TheTechGuide Forum
General Category => Tech Clinic => Topic started by: rinoscar on June 20, 2010, 08:13:49 AM
-
Hello,
When opening my computer, my 2010 version of Kaspersky "Detected: PDM.Keylogger C:\WINDOWS\SYSTEM32\DRIVERS\MSIKBD2K.SYS".
I never paid attention to it until I found out what a keylogger is, and since I do all my banking and investments online I want to make sure I am SAFE at 100%.
Thank you
-
That could very well be a False Positive on Kaspersky's side.
I'm finding it's a safe file,
but to be on the safe side, can you do the following please:
Download OTL.exe (http://oldtimer.geekstogo.com/OTL.exe) by OldTimer to your Desktop.
- Close all windows and double click on OTL.exe to run it
- Click Run Scan and let the program run uninterrupted.
- It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
- You may need to use two posts to get it all.
NOTE: If you have trouble, or an error message, trying to post the logs,
can you upload it to a reply box.
In a Reply, select "Browse..." on the bottom right and then navigate to the file and select it.
Then click "Upload".
-
OTL logfile created on: 6/20/2010 2:02:54 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1,023.00 Mb Total Physical Memory | 563.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.30 Gb Total Space | 10.66 Gb Free Space | 28.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: HOME-13C58E823B
Current User Name: Rino Scarsella
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2010/06/20 14:01:11 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop\OTL.exe
PRC - [2009/10/20 19:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
PRC - [2009/10/20 19:34:38 | 000,207,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
PRC - [2008/06/10 05:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/20 21:35:02 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2006/11/21 21:08:57 | 000,813,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2003/04/07 22:36:06 | 000,176,128 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
PRC - [2002/12/10 04:40:58 | 000,102,400 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Inetkb\iNetKb.exe
PRC - [2002/02/21 00:48:18 | 000,102,400 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe
PRC - [2001/11/02 03:19:34 | 000,090,112 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Onscreen Display\OSD.exe
PRC - [2001/08/06 07:41:48 | 000,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
========== Modules (SafeList) ==========
MOD - [2010/06/20 14:01:11 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
========== Win32 Services (SafeList) ==========
SRV - [2009/10/20 19:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe -- (AVP)
SRV - [2007/02/20 21:35:02 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2001/08/06 07:41:48 | 000,028,672 | ---- | M] () [Auto | Running] -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- (nhksrv)
========== Driver Services (SafeList) ==========
DRV - [2010/03/18 16:47:37 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/14 20:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2009/10/02 18:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 13:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 14:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/02/03 10:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/03 10:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2006/08/10 07:32:14 | 000,204,672 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)
DRV - [2004/08/03 18:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2002/06/03 12:18:32 | 000,040,832 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)
DRV - [2001/12/20 10:02:12 | 000,006,656 | ---- | M] (Netropa Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Msikbd2k.sys -- (msikbd2k)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.canoe.ca/home.html
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2010/03/18 16:49:04 | 000,000,000 | ---D | M]
[2009/11/30 18:29:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Application Data\Mozilla\Extensions
[2009/11/30 18:29:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Application Data\Mozilla\Extensions\[email protected]
O1 HOSTS File: ([2009/08/30 14:34:08 | 000,325,921 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11154 more lines...
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (Netropa Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 60
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} http://zone.msn.com/bingame/choc/default/ChocolatierWeb.1.0.0.17.cab (CPlayFirstChocolatieControl Object)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab (SysData Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272072987162 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://sympatico.zone.msn.com/bingame/luxr/default/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab (MSN Games – Texas Holdem Poker)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DDRevision Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2007/02/26 15:35:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d1416fe0-0e8b-11de-8187-000ae6b27bb6}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe
O33 - MountPoints2\{d1416fe0-0e8b-11de-8187-000ae6b27bb6}\Shell\open\command - "" = RECYCLER\S-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/06/20 14:01:10 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop\OTL.exe
[2010/06/09 06:14:54 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/07 06:19:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop\Grad
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/06/20 14:02:41 | 000,000,245 | ---- | M] () -- C:\WINDOWS\MSIOSD.INI
[2010/06/20 14:01:11 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop\OTL.exe
[2010/06/20 13:43:05 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\ntuser.dat
[2010/06/20 13:43:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/20 13:42:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/20 13:42:55 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/20 13:41:14 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\ntuser.ini
[2010/06/20 13:34:21 | 000,013,712 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/09 06:52:02 | 000,146,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/09 06:38:56 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/06/20 13:22:13 | 000,069,371 | ---- | C] () -- C:\WINDOWS\hpoins05.dat.temp
[2010/06/20 13:22:13 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat.temp
[2009/06/03 09:48:25 | 000,000,031 | ---- | C] () -- C:\WINDOWS\warhead.ini
[2009/05/04 15:03:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2009/05/04 14:53:28 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2009/05/04 14:53:10 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2009/01/02 14:26:33 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2008/12/31 17:27:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/12/31 17:27:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\msiosd32.dll
[2008/12/31 17:27:22 | 000,000,245 | ---- | C] () -- C:\WINDOWS\MSIOSD.INI
[2007/02/03 08:59:04 | 000,050,127 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2004/09/17 18:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 157 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3DB0B938
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:7715B65F
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4F58D818
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74B502CB
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:60D735B2
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B894C266
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5F538558
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C3B04546
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:ABA71843
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2A8A3140
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3E35D9D6
< End of report >
-
OTL Extras logfile created on: 6/20/2010 2:02:54 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Rino Scarsella.HOME-13C58E823B\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1,023.00 Mb Total Physical Memory | 563.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.30 Gb Total Space | 10.66 Gb Free Space | 28.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: HOME-13C58E823B
Current User Name: Rino Scarsella
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}" = Java DB 10.5.3.0
"{0208A7E3-0D30-11D4-A1FC-00508B9D1BA2}" = OmniKey
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{2A5C6AD0-F7B3-40A1-B140-23B085B1B8CE}" = UFile 2008
"{2C464EC1-2B0C-4490-9CAC-D4562DD8377A}" = Soap 3.0 Toolkit
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160200}" = Java(TM) SE Development Kit 6 Update 20
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{451BB54C-8B23-4455-8BDC-14FC7D43E056}" = MSXML4SP2
"{461073BF-9642-4A73-B58E-157358D412AB}" = 6200
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{6518675B-CC8D-4AB3-A3F6-CC02FF6548D7}" = 6200_Help
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{85BCA736-A0F4-448E-9BC1-6EA08693E10B}" = HP Image Zone Express
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AF5A39FE-51FB-4BA3-B399-2D1F0C65D617}_is1" = AusLogics System Information
"{B6797F11-4A7D-45F5-8A20-72E9CCD83538}" = UFile Updater 2009
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{C3F81504-72F3-4262-9449-487404DA75BB}" = 6200Trb
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{C9967B5A-6E08-4E79-BFBD-BBB07DB0CA04}" = UFile Updater 2008
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{D36F4DCA-B6D5-403A-B69D-2439D59FC9A7}" = UFile 2009
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D627784F-B3EE-44E8-96B1-9509B991EA34}_is1" = AusLogics Registry Defrag
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"FrostWire" = FrostWire 4.18.6
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Photo & Imaging" = HP Image Zone 4.7
"ie8" = Windows Internet Explorer 8
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PokerStars" = PokerStars
"Spell Checker For OE 2.1" = Spell Checker For OE 2.1
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 3/26/2010 2:36:33 PM | Computer Name = HOME-13C58E823B | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
Error - 4/6/2010 8:47:18 PM | Computer Name = HOME-13C58E823B | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6308.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 4/6/2010 8:47:18 PM | Computer Name = HOME-13C58E823B | Source = Microsoft Office 12 | ID = 5000
Description = EventType officelifeboathang, P1 winword.exe, P2 12.0.6308.5000, P3
ntdll.dll, P4 5.1.2600.5755, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.
Error - 4/6/2010 8:47:28 PM | Computer Name = HOME-13C58E823B | Source = Application Hang | ID = 1001
Description = Fault bucket 734307661.
Error - 4/6/2010 9:40:57 PM | Computer Name = HOME-13C58E823B | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6308.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 4/6/2010 9:41:03 PM | Computer Name = HOME-13C58E823B | Source = Application Hang | ID = 1001
Description = Fault bucket 734307661.
Error - 4/17/2010 10:56:19 AM | Computer Name = HOME-13C58E823B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.
Error - 4/24/2010 9:55:36 AM | Computer Name = HOME-13C58E823B | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Home and Student 2007 - Update 'Security
Update for Microsoft Office Excel 2007 (KB978382)' could not be installed. Error
code 1603. Windows Installer can create logs to help troubleshoot issues with installing
software packages. Use the following link for instructions on turning on logging
support: http://go.microsoft.com/fwlink/?LinkId=23127
Error - 4/24/2010 9:57:22 AM | Computer Name = HOME-13C58E823B | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Home and Student 2007 - Update 'Security
Update for Microsoft Office system 2007 (972581)' could not be installed. Error
code 1603. Windows Installer can create logs to help troubleshoot issues with installing
software packages. Use the following link for instructions on turning on logging
support: http://go.microsoft.com/fwlink/?LinkId=23127
Error - 4/24/2010 9:58:54 AM | Computer Name = HOME-13C58E823B | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Home and Student 2007 - Update 'Security
Update for Microsoft Office PowerPoint 2007 (KB957789)' could not be installed.
Error code 1603. Windows Installer can create logs to help troubleshoot issues
with installing software packages. Use the following link for instructions on turning
on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
[ System Events ]
Error - 6/15/2010 8:10:17 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/15/2010 8:10:19 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/15/2010 8:10:20 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/15/2010 8:10:21 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/15/2010 8:10:23 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/15/2010 8:10:25 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/20/2010 9:35:53 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/20/2010 9:35:54 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/20/2010 9:36:03 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 6/20/2010 9:36:04 AM | Computer Name = HOME-13C58E823B | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.
< End of report >
-
That file definitely looks as if it's related to your multimedia keyboard
There's a good chance you should have Kaspersky's just ignore it
But I do see other entries we should deal with
Can you do the following please
Download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop
- Double click on Flash_Disinfector.exe to run it. If you receive a prompt, please allow it.
- You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in
- Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
- When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
- Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Afterwards:
Double click on OTL.exe and run it
- Under the Custom Scans/Fixes box at the bottom, copy/paste in the following in the quote box below. Don't include the word Quote please
:OTL
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...aploader_v6.cab (PopCapLoader Object)
O33 - MountPoints2\{d1416fe0-0e8b-11de-8187-000ae6b27bb6}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe
O33 - MountPoints2\{d1416fe0-0e8b-11de-8187-000ae6b27bb6}\Shell\open\command - "" = RECYCLER\S-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe
:Reg
:Files
:Commands
[EmptyTemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
On startup, Allow OTL to run if prompted
A log should open, can you post it please
A copy of this log can also be found in
C:\_OTL\Moved Files folder
In addition:
Go to this link
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\system32\drivers\Msikbd2k.sys <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Or just post the link to the results page
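
The two O33 lines in the fix script above are AutoRun commands registered for a mounted volume that launch an executable from a RECYCLER folder. As an added example (not part of the original post and not OTL's own logic), this Python code parses O33 lines from an OTL log and flags that pattern; the third sample line and the S-1-5-21 account-SID check are assumptions of the example.

```python
import re

# Sample input: the first two O33 lines are taken from the fix script in this
# thread; the third is a constructed benign entry added for contrast.
SAMPLE_LOG = r'''
O33 - MountPoints2\{d1416fe0-0e8b-11de-8187-000ae6b27bb6}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe
O33 - MountPoints2\{d1416fe0-0e8b-11de-8187-000ae6b27bb6}\Shell\open\command - "" = RECYCLER\S-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe
O33 - MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command - "" = E:\setup.exe
'''

# O33 - MountPoints2\<volume>\Shell\<verb>\command - "<value name>" = <command>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "(?P<value>[^"]*)" = (?P<command>.+)$')
# A command that runs from inside a recycle bin folder named like a SID.
RECYCLER_RE = re.compile(r'(?:^|\\)RECYCLER\\(?P<sid>S-[\d-]+)\\', re.IGNORECASE)
# Real per-user recycle bin folders are named after an account SID,
# which for local and domain accounts has the form S-1-5-21-a-b-c-RID.
ACCOUNT_SID_RE = re.compile(r'^S-1-5-21-\d+-\d+-\d+-\d+$')


def parse_o33(log_text):
    """Return one dict (volume, verb, value, command) per O33 line."""
    entries = []
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    m = RECYCLER_RE.search(entry["command"])
    if m:
        reasons.append("autorun target is inside a RECYCLER folder")
        if not ACCOUNT_SID_RE.match(m.group("sid")):
            reasons.append("folder name is not an account SID (S-1-5-21-...)")
    return reasons


def suspicious_entries(log_text):
    """Pair each flagged O33 entry with its list of reasons."""
    return [(e, r) for e in parse_o33(log_text) if (r := triage(e))]


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(SAMPLE_LOG):
        print(entry["volume"], entry["verb"], entry["command"])
        for reason in reasons:
            print("   -", reason)
```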
-
[quote name='guestolo' date='20 June 2010 - 10:07 PM' timestamp='1277089651' post='470096']
That file definitely looks as if it's related to your multimedia keyboard
There's a good chance you should have Kaspersky's just ignore it
But I do see other entries we should deal with
Can you do the following please
Download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop
- Double click on Flash_Disinfector.exe to run it. If you receive a prompt, please allow it.
- You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in
- Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
- When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
- Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Afterwards:
Double click on OTL.exe and run it
- Under the Custom Scans/Fixes box at the bottom, copy/paste in the following in the quote box below. Don't include the word Quote please
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
On startup, Allow OTL to run if prompted
A log should open, can you post it please
A copy of this log can also be found in
C:\_OTL\Moved Files folder
In addition:
Go to this link
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\system32\drivers\Msikbd2k.sys <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Or just post the link to the results page
[/quote]
I will complete the VirusTotal later tonight.
-
Sorry for the delay, but here are the results for VirusTotal:
File Msikbd2k.sys received on 2010.06.23 09:59:44 (UTC)
Result: 0/41 (0%)
Antivirus             Version         Last Update  Result
a-squared             5.0.0.30        2010.06.23   -
AhnLab-V3             2010.06.23.00   2010.06.23   -
AntiVir               8.2.2.6         2010.06.22   -
Antiy-AVL             2.0.3.7         2010.06.23   -
Authentium            5.2.0.5         2010.06.23   -
Avast                 4.8.1351.0      2010.06.23   -
Avast5                5.0.332.0       2010.06.23   -
AVG                   9.0.0.836       2010.06.22   -
BitDefender           7.2             2010.06.23   -
CAT-QuickHeal         10.00           2010.06.23   -
ClamAV                0.96.0.3-git    2010.06.23   -
Comodo                5192            2010.06.23   -
DrWeb                 5.0.2.03300     2010.06.23   -
eSafe                 7.0.17.0        2010.06.22   -
eTrust-Vet            36.1.7661       2010.06.23   -
F-Prot                4.6.1.107       2010.06.22   -
F-Secure              9.0.15370.0     2010.06.23   -
Fortinet              4.1.133.0       2010.06.22   -
GData                 21              2010.06.23   -
Ikarus                T3.1.1.84.0     2010.06.23   -
Jiangmin              13.0.900        2010.06.15   -
Kaspersky             7.0.0.125       2010.06.23   -
McAfee                5.400.0.1158    2010.06.23   -
McAfee-GW-Edition     2010.1          2010.06.22   -
Microsoft             1.5902          2010.06.23   -
NOD32                 5221            2010.06.23   -
Norman                6.05.10         2010.06.23   -
nProtect              2010-06-23.02   2010.06.23   -
Panda                 10.0.2.7        2010.06.23   -
PCTools               7.0.3.5         2010.06.23   -
Prevx                 3.0             2010.06.23   -
Rising                22.53.02.04     2010.06.23   -
Sophos                4.54.0          2010.06.23   -
Sunbelt               6493            2010.06.23   -
Symantec              20101.1.0.89    2010.06.23   -
TheHacker             6.5.2.0.303     2010.06.23   -
TrendMicro            9.120.0.1004    2010.06.23   -
TrendMicro-HouseCall  9.120.0.1004    2010.06.23   -
VBA32                 3.12.12.5       2010.06.22   -
ViRobot               2010.6.21.3896  2010.06.23   -
VirusBuster           5.0.27.0        2010.06.22   -
Additional information
File size: 6656 bytes
MD5...: 9b99b04c28ccd19741dbbed64480195c
SHA1..: ba53338071d78293c8ff8cb6ebe5293f7fba36e3
SHA256: b16adca5c7d82e58e7380b30f0b341a56721dd852d010e65b06ebda033db5763
ssdeep: 96:FVQe6SyOMFp6lwHs8sQr8tp7YCGpWw+k0Tx8bul5fmeS4N7AWTA9SToDhdB:FWe6SypxD8D8pkTZEd0T0
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x114e
timedatestamp.....: 0x3c227c03 (Fri Dec 21 00:02:11 2001)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x78a 0x800 6.01 ca766ca24e3d7dc75c4e162bd05ab501
.rdata 0xb00 0xbd 0x100 3.52 b8d2dbe50a24b5bb699715219d06be8a
PAGE 0xc00 0x4c0 0x500 6.08 a6ba9691623822cc51a7e4bae8952952
INIT 0x1100 0x3e4 0x400 5.53 1723aab17a171f69e5e226a151e2af2e
.rsrc 0x1500 0x3d0 0x400 3.26 680ed0e61a02d5014b44bf012384845c
.reloc 0x1900 0xa6 0x100 3.20 77c8ef037c6ee2254a963a5d44627884
( 2 imports )
> ntoskrnl.exe: IofCompleteRequest, ObReferenceObjectByHandle, ObfDereferenceObject, IoGetDriverObjectExtension, KeWaitForSingleObject, KeInitializeEvent, IoDeleteDevice, IofCallDriver, PoCallDriver, PoStartNextPowerIrp, KeClearEvent, DbgPrint, IoAllocateDriverObjectExtension, IoCreateSymbolicLink, RtlInitUnicodeString, KeSetEvent, IoCreateDevice, IoDetachDevice, IoAttachDeviceToDeviceStack
> HAL.dll: KfReleaseSpinLock, KeStallExecutionProcessor, KfAcquireSpinLock
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Netropa Corporation
copyright....: Copyright (c) 1998-2001 Netropa Corporation
product......: Multimedia Keyboard
description..: Multimedia Keyboard Driver for Windows 2000/XP
original name: msikbd2k.sys
internal name: msikbd2k.sys
file version.: 1.06 built by: WinDDK
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
-
Sorry for the delay, it definitely looks like a false positive from your version of Kaspersky's
How is everything running besides that?
-
[quote name='guestolo' date='26 June 2010 - 10:52 AM' timestamp='1277567561' post='470246']
Sorry for the delay, it definitely looks like a false positive from your version of Kaspersky's
How is everything running besides that?
[/quote]
Everything else is working fine, but I do have one last question. Does Kaspersky catch, detect everything? Or should I also install another program to complement Kaspersky?
Thank you for all the help!
-
I don't think that Kaspersky's could be 100% foolproof, but it's a very good Security suite
It's one of the best out there, so you definitely have great protection
You could however install another bit of software
It will help to silently protect you, it does not run in the background
SpywareBlaster by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
At the link you can read more about it if you like then continue with
Free Download on the right>>Continue Download at next page
Basically it
* Will block bad ActiveX Controls
* Block Malevolent cookies in Internet Explorer and Firefox
* Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
IMPORTANT>>"Check for updates every couple of weeks or so"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection
Let's remove your outdated copy of Java from Add/Remove programs
Close all browser windows and remove Java™ 6 Update 7
Next: Open OTL.exe, click on the Cleanup button, follow the prompts and reboot if prompted
-
Thanks for all the help.
You're awesome!
-
[quote name='rinoscar' date='27 June 2010 - 04:05 PM' timestamp='1277679900' post='470291']
Thanks for all the help.
You're awesome!
[/quote]
You're very welcome, I'll lock this topic as your problems appear resolved, take care rinoscar :)