Key Loggers?

August 1st, 2016

I think I may have a keylogger installed on my machine. I recently noticed the cursor appearing in unusual places in my browser, such as above or below search boxes. I have done several scans with various software and the same Trojans seem to keep coming up in scans.
I decided to install key encryption software but I’m not sure how effective this is? The other day I started typing and completely different letters appeared from what I was typing.
I don’t want to have to reinstall unless necessary….
Also, can viruses be released by clicking on / loading / saving a genuine PDF or video file? Is there a way of testing these?
Thanks
J

Answer #1
Have you scanned the PC in safe mode without networking?
Answer #2
Try running HijackThis and posting the log here.
Boot into safe mode and do a scan; some AVs don’t let you do this.
You could try downloading a Linux live distro and using ClamAV to scan the drive.
Answer #3
OK, HJThis log is as follows….
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:40:42, on 28/05/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Safe mode
Running processes:
F:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 – REG:system.ini: UserInit=userinit.exe,
O2 – BHO: AcroIEHelperStub – {18DF081C-E8AD-4283-A596-FA578C2EBDC3} – C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 – BHO: Java(tm) Plug-In SSV Helper – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 – BHO: ZoneAlarm Security Engine Registrar – {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} – C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 – BHO: Windows Live ID Sign-in Helper – {9030D464-4C02-4ABF-8ECC-5164760863C6} – C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 – BHO: AVG Security Toolbar BHO – {A3BC75A2-1F87-4686-AA43-5347D756017C} – C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
O2 – BHO: Java(tm) Plug-In 2 SSV Helper – {DBC80044-A445-435b-BC74-9C25C1C588A9} – C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 – Toolbar: AVG Security Toolbar – {CCC7A320-B3CA-4199-B1A6-9F516DD69829} – C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
O3 – Toolbar: Wanadoo – {8B68564D-53FD-4293-B80C-993A9F3988EE} – C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 – Toolbar: ZoneAlarm Security Engine – {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} – C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 – HKLM\..\Run: [ZoneAlarm] “C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe”
O4 – HKLM\..\Run: [UpdatePSTShortCut] “C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite” UpdateWithCreateOnce “Software\CyberLink\PowerStarter”
O4 – HKLM\..\Run: [UpdatePPShortCut] “C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\PowerProducer” UpdateWithCreateOnce “Software\CyberLink\PowerProducer\5.0”
O4 – HKLM\..\Run: [UpdateP2GoShortCut] “C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\Power2Go” UpdateWithCreateOnce “SOFTWARE\CyberLink\Power2Go\6.0”
O4 – HKLM\..\Run: [UpdateLBPShortCut] “C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\LabelPrint” UpdateWithCreateOnce “Software\CyberLink\LabelPrint\2.5”
O4 – HKLM\..\Run: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\StartSuperCharger.exe
O4 – HKLM\..\Run: [NUSB3MON] “C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe”
O4 – HKLM\..\Run: [MDS_Menu] “C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\MediaShow4” UpdateWithCreateOnce “Software\CyberLink\MediaShow\4.1”
O4 – HKLM\..\Run: [Live Update 5] C:\Program Files (x86)\MSI\Live Update 5\LU5.exe /reminder
O4 – HKLM\..\Run: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
O4 – HKLM\..\Run: [CLMLServer] “C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe”
O4 – HKLM\..\Run: [AllShareAgent] C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe
O4 – HKLM\..\Run: [Adobe ARM] “C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe”
O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe”
O4 – HKLM\..\Run: [SDTray] “F:\Program Files (x86)\Spybot – Search & Destroy 2\SDTray.exe”
O4 – HKLM\..\Run: [KeyScrambler] F:\Program Files (x86)\KeyScrambler\keyscrambler.exe /a
O4 – HKCU\..\Run: [RGSC] F:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 – HKCU\..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
O4 – HKCU\..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
O4 – HKCU\..\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 – HKCU\..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
O4 – HKCU\..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 – HKCU\..\Run: [Spybot-S&D Cleaning] “F:\Program Files (x86)\Spybot – Search & Destroy 2\SDCleaner.exe” /autoclean
O4 – HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘LOCAL SERVICE’)
O4 – HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘LOCAL SERVICE’)
O4 – HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘NETWORK SERVICE’)
O4 – HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘NETWORK SERVICE’)
O8 – Extra context menu item: E&xport to Microsoft Excel – res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 – {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} – C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 – Extra ‘Tools’ menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 – {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} – C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 – Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 – Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 – DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) – http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O18 – Protocol: avgsecuritytoolbar – {F2DDE6B2-9684-4A55-86D4-E255E237B77C} – C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
O18 – Protocol: wlpg – {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} – C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 – Winlogon Notify: SDWinLogon – SDWinLogon.dll (file missing)
O23 – Service: Adobe Acrobat Update Service (AdobeARMservice) – Adobe Systems Incorporated – C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 – Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) – Unknown owner – C:\Windows\System32\alg.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 – Service: BroadCam Video Streaming Server (BroadCamService) – Unknown owner – C:\Program Files (x86)\NCH Software\BroadCam\broadcam.exe
O23 – Service: CT Device Query service (CTDevice_Srv) – Creative Technology Ltd – C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe
O23 – Service: Creative Centrale Media Server (CTUPnPSv) – Creative Technology Ltd – C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe
O23 – Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) – Unknown owner – C:\Windows\System32\lsass.exe (file missing)
O23 – Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) – Unknown owner – C:\Windows\system32\fxssvc.exe (file missing)
O23 – Service: Google Update Service (gupdate) (gupdate) – Google Inc. – C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 – Service: Google Update Service (gupdatem) (gupdatem) – Google Inc. – C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 – Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) – Check Point Software Technologies – C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 – Service: @keyiso.dll,-100 (KeyIso) – Unknown owner – C:\Windows\system32\lsass.exe (file missing)
O23 – Service: LightScribeService Direct Disc Labeling Service (LightScribeService) – Hewlett-Packard Company – C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 – Service: Intel(R) Management and Security Application Local Management Service (LMS) – Unknown owner – C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (file missing)
O23 – Service: Mozilla Maintenance Service (MozillaMaintenance) – Mozilla Foundation – C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 – Service: @comres.dll,-2797 (MSDTC) – Unknown owner – C:\Windows\System32\msdtc.exe (file missing)
O23 – Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) – Unknown owner – C:\Windows\system32\lsass.exe (file missing)
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – C:\Windows\system32\nvvsvc.exe (file missing)
O23 – Service: NVIDIA Update Service Daemon (nvUpdatusService) – NVIDIA Corporation – C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 – Service: PnkBstrB – Unknown owner – C:\Windows\system32\PnkBstrB.exe
O23 – Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) – Unknown owner – C:\Windows\system32\lsass.exe (file missing)
O23 – Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) – Unknown owner – C:\Windows\system32\locator.exe (file missing)
O23 – Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) – Unknown owner – C:\Windows\system32\lsass.exe (file missing)
O23 – Service: Samsung AllShare PC (SamsungAllShareV2.0) – Samsung Electronics Co., Ltd. – C:\Program Files (x86)\Samsung\AllShare\AllShareDMS\AllShareDMS.exe
O23 – Service: Spybot-S&D 2 Scanner Service (SDScannerService) – Safer-Networking Ltd. – F:\Program Files (x86)\Spybot – Search & Destroy 2\SDFSSvc.exe
O23 – Service: Spybot-S&D 2 Updating Service (SDUpdateService) – Safer-Networking Ltd. – F:\Program Files (x86)\Spybot – Search & Destroy 2\SDUpdSvc.exe
O23 – Service: Spybot-S&D 2 Security Center Service (SDWSCService) – Safer-Networking Ltd. – F:\Program Files (x86)\Spybot – Search & Destroy 2\SDWSCSvc.exe
O23 – Service: SimpleSlideShowServer – Samsung Electronics Co., Ltd. – C:\Program Files (x86)\Samsung\AllShare\AllShareSlideShowService.exe
O23 – Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) – Unknown owner – C:\Windows\System32\snmptrap.exe (file missing)
O23 – Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) – Unknown owner – C:\Windows\System32\spoolsv.exe (file missing)
O23 – Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) – Unknown owner – C:\Windows\system32\sppsvc.exe (file missing)
O23 – Service: Steam Client Service – Valve Corporation – C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 – Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) – NVIDIA Corporation – C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 – Service: System Explorer Service (SystemExplorerHelpService) – Mister Group – C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
O23 – Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) – Unknown owner – C:\Windows\system32\UI0Detect.exe (file missing)
O23 – Service: Intel(R) Management and Security Application User Notification Service (UNS) – Unknown owner – C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (file missing)
O23 – Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) – Unknown owner – C:\Windows\system32\lsass.exe (file missing)
O23 – Service: @%SystemRoot%\system32\vds.exe,-100 (vds) – Unknown owner – C:\Windows\System32\vds.exe (file missing)
O23 – Service: TrueVector Internet Monitor (vsmon) – Check Point Software Technologies LTD – C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
O23 – Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) – Unknown owner – C:\Windows\system32\vssvc.exe (file missing)
O23 – Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) – Unknown owner – C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 – Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) – Unknown owner – C:\Windows\system32\wbengine.exe (file missing)
O23 – Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) – Unknown owner – C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 – Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) – Unknown owner – C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

End of file – 13814 bytes
I keep getting a Backdoor Trojan in Roaming (file inbox, I think) or a Heuristic Trojan when using ZoneAlarm. Unfortunately ZA won’t work without networking….
Answer #4
You have a few AVG toolbars that I would remove.
Try scanning with Malwarebytes.
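As an added example (editor's code, not part of the thread or any poster's advice): the HijackThis log above reports O2 (browser helper object) and O4 (Run key) entries, and marks several of them "(file missing)". The script below walks the same registry locations on the affected PC, flags registrations whose target is no longer on disk (leftovers such as the AVG toolbar BHO, which are clean-up candidates rather than infections), and separately lists the entries that do exist but carry no valid Authenticode signature, which are the ones worth examining first. Registry paths are the standard ones on 64-bit Windows 7; the `Resolve-CommandPath` helper is this example's own.

```powershell
# Added example (editor's, not from the original thread). It walks the same
# autostart locations HijackThis reports as O2 (browser helper objects) and
# O4 (Run keys) and flags entries whose target file is gone, which is what
# "(file missing)" means in the log above. Run in an elevated PowerShell on
# the affected PC; the registry paths are the standard ones on 64-bit Windows 7.

function Resolve-CommandPath {
    param([string]$Command)
    # Pull the executable out of a Run value: a quoted path, else the first
    # token ending in .exe, with %VARS% such as %ProgramFiles% expanded.
    if ($Command -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    else                                      { $exe = $Command.Trim() }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-RunEntries {
    # O4 in HijackThis terms: per-machine (native and Wow6432Node) and per-user Run keys.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {   # "" is the default value (the "[]" line in the log)
            $target = Resolve-CommandPath ([string]$item.GetValue($name))
            New-Object PSObject -Property @{
                Type    = 'O4'
                Name    = $name
                Target  = $target
                Missing = ($target -eq '') -or (-not (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Get-BhoEntries {
    # O2: BHOs are registered as CLSID subkeys here; the DLL path is the default
    # value of HKLM\Software\Classes\CLSID\{guid}\InprocServer32 (under
    # Wow6432Node for the 32-bit IE that owns the "Program Files (x86)" paths).
    # Per-user registrations under HKCU\Software\Classes are not covered here.
    $lists = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($list in $lists) {
        if (-not (Test-Path $list)) { continue }
        foreach ($sub in (Get-ChildItem $list)) {
            $clsid  = $sub.PSChildName
            $server = @(
                "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32",
                "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid\InprocServer32"
            ) | Where-Object { Test-Path $_ } | Select-Object -First 1
            $dll = ''
            if ($server) { $dll = [string](Get-ItemProperty $server).'(default)' }
            $target = [Environment]::ExpandEnvironmentVariables($dll)
            New-Object PSObject -Property @{
                Type    = 'O2'
                Name    = $clsid
                Target  = $target
                Missing = ($target -eq '') -or (-not (Test-Path -LiteralPath $target))
            }
        }
    }
}

$entries = @(Get-RunEntries) + @(Get-BhoEntries)

'== Registered but not on disk (dangling, like the AVG toolbar BHO in the log) =='
$entries | Where-Object { $_.Missing } | Format-Table Type, Name, Target -AutoSize

'== Present but without a valid Authenticode signature (look at these first) =='
$entries | Where-Object { -not $_.Missing } |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.Target).Status -ne 'Valid' } |
    Format-Table Type, Name, Target -AutoSize
```

Two caveats: this is a plain user-mode registry walk, so it shows what is registered, not what is hidden, and a kernel-level hook would not appear in it; and a file that is present and even validly signed is not thereby benign, it is only lower on the list. The AVG and Wanadoo entries in the log fall in the first table, which matches the "remove the AVG toolbars" advice.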
Answer #5
I see you already have KeyScrambler installed. It encrypts all your keystrokes.
But about the: “The cursor appearing in unusual places in my browser. Such as above or below search boxes.”
-Do you have this checked in mouse options?: Automatically move pointer to the default button in a dialog box.
-Control Panel > Mouse > Pointer Options. Something may have enabled it. Happened to me once, I think. Worth a look.
About the: Completely different letters appeared from what I was typing. Hmmm…
-Maybe that KeyScrambler has some bugs? Check for a newer version, maybe.
-Check if it’s your PC or your keyboard, and use the on-screen keyboard: Accessories / Ease of Access / On-Screen Keyboard.
-Random things you can try: Shift+NumLock, Ctrl+Shift, Fn+Num, Ctrl+Shift+Num.
Is this a laptop or desktop? Search Google for: “wrong letters from what I was typing.”
It’s probably something else… keyloggers are usually made so that you don’t know they are there.
Try: Zemana AntiLogger from zemana.com… of course, just get it from here. Note: it will probably detect that KeyScrambler app that’s hooking the keys.
Malwarebytes… yep… You can also give Spybot a try:
Spybot 2: Free: http://www.safer-networking.org/mirrors/
Older version: 1.6.2 Same updates: http://www.safer-networking.org/mirrors16/

Anti-virus: Avira Free: the free version works very well. I use it myself,
and I tested the free antiviruses by actually downloading viruses on purpose. Avira was best.
Of course, any antivirus might not detect certain ones until they are well known.
You using AVG? It now fails most of my tests; it fails on encrypted trojans. Best to get rid of that AVG. AVG is no longer #1 in my free book; Avira is now. If not, at least Avast. Both are better than AVG.
Note: if you get Avira Pro from here, you’ll just be searching for a new key upon every update.
http://www.avira.com/en/avira-free-antivirus
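As an added example (editor's code, not part of the thread or any poster's advice): the answer above suggests two innocent explanations for the symptoms before assuming a keylogger, the mouse "Snap To" option and a keyboard hotkey changing the layout. The script below reads the per-user registry values that back those two settings and reports whether KeyScrambler, which the log lists as an O4 entry, is actually running. The registry locations are the standard ones; the function name and the advisory strings are this example's own.

```powershell
# Added example (editor's, not from the original thread). It checks the two
# innocent explanations raised above for a jumping cursor and wrong letters:
# the mouse "Snap To" option and a second keyboard layout reachable by hotkey.

function Get-InputOddityCauses {
    # Control Panel > Mouse > Pointer Options > "Automatically move pointer to
    # the default button in a dialog box" is the SnapToDefaultButton string
    # value ("1" = on) under HKCU\Control Panel\Mouse.
    $mouse  = Get-ItemProperty 'HKCU:\Control Panel\Mouse'
    $snapTo = ([string]$mouse.SnapToDefaultButton -eq '1')

    # Keyboard layouts loaded at logon: HKCU\Keyboard Layout\Preload holds
    # value names 1, 2, ... whose data are layout IDs such as 00000809 (UK)
    # or 00000409 (US). With more than one loaded, the layout-switch hotkey
    # (Left Alt+Shift or Ctrl+Shift, per the Language Bar settings) changes
    # the key mapping mid-typing, which looks exactly like "different letters".
    $preload = Get-Item 'HKCU:\Keyboard Layout\Preload'
    $layouts = @($preload.GetValueNames() | Sort-Object | ForEach-Object { $preload.GetValue($_) })

    # KeyScrambler hooks keyboard input from its own process; if that process
    # is not running, no keystroke "encryption" is taking place at all.
    $ks = Get-Process -Name 'keyscrambler' -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        SnapToDefaultButton = $snapTo
        KeyboardLayouts     = $layouts
        MultipleLayouts     = ($layouts.Count -gt 1)
        KeyScramblerRunning = ($ks -ne $null)
    }
}

$r = Get-InputOddityCauses
$r | Format-List SnapToDefaultButton, KeyboardLayouts, MultipleLayouts, KeyScramblerRunning

if ($r.SnapToDefaultButton) {
    'Pointer snaps to default buttons: turn it off in Pointer Options and retest before blaming malware.'
}
if ($r.MultipleLayouts) {
    'More than one keyboard layout is loaded: remove the unused one under Region and Language > Keyboards, or watch for the switch hotkey.'
}
if (-not $r.KeyScramblerRunning) {
    'KeyScrambler is installed (O4 entry) but not running; its protection is not active right now.'
}
```

Turn the Snap To option off through the Control Panel dialog rather than by editing the registry value, because the dialog applies the change immediately while a raw registry edit only takes effect at the next logon. If both checks come back clean and the wrong-letter behaviour persists on the on-screen keyboard as well, the keyboard hardware is ruled out too, and the remaining candidates are the software the thread is already scanning for.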
Answer #6
OK, I’ve removed my AVG toolbars and ‘Facemoods’…..
I use ZoneAlarm for antivirus and it keeps coming up with backdoor Trojans under ‘roaming’. It seems to find files ‘inbox’ and ‘trash’ which are from my mail client Thunderbird.
“You could try downloading a Linux live distro and using ClamAV to scan the drive.”
I’ve also just downloaded Imunet.plus.30 (ClamAV powered). Not sure if that is what you recommend? I’ve found several w32.spero.hupigon.05.12 which seem to be located under Application Data for ZoneAlarm.
Not sure about a Linux live distro. I’ve never used Linux before and wouldn’t know where to start…..
I have Spybot and Malwarebytes so I’ll try running them again. Best in safe mode? I realise that most antivirus stuff doesn’t work in safe mode, especially without networking. Why is this?
Thanks
