Solved

Keylogger.cone - Registry updates on system startup (Win2K Prof)

Posted on 2004-10-03
7
191 Views
Last Modified: 2013-12-04
Hi, I'm trying to find a way to remove whatever software is adding keylogger.cone.trojan entries to my Win 2000 Pro registry each time my machine is started.  I have up to date Symantic anti virus/firewall running which does not detect anything with a full system scan, PC Tools SpyDoctor detects the registry entries and removes them but does not detect program that keeps putting them back...  I've run the McAfee Stinger as well!  Any thoughts on what I can do?  
Regards
Graham
0
Comment
Question by:Graham_Powell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
7 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12211438
Hello Graham_Powell =)

Try using Hijackthis now.... may be it can pick up that running process which others tools are failing to catch !! :)
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:Graham_Powell
ID: 12211728
Hi SheharyaarSaahil,

Here is the link to the Hijack Log file - It has found some nasties and I'd appreciate your thoughts.  The registry entries are the ones found by PC Tools, Spydoctor but I don't know what is putting them there!

G

http://www.hijackthis.de/logfiles/ef711b43ab68752aaabf4daad983329a.html
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 125 total points
ID: 12212257
Hi!

Took a look at your HJT log.

Here's some information on Keylogger.cone:
http://securityresponse.symantec.com/avcenter/venc/data/keylogger.cone.trojan.html

The following is information on "unknown" and "nasty" entries,
present in your log.
------------
This is safe:
PRPCUI.exe

Intel® SpeedStep™ interface. This automatically detects whether
a mobile PC is using battery or AC power.
When using battery power, SpeedStep scales the processor clock frequency and
voltage to reduce the power it needs by 40%
------------
This one is very bad:
windll32.exe

http://www.2-spyware.com/file-windll32-exe.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.l.html
http://securityresponse.symantec.com/avcenter/venc/data/msnpws.trojan.html
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp
------------
This one is safe:
RegService.exe

http://www.network-drivers.com/drivers/1/1842.htm
------------
This one is probably bad:
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -
C:\WINNT\system32\WINDLL~2.DLL
{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} X BHO  
Funnywb.dll, bpkwb.dll, Systemwb.dll, johnwb.dll, *****wb.dll
Personal Antispy keylogger
http://www.botspot.com/Intelligent_Agent/2235.html
http://www.blazingtools.com/bpk.html 
------------
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\spydoctor.exe" /Q
http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you downloaded this program from PCTools.com it is safe.
If not - it's probably bad - see the following:
http://www.spywarewarrior.com/rogue_anti-spyware.htm 
------------
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\SYSTEM32\TASKMGR.EXE
This one has been flagged as "Nasty" - probably not.
Check it's properties -
(this is from a Win 2000 system, Sp 4, -  IE ver.6.0.2800.1106, Sp 1 - your version may be different)
If it's size is 85.2 KB (128 KB on disk)
Manufacturer is Microsoft
Version is 5.0.2195.6620
It's a legitimate program
------------
This one is not a "Nasty" - just a known resource hog
Should probably be fixed.
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office 97\Office\FINDFAST.EXE

You should definately, update Internet Explorer to Sp 1 and
apply all the recent patches and updates - your computer is vulnerable.

Hope this helps.

Regards...
RF

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12212330
well ross has already covered it all :)
im just listening to hear the results from u =)
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question