Do I have a keylogger on my computer? Please check my log

Discussion in 'Malware Help (A Specialist Will Reply)' started by KittyCat, Jun 23, 2013.

  1. KittyCat

    KittyCat Private E-2

    I suspect that my colleague has installed on my laptop a keylogger or similar software that sends him information about my activities on the PC. Can you please check my log?

    Thank you so much in advance!

    Code:
    Logfile of random's system information tool 1.09 (written by random/random)
    Run by Renca at 2013-06-22 14:08:22
    Microsoft Windows 7 Professional  Service Pack 1
    System drive C: has 193 GB (81%) free of 238 GB
    Total RAM: 3033 MB (57% free)
    
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 14:08:36, on 22.6.2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v10.0 (10.00.9200.16611)
    Boot mode: Normal
    
    Running processes:
    C:\ProgramData\DatacardService\DCSHelper.exe
    C:\Users\Renca\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Users\Renca\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\trend micro\Renca.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Renca\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Renca\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    O4 - HKCU\..\Run: [Mobile Partner] C:\Program Files (x86)\WEB Partner\WEB Partner
    O4 - HKCU\..\Run: [googletalk] C:\Users\Renca\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [ShowBatteryBar] "C:\Program Files\BatteryBar\ShowBatteryBar.exe" show
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\SysWOW64\rpcnet.exe
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    
    --
    End of file - 7042 bytes
    
    ======Listing Processes======
    
    \SystemRoot\System32\smss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    wininit.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    winlogon.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    "C:\Windows\system32\Dwm.exe"
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    "taskhost.exe"
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
    "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service
    "C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"
    "C:\ProgramData\DatacardService\DCSHelper.exe"
    C:\Windows\SysWOW64\rpcnet.exe
    "C:\Windows\System32\igfxtray.exe" 
    "C:\Windows\System32\hkcmd.exe" 
    "C:\Windows\System32\igfxpers.exe" 
    "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    "C:\Users\Renca\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "C:\Users\Renca\AppData\Roaming\Google\Google Talk\googletalk.exe" /autostart
    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" 
    C:\Windows\system32\svchost.exe -k imgsvc
    "c:\Program Files\Microsoft Security Client\NisSrv.exe"
    C:\Windows\system32\SearchIndexer.exe /Embedding
    "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    "C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe" 
    "C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="2124.0.712598899\214242287" --supports-dual-gpus=false --gpu-vendor-id=0x8086 --gpu-device-id=0x2a42 --gpu-driver-vendor="Intel Corporation" --gpu-driver-version=8.15.10.2302 --ignored=" --type=renderer " /prefetch:822062411
    "C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe" --type=renderer --lang=cs --force-fieldtrials="AutocompleteDynamicTrial_1/DefaultControl/ForceCompositingMode/thread/InfiniteCache/No/InstantDummy/DummyPadding channel:stable/InstantExtended/Padding1 channel:stable/OmniboxHQPReplaceHUPProhibitTrumpingInlineableResult/Standard/OmniboxSearchSuggestTrialStarted2013Q1/4/OneClickSignIn/Standard/OverlappedReadImpact/OverlappedReadEnabled/Prerender/PrerenderEnabled/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_07/UMA-Uniformity-Trial-1-Percent/group_79/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_01/UMA-Uniformity-Trial-5-Percent/group_06/UMA-Uniformity-Trial-50-Percent/default/" --extension-process --renderer-print-preview --enable-threaded-compositing --disable-accelerated-2d-canvas --channel="2124.2.1483782974\483403213" /prefetch:673131151
    "C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe" --type=renderer --lang=cs --force-fieldtrials="AutocompleteDynamicTrial_1/DefaultControl/ForceCompositingMode/thread/InfiniteCache/No/InstantDummy/DummyPadding channel:stable/InstantExtended/Padding1 channel:stable/OmniboxHQPReplaceHUPProhibitTrumpingInlineableResult/Standard/OmniboxSearchSuggestTrialStarted2013Q1/4/OneClickSignIn/Standard/OverlappedReadImpact/OverlappedReadEnabled/Prerender/PrerenderEnabled/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_07/UMA-Uniformity-Trial-1-Percent/group_79/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_01/UMA-Uniformity-Trial-5-Percent/group_06/UMA-Uniformity-Trial-50-Percent/default/" --extension-process --renderer-print-preview --enable-threaded-compositing --disable-accelerated-2d-canvas --channel="2124.3.1033461813\2037108886" /prefetch:673131151
    "C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe" --type=renderer --lang=cs --force-fieldtrials="AutocompleteDynamicTrial_1/DefaultControl/ForceCompositingMode/thread/InfiniteCache/No/InstantDummy/DummyPadding channel:stable/InstantExtended/Padding1 channel:stable/OmniboxHQPReplaceHUPProhibitTrumpingInlineableResult/Standard/OmniboxSearchSuggestTrialStarted2013Q1/4/OneClickSignIn/Standard/OverlappedReadImpact/OverlappedReadEnabled/Prerender/PrerenderEnabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_07/UMA-Uniformity-Trial-1-Percent/group_79/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_01/UMA-Uniformity-Trial-5-Percent/group_06/UMA-Uniformity-Trial-50-Percent/default/" --renderer-print-preview --enable-threaded-compositing --disable-accelerated-2d-canvas --channel="2124.4.1283402643\1393150312" /prefetch:673131151
    "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
    "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
    \??\C:\Windows\system32\conhost.exe "-532467685-7400630701635661876543761802572154354646499343-580462447-50501113
    C:\Windows\system32\svchost.exe -k bthsvcs
    "C:\Users\Renca\AppData\Local\Google\Chrome\Application\chrome.exe" --type=ppapi --channel="2124.6.1794813806\1878685711" --lang=cs --ignored=" --type=renderer " /prefetch:-632637702
    C:\Windows\servicing\TrustedInstaller.exe
    "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 96715962-8F2D-C548-6C4D-9B734DFE83EF -Reinvoke
    "C:\Users\Renca\Downloads\RSITx64.exe" 
    C:\Windows\system32\wbem\wmiprvse.exe
    
    ======Scheduled tasks folder======
    
    C:\Windows\tasks\Adobe Flash Player Updater.job
    C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1232745917-3098099244-947842590-1001Core.job
    C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1232745917-3098099244-947842590-1001UA.job
    C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1232745917-3098099244-947842590-1005Core.job
    C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1232745917-3098099244-947842590-1005UA.job
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1232745917-3098099244-947842590-1005Core.job
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1232745917-3098099244-947842590-1005UA.job
    
    ======Registry dump======
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2012-09-30 449512]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2012-09-30 157672]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"=C:\Windows\system32\igfxtray.exe [2011-02-11 162328]
    "HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2011-02-11 386584]
    "Persistence"=C:\Windows\system32\igfxpers.exe [2011-02-11 417304]
    "MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2013-01-27 1281512]
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"=C:\Users\Renca\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-03 116648]
    "Facebook Update"=C:\Users\Renca\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-09-06 138096]
    "Mobile Partner"=C:\Program Files (x86)\WEB Partner\WEB Partner []
    "googletalk"=C:\Users\Renca\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "ShowBatteryBar"=C:\Program Files\BatteryBar\ShowBatteryBar.exe [2013-04-11 89600]
    
    [HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-04-04 958576]
    "SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2012-07-03 252848]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\Windows\system32\igfxdev.dll [2011-02-11 272896]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=credssp.dll
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=5
    "ConsentPromptBehaviorUser"=3
    "EnableUIADesktopToggle"=0
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoActiveDesktop"=1
    "NoActiveDesktopChanges"=1
    "ForceActiveDesktopOn"=0
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "vidc.mrle"=msrle32.dll
    "vidc.msvc"=msvidc32.dll
    "msacm.imaadpcm"=imaadp32.acm
    "msacm.msg711"=msg711.acm
    "msacm.msgsm610"=msgsm32.acm
    "msacm.msadpcm"=msadp32.acm
    "midimapper"=midimap.dll
    "wavemapper"=msacm32.drv
    "VIDC.UYVY"=msyuv.dll
    "VIDC.YUY2"=msyuv.dll
    "VIDC.YVYU"=msyuv.dll
    "VIDC.IYUV"=iyuv_32.dll
    "vidc.i420"=iyuv_32.dll
    "VIDC.YVU9"=tsbyuv.dll
    "msacm.l3acm"=C:\Windows\System32\l3codeca.acm
    "wave"=wdmaud.drv
    "midi"=wdmaud.drv
    "mixer"=wdmaud.drv
    "aux"=wdmaud.drv
    "MSVideo8"=VfWWDM32.dll
    
    ======File associations======
    
    .js - edit - C:\Windows\System32\Notepad.exe %1
    .js - open - C:\Windows\System32\WScript.exe "%1" %*
    
    ======List of files/folders created in the last 2 months======
    
    2013-06-22 14:08:22 ----D---- C:\rsit
    2013-06-22 14:08:22 ----D---- C:\Program Files\trend micro
    2013-06-17 19:49:50 ----A---- C:\Windows\SYSWOW64\iesetup.dll
    2013-06-17 19:49:50 ----A---- C:\Windows\SYSWOW64\iernonce.dll
    2013-06-17 19:49:50 ----A---- C:\Windows\system32\iesetup.dll
    2013-06-17 19:49:50 ----A---- C:\Windows\system32\iernonce.dll
    2013-06-17 19:49:50 ----A---- C:\Windows\system32\ie4uinit.exe
    2013-06-17 19:49:49 ----A---- C:\Windows\SYSWOW64\RegisterIEPKEYs.exe
    2013-06-17 19:49:49 ----A---- C:\Windows\SYSWOW64\iesysprep.dll
    2013-06-17 19:49:49 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
    2013-06-17 19:49:49 ----A---- C:\Windows\system32\iesysprep.dll
    2013-06-17 19:49:48 ----A---- C:\Windows\SYSWOW64\msfeeds.dll
    2013-06-17 19:49:48 ----A---- C:\Windows\system32\msfeeds.dll
    2013-06-17 19:49:47 ----A---- C:\Windows\SYSWOW64\jscript.dll
    2013-06-17 19:49:47 ----A---- C:\Windows\system32\jscript9.dll
    2013-06-17 19:49:47 ----A---- C:\Windows\system32\jscript.dll
    2013-06-17 19:49:46 ----A---- C:\Windows\SYSWOW64\jscript9.dll
    2013-06-17 19:49:43 ----A---- C:\Windows\SYSWOW64\wininet.dll
    2013-06-17 19:49:43 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
    2013-06-17 19:49:43 ----A---- C:\Windows\system32\wininet.dll
    2013-06-17 19:49:43 ----A---- C:\Windows\system32\jsproxy.dll
    2013-06-17 19:49:09 ----A---- C:\Windows\SYSWOW64\urlmon.dll
    2013-06-17 19:49:09 ----A---- C:\Windows\system32\urlmon.dll
    2013-06-17 19:49:08 ----A---- C:\Windows\SYSWOW64\iertutil.dll
    2013-06-17 19:49:07 ----A---- C:\Windows\SYSWOW64\ieui.dll
    2013-06-17 19:49:07 ----A---- C:\Windows\system32\ieui.dll
    2013-06-17 19:49:07 ----A---- C:\Windows\system32\iertutil.dll
    2013-06-17 19:49:05 ----A---- C:\Windows\SYSWOW64\ieframe.dll
    2013-06-17 19:49:05 ----A---- C:\Windows\system32\ieframe.dll
    2013-06-17 19:49:03 ----A---- C:\Windows\system32\mshtml.dll
    2013-06-17 19:49:01 ----A---- C:\Windows\SYSWOW64\mshtml.dll
    2013-06-17 14:20:55 ----D---- C:\Users\Renca\AppData\Roaming\Mozilla
    2013-06-17 13:51:43 ----A---- C:\Windows\SYSWOW64\win32spl.dll
    2013-06-17 13:51:43 ----A---- C:\Windows\system32\win32spl.dll
    2013-06-17 13:51:42 ----A---- C:\Windows\system32\drivers\tcpip.sys
    2013-06-17 13:51:36 ----A---- C:\Windows\SYSWOW64\cryptdlg.dll
    2013-06-17 13:51:36 ----A---- C:\Windows\system32\cryptdlg.dll
    2013-06-17 13:51:29 ----A---- C:\Windows\SYSWOW64\WindowsCodecs.dll
    2013-06-17 13:51:29 ----A---- C:\Windows\system32\WindowsCodecs.dll
    2013-06-17 13:51:18 ----A---- C:\Windows\system32\certutil.exe
    2013-06-17 13:51:17 ----A---- C:\Windows\SYSWOW64\certutil.exe
    2013-06-17 13:51:17 ----A---- C:\Windows\system32\crypt32.dll
    2013-06-17 13:51:16 ----A---- C:\Windows\SYSWOW64\crypt32.dll
    2013-06-17 13:51:16 ----A---- C:\Windows\system32\cryptsvc.dll
    2013-06-17 13:51:16 ----A---- C:\Windows\system32\cryptnet.dll
    2013-06-17 13:51:15 ----A---- C:\Windows\SYSWOW64\cryptsvc.dll
    2013-06-17 13:51:15 ----A---- C:\Windows\SYSWOW64\cryptnet.dll
    2013-06-17 13:51:15 ----A---- C:\Windows\system32\certenc.dll
    2013-06-17 13:51:14 ----A---- C:\Windows\SYSWOW64\certenc.dll
    2013-06-17 13:50:22 ----A---- C:\Windows\SYSWOW64\d3d11.dll
    2013-06-17 13:50:22 ----A---- C:\Windows\system32\d3d11.dll
    2013-05-22 11:04:59 ----D---- C:\Windows\SYSWOW64\Adobe
    2013-05-16 13:40:35 ----A---- C:\Windows\system32\drivers\dxgmms1.sys
    2013-05-16 13:40:35 ----A---- C:\Windows\system32\drivers\dxgkrnl.sys
    2013-05-16 13:40:35 ----A---- C:\Windows\system32\cdd.dll
    2013-05-16 13:40:25 ----A---- C:\Windows\system32\shell32.dll
    2013-05-16 13:40:24 ----A---- C:\Windows\system32\shdocvw.dll
    2013-05-16 13:40:24 ----A---- C:\Windows\system32\authui.dll
    2013-05-16 13:40:23 ----A---- C:\Windows\SYSWOW64\shell32.dll
    2013-05-16 13:40:23 ----A---- C:\Windows\SYSWOW64\shdocvw.dll
    2013-05-16 13:40:23 ----A---- C:\Windows\SYSWOW64\authui.dll
    2013-05-16 13:40:23 ----A---- C:\Windows\system32\consent.exe
    2013-05-16 13:40:22 ----A---- C:\Windows\system32\appinfo.dll
    2013-05-16 13:40:07 ----A---- C:\Windows\system32\wwansvc.dll
    2013-05-16 13:40:07 ----A---- C:\Windows\system32\wwanprotdim.dll
    2013-05-16 13:40:04 ----A---- C:\Windows\system32\win32k.sys
    2013-04-29 10:01:09 ----A---- C:\Windows\system32\mstscax.dll
    2013-04-29 10:01:08 ----A---- C:\Windows\SYSWOW64\mstscax.dll
    2013-04-29 10:01:07 ----A---- C:\Windows\SYSWOW64\tsgqec.dll
    2013-04-29 10:01:07 ----A---- C:\Windows\SYSWOW64\aaclient.dll
    2013-04-29 10:01:07 ----A---- C:\Windows\system32\tsgqec.dll
    2013-04-29 10:01:07 ----A---- C:\Windows\system32\aaclient.dll
    2013-04-29 10:00:50 ----A---- C:\Windows\system32\drivers\ntfs.sys
    2013-04-29 10:00:50 ----A---- C:\Windows\system32\drivers\fvevol.sys
    2013-04-29 10:00:47 ----A---- C:\Windows\system32\ntoskrnl.exe
    2013-04-29 10:00:46 ----A---- C:\Windows\SYSWOW64\ntoskrnl.exe
    2013-04-29 10:00:46 ----A---- C:\Windows\SYSWOW64\ntkrnlpa.exe
    2013-04-29 10:00:45 ----A---- C:\Windows\SYSWOW64\apisetschema.dll
    2013-04-29 10:00:45 ----A---- C:\Windows\system32\smss.exe
    2013-04-29 10:00:45 ----A---- C:\Windows\system32\csrsrv.dll
    2013-04-28 21:44:50 ----D---- C:\Program Files (x86)\O2
    2013-04-28 21:17:32 ----D---- C:\HUAWEI
    
    ======List of files/folders modified in the last 2 months======
    
    2013-06-22 14:08:36 ----D---- C:\Windows\Prefetch
    2013-06-22 14:08:22 ----RD---- C:\Program Files
    2013-06-22 14:06:55 ----D---- C:\Windows\Temp
    2013-06-22 14:04:46 ----D---- C:\Windows\system32\config
    2013-06-22 14:04:08 ----D---- C:\Windows\tracing
    2013-06-22 13:54:06 ----A---- C:\Windows\system32\rpcnetp.exe
    2013-06-22 13:53:57 ----A---- C:\Windows\SYSWOW64\rpcnet.dll
    2013-06-21 12:10:45 ----D---- C:\Windows\winsxs
    2013-06-21 12:10:38 ----A---- C:\Windows\SYSWOW64\rpcnetp.dll
    2013-06-21 12:09:50 ----A---- C:\Windows\SYSWOW64\rpcnetp.exe
    2013-06-21 12:09:08 ----D---- C:\Windows\system32\drivers
    2013-06-21 12:09:08 ----D---- C:\Program Files (x86)\Internet Explorer
    2013-06-21 12:09:07 ----D---- C:\Windows\SysWOW64
    2013-06-21 12:09:07 ----D---- C:\Windows\System32
    2013-06-21 12:09:07 ----D---- C:\Program Files\Internet Explorer
    2013-06-21 12:09:05 ----D---- C:\Windows\SYSWOW64\cs-CZ
    2013-06-21 12:09:05 ----D---- C:\Windows\system32\cs-CZ
    2013-06-17 19:52:03 ----SHD---- C:\Windows\Installer
    2013-06-17 19:52:03 ----D---- C:\ProgramData\Microsoft Help
    2013-06-17 19:50:25 ----A---- C:\Windows\system32\MRT.exe
    2013-06-17 19:50:09 ----D---- C:\Windows\system32\catroot2
    2013-06-17 19:50:09 ----D---- C:\Windows\system32\catroot
    2013-06-17 19:48:18 ----SHD---- C:\System Volume Information
    2013-06-17 15:34:44 ----A---- C:\Windows\SYSWOW64\FlashPlayerApp.exe
    2013-06-17 13:41:41 ----D---- C:\Windows\inf
    2013-06-17 13:41:41 ----A---- C:\Windows\system32\PerfStringBackup.INI
    2013-06-06 16:32:51 ----D---- C:\Program Files\BatteryBar
    2013-06-01 11:36:37 ----D---- C:\Users\Renca\AppData\Roaming\BatteryBar
    2013-05-22 11:09:50 ----D---- C:\Windows
    2013-05-22 11:05:00 ----D---- C:\Windows\Downloaded Program Files
    2013-05-21 13:38:00 ----D---- C:\Windows\rescache
    2013-05-21 11:55:43 ----D---- C:\Windows\Microsoft.NET
    2013-05-21 11:55:42 ----RSD---- C:\Windows\assembly
    2013-05-17 10:33:14 ----D---- C:\Windows\AppPatch
    2013-05-10 18:39:07 ----A---- C:\Windows\SYSWOW64\identprv.dll
    2013-05-02 17:29:56 ----N---- C:\Windows\system32\MpSigStub.exe
    2013-04-28 21:44:50 ----D---- C:\Program Files (x86)
    2013-04-28 21:31:32 ----D---- C:\Windows\system32\NDF
    2013-04-28 21:11:28 ----D---- C:\Windows\Tasks
    2013-04-28 21:11:28 ----D---- C:\Windows\system32\wfp
    2013-04-28 21:11:28 ----D---- C:\Windows\system32\drivers\UMDF
    2013-04-28 21:11:27 ----D---- C:\Windows\system32\wbem
    2013-04-28 21:10:35 ----D---- C:\Windows\system32\DriverStore
    2013-04-28 21:10:35 ----D---- C:\Windows\system32\CodeIntegrity
    2013-04-28 21:10:33 ----D---- C:\Windows\AppCompat
    2013-04-28 21:10:28 ----D---- C:\Windows\registration
    
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    
    R0 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2013-01-20 230320]
    R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2010-11-21 213888]
    R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2010-11-21 514560]
    R1 vwififlt;Virtual WiFi Filter Driver; C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    R2 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
    R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl664.sys [2009-07-08 2769400]
    R3 BthEnum;Ovladač pro Bluetooth Request Block; C:\Windows\system32\drivers\BthEnum.sys [2009-07-14 41984]
    R3 BthPan;Zařízení Bluetooth (síť PAN); C:\Windows\system32\DRIVERS\bthpan.sys [2009-07-14 118784]
    R3 BTHUSB;Ovladač rozhraní USB radiostanice Bluetooth; C:\Windows\System32\Drivers\BTHUSB.sys [2011-04-28 80384]
    R3 huawei_enumerator;huawei_enumerator; C:\Windows\system32\DRIVERS\ew_jubusenum.sys [2011-01-30 86016]
    R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [2011-02-11 10628640]
    R3 RFCOMM;Zařízení Bluetooth (RFCOMM protokol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-07-14 158720]
    R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
    R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2010-11-21 109056]
    S3 BTHPORT;Ovladač portu Bluetooth; C:\Windows\System32\Drivers\BTHport.sys [2012-07-06 552960]
    S3 dmvsc;dmvsc; C:\Windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device; C:\Windows\system32\DRIVERS\ew_hwusbdev.sys [2010-07-27 117248]
    S3 ewusbmbb;HUAWEI USB-WWAN miniport; C:\Windows\system32\DRIVERS\ewusbwwan.sys [2010-12-23 421376]
    S3 Huawei;HUAWEI Mobile Connect - USB Smart Card Reader; C:\Windows\system32\DRIVERS\ewdcsc.sys [2010-10-08 32768]
    S3 huawei_cdcacm;huawei_cdcacm; C:\Windows\system32\DRIVERS\ew_jucdcacm.sys [2011-02-25 98816]
    S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2010-12-24 221312]
    S3 hwusbdev;Huawei DataCard USB PNP Device; C:\Windows\system32\DRIVERS\ewusbdev.sys []
    S3 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-07-14 12352]
    S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2010-11-21 165888]
    S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys [2010-11-21 6656]
    S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [2010-11-21 34688]
    S3 TsUsbFlt;TsUsbFlt; C:\Windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device; C:\Windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    S3 vmbus;vmbus; C:\Windows\system32\drivers\vmbus.sys [2010-11-21 199552]
    S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [2010-11-21 21760]
    S3 WinUsb;Ovladač WinUSB; C:\Windows\system32\DRIVERS\WinUSB.sys [2010-11-21 41984]
    
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    
    R2 AdobeARMservice;Adobe Acrobat Update Service; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2013-05-10 65640]
    R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 27136]
    R2 HWDeviceService64.exe;HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-03-14 346976]
    R2 MDM;Machine Debug Manager; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
    R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\MsMpEng.exe [2013-01-27 22056]
    R2 rpcnet;Remote Procedure Call (RPC) Net; C:\Windows\SysWOW64\rpcnet.exe [2013-02-15 58288]
    R3 NisSrv;@c:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-17 256904]
    S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 27136]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2011-07-20 440696]
    S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
    S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-14 27136]
    S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
    S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2012-02-20 1255736]
    
    -----------------EOF-----------------
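A small parser for the service listing above, added here as an example; it is not part of the original post and not code from the RSIT or HijackThis tools. It reads each service line using the R/S and 0-4 legend printed in the log header and marks entries for manual review when the tool recorded no file info (empty brackets, as for `hwusbdev` above) or when the service binary lives outside `C:\Windows` and the Program Files folders. The review heuristic is the example's own assumption; a mark means "look this entry up", not that the service is malicious. The sample lines are a subset copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legend taken from the log header:
# R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled
STATE = {"R": "Running", "S": "Stopped"}
START = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# One service line: "<state><start> <name>;<display>; <path> [<date> <size>]"
# An empty "[]" means the tool could not read the file's date and size.
LINE_RE = re.compile(
    r"^\s*(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)

# Locations where a service binary is expected (example's own assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ServiceEntry:
    state: str
    start: str
    name: str
    display: str
    path: str
    file_date: Optional[str]   # None when the tool recorded no file info
    file_size: Optional[int]


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    info = m.group("info").strip()
    date, size = None, None
    if info:
        parts = info.split()
        date = parts[0]
        if len(parts) > 1 and parts[1].isdigit():
            size = int(parts[1])
    return ServiceEntry(
        STATE[m.group("state")], START[m.group("start")],
        m.group("name").strip(), m.group("display").strip(),
        m.group("path").strip(), date, size,
    )


def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review_reasons(entry: ServiceEntry) -> List[str]:
    """Reasons to look at an entry by hand; an empty list means nothing stood out."""
    reasons = []
    if entry.file_date is None:
        reasons.append("no file info recorded (binary missing or unreadable)")
    if not entry.path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside Windows / Program Files")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map service name -> review reasons, for entries that have at least one."""
    return {e.name: r for e in parse_services(text) if (r := review_reasons(e))}


# Constructed sample: a subset of lines copied from the log in the post above.
SAMPLE_LOG = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
S3 hwusbdev;Huawei DataCard USB PNP Device; C:\Windows\system32\DRIVERS\ewusbdev.sys []
S3 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-07-14 12352]
R2 HWDeviceService64.exe;HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-03-14 346976]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\MsMpEng.exe [2013-01-27 22056]
R2 rpcnet;Remote Procedure Call (RPC) Net; C:\Windows\SysWOW64\rpcnet.exe [2013-02-15 58288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
"""

if __name__ == "__main__":
    for entry in parse_services(SAMPLE_LOG):
        print(f"{entry.state:8} {entry.start:8} {entry.name:35} {entry.path}")
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"REVIEW {name}: {'; '.join(reasons)}")
```

Run on the full log, `triage` gives a short list of entries to look up by file path and publisher before reaching any conclusion; everything the parser does is offline and read-only, which suits a log that was posted for a second opinion.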
    
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to the Malware Removal Forum.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work, they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and, as stated, our system works the oldest threads FIRST.
     
