Possible keylogger infection after Elitebar

Unknown

Hi,

I spent the whole weekend removing Elitebar. Adaware, Spybot, Spyware Dr., and HJT were not too helpful because there was a hidden process (kalvrhw32.exe) re-infecting the computer. I installed Security Task Manager, which identified and stopped that process.

Anyway, now all 3 programs run clean but I was running Spyware Doctor and noticed that the Scanning Entry showed the following for a few secondswhile scanning directories:

c:\program Files\Invisible Keylogger\...\*.jpg

I also noticed that while scanning the processes, Spyware Doctor showed something like "007 keylogger". All 3 spyware removal programs come out clean now, but I am still very concerned. I am sure I did not imagine any of this.

My latest HTW log is attached below. I still have some of the early ones, if they are useful to anyone.

Thanks for any suggestions you may provide.

G.

Logfile of HijackThis v1.97.7
Scan saved at 10:16:42 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Stretch\Stretch.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Eudora\Eudora.exe
C:\Program Files\Eudora\Plugins\Spamnix\Spamnix.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\SYSTEM32\cmd.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Gabriel%20Toro/Application%20Data/Microsoft/Internet%20Explorer/grt.htm
O1 - Hosts: 192.131.143.35 rei
O1 - Hosts: 192.131.143.35 REI
O1 - Hosts: 192.131.143.35 risk735
O1 - Hosts: 192.131.143.40 server1 # Terminal Server
O1 - Hosts: 192.131.143.43 ntserver
O1 - Hosts: 192.131.143.44 klm
O1 - Hosts: 192.131.143.45 scw
O1 - Hosts: 192.131.143.46 tps
O1 - Hosts: 192.131.143.47 rkm
O1 - Hosts: 192.131.143.48 peggy
O1 - Hosts: 192.131.143.51 jav1000
O1 - Hosts: 192.131.143.52 jav
O1 - Hosts: 192.131.143.53 klm_old
O1 - Hosts: 192.131.143.55 laptop2
O1 - Hosts: 192.131.143.70 Hpslip
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ATT Wireless RoamingClient] "C:\Program Files\AT&T Wireless\Wi-Fi Connector\AWSWC.exe" "C:\Program Files\AT&T Wireless\Wi-Fi Connector\AwsWifi.skn"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: grt.lnk = ?
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Startup: Stretch Break.lnk = C:\Program Files\Stretch\Stretch.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Citi (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax65.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v5/Ticker.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A326B8-7757-4CCD-A026-3565A4980E9A}: NameServer = 64.7.11.2,205.171.3.65

SpywareShooter

Please upgrade to hijackthis version 1.98.2 and post a new log.

GRToro

Here is the log obtained with HJT 1.98.2. I look forward to your suggestions.

Thanks,

G.

Logfile of HijackThis v1.98.2
Scan saved at 4:57:13 PM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Stretch\Stretch.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Eudora\Eudora.exe
C:\Program Files\Eudora\Plugins\Spamnix\Spamnix.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\speech\vcmd.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Microsoft Office\Office10\1033\msohelp.exe
C:\WINDOWS\SYSTEM32\cmd.exe
C:\Program Files\gs\Ghostgum\gsview\gsview32.exe
C:\Program Files\emacs\emacs-20.7\bin\emacs.exe
c:\sys\util\gnuserv.exe
C:\Program Files\gs\Ghostgum\gsview\gsview32.exe
C:\Program Files\emacs\emacs-20.7\bin\emacs.exe
C:\WINDOWS\SYSTEM32\cmd.exe
c:\cygwin\bin\less.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Gabriel%20Toro/Application%20Data/Microsoft/Internet%20Explorer/grt.htm
O1 - Hosts: 192.131.143.35 rei
O1 - Hosts: 192.131.143.35 REI
O1 - Hosts: 192.131.143.35 risk735
O1 - Hosts: 192.131.143.40 server1 # Terminal Server
O1 - Hosts: 192.131.143.43 ntserver
O1 - Hosts: 192.131.143.44 klm
O1 - Hosts: 192.131.143.45 scw
O1 - Hosts: 192.131.143.46 tps
O1 - Hosts: 192.131.143.47 rkm
O1 - Hosts: 192.131.143.48 peggy
O1 - Hosts: 192.131.143.51 jav1000
O1 - Hosts: 192.131.143.52 jav
O1 - Hosts: 192.131.143.53 klm_old
O1 - Hosts: 192.131.143.55 laptop2
O1 - Hosts: 192.131.143.70 Hpslip
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ATT Wireless RoamingClient] "C:\Program Files\AT&T Wireless\Wi-Fi Connector\AWSWC.exe" "C:\Program Files\AT&T Wireless\Wi-Fi Connector\AwsWifi.skn"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: grt.lnk = ?
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Startup: Stretch Break.lnk = C:\Program Files\Stretch\Stretch.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v5/Ticker.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A326B8-7757-4CCD-A026-3565A4980E9A}: NameServer = 64.7.11.2,205.171.3.65

SpywareShooter

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Gabriel%20Toro/Application%20Data/Microsoft/Internet%20Explorer/grt.htm
O1 - Hosts: 192.131.143.35 rei
O1 - Hosts: 192.131.143.35 REI
O1 - Hosts: 192.131.143.35 risk735
O1 - Hosts: 192.131.143.40 server1 # Terminal Server
O1 - Hosts: 192.131.143.43 ntserver
O1 - Hosts: 192.131.143.44 klm
O1 - Hosts: 192.131.143.45 scw
O1 - Hosts: 192.131.143.46 tps
O1 - Hosts: 192.131.143.47 rkm
O1 - Hosts: 192.131.143.48 peggy
O1 - Hosts: 192.131.143.51 jav1000
O1 - Hosts: 192.131.143.52 jav
O1 - Hosts: 192.131.143.53 klm_old
O1 - Hosts: 192.131.143.55 laptop2
O1 - Hosts: 192.131.143.70 Hpslip

Fix those entries then reboot and post a new log.

GRToro

Hi,

Thanks for your response. A few explanations about the entries below (I should have explained it earlier):

This R0 entry actually points to my startup file. It has not been changed since long before the infection. Do I really need to remove it?

The host-file entries are the fixed IP addresses of an office LAN. I added all of them and they are correct.

Any other suggestions?

Thanks,

G.

SpywareShooter wrote:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Gabriel%20Toro/Application%20Data/Microsoft/Internet%20Explorer/grt.htm

These host-file entries are the fixed IP addresses of an office LAN.

O1 - Hosts: 192.131.143.35 rei
O1 - Hosts: 192.131.143.35 REI
O1 - Hosts: 192.131.143.35 risk735
O1 - Hosts: 192.131.143.40 server1 # Terminal Server
O1 - Hosts: 192.131.143.43 ntserver
O1 - Hosts: 192.131.143.44 klm
O1 - Hosts: 192.131.143.45 scw
O1 - Hosts: 192.131.143.46 tps
O1 - Hosts: 192.131.143.47 rkm
O1 - Hosts: 192.131.143.48 peggy
O1 - Hosts: 192.131.143.51 jav1000
O1 - Hosts: 192.131.143.52 jav
O1 - Hosts: 192.131.143.53 klm_old
O1 - Hosts: 192.131.143.55 laptop2
O1 - Hosts: 192.131.143.70 Hpslip

Fix those entries then reboot and post a new log.

SpywareShooter

Okay, you don't need to fix them. I seen no keylogger on yoru system though. Are you sure there is one?

GRToro

Thanks for your response. As I mentioned in my first posting, I briefly saw these suspicious file names while Spyware Doctor was scanning (I don't see them every time, though). It could be that the program was listing known threats, not existing files. I submitted a question to the Spyware Doctor people, but they have not responded (they are not as quick as you are!).

How good are spyware programs at detecting keyloggers? I am using Ad-aware, Spybot, Spyware Doctor, and HJT (in addition to Norton antivirus). After my experiences during the weekend, I am becoming paranoid. Who isn't?

Thanks,

G

SpywareShooter

I don't know about Spyware Doctor, but I know that Ad-Aware and Spybot scan for known threats also. This scared me too the first time I ran Ad-Aware (knowing nothing about the tools). That is probably waht it was.