Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Keylog Problem Alert


  • This topic is locked This topic is locked
3 replies to this topic

#1 artharpster

artharpster

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 09 March 2006 - 07:47 PM

I run Compuserve 7.0. About 6 months ago, when I shut down Compuserve and then restarted it, nothing happened. I went into 'windows task manager' and found the file 'wcs2000.exe' and ended the process and returned to restart Compuserve and it worked. The CPU read 100% when I was in 'task manager' and went down to normal after the Compuserve process was ended. I got in and out of the program that way as no one in Compuserve tech support could help.

I purchased Spyware Doctor last week and the 'keylogger guard' feature alerted me that 'C:\program files\Compuserve 7.0a\wcs2000.exe' was trying to gain access and blocked it. About every 30 seconds it attempted to gain access. Now, is this a virus of some kind that has attached itself to the Compuserve browser?

I followed your instructions as listed on your site before joining this forum. I also downloaded and ran 'CWShredder' and it came up with 'CWmsconfig.sys' and deleted it (I hope the original msconfig.exe wasn't affected).

Since then Compuserve still is blocked by Spyware Doctor only one time and the program seems to have ceased multiple attempts as it had done before.

Do I have a trojan or virus? I am a little confused as to 'cftmon'. It was in start-up and also windows task manager. Some sites say it is OK and some say it isn't. It didn't seem to be affected by the scans.

Any help you can give me would be much appreciated. I am not greatly computer savvy, but I can follow directions well.

Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 6:42:31 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapps.yahoo.com/customize/...*http://www.yah

oo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://ca.red.clientapps.yahoo.com/customi...b/*http://www.y

ahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

- C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard -

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class -

{65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program

Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

- C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class -

{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor -

{B56A7D7D-6927-48C8-A975-17DF180C71AC} -

C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: SidebarAutoLaunch Class -

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program

Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} -

(no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -

C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5]

"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe"

/source=HKLM
O4 - HKLM\..\Run: [VSOCheckTask]

"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online]

"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2]

"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe"

/source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware

Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program

Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor -

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file

missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

- C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative

Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com

Operating System Class) -

http://download.mcafee.com/molbin/shared/m...0,83/mcinsctl.c

ab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE

Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall

ActiveX 6.5) -

http://housecall65.trendmicro.com/housecal.../x86/win32/acti

vex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr

Class) -

http://download.mcafee.com/molbin/shared/m...,0,0,20/mcgdmgr

.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative

Software AutoUpdate Support Package) -

http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation -

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd

- C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. -

C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman

Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc -

c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -

McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) -

Networks Associates Technology, Inc -

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty

Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America

Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation -

C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: YPCService - Yahoo! Inc. -

C:\WINDOWS\system32\YPCSER~1.EXE

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:59 PM

Posted 11 March 2006 - 01:59 PM

Hello artharpster and welcome to the BC HijackThis forum. I do not see any signs of viruses or malware in the log. It is clean.

There are a couple of cleanup items that can be fixed so let's do that while you are here.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =http://ca.red.clientapps.yahoo.com/customi...b/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Ctfmon.exe is part of MS Office so that's Ok. The wcs2000.exe file is a part of CompuServe so that's Ok too. I do not know what function it has but CompuServe should be able to tell you that. If you do not have any problems with having it blocked then you should be able to go ahead and leave it blocked. Otherwise let it make its connection (Spyware Doctor might simply be giving a flase positive for a legit process).

Other than that you are good to go.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 artharpster

artharpster
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 13 March 2006 - 05:51 PM

Thank you for checking my registry and helping fix the errors. I am glad to see that there are no other virus or trojans in my system!

I still get Compuserve trying to load a 'system-wide keyboard monitor' repeatedly, as per Spyware Doctor. If I let it go and allowed it, I would have to go into task manager again to delete the 'ws2000.exe' listing in order for other programs to work properly and to start Compuserve again. Compuserve techs are very incapable of understanding anything beyond their 101 manual unfortunately. It's primarily a problem that one tends to see with outsourcing as I have been told.

I can live with this as long as Spyware Doctor is running and of course relieved to hear that my system is not being hijacked.

Thanks again 'Old Timer'.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:59 PM

Posted 13 March 2006 - 06:12 PM

Hi artharpster. I hear ya man :thumbsup:

Now that any malware quesitons have been resolved I will close this topic. If you have any new issues in the future please start a new topic.

Cheers and happy computing.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users