Solved

Keylogger.cone - Registry updates on system startup (Win2K Prof)

Posted on 2004-10-03
7
187 Views
Last Modified: 2013-12-04
Hi, I'm trying to find a way to remove whatever software is adding keylogger.cone.trojan entries to my Win 2000 Pro registry each time my machine is started.  I have up to date Symantic anti virus/firewall running which does not detect anything with a full system scan, PC Tools SpyDoctor detects the registry entries and removes them but does not detect program that keeps putting them back...  I've run the McAfee Stinger as well!  Any thoughts on what I can do?  
Regards
Graham
0
Comment
Question by:Graham_Powell
  • 2
7 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12211438
Hello Graham_Powell =)

Try using Hijackthis now.... may be it can pick up that running process which others tools are failing to catch !! :)
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:Graham_Powell
ID: 12211728
Hi SheharyaarSaahil,

Here is the link to the Hijack Log file - It has found some nasties and I'd appreciate your thoughts.  The registry entries are the ones found by PC Tools, Spydoctor but I don't know what is putting them there!

G

http://www.hijackthis.de/logfiles/ef711b43ab68752aaabf4daad983329a.html
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 125 total points
ID: 12212257
Hi!

Took a look at your HJT log.

Here's some information on Keylogger.cone:
http://securityresponse.symantec.com/avcenter/venc/data/keylogger.cone.trojan.html

The following is information on "unknown" and "nasty" entries,
present in your log.
------------
This is safe:
PRPCUI.exe

Intel® SpeedStep™ interface. This automatically detects whether
a mobile PC is using battery or AC power.
When using battery power, SpeedStep scales the processor clock frequency and
voltage to reduce the power it needs by 40%
------------
This one is very bad:
windll32.exe

http://www.2-spyware.com/file-windll32-exe.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.l.html
http://securityresponse.symantec.com/avcenter/venc/data/msnpws.trojan.html
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp
------------
This one is safe:
RegService.exe

http://www.network-drivers.com/drivers/1/1842.htm
------------
This one is probably bad:
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -
C:\WINNT\system32\WINDLL~2.DLL
{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} X BHO  
Funnywb.dll, bpkwb.dll, Systemwb.dll, johnwb.dll, *****wb.dll
Personal Antispy keylogger
http://www.botspot.com/Intelligent_Agent/2235.html
http://www.blazingtools.com/bpk.html 
------------
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\spydoctor.exe" /Q
http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you downloaded this program from PCTools.com it is safe.
If not - it's probably bad - see the following:
http://www.spywarewarrior.com/rogue_anti-spyware.htm 
------------
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\SYSTEM32\TASKMGR.EXE
This one has been flagged as "Nasty" - probably not.
Check it's properties -
(this is from a Win 2000 system, Sp 4, -  IE ver.6.0.2800.1106, Sp 1 - your version may be different)
If it's size is 85.2 KB (128 KB on disk)
Manufacturer is Microsoft
Version is 5.0.2195.6620
It's a legitimate program
------------
This one is not a "Nasty" - just a known resource hog
Should probably be fixed.
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office 97\Office\FINDFAST.EXE

You should definately, update Internet Explorer to Sp 1 and
apply all the recent patches and updates - your computer is vulnerable.

Hope this helps.

Regards...
RF

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12212330
well ross has already covered it all :)
im just listening to hear the results from u =)
0

Featured Post

Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now