
Webwatcher/keylogger?


11 replies to this topic

#1 ashtan

ashtan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:28 AM

Posted 27 June 2008 - 01:55 PM

Hi....

I hope I'm posting in the right spot. My husband has something called webwatcher on my computer. I found it through Spybot. I also searched for files & came up with one called keylogger under C:\DocumentsandSettings\Owner\Recent . I know he's monitoring what I do. I need to know how to prove it ASAP. He's decided to divorce me & I really need this info. PLEASE! I have no idea what I'm doing on the computer! He already knows that I know about it because he found a page I printed last night. I need to get this proved today & over to my lawyer's office! Just a little background...short version...I know he's been in my email, etc, when I call him on it he tells me I'm crazy & losing my mind. I KNOW I'm not crazy now! He's got this crap on my PC. PLEASE PLEASE tell me how to prove it! My friend told me how to find it, but have no clue how to print out things proving that it's here. Help!!!

THANKS :thumbsup:


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 27 June 2008 - 02:03 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

And look in your software list if you can find "Webwatcher". If you find it, delete it. :thumbsup:


(This will delete the keylogger if it's malware, and in the logfile you have your proof)

Edited by superbird, 27 June 2008 - 02:06 PM.


#3 ashtan

Posted 27 June 2008 - 02:41 PM

ok, the scan is running (thank you!!!!) but my lawyer suggested NOT deleting it just yet, she might want me to bring the computer in to her office. Is there a way to choose NOT to delete this at the end & still print out the proof???

#4 ashtan

Posted 27 June 2008 - 02:52 PM

all that showed up was adaware coupons. But I KNOW this webwatcher & keylogger is on there, I saw it on the spybot & search thing. Any other ideas?

#5 Guest_superbird_*

Posted 27 June 2008 - 02:56 PM

We have enough ideas. :thumbsup:

Please do this:

Go to Kaspersky Online scanner.
Click Accept
Follow the instructions, and scan your whole system.
Post the logfile in your next reply. :flowers:

#6 ashtan

Posted 27 June 2008 - 03:26 PM

do I choose "my computer" to scan?

#7 ashtan

Posted 27 June 2008 - 05:41 PM

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 179771
Number of viruses found 5
Number of infected objects 39
Number of suspicious objects 1
Duration of the scan process 02:08:06

Infected Object Name Virus Name Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN/data.rar/keyms.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN RarSFX: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN CryptZ: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Suspicious: Exploit.Win32.IMG-WMF skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01CC0000.VBN Infected: Trojan-Dropper.MSOffice.Agent.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01CC0001.VBN Infected: Trojan-Dropper.MSOffice.Agent.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01CC0002.VBN Infected: Trojan-Dropper.MSOffice.Agent.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01CC0003.VBN Infected: Trojan-Dropper.MSOffice.Agent.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN/data.rar/keyms.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN RarSFX: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040000.VBN CryptZ: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN/data.rar/keyms.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN RarSFX: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09040001.VBN CryptZ: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B6C0000.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B6C0001.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700001.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700002.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700003.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740000.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740001.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740002.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740003.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B940000.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B940001.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped

C:\Drivers\pspv.zip/pspv.exe Infected: not-a-virus:PSWTool.Win32.PassView.162 skipped

C:\Drivers\pspv.zip ZIP: infected - 1 skipped

Scan process completed.
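
Added example (not part of any post in this thread): a report like the one above mixes locked-file rows, detections that already sit inside Norton's quarantine folder, and detections on ordinary paths, and this Python separates the three so the files still in place stand out. The row grammar is inferred from the lines posted here; `ROW`, `SAMPLE` and `triage` are names made up for this example.

```python
import re
from collections import Counter

# Constructed sample: a few rows in the format of the scan report in this post,
# one per verdict type that appears in it.
SAMPLE = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B6C0000.VBN Infected: Trojan-Spy.Win32.BZub.buz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00000.VBN RarSFX: infected - 5 skipped
C:\Drivers\pspv.zip/pspv.exe Infected: not-a-virus:PSWTool.Win32.PassView.162 skipped
C:\Drivers\pspv.zip ZIP: infected - 1 skipped
"""

# Assumed row layout: <path> <verdict> <last action>, where the path may contain spaces.
ROW = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"(?P<kind>Infected|Suspicious): (?P<name>\S+)"      # a named detection
    r"|(?P<container>\w+): infected - (?P<count>\d+)"    # per-archive summary row
    r"|(?P<locked>Object is locked)"                     # file in use, could not be read
    r")\s+skipped$"
)


def triage(report_text):
    """Split report rows into locked noise, quarantined copies and files still in place."""
    result = {"locked": 0, "quarantined": Counter(), "live": [], "unparsed": []}
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            result["unparsed"].append(line)      # keep unknown rows visible
        elif m["locked"]:
            result["locked"] += 1                # says nothing about infection
        elif m["container"]:
            continue                             # its members are listed as their own rows
        elif "\\quarantine\\" in m["path"].lower():
            result["quarantined"][m["name"]] += 1
        else:
            result["live"].append((m["path"], m["kind"], m["name"]))
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print("locked rows:", summary["locked"])
    print("inside quarantine:", dict(summary["quarantined"]))
    for path, kind, name in summary["live"]:
        print("still in place:", kind, name, "->", path)
```

Running it over a saved copy of the full report instead of `SAMPLE` gives the same three-way split without modifying any file on disk.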

#8 Guest_superbird_*

Posted 28 June 2008 - 02:42 AM

Hi,

At first, I see there is a trojan present.
If you want to clean it:

1. Open Notepad (Do not use any other text editor or the script will fail!)
Copy/paste this bold code into the Notepad-file:

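@ECHO OFF
REM Start a fresh log in the current folder
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM For each listed file: clear read-only/system/hidden attributes, delete it, log the result
FOR %%g IN (
"C:\Drivers\pspv.zip") DO (
    IF EXIST "%%~g" (
        ATTRIB -r -s -h "%%~g"
        DEL "%%~g"
        IF EXIST "%%~g" (
            ECHO %%~g not deleted>>log.txt
        ) ELSE (
            ECHO %%~g deleted>>log.txt
        )
    ) ELSE (
        ECHO %%~g not found>>log.txt
    )
)
START NOTEPAD.EXE log.txt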


Go to File > Save as...
Fill in these values:
Location: Desktop
File name: del.bat
File Type: All files
Click Save
Now double-click del.bat and post the content of the logfile that opens.

2. Clean up the virus vault of Norton. There are viruses in there. :thumbsup:

Now, let's deal with the keylogger:

Go to C:\Program Files\, is there a folder with a name like WebWatcher or something?
If not, we have other solutions, but we need to do it step-by-step...

#9 ashtan

Posted 30 June 2008 - 08:20 AM

ok, so you definitely see a keylogger though?? The computer is actually at my lawyer's office right now, they are having their pc guys look at it to prove this stuff is on there. So I can't get rid of the viruses & other things right now. But you DO see a keylogger??? My husband admitted there was one but said it was removed long ago & I couldn't prove anything. But if you see it....it's still there....so my lawyer's pc guys should find it too, right? THANK YOU!!! I really don't know very much about computers, so I'm astounded that I figured this out. Thank you so much for your help. When I get it back I'll return to figure out how to get all this stuff off of there :thumbsup:

#10 Guest_superbird_*

Posted 30 June 2008 - 08:25 AM

Hi,

No, I didn't see a keylogger with these tools. But I saw a trojan present, this was that trojan: http://virscan.org/report/9bb6d11fe489eaec...1b95ec0158.html

I think they will find it. I wanted to ask you to post a HijackThis logfile. I think it's present in there, but it's too late now. Wait for the PC guys at the lawyer's, I think they will find it too.

Please respond when you have your pc back, so we can clean it. :thumbsup:

#11 ashtan

Posted 30 June 2008 - 08:27 AM

what is a hijack this logfile? what does that do?

#12 Guest_superbird_*

Posted 30 June 2008 - 08:30 AM

HijackThis is a program used by the HJT Helpers here on the forum. With HijackThis you can find almost all malware/keyloggers that are present. I'm almost sure an entry from the keylogger will be shown when it's active. :thumbsup:

I may not help you with HijackThis logs. I recommend you wait until the PC is analysed by the PC tech guys at your lawyer's. If they cannot find anything, we can try it through HijackThis.



