Solved

Keylogger.cone - Registry updates on system startup (Win2K Prof)

Posted on 2004-10-03
7
189 Views
Last Modified: 2013-12-04
Hi, I'm trying to find a way to remove whatever software is adding keylogger.cone.trojan entries to my Win 2000 Pro registry each time my machine is started.  I have up to date Symantic anti virus/firewall running which does not detect anything with a full system scan, PC Tools SpyDoctor detects the registry entries and removes them but does not detect program that keeps putting them back...  I've run the McAfee Stinger as well!  Any thoughts on what I can do?  
Regards
Graham
0
Comment
Question by:Graham_Powell
  • 2
7 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12211438
Hello Graham_Powell =)

Try using Hijackthis now.... may be it can pick up that running process which others tools are failing to catch !! :)
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:Graham_Powell
ID: 12211728
Hi SheharyaarSaahil,

Here is the link to the Hijack Log file - It has found some nasties and I'd appreciate your thoughts.  The registry entries are the ones found by PC Tools, Spydoctor but I don't know what is putting them there!

G

http://www.hijackthis.de/logfiles/ef711b43ab68752aaabf4daad983329a.html
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 125 total points
ID: 12212257
Hi!

Took a look at your HJT log.

Here's some information on Keylogger.cone:
http://securityresponse.symantec.com/avcenter/venc/data/keylogger.cone.trojan.html

The following is information on "unknown" and "nasty" entries,
present in your log.
------------
This is safe:
PRPCUI.exe

Intel® SpeedStep™ interface. This automatically detects whether
a mobile PC is using battery or AC power.
When using battery power, SpeedStep scales the processor clock frequency and
voltage to reduce the power it needs by 40%
------------
This one is very bad:
windll32.exe

http://www.2-spyware.com/file-windll32-exe.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.l.html
http://securityresponse.symantec.com/avcenter/venc/data/msnpws.trojan.html
http://www.pestpatrol.com/PestInfo/T/Traitor21.asp
------------
This one is safe:
RegService.exe

http://www.network-drivers.com/drivers/1/1842.htm
------------
This one is probably bad:
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -
C:\WINNT\system32\WINDLL~2.DLL
{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} X BHO  
Funnywb.dll, bpkwb.dll, Systemwb.dll, johnwb.dll, *****wb.dll
Personal Antispy keylogger
http://www.botspot.com/Intelligent_Agent/2235.html
http://www.blazingtools.com/bpk.html 
------------
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\spydoctor.exe" /Q
http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you downloaded this program from PCTools.com it is safe.
If not - it's probably bad - see the following:
http://www.spywarewarrior.com/rogue_anti-spyware.htm 
------------
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\SYSTEM32\TASKMGR.EXE
This one has been flagged as "Nasty" - probably not.
Check it's properties -
(this is from a Win 2000 system, Sp 4, -  IE ver.6.0.2800.1106, Sp 1 - your version may be different)
If it's size is 85.2 KB (128 KB on disk)
Manufacturer is Microsoft
Version is 5.0.2195.6620
It's a legitimate program
------------
This one is not a "Nasty" - just a known resource hog
Should probably be fixed.
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office 97\Office\FINDFAST.EXE

You should definately, update Internet Explorer to Sp 1 and
apply all the recent patches and updates - your computer is vulnerable.

Hope this helps.

Regards...
RF

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12212330
well ross has already covered it all :)
im just listening to hear the results from u =)
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question