Can a keylogger log your clipboard?

I've recently become paranoid after I fell victim to a keylogger last week, having a very important password stolen, and decided to manually copy and paste my passwords from a Notepad document from then on. Might be important to note that since that time I had never typed the password, even to initially create it. Thought I was safe and was surprised to have the same password stolen again. I have run HijackThis, AVG, Trojan Remover, Trend Micro online scan, Ad-Aware, and Security Task Manager (actually a safe program, believe it or not) and my system turned up clean. I even ran them all in Safe Mode to be sure. I have a router and use the XP firewall as well. I just don't get it. The only possible way that password could have been stolen again is if the keylogger is somehow recording my clipboard, which I have begun deleting after I paste the password. Is this possible? Is there any way to prevent it happening in the future?

Can you post the HijackThis log for us to look at?

Quote from: endezeichen on August 23, 2007, 12:41:58 AM

The only possible way that that password could have been stolen again is if the keylogger is somehow recording my clipboard, which I have begun deleting after I paste the password. Is this possible?

Yes.

Quote from: endezeichen on August 23, 2007, 12:41:58 AM

Is there any way to prevent it happening in the future?

Get rid of the keylogger. As unlovedwarrior said, a HijackThis log would be a good place to start.

Sorry, I didn't post my HijackThis log because I didn't think it would be necessary. I've done extensive cleaning with many programs as well as manually. This really is one heck of a trojan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:21 AM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Just took a nice look into this one and noticed there was a bogus exe in the folder that was not recognized by google or licensed. Deleted the whole folder, could care less about winmsngr... that could be what I had missed
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Services (NOD32kren) - Nero AG - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2626 bytes

Thanks
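A triage helper for HijackThis logs like the one above, added here as an example (it is not HijackThis's own code and not from anyone in the thread): it parses O4 autorun and O23 service entries and flags the two things a helper would ask about first, a service registered with no file behind it and an autorun command that names a bare executable with no directory. The entries in SAMPLE_LOG are copied from the log above; the two heuristics are my assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Entries copied from the HijackThis log posted above; the selection is a constructed sample.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Services (NOD32kren) - Nero AG - (no file)
"""

# O4: autorun registry values; O23: registered services (shapes as seen in the log above).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")

@dataclass
class Finding:
    section: str  # HijackThis section code ("O4" or "O23")
    name: str     # autorun value name or service short name
    reason: str   # why the entry deserves a manual look

def autorun_target(command: str) -> str:
    """Return the file an O4 command actually launches (the DLL for rundll32 entries)."""
    if command.startswith('"'):
        exe, _, rest = command[1:].partition('"')
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower() == "rundll32.exe" and rest.strip():
        exe = rest.strip().split(",")[0]
    return exe

def triage(log_text: str) -> List[Finding]:
    """Parse O4/O23 entries and return those that cannot be verified from the log alone."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        if m := O4_RE.match(line):
            target = autorun_target(m.group("command"))
            # A bare file name is resolved through the search path at logon, so the
            # log alone does not tell you which file on disk is really being started.
            if "\\" not in target:
                findings.append(Finding("O4", m.group("name"), f"no directory in autorun command: {target}"))
        elif m := O23_RE.match(line):
            # A service whose binary is gone is a leftover (of a removal, or of the
            # malware itself) that should be identified and cleaned rather than ignored.
            if m.group("path") == "(no file)":
                name = m.group("name") or m.group("display")
                findings.append(Finding("O23", name, f"service registered but binary missing; vendor field: {m.group('vendor')}"))
    return findings
```

Run `triage(SAMPLE_LOG)` against a full log: on the sample it reports the RTHDCPL autorun entry and the NOD32kren service, while the AVG, Nero and NVIDIA entries with a resolvable path pass.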
You could have just uploaded the file to http://www.virustotal.com/; it can tell you, from numerous scanners, whether a file is malicious or not. Do you download warez by any chance?

One thing you can try: download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: don't click on the window while it's running; this may cause stalls.

You could also try running a full-system scan with SUPERAntiSpyware in Safe Mode.

I'm not sure how much this will help, though. When it comes to this sort of breach of security, I think it's best to back up all important personal files (not programs; download them again later) and then reformat. Keyloggers can be pretty sneaky, and even when you remove one, it's sometimes hard to trust that your computer truly is clean again.

Well, I must say, ComboFix is a pretty interesting and useful program. Never even heard of it, so thanks for that. Got a bit wary when ZoneAlarm told me it was launching cmd.exe; that was a high-risk alert. Did a little reading up and apparently ComboFix was infected a few months ago. I just assumed that was a clean version and the cmd.exe part was just part of the process. Oh yeah, Wwwwinnnantispyware... the most annoying piece of crap I've ever had on my computer. Apparently I didn't get rid of it as I thought I did.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\ystem~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\scurit~1
C:\WINDOWS\system32\aeksree.dll
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\H1
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\mcroso~1.net\M?crosoft.NET\
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\V1
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wtsicomsv.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt

Does anyone know of a keylogger that can log a copy-and-pasted password?
I don't know of one, the log usually comes up as Ctrl C and Ctrl P with no further detail.
Could you be getting directed to a malicious website and pasting your password there?
This is a common problem when clicking on links that come in emails, very common with banking sites, but they play it down because they don't want to admit they're being ripped off.
I have personally reported 2 such misdirections to 2 different banks and neither of them even acknowledged my email.
They're running scared.
