Solved

Keylogger.cone - Registry updates on system startup (Win2K Prof)

Posted on 2004-10-03
194 Views
Last Modified: 2013-12-04
Hi, I'm trying to find a way to remove whatever software is adding keylogger.cone.trojan entries to my Win 2000 Pro registry each time my machine is started.  I have up-to-date Symantec anti-virus/firewall running which does not detect anything with a full system scan; PC Tools SpyDoctor detects the registry entries and removes them but does not detect the program that keeps putting them back...  I've run the McAfee Stinger as well!  Any thoughts on what I can do?
Regards
Graham
0
Question by:Graham_Powell
7 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12211438
Hello Graham_Powell =)

Try using HijackThis now.... maybe it can pick up that running process which the other tools are failing to catch !! :)
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better you first research them on Google and then, when you have confirmed that they should be deleted, Fix them. And whenever you run HijackThis, run it from a New folder on your desktop, so that in case of any problem you can take advantage of the backups it creates of fixed items. And in case you still face problems in dealing with it, just analyse your log at the above site, then scroll down where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)
0
 

Author Comment

by:Graham_Powell
ID: 12211728
Hi SheharyaarSaahil,

Here is the link to the HijackThis log file - it has found some nasties and I'd appreciate your thoughts.  The registry entries are the ones found by PC Tools Spydoctor, but I don't know what is putting them there!

G

http://www.hijackthis.de/logfiles/ef711b43ab68752aaabf4daad983329a.html
0
 
LVL 12

Accepted Solution

by: rossfingal (earned 500 total points)
ID: 12212257
Hi!

Took a look at your HJT log.

Here's some information on Keylogger.cone:
http://securityresponse.symantec.com/avcenter/venc/data/keylogger.cone.trojan.html

The following is information on "unknown" and "nasty" entries,
present in your log.
------------
This is safe:
PRPCUI.exe

Intel® SpeedStep™ interface. This automatically detects whether
a mobile PC is using battery or AC power.
When using battery power, SpeedStep scales the processor clock frequency and
voltage to reduce the power it needs by 40%
------------
This one is very bad:
windll32.exe

http://www.2-spyware.com/file-windll32-exe.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.l.html
http://securityresponse.symantec.com/avcenter/venc/data/msnpws.trojan.html
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp
------------
This one is safe:
RegService.exe

http://www.network-drivers.com/drivers/1/1842.htm
------------
This one is probably bad:
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINNT\system32\WINDLL~2.DLL
{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} X BHO  
Funnywb.dll, bpkwb.dll, Systemwb.dll, johnwb.dll, *****wb.dll
Personal Antispy keylogger
http://www.botspot.com/Intelligent_Agent/2235.html
http://www.blazingtools.com/bpk.html 
------------
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you downloaded this program from PCTools.com it is safe.
If not - it's probably bad - see the following:
http://www.spywarewarrior.com/rogue_anti-spyware.htm 
------------
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\SYSTEM32\TASKMGR.EXE
This one has been flagged as "Nasty" - probably not.
Check its properties -
(this is from a Win 2000 system, SP4 - IE ver. 6.0.2800.1106, SP1 - your version may be different)
If its size is 85.2 KB (128 KB on disk),
Manufacturer is Microsoft,
Version is 5.0.2195.6620,
it's a legitimate program.
------------
This one is not a "Nasty" - just a known resource hog
Should probably be fixed.
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE

You should definitely update Internet Explorer to SP1 and
apply all the recent patches and updates - your computer is vulnerable.

Hope this helps.

Regards...
RF

0
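The accepted answer triages the HijackThis log entry by entry: the O2 BHO with its CLSID and the windll32/WINDLL~2 files are the keylogger, TASKMGR.EXE and FINDFAST.EXE are benign, and anything else should be researched before it is "fixed". The script below is an added example, not code from the poster or from HijackThis; it parses constructed log lines in the same O2/O4 format quoted above and applies exactly those verdicts, treating the CLSID and file names from the answer as the indicator set.

```python
import re

# Constructed sample HijackThis-style log lines, modelled on the entries the
# accepted answer quotes (not the poster's actual log).
SAMPLE_LOG = """\
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\\WINNT\\system32\\WINDLL~2.DLL
O4 - HKLM\\..\\Run: [windll32] C:\\WINNT\\system32\\windll32.exe
O4 - HKCU\\..\\Run: [Spyware Doctor] "C:\\Program Files\\Spyware Doctor\\spydoctor.exe" /Q
O4 - Startup: TASKMGR.EXE.lnk = C:\\WINNT\\SYSTEM32\\TASKMGR.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\\Program Files\\Microsoft Office 97\\Office\\FINDFAST.EXE
"""

# Indicators taken from the answer above: the BHO CLSID and the file names it
# ties to the keylogger, plus the entries judged safe or merely wasteful.
BAD_CLSIDS = {"{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"}
BAD_FILES = {"windll32.exe", "windll~2.dll", "bpkwb.dll", "funnywb.dll",
             "systemwb.dll", "johnwb.dll"}
KNOWN_OK = {"taskmgr.exe": "legit (verify size/version/manufacturer)",
            "findfast.exe": "resource hog, safe to remove",
            "spydoctor.exe": "ok if installed from PCTools.com"}

ENTRY_RE = re.compile(r"^(O\d+) - (.+?): (.*)$")          # "O4 - HKCU\..\Run: ..."
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
BINARY_RE = re.compile(r'([^\\/"\s]+\.(?:exe|dll))(?![\w.])', re.I)  # basename only


def classify(line):
    """Return (section, basename, verdict) for one HJT log line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, where, rest = m.groups()
    # For shortcut entries (Startup/Global Startup) judge the target, not the .lnk
    target = rest.split(" = ", 1)[1] if " = " in rest else rest
    clsid_hits = {c for c in CLSID_RE.findall(rest) if c.upper() in BAD_CLSIDS}
    hit = BINARY_RE.search(target)
    basename = hit.group(1).lower() if hit else ""
    if clsid_hits or basename in BAD_FILES:
        verdict = "BAD: matches keylogger indicator"
    elif basename in KNOWN_OK:
        verdict = "OK: " + KNOWN_OK[basename]
    else:
        verdict = "UNKNOWN: research before fixing"
    return section, basename, verdict


def triage(log_text):
    """Classify every recognised entry in a log; unknown line formats are skipped."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for section, name, verdict in triage(SAMPLE_LOG):
        print(f"{section:3} {name:14} {verdict}")
```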
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12212330
well, ross has already covered it all :)
I'm just listening to hear the results from you =)
0
