam
    2011-02-14 03:01:36 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
    2011-02-14 03:01:35 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2011-02-09 12:23:59 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-07 15:24:30 -------- d-----w- c:\users\kelly\appdata\roaming\Xerox
    2011-02-06 00:16:37 -------- d-----w- c:\program files\uTorrent
    2011-02-03 20:14:27 -------- d-----w- c:\users\kelly\appdata\roaming\Local
    2011-02-03 20:14:00 -------- d-----w- c:\program files\common files\DivX Shared
    2011-02-03 20:13:10 -------- d-----w- c:\program files\DivX
    2011-02-03 20:11:58 -------- d-----w- c:\progra~2\DivX
    2011-02-01 17:23:42 -------- d-----r- c:\users\kelly\Dropbox
    2011-02-01 17:21:12 -------- d-----w- c:\users\kelly\appdata\roaming\Dropbox
    2011-01-31 15:02:25 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{aca2c518-ee28-4e14-9153-0eb8392d02d2}\gapaengine.dll
    2011-01-31 00:15:18 5890896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
    2011-01-31 00:14:48 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-31 00:14:22 240008 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-01-23 05:25:34 -------- d-----w- c:\users\kelly\appdata\local\ElevatedDiagnostics

    ==================== Find3M ====================

    2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
    2010-12-21 05:38:24 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2010-12-21 05:38:24 51200 ----a-w- c:\windows\system32\wscapi.dll
    2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll
    2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll
    2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll
    2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll
    2010-12-21 05:38:16 14336 ----a-w- c:\windows\system32\slwga.dll
    2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll
    2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
    2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-11-27 01:08:55 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 19:31:48.98 ===============

    I originally posted this with a "HijackThis" log here

    bump help?
    Last edited by tashi; 2011-02-22 at 16:52.
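As an added triage aid (not part of the thread and not code from the DDS tool), the Python below parses the sections of the DDS log format posted above into autorun, service/driver and file records, then lists the items an analyst would check first: autoruns launched from user-writable folders, drivers loading from outside system32\drivers, and files carrying the hidden+system attributes. The sample log is constructed from entries in the report; the flags are review prompts, not detections.

```python
import re

# Constructed excerpt in DDS log format (entries mirror the thread's report).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uRun: [Google Update] "c:\users\kelly\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [VX1000] c:\windows\vVX1000.exe
StartupFolder: c:\users\kelly\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\kelly\appdata\roaming\dropbox\bin\Dropbox.exe
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-3 1343400]
==================== Find3M ====================
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
2010-11-27 01:08:55 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
AUTORUN_RE = re.compile(r"^(uRun|mRun|StartupFolder):\s*(?:\[(.*?)\]\s*)?(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+)$")

def image_path(command):
    """Pull the on-disk image out of an autorun command line (lower-cased)."""
    if " - " in command:                 # StartupFolder lines: shortcut - target
        command = command.rsplit(" - ", 1)[1]
    m = re.search(r'"([^"]+)"|(\S+\.(?:exe|dll|sys))', command, re.I)
    return (m.group(1) or m.group(2) if m else command).lower()

def parse_dds(text):
    """Split a DDS log into autorun, service/driver and file records."""
    out, section = {"autoruns": [], "services": [], "files": []}, ""
    for line in map(str.strip, text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m[1].lower()       # e.g. "pseudo hjt report", "find3m"
        elif "hjt" in section and (m := AUTORUN_RE.match(line)):
            out["autoruns"].append((m[1], m[2] or "", image_path(m[3])))
        elif "services" in section and (m := SERVICE_RE.match(line)):
            out["services"].append((m[1], m[2], m[4].lower(), m[5], int(m[6])))
        elif section in ("created last 30", "find3m") and (m := FILE_RE.match(line)):
            out["files"].append((m[1], m[2], m[3], m[4].lower()))
    return out

def triage(parsed):
    notes = []  # review prompts for the analyst, not verdicts
    for key, name, path in parsed["autoruns"]:
        if "\\appdata\\" in path:
            notes.append(f"autorun {key} [{name}] runs from a user-writable location: {path}")
    for state, name, path, date, size in parsed["services"]:
        if path.endswith(".sys") and "\\system32\\drivers\\" not in path:
            notes.append(f"driver {name} ({state}) loads from outside system32\\drivers: {path}")
    for ts, size, attrs, path in parsed["files"]:
        if "s" in attrs and "h" in attrs:
            notes.append(f"hidden+system file {path} ({size} bytes, {ts}), confirm its publisher")
    return notes
```

Run `triage(parse_dds(SAMPLE_LOG))` on the constructed log and the two appdata autoruns (Google Update and Dropbox, both legitimate here) plus the hidden+system file come back for a closer look, which is the same short list a helper reads off the report by hand.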

    Nov 2005
    Florida's SpaceCoast


    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Not seeing any markers for a keylogger, but if your email was hacked you may want to think about just closing out that account and creating a new one. Myself, I have had problems with spam and whatnot with Gmail.

    uTorrent: If your computer is not infected now, it will be if you continue to use P2P file sharing programs like this; you're downloading that file from an unknown source and most contain malware. It's like playing Russian Roulette, malware-wise.

    Let's do a few things. Run these in order, please.

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please

    OTL will give a more in-depth look at your system.

    OTL by OldTimer
    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Click the "Scan All Users" checkbox.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

    Nov 2005
    Florida's SpaceCoast


    Due to inactivity, this thread will now be closed.

    If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

    Oct 2005


    Thank you Ken545.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

