PC Help Forum - Security & Safety - [Fixed] Hijackthis! Logs: [Closed] keylogger and 2 adware
#1  12-29-2006
fijidave12 (Bronze Member; Join Date: Dec 2006; Posts: 10)
[Closed] keylogger and 2 adware

through the course of removing and fixing a couple other issues, i ran a number of the recommended progs and these were found at the very end of what i thought were my resolved problems.....

From Spy Sweeper:
Adware found: command
Adware found: locators toolbar
System Monitor found: beyond keylogger

i read a bit on the keylogger and it needs to be manually installed, but i normally keep my box on the lockdown when not around it. and i am always running av and firewall....keeping updated.....but have slipped up on a constant scan for spy/mal-ware. let me know if there is any other info needed.

any advice/help will be much appreciated...

--------------------------------
hijackthis log:
-------------
Logfile of HijackThis v1.99.1
Scan saved at 12:08:53 AM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\Program Files\YzShadow\YzShadow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\MagicTune3.6\GammaTray.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SEC\MagicTune3.6\MagicTune.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSettingsService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVLibraryService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSchedulerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVNetworkService.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Advanced Spyware Remover\Asr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Windows Live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Windows Live
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SWN2] "C:\Program Files\Spyware Nuker\swnxt.exe" /h
O4 - HKCU\..\Run: [WinRoll] "C:\Program Files\WinRoll\winroll.exe"
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [Yz Shadow] "C:\Program Files\YzShadow\YzShadow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: RK Launcher.lnk = ?
O4 - Global Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136683283390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: GB-PVR Recording Service - devnz.com - C:\Program Files\devnz\gbpvr\GBPVRRecordingService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

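As an added illustration (not code from the thread, from HijackThis, or from any of the tools named here), a small Python parser for the HijackThis log format shown above: it separates section entries from the process list, pulls the launched executable out of O4 Run entries, and flags the kinds of lines a log reviewer checks first (orphaned O2 BHOs, O20 AppInit_DLLs loaders, O23 services with no publisher string). The sample lines are constructed from the log posted above, and the flag heuristics are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 format, lifted from the log posted above;
# it includes one "(no file)" BHO and one "Unknown owner" service on purpose.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\rundll32.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SWN2] "C:\Program Files\Spyware Nuker\swnxt.exe" /h
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A section entry is "<code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Inside an O4 Run entry: "[name] <quoted path or bare token> <args>".
RUN_RE = re.compile(r'^\[[^\]]*\]\s*(?:"([^"]+)"|(\S+))')

@dataclass
class Entry:
    kind: str                       # section code: R0, O2, O4, O20, O23 ...
    body: str                       # everything after "O23 - "
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Keep only section entries; drop the header and running-process list."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out

def run_target(entry):
    """Executable launched by an O4 Run entry, unquoted, without its arguments."""
    m = RUN_RE.search(entry.body.split(": ", 1)[-1])
    return (m.group(1) or m.group(2)) if m else None

def review(entries):
    """Attach reviewer flags; a flag means 'verify this', not 'this is malware'."""
    for e in entries:
        if e.kind == "O2" and e.body.endswith("(no file)"):
            e.flags.append("BHO registered but its DLL is missing: safe to remove")
        elif e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            e.flags.append("AppInit_DLLs is loaded into every GUI process: verify the DLL")
        elif e.kind == "O23" and " - Unknown owner - " in e.body:
            e.flags.append("service has no publisher string: verify the binary")
    return [e for e in entries if e.flags]
```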

#2  12-29-2006
Wolfeymole (Resident WereWolf; Join Date: Nov 2006; Posts: 1,611; PC Experience: Enough to choke a Mule)

Hello Fijidave

Welcome to PC Help Forums

A member of our Security Team will be along as soon as possible to examine that log and assess it. Please bear with us. Thank you for your cooperation.



#3  12-29-2006
chiaz (Senior Security Analyst; Join Date: Jun 2006; Location: Singapore; Posts: 2,510; PC Experience: PC Guru)

I notice you have Spyware Nuker on your computer. It was a rogue application. It reported a lot of false positives, and the advertising tactics used were questionable, to say the least. However, the company producing it has cleaned up its act considerably, and is no longer considered a rogue. How effective it is, compared to the conventional, popular anti-spyware programs (Adaware, Spybot S&D) is unclear. Would you want to remove it?

Can I see a full Spyware Sweeper log? That would show the locations of the files detected.


#4  12-29-2006
fijidave12 (Bronze Member; Join Date: Dec 2006; Posts: 10)

Spy Sweeper log:

1:02 PM: Traces Found: 4
1:02 PM: Full Sweep has completed. Elapsed time 00:42:19
1:02 PM: File Sweep Complete, Elapsed Time: 00:35:48
12:52 PM: Warning: Failed to open file "d:\tv\recorded tv\thumbs.db:encryptable". The operation completed successfully
12:48 PM: Warning: Failed to open file "c:\documents and settings\dave\application data\mozilla\firefox\profiles\8fi81x7a.default\parent.lock". The operation completed successfully
12:29 PM: C:\WINDOWS\system32\rgtcvc32.dll (ID = 347548)
12:29 PM: Found System Monitor: beyond keylogger
12:26 PM: Starting File Sweep
12:26 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:26 PM: Starting Cookie Sweep
12:26 PM: Registry Sweep Complete, Elapsed Time:00:00:14
12:26 PM: HKU\S-1-5-21-1004336348-299502267-725345543-1003\software\microsoft\windows\currentversion\ext\stats\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ (ID = 1888173)
12:26 PM: Found Adware: locators toolbar
12:26 PM: HKLM\system\controlset001\enum\root\legacy_cmdservice\ (ID = 1556665)
12:26 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
12:26 PM: Found Adware: command
12:26 PM: Starting Registry Sweep
12:26 PM: Memory Sweep Complete, Elapsed Time: 00:06:11
12:20 PM: Starting Memory Sweep
12:20 PM: Start Full Sweep
12:20 PM: Sweep initiated using definitions version 827
12:20 PM: Spy Sweeper 5.2.3.2138 started
12:20 PM: | Start of Session, Friday, December 29, 2006

----------------------------------
and concerning spyware nuker--i installed/ran because of a couple posts from this forum that i had used to fix a couple other problems i had. i have no problem uninstalling it.


#5  12-30-2006
chiaz (Senior Security Analyst; Join Date: Jun 2006; Location: Singapore; Posts: 2,510; PC Experience: PC Guru)

This forum recommended SpywareNuker? Would it be too much trouble if you gave me the links to those posts?

Go to Control Panel and uninstall the following if found:
locators toolbar


Reboot. Then:
  1. Please download the Killbox.
  2. Unzip it to the desktop but do NOT run it yet.
  3. Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  4. Once in Safe Mode, please run Killbox.
  5. Click "Delete on Reboot".
  6. Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\rgtcvc32.dll
  7. Click the red-and-white "Delete File".
  8. Click "Yes" at the Delete on Reboot prompt.
  9. Click "No" at the Pending Operations prompt.

Now download and scan with CCleaner:
a. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
b. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.


In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

c. Click the "Run Cleaner" button.
d. A pop up box will appear advising this process will permanently delete files from your system.
e. Click "OK" and it will scan and clean your system.
f. Click "exit" when done.


Finally
do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location. You might need to post it later.


#6  12-30-2006
fijidave12 (Bronze Member; Join Date: Dec 2006; Posts: 10)

in the process of the panda scan now....will post any info when available.

concerning the nuker links....my mistake, definitely not posted on this forum. was probably on one of the prior forums that i had used when first reading about the keylogger. definitely didn't use them for any more advice though, once i found this site. and my history has been cleared a number of times since so i can't find the exact link to the post for nuker. it has now been uninstalled.

will update....


