Please help identify this file and directory!! Is it keylogger? - Techist - Tech Forum

Old 04-16-2006, 01:18 PM   #1 (permalink)
True Techie
Join Date: Mar 2005
Posts: 136
Default Please help identify this file and directory!! Is it keylogger?

This folder is in my main user account, and the path is as follows: \local settings\temp\aaxB6.tmp. It is over 1.2GB!!

Here are the files that are in the folder...

aaxB7.tmp            1.1GB
ccpB8.tmp            125MB
encode.log           6MB
statistics.pass1.xml 4K
statistics.xml       0K

This is a sample of the log file that is in the folder. It almost looks like it could be a keylogger of some kind? Any ideas as to what this is? There are no references as to its link to any programs.

PLEASE help! This is making me feel weird about having this on my PC and not knowing what it is...

##map version 8
nframes 145924
timescale 30000
passes 1
***(Added by me: the next two lines are spaced out more; there are 7 fields that go over the 7 columns of data)***
seq  deltaT  type  total_bits  motion_complexity  texture_complexity  modulation
0    0       I     18280       0.000039           0.274884            1.000000
1    1251    P     888         0.004258           0.000000            1.000000
2    1251    P     888         0.004258           0.000000            1.000000
3    1251    P     888         0.004258           0.000000            1.000000
4    1252    P     888         0.004258           0.000000            1.000000
5    1251    P     888         0.004258           0.000000            1.000000
6    1251    P     888         0.004258           0.000000            1.000000
7    1251    P     888         0.004258           0.000000            1.000000
8    1252    P     888         0.004258           0.000000            1.000000
9    1251    P     888         0.004258           0.000000            1.000000
10   1251    P     888         0.004258           0.000000            1.000000
11   1251    P     888         0.004258           0.000000            1.000000
12   1252    P     888         0.004258           0.000000            1.000000
13   1251    P     888         0.004258           0.000000            1.000000
14   1251    P     888         0.004258           0.000000            1.000000
15   1251    P     888         0.004258           0.000000            1.000000
16   1252    P     888         0.004258           0.000000            1.000000
17   1251    P     888         0.004258           0.000000            1.000000

mikepg is offline  
Old 04-16-2006, 01:39 PM   #2 (permalink)
True Techie
Join Date: Mar 2005
Posts: 136

Here is my Hijack This log, if it helps. Any other programs I should run to check my system out?

Logfile of HijackThis v1.99.1
Scan saved at 2:33:36 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ 2.0\program\soffice.exe
C:\Program Files\ 2.0\program\soffice.BIN
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\Hpqdirec.exe
C:\Documents and Settings\mike\Desktop\Downloads\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search &
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Cyber-Rights Messenger.lnk = ?
O4 - Startup: Hush Messenger.lnk = ?
O4 - Startup: 2.0.lnk = C:\Program Files\ 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C2FD2D7-79DF-4797-B8E9-83C8786A064B}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{82276CA2-B246-4417-9852-AADB71E624DB}: NameServer =
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth
O23 - Service: Cd12nw - Unknown owner - C:\WINDOWS\system32\dosx.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

mikepg is offline  
Old 04-16-2006, 01:47 PM   #3 (permalink)
It's all just 1s and 0s
Join Date: Jan 2004
Location: in the lab
Posts: 6,555

I can't find a keylogger starting on boot.

I do wonder how long it takes to boot your PC, though. There's a lot of unnecessary crap in there.
office politics is offline  
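The check office politics describes ("can't find a keylogger starting on boot") is a pass over the O4 autorun and O23 service lines, and it can be done mechanically. The script below is an added example for this thread, not HijackThis code and not part of anyone's post. SAMPLE_HJT is a constructed excerpt of lines copied from the log above; the regular expressions assume the line layouts seen in that log, and "Unknown owner" is taken, as observed there, to be HijackThis's label for a service binary that carries no company name. A flag means "verify this file by hand" (publisher, hash, install date), not "malicious"; the replies in this thread judged the log clean, and the script only builds the review queue that such a judgement should be based on.

```python
"""Triage the O4 (autorun) and O23 (service) lines of a HijackThis log into
a review queue.  Added example; not HijackThis code, not from the thread."""
import re

# Line layouts as they appear in the posted log (assumption: HJT 1.99.1 format).
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Cyber-Rights Messenger.lnk = ?
O4 - Startup: Hush Messenger.lnk = ?
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cd12nw - Unknown owner - C:\WINDOWS\system32\dosx.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
""".strip()


def parse_hjt(text):
    """Turn O4/O23 lines into dicts; other HJT sections are ignored."""
    entries = []
    for ln in text.splitlines():
        ln = ln.strip()
        if m := RUN_RE.match(ln):
            entries.append({"kind": "run", "hive": m[1], "name": m[2], "target": m[3]})
        elif m := STARTUP_RE.match(ln):
            entries.append({"kind": "startup", "scope": m[1], "name": m[2], "target": m[3]})
        elif m := SERVICE_RE.match(ln):
            entries.append({"kind": "service", "name": m[1], "owner": m[2], "target": m[3]})
    return entries


def flags_for(entry):
    """Reasons an entry deserves a manual look.  None of these is a verdict."""
    flags = []
    target = entry["target"].strip('"')
    if entry["kind"] == "service" and entry["owner"] == "Unknown owner":
        flags.append("unknown_owner")            # binary carries no company name
    if entry["kind"] == "startup" and target == "?":
        flags.append("unresolved_shortcut")      # HJT could not resolve the .lnk target
    if entry["kind"] == "run" and not re.match(r"^[A-Za-z]:\\", target):
        flags.append("bare_filename")            # found by search order, not a fixed path
    if re.search(r"\\(temp|tmp)\\|\\documents and settings\\", target, re.I):
        flags.append("user_writable_location")   # autorun from a user-writable directory
    return flags


def triage(text):
    """Only the entries that carry at least one flag, with their flags attached."""
    return [dict(e, flags=f) for e in parse_hjt(text) if (f := flags_for(e))]


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        print(f"{e['kind']:8} {e['name']:32} {', '.join(e['flags'])}")
```

On the sample this queues six of twelve entries: the three "Unknown owner" services, the two startup shortcuts HijackThis could not resolve, and the SoundMan entry that is a bare file name. Clearing a queued item means locating the file, checking its version information and signature (or a hash against a known-good copy), and confirming the product that installed it; an entry with a known vendor path and a resolvable target is not interesting and is left out.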
Old 04-16-2006, 01:57 PM   #4 (permalink)
True Techie
Join Date: Mar 2005
Posts: 136

It actually boots pretty quickly to the logon screen. Once I log in with my username, it takes a while to boot, and I'm running an MSI K8n Neo4 Plat, AMD 3200 64, (4) 512 PC3200, and ATI AIW x600. Need to get a sound card though..

Any suggestions on how to clean this up? I have been out of the "clean up" field for so long that I don't remember what is what. At my work, it is faster to re-image the HD and get the PC back to the user than mess around with troubleshooting.

Used to know this stuff, but wouldn't mind looking for a few pointers..

Thanks a lot for the reply bro!! The size of the file is what worried me. 1.2GB for a temp file? The log is 6MB!?! Seems odd to me..

Any other good tech forums you go to?
mikepg is offline  
Old 04-16-2006, 02:16 PM   #5 (permalink)
Junior Techie
Join Date: Mar 2006
Posts: 84

I would suggest that you backup any pertinent data and attempt to delete the folder.

If it is something that XP requires, it won't allow you to delete it. That is one of the better features of XP.

You might try running a search on Windows website to see if the folder shows up.
old_geekster50 is offline  
Old 04-16-2006, 02:36 PM   #6 (permalink)
Monster Techie
Join Date: Mar 2006
Posts: 1,533

Your log is clean, and that folder is definitely not a keylogger. It looks like a video encoding log, probably the temp folder of some video converter software you use. You can safely delete it, just like anything else in the *temp* folder, as it is used only for temporary files.
jeremy is offline  
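jeremy's identification can be checked against the numbers in the first post rather than taken on trust. The script below is an added example for this thread, not code from the poster or from any encoder vendor. Its column meanings are assumptions read off the header row the poster quoted: deltaT is the frame duration in units of 1/timescale second and type is the frame kind (I, P or B); SAMPLE_LOG is constructed from the quoted lines. It shows that timescale/deltaT works out to 23.98 fps (the NTSC film rate), that 145924 frames at that rate is about 101 minutes of video, and that 145924 rows of roughly 44 bytes each is about 6 MB, which matches the reported size of encode.log. A keystroke log does not parse under these rules at all, which is the quickest way to settle the question the thread opened with.

```python
"""Check whether a suspect log has the shape of a two-pass video-encoder
statistics file and whether its numbers hang together.
Added example; not from the forum post or from any encoder vendor."""
import re
from statistics import mean

# Constructed sample: header and the 18 frame rows quoted in the first post.
SAMPLE_LOG = """\
##map version 8
nframes 145924
timescale 30000
passes 1
seq deltaT type total_bits motion_complexity texture_complexity modulation
0 0 I 18280 0.000039 0.274884 1.000000
1 1251 P 888 0.004258 0.000000 1.000000
2 1251 P 888 0.004258 0.000000 1.000000
3 1251 P 888 0.004258 0.000000 1.000000
4 1252 P 888 0.004258 0.000000 1.000000
5 1251 P 888 0.004258 0.000000 1.000000
6 1251 P 888 0.004258 0.000000 1.000000
7 1251 P 888 0.004258 0.000000 1.000000
8 1252 P 888 0.004258 0.000000 1.000000
9 1251 P 888 0.004258 0.000000 1.000000
10 1251 P 888 0.004258 0.000000 1.000000
11 1251 P 888 0.004258 0.000000 1.000000
12 1252 P 888 0.004258 0.000000 1.000000
13 1251 P 888 0.004258 0.000000 1.000000
14 1251 P 888 0.004258 0.000000 1.000000
15 1251 P 888 0.004258 0.000000 1.000000
16 1252 P 888 0.004258 0.000000 1.000000
17 1251 P 888 0.004258 0.000000 1.000000
"""

HEADER_RE = re.compile(r"^(nframes|timescale|passes)\s+(\d+)$")
COLUMNS = ("seq", "deltaT", "type", "total_bits",
           "motion_complexity", "texture_complexity", "modulation")


def parse_encode_log(text):
    """Parse header and frame rows; raise ValueError on anything else.
    Strictness is the point: a keystroke log will not pass these checks."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("##map version "):
        raise ValueError("missing '##map version' header")
    stats = {"version": int(lines[0].split()[-1]), "frames": []}
    i = 1
    while i < len(lines) and (m := HEADER_RE.match(lines[i])):
        stats[m.group(1)] = int(m.group(2))
        i += 1
    missing = [k for k in ("nframes", "timescale", "passes") if k not in stats]
    if missing or i >= len(lines) or tuple(lines[i].split()) != COLUMNS:
        raise ValueError("header fields or column row not as expected")
    for ln in lines[i + 1:]:
        f = ln.split()
        if len(f) != 7 or f[2] not in ("I", "P", "B"):
            raise ValueError("malformed frame row: " + ln)
        stats["frames"].append({
            "seq": int(f[0]), "deltaT": int(f[1]), "type": f[2],
            "total_bits": int(f[3]), "motion": float(f[4]),
            "texture": float(f[5]), "modulation": float(f[6])})
    return stats


def looks_like_encoder_log(text):
    try:
        return len(parse_encode_log(text)["frames"]) > 0
    except ValueError:
        return False


def summarize(stats):
    """Frame rate, running time and frame-type mix implied by the log."""
    frames = stats["frames"]
    deltas = [f["deltaT"] for f in frames if f["deltaT"] > 0]
    fps = stats["timescale"] / mean(deltas)      # 30000 / ~1251.2 = 23.98 fps
    counts = {}
    for f in frames:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return {"fps": round(fps, 2),
            "duration_min": round(stats["nframes"] / fps / 60, 1),
            "frame_types": counts,
            "sample_bits": sum(f["total_bits"] for f in frames)}


def _mean_digits(n):
    """Mean decimal width of the integers 0 .. n-1."""
    total, lo, width = 0, 0, 1
    while lo < n:
        hi = min(n, 10 ** width)
        total += (hi - lo) * width
        lo, width = hi, width + 1
    return total / n


def expected_log_bytes(stats):
    """Bytes that nframes rows of the observed width would occupy, allowing
    for the seq column growing to six digits over the whole file."""
    frames = stats["frames"]
    widths = [len(f"{f['seq']} {f['deltaT']} {f['type']} {f['total_bits']} "
                  f"{f['motion']:.6f} {f['texture']:.6f} {f['modulation']:.6f}") + 1
              for f in frames]
    seq_growth = _mean_digits(stats["nframes"]) - mean(len(str(f["seq"])) for f in frames)
    return int(stats["nframes"] * (mean(widths) + seq_growth))


def log_size_plausible(stats, reported_bytes, slack=0.2):
    """True when the reported size is within `slack` of the one-row-per-frame
    estimate; 6 MB for 145924 frames fits, 60 MB would not."""
    expected = expected_log_bytes(stats)
    return abs(reported_bytes - expected) / expected <= slack


if __name__ == "__main__":
    stats = parse_encode_log(SAMPLE_LOG)
    print(summarize(stats), expected_log_bytes(stats), log_size_plausible(stats, 6 * 1024 * 1024))
```

The size check is the part worth keeping for other "what is this huge temp file" questions: a log that claims one row per frame has a predictable size, and a file that is far larger than nframes times the row width is holding something other than what its header says.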
Old 04-16-2006, 02:52 PM   #7 (permalink)
True Techie
Join Date: Mar 2005
Posts: 136

Cool, probably a DivX converter. I'll email DivX about it. Thanks for the reassurance!

mikepg is offline  