
Possible keylogger


8 replies to this topic

#1 stopher

stopher

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 24 June 2010 - 12:37 AM

I am scared that I have a keylogger on my computer and I really don't want to reformat it. I have tried Spybot, Malwarebytes, a process scanner and a few other programs but have not found anything. Help please :thumbsup:


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,949 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:32 PM

Posted 24 June 2010 - 07:20 AM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 stopher

stopher
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 25 June 2010 - 11:04 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, June 25, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, June 24, 2010 15:01:27
Records in database: 4308930
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 203157
Threats found: 2
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 15:26:47


File name / Threat / Threats count
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool\pvpTool.exe Infected: Trojan.Win32.Refroso.bhsl 1
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool_v2.3.0(2).exe Infected: Trojan.Win32.Refroso.bhsl 1
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool_v2.3.0.exe Infected: Trojan.Win32.Refroso.bhsl 1
C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP18921\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP18921\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,949 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:32 PM

Posted 25 June 2010 - 12:20 PM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
pvpTool.exe
pvpTool_v2.3.0(2).exe
pvpTool_v2.3.0.exe

:Services

:Reg

:Files
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool\pvpTool.exe
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool_v2.3.0(2).exe
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool_v2.3.0.exe

:Commands
[emptytemp]
[start explorer]
[reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


Please perform a scan with ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to begin.
  • If offered the option to get information or buy software. Just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 stopher

stopher
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 25 June 2010 - 03:05 PM

All processes killed
========== PROCESSES ==========
No active process named pvpTool.exe was found!
No active process named pvpTool_v2.3.0(2).exe was found!
No active process named pvpTool_v2.3.0.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My not found.
File/Folder Documents\Downloads\pvpTool\pvpTool.exe not found.
File/Folder C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My not found.
File/Folder Documents\Downloads\pvpTool_v2.3.0(2).exe not found.
File/Folder C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My not found.
File/Folder Documents\Downloads\pvpTool_v2.3.0.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Application Data

User: Compaq_Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Compaq_Administrator.YOUR-4DACD0EA75
->Temp folder emptied: 112786496 bytes
->Temporary Internet Files folder emptied: 361330 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 92499525 bytes
->Flash cache emptied: 5392 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Erik
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Evan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: MCX1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 23132 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 72704 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2820 bytes

Total Files Cleaned = 196.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06252010_155733

Files moved on Reboot...
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\IadHide5.dll moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_d50.dat moved successfully.

Registry entries deleted on Reboot...



Running the ESET scan atm :thumbsup:

btw I love you

#6 stopher

stopher
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 26 June 2010 - 12:59 AM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=34cfb4d91bd3b242a05291a5e8ce638e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-26 04:53:13
# local_time=2010-06-26 12:53:13 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 1077879 1077879 0 0
# compatibility_mode=1026 16777214 0 2 25258432 25258432 0 0
# compatibility_mode=5121 16777214 0 96 17971038 29505373 0 0
# compatibility_mode=5891 16776533 100 100 0 17017815 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=202858
# found=5
# cleaned=5
# scan_time=31342
C:\hp\bin\wbug\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP18921\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP18921\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP144\A0079989.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP144\A0079990.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
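
An added example, not code from the thread or from any of the tools it names: a Python triage script for the two log formats posted above, the Kaspersky Online Scanner 7 report in post #3 and the ESET Online Scanner log in post #6. It parses both, separates real malware from Kaspersky's "not-a-virus" and ESET's "application" (potentially unwanted) detections, correlates findings by path across the two vendors, and builds the :Files section of an OTM script with each path on a single line, which is the mistake that made the wrapped paths in post #4 come back as "not found" in post #5. The sample logs embedded in the script are constructed from a few lines of the thread's own logs, and the regex that splits an ESET line into path and detection is a heuristic for the space-flattened forum rendering, not ESET's own format definition.

```python
"""Triage helpers for the Kaspersky Online Scanner 7 report and the ESET
Online Scanner log formats seen in this thread (added example, not from
either vendor).  Parses both, classifies detections, correlates by path,
and emits a well-formed OTM ':Files' section."""
import re

# Constructed samples: a few lines copied from the thread's logs, not the
# full originals.  Raw strings keep the Windows backslashes intact.
KAV_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Threats found: 2
Infected objects found: 6

File name / Threat / Threats count
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool\pvpTool.exe Infected: Trojan.Win32.Refroso.bhsl 1
C:\Documents and Settings\Compaq_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\pvpTool_v2.3.0.exe Infected: Trojan.Win32.Refroso.bhsl 1
C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.
"""

ESET_LOG = r"""
# version=7
# remove_checked=true
# scanned=202858
# found=5
# cleaned=5
C:\hp\bin\wbug\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP144\A0079989.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
"""

KAV_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# The forum paste flattens ESET's field separators to spaces, so the path is
# taken to end at the first ".ext " that lets the rest of the line match
# (heuristic for this rendering, not ESET's format definition).
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4}) (?P<threat>.+?) "
    r"\((?P<action>[^()]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$")


def parse_kaspersky(text):
    """Return [{'path', 'threat', 'count'}] for each detection line."""
    hits = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def parse_eset(text):
    """Return (header dict from '# key=value' lines, [{'path','threat','action'}])."""
    header, hits = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key] = value
            continue
        m = ESET_LINE.match(line)
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "action": m["action"]})
    return header, hits


def is_pua(threat):
    """Kaspersky prefixes non-viral detections with 'not-a-virus:'; ESET marks
    potentially unwanted / unsafe software with an 'application' suffix."""
    return threat.startswith("not-a-virus:") or threat.endswith(" application")


def correlate(kav_hits, eset_hits):
    """Compare detections by case-folded path (NTFS paths are case-insensitive)."""
    kav = {h["path"].lower(): h["path"] for h in kav_hits}
    eset = {h["path"].lower(): h["path"] for h in eset_hits}
    return {"both": sorted(kav[k] for k in kav.keys() & eset.keys()),
            "kaspersky_only": sorted(kav[k] for k in kav.keys() - eset.keys()),
            "eset_only": sorted(eset[k] for k in eset.keys() - kav.keys())}


def otm_files_section(paths):
    """':Files' part of an OTM script, one complete path per line.  OTM reads
    every line as its own path, so a wrapped path becomes two fragments that
    are each reported 'not found' (what the post #5 log shows)."""
    for p in paths:
        if "\n" in p or "\r" in p:
            raise ValueError("path contains a line break: %r" % p)
    return ":Files\n" + "\n".join(paths) + "\n"


def triage(kav_text, eset_text):
    """Summarise both logs: what is malware, what is PUA, what both saw."""
    kav_hits = parse_kaspersky(kav_text)
    header, eset_hits = parse_eset(eset_text)
    malware = [h["path"] for h in kav_hits if not is_pua(h["threat"])]
    pua = [h["path"] for h in kav_hits if is_pua(h["threat"])]
    return {"malware": malware, "pua": pua,
            "eset_cleaned": int(header.get("cleaned", 0)),
            "eset_remove_enabled": header.get("remove_checked") == "true",
            "overlap": correlate(kav_hits, eset_hits),
            "otm_script": otm_files_section(malware)}


if __name__ == "__main__":
    result = triage(KAV_REPORT, ESET_LOG)
    print("Kaspersky malware:", result["malware"])
    print("Kaspersky PUA:", result["pua"])
    print("Overlap:", result["overlap"])
    print(result["otm_script"])
```

Run it as-is to see the two pvpTool hits come out as the only real malware, the WeatherBug/MyWebSearch file as the one path both vendors flagged (under different names), and the restore-point copy as ESET-only; feed the real reports in through `triage()` to repeat the exercise on a new thread's logs.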

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,949 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:32 PM

Posted 26 June 2010 - 05:58 AM

Nothing of significant concern.

MyWebSearch is one of many browser toolbar add-ons (to include MyWay, MySearch) created and distributed by Ask Jeeves. It is often bundled with "free software" such as wallpaper and screensavers offered by third party software vendors and part of the Fun Web Products suite of utilities (Smiley Central, Cursor Mania, FunBuddyIcons, FunWebProducts, MyFunCards, My Mail Stationery, My Mail Signature, PopSwatter, Popular Screensavers, Webfetti, My Way website portal, etc). The toolbar is also aggressively offered via annoying banner ads and pop ups advertised on third party web sites that target kids. For a more detailed overview, refer to the Ask Jeeves Software Review conducted by Sunbelt Software Research Center.

MyWebSearch and MyWay were pre-installed on new Dell computers starting in November 2004 as reported in The Pharmer In The Dell. Dell had a link to "What is the Dell MyWebSearch Home Page?" but it has since been redirected to The "Dell My Way" Home Page. Dell now uses the "Dell Search Assistant" where they address many of the same concerns previously addressed in the redirected link.

Although MyWebSearch is not technically spyware, the program uses tracking cookies and transmits information regarding search requests performed through the toolbar's search facility. Some anti-virus and anti-malware programs detect the toolbar as a non-viral threat (i.e. not-a-virus:AdTool.Win32.MyWebSearch) or Potentially Unwanted Program, while others (Spybot, MBAM, Ad-aware...) may detect or remove individual files and registry entries. However, even after these security tools detect and remove files/registry entries, remnants may still be found from time to time during subsequent scans.

#8 stopher

stopher
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 26 June 2010 - 02:21 PM

Good to hear! thank you soooo much for all this help you're a great person =) good luck in future endeavors

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,949 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:32 PM

Posted 26 June 2010 - 10:06 PM

You're welcome.
