
W32 Keylogger


3 replies to this topic

#1 Nerublanco

  • Members
  • 2 posts

Posted 06 June 2005 - 02:58 PM

Hi all, I'm kind of new to this computers thing and I found out that I have a W32 keylogger on my machine. I was using Norton AntiVirus before but it did not detect it; then I installed F-Prot and this program detected it, but it says that it could not remove it (no clue why). Then I've been using Spyware Doctor, XoftSpy, Ad-Aware 6.0, Spybot, Microsoft AntiSpyware, but none of these have detected it. First it said that this w32**keylogger*.dll was in the folder C:\Windows\system32\; I found it, renamed it and moved it to the root. A couple of days later I could not find it and F-Prot gave me this alert:

C:\System Volume Information\_restore{71CD564C-DFCF-4E26-881D-D113F8018F35}\RP91\A0011601.dll infection: W32/SCkeylogger.D@pws

I don't really have a clue on how to eliminate this and if there is a way to find out what kind of information it was collecting.

My PC is a Compaq Presario SR1334NX running Windows XP SP2
Pentium 4 2.66 MHz
512 SDRAM
160 GB HD
High-speed internet (before, I had it connected directly to my computer and was using Windows Firewall and Norton Firewall; later I connected my PC to a Unisys router that also goes to another computer, and it is set up to allow access to only 2 IP addresses)
I am using IE and Mozilla.

That is why I decided to talk to the experts, so could somebody please help me?

This is a copy of my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:17 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\csrss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe 
C:\Program Files\Ahead\InCD\InCDsrv.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\system32\spoolsv.exe 
C:\WINDOWS\system32\crypserv.exe 
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe 
C:\WINDOWS\Explorer.EXE 
C:\WINDOWS\System32\alg.exe 
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe 
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe 
C:\WINDOWS\ALCWZRD.EXE 
C:\WINDOWS\ALCMTR.EXE 
C:\Program Files\Win AntiSpam\gcasServ.exe 
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe 
C:\Program Files\Ahead\InCD\InCD.exe 
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\iPod\bin\iPodService.exe 
C:\Program Files\FSI\F-Prot\F-StopW.EXE 
C:\Program Files\FSI\F-Prot\F-Sched.exe 
C:\WINDOWS\system32\ctfmon.exe 
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe 
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\Program Files\Yahoo Messenger\Messenger\ymsgr_tray.exe 
C:\Program Files\Win AntiSpam\gcasDtServ.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quixtar.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quixtar.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll 
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll 
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll 
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll 
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll 
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll 
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe 
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe 
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe 
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE 
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r 
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE 
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE 
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe 
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe 
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Win AntiSpam\gcasServ.exe" 
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe" 
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime 
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe 
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe 
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe 
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot 
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe 
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE 
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background 
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo Messenger\Messenger\ypager.exe -quiet 
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe 
O4 - Startup: Compaq Organize.lnk = ? 
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe 
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe 
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe 
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat 
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html 
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html 
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html 
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html 
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html 
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html 
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html 
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll 
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll 
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll 
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo Messenger\Messenger\yhexbmes0521.dll 
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo Messenger\Messenger\yhexbmes0521.dll 
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL 
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111982216750
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll 
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe 
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe 
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe 
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe



#2 MowGreen

  • Members
  • 44 posts

Posted 07 June 2005 - 01:41 PM

Howdy Nerublanco, and welcome to BC. The infected file is in the System Restore hierarchy and cannot reinfect the system unless you choose to utilize this restore point. You can flush System Restore by turning it off and back on, or run Disk Cleanup to remove all but the latest restore points. To be certain you've removed the infected restore point, I suggest you flush the restore hierarchy by right-clicking My Computer on the Desktop and choosing Properties. Then click the System Restore tab. Check the box next to Turn off System Restore on all drives, click Apply, then OK.
Now uncheck the box, click Apply, OK to re-enable System Restore.
Then go to Start, Programs, Accessories, System Tools, System Restore.
Choose Create a restore point and follow the prompts.

Also, go here and download the JRE 5.0 Update 3. Get the Windows Offline Installation. The one currently installed has critical vulnerabilities. Then go to Add/Remove Programs in the Control Panel and uninstall (Sun) JRE 1.4.2_03. Restart the system after uninstalling.
After restarting, install the latest Java package with all programs and browsers closed.
Steve Wechsler (akaMowGreen)
MS-MVP 2003-2011
Windows Expert - IT Pro
Consumer Security

*-343-* FDNY
NEVER FORGOTTEN
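
The two checks this thread turns on, worked as an added example (editor-supplied code, not anything Nerublanco, MowGreen or the HijackThis project wrote): first, whether a scanner hit sits inside the System Restore store, which is the basis of MowGreen's point that the file cannot reinfect the machine on its own; second, a pass over the O4/O20/O23 lines of a HijackThis log that flags autorun images written without an absolute path (Windows then resolves them through its search order, and the log alone does not tell you which file on disk actually runs) and services for which HijackThis printed "Unknown owner" instead of a publisher. The regular expressions, the `AutorunEntry` class and the function names are assumptions of this example; the sample lines are a constructed subset copied from the log posted above.

```python
"""Triage helpers for the two points in this thread (editor-added example code,
not from the original posts or from HijackThis).

1. classify_detection(): a scanner hit whose path is inside
   \\System Volume Information\\_restore{GUID}\\RPnn\\A00nnnnn.ext is a
   System Restore backup copy, not a file that runs on its own.
2. parse_hjt() / flag_entries(): read O4/O20/O23 lines from a HijackThis log
   and flag autorun images that are not absolute paths (Windows resolves them
   through its search order, so the log does not say which file runs) and
   services whose publisher HijackThis could not read ("Unknown owner").
The regexes, class and function names are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Restore-point layout on XP: <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<n>.<ext>
RESTORE_STORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP\d+\\A\d+\.\w+$",
    re.IGNORECASE,
)


def classify_detection(path: str) -> str:
    """'restore-point copy' for a hit inside the System Restore store, else 'live file'."""
    return "restore-point copy" if RESTORE_STORE.search(path.strip()) else "live file"


@dataclass
class AutorunEntry:
    section: str                 # 'O4', 'O20' or 'O23'
    name: str                    # value name, notify package or service name
    image: str                   # executable/DLL as the log gives it (quotes removed)
    args: str = ""               # O4 command-line arguments, if any
    owner: Optional[str] = None  # O23 only: publisher string HijackThis printed

    @property
    def qualified(self) -> bool:
        """True when the image is an absolute drive-letter path."""
        return re.match(r"^[A-Za-z]:\\", self.image) is not None


O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<image>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+)$")
# Split an O4 command into image and arguments; accepts quoted paths, unquoted
# paths containing spaces, and bare file names such as ALCXMNTR.EXE.
CMD_RE = re.compile(
    r'^(?P<img>"[^"]+"|\S+(?: \S+)*?\.(?:exe|dll|bat|cmd|scr))(?P<args>\s.*)?$',
    re.IGNORECASE,
)


def parse_hjt(log: str) -> List[AutorunEntry]:
    """Extract O4 Run, O20 Winlogon Notify and O23 Service entries from a HijackThis log."""
    entries: List[AutorunEntry] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            cmd = CMD_RE.match(m["cmd"])
            if cmd:  # skip anything we cannot split safely rather than guess
                entries.append(AutorunEntry("O4", m["name"], cmd["img"].strip('"'),
                                            (cmd["args"] or "").strip()))
        elif m := O20_RE.match(line):
            entries.append(AutorunEntry("O20", m["name"], m["image"].strip()))
        elif m := O23_RE.match(line):
            entries.append(AutorunEntry("O23", m["name"], m["image"].strip(), owner=m["owner"]))
    return entries


def flag_entries(entries: List[AutorunEntry]) -> List[str]:
    """One finding per entry that needs a closer look before it is trusted."""
    findings = []
    for e in entries:
        if not e.qualified:
            findings.append(f"{e.section} [{e.name}]: '{e.image}' is not an absolute path; "
                            "find the file on disk and check it yourself")
        if e.owner == "Unknown owner":
            findings.append(f"{e.section} [{e.name}]: no publisher read from '{e.image}'")
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo Messenger\Messenger\ypager.exe -quiet
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

if __name__ == "__main__":
    hit = r"C:\System Volume Information\_restore{71CD564C-DFCF-4E26-881D-D113F8018F35}\RP91\A0011601.dll"
    print(hit, "->", classify_detection(hit))
    for finding in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Run as a script it prints the classification of the F-Prot hit and three findings; `parse_hjt` takes a plain string, so a whole saved log can be fed to it. The not-an-absolute-path check is a triage aid, not proof of infection: the OEM sound and modem entries here are usually benign, and the running-processes list above shows where they resolved on this machine (C:\WINDOWS), but a log reader still has to locate and inspect the file rather than take the short name at face value.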

#3 Nerublanco

  • Topic Starter
  • Members
  • 2 posts

Posted 07 June 2005 - 03:19 PM

Hi MowGreen,

Thanks for helping me. I did it as you said and hopefully I will not have any other problem.

Thanks again and have a great and wonderful day :thumbsup:

#4 MowGreen

  • Members
  • 44 posts

Posted 07 June 2005 - 03:41 PM

You're most welcome. To help mitigate against future infestations, download and install Spyware Blaster.
Have a look at the FAQs to learn how to enable its protection, obtain updates for it, etc.
Also create a System Snapshot so that you can restore the system's settings to their present clean state, just in case.
Click the System Snapshot link in the left frame to access it.

Take care and happy, safe surfing .... :thumbsup:



