Solved

Keylogger.cone - Registry updates on system startup (Win2K Prof)

Posted on 2004-10-03
7
192 Views
Last Modified: 2013-12-04
Hi, I'm trying to find a way to remove whatever software is adding keylogger.cone.trojan entries to my Win 2000 Pro registry each time my machine is started.  I have up to date Symantic anti virus/firewall running which does not detect anything with a full system scan, PC Tools SpyDoctor detects the registry entries and removes them but does not detect program that keeps putting them back...  I've run the McAfee Stinger as well!  Any thoughts on what I can do?  
Regards
Graham
0
Comment
Question by:Graham_Powell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
7 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12211438
Hello Graham_Powell =)

Try using Hijackthis now.... may be it can pick up that running process which others tools are failing to catch !! :)
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:Graham_Powell
ID: 12211728
Hi SheharyaarSaahil,

Here is the link to the Hijack Log file - It has found some nasties and I'd appreciate your thoughts.  The registry entries are the ones found by PC Tools, Spydoctor but I don't know what is putting them there!

G

http://www.hijackthis.de/logfiles/ef711b43ab68752aaabf4daad983329a.html
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 125 total points
ID: 12212257
Hi!

Took a look at your HJT log.

Here's some information on Keylogger.cone:
http://securityresponse.symantec.com/avcenter/venc/data/keylogger.cone.trojan.html

The following is information on "unknown" and "nasty" entries,
present in your log.
------------
This is safe:
PRPCUI.exe

Intel® SpeedStep™ interface. This automatically detects whether
a mobile PC is using battery or AC power.
When using battery power, SpeedStep scales the processor clock frequency and
voltage to reduce the power it needs by 40%
------------
This one is very bad:
windll32.exe

http://www.2-spyware.com/file-windll32-exe.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.l.html
http://securityresponse.symantec.com/avcenter/venc/data/msnpws.trojan.html
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp
------------
This one is safe:
RegService.exe

http://www.network-drivers.com/drivers/1/1842.htm
------------
This one is probably bad:
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -
C:\WINNT\system32\WINDLL~2.DLL
{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} X BHO  
Funnywb.dll, bpkwb.dll, Systemwb.dll, johnwb.dll, *****wb.dll
Personal Antispy keylogger
http://www.botspot.com/Intelligent_Agent/2235.html
http://www.blazingtools.com/bpk.html 
------------
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\spydoctor.exe" /Q
http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you downloaded this program from PCTools.com it is safe.
If not - it's probably bad - see the following:
http://www.spywarewarrior.com/rogue_anti-spyware.htm 
------------
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\SYSTEM32\TASKMGR.EXE
This one has been flagged as "Nasty" - probably not.
Check it's properties -
(this is from a Win 2000 system, Sp 4, -  IE ver.6.0.2800.1106, Sp 1 - your version may be different)
If it's size is 85.2 KB (128 KB on disk)
Manufacturer is Microsoft
Version is 5.0.2195.6620
It's a legitimate program
------------
This one is not a "Nasty" - just a known resource hog
Should probably be fixed.
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office 97\Office\FINDFAST.EXE

You should definately, update Internet Explorer to Sp 1 and
apply all the recent patches and updates - your computer is vulnerable.

Hope this helps.

Regards...
RF

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12212330
well ross has already covered it all :)
im just listening to hear the results from u =)
0

Featured Post

Turn Insights into Action

Communication across every corner of your business is essential to increase the velocity of your application delivery and support pipeline. Automate, standardize, and contextualize your communication processes with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question