  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1151

I am suspicious of keylogger or trojan. Conflicting info from anti-virus/anti-spyware. HJT attached.

Dell Inspiron laptop with Windows XP Pro. Linksys wireless router with WPA enabled.  I run Zone Alarm (free version) and NAV.  Windows is updated at least twice a month (but I have declined SP2 so far).   Additionally, I have run deep scans with PestPatrol, Webroot's Spy Sweeper, Ad-Aware, Spybot S&D, and X-Block's X-Cleaner.

Because an acquaintance has become very interested in and adept with keyloggers (and possibly trojans) I am very concerned that my Inspiron laptop may have fallen victim.  This acquaintance really likes Spytech and Spector products, not sure what else.   The "stealth mode" of these products along with the fact that some can be remotely installed and be installed masquerading as another app to bypass ZA or other firewall increases my uneasiness.  

I do get clean scans with the above-mentioned products.  "Security Task Manager" by Neuber, however, alerted me to Dadkeyb.dll in C:\windows\system32\drivers\ as a "DLL hidden" with a Rating of 100. "Properties: Able to record keyboard inputs.  Window not visible. No description of the program. No Windows System file. None(sic) detailed description available.  Function: records input."      I can't find information on Dadkeyb.dll, good or bad.  I read good things about Security Task Manager, but surely don't want to delete or quarantine a necessary DLL.  

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 5:01:54 PM, on 10/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

5 Solutions
I truly understand your purpose in posting the log here. Due to some regulations that might come into effect in the next few days or so on EE, it is better for everyone here if you can use this analyzer website

to check the bad ones on your machine. You can post your log there and get it analyzed.
a) Remove the ones that it reports as Nasty. Make sure to Google the ones that it flags as nasty, and be aware to remove only those that you are not familiar with.
b) Then, if your system is clean, fine; if you still have issues, or if the analyzer cannot determine the bad ones,
post the log here with the executables or files that it cannot determine.
c) Make sure to run HijackThis in safe mode and after running Spybot and Ad-Aware.

Thanks for the co-operation
I suggest that you use an antispyware/detector program. I recommend XoftSpy if you want to purchase one; if you want something free, I recommend Spybot. It defends my PC and I have no problems. Another backup and essential is to have a good antivirus like avast! It's free, powerful, uses low resources and is greatly customizable.
If you are suspicious about the trojan, then give a try to "THE CLEANER" from MOOSOFT.com
[ http://moosoft.com/products/cleaner/download/ ]
All the best
jaten19Author Commented:
Thanks for the input, everyone.  Not the magic bullet I was hoping for, but I understand policy changes may be taking place?  Can we sneak in under the wire????  No, really, I don't want anyone to be in an uncomfortable position.  

I'll look closely at all 3 of the suggestions (and others that may arrive) this evening after work.

Thanks again!


Here's some info on dadkeyb.dll:
(note where it says it should be running from - C:\Program Files\Dell\AccessDirect\)
This line shows dadapp.exe running from C:\WINDOWS\SYSTEM32\Drivers\
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
The correct place it should be running from is probably:
C:\Program Files\Dell\AccessDirect\dadapp.exe
You should check the properties on those files - they look suspicious.
Also, you don't show Dadtray.exe in your list of running processes -
if you have dadapp.exe running (valid copy) - you should probably have Dadtray.exe running.
Don't forget to run your log through the "Analysis" site, as advised above; to see what it turns up.

Good luck!
SunRay_2003, I'm sorry to go off-topic but I can't see a way to send you a private message...
Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?

First, I would get rid of Norton and Zone Alarm, both of which have exploits to drop the service they're using to protect your system. It's important to have a few things in your case. You need to have a reliable virus scanner that is going to perform properly. Also you need to monitor your registry for any changes (such as hidden .dlls). Also it's very important to have a firewall that's configured properly to use as defense against the latest attacks. Keeping these programs updated and patched plays a huge role in security as well. Below I'm going to list some of the best products in their field along with some sites for you to use as research.

Norton lovers...think twice: http://eeye.com/html/research/advisories/index.html  - will show you how secure symantec really is.

Now I offer a list of the best programs. There is a free alternative to the ones that cost money.

Kaspersky Antivirus 5.0 (new version) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.

AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.

Sygate Personal Firewall Pro - Compared to ZoneAlarm or Norton's, which both have tons of exploits to drop their service like a fly, Sygate is the choice for a software firewall.

Sygate has a home edition for free as well.  www.sygate.com

AD-AWARE - www.lavasoftusa.com
If you can afford it, buy the PRO version; the extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.

RegistryProt 2.0 - http://www.diamondcs.com.au/index.php?page=regprot
This is a free program to monitor all changes to the registry. This is a must in security for your Windows machine. Big help in eliminating spyware, Trojans, backdoors, etc.

BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must nowadays if you're running Internet Explorer! BHOs are used in a lot of the recent IE exploits as well as keyloggers. Windows XP SP2 offers something along these lines, but why trust M$.

IDS ( Intrusion Detection System ): - snort.org
I was reading my Windows & .NET Magazine, and it has a great article on SNORT, setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising; this is for extremely paranoid users & advanced users.

http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com – Great Software firewall.
www.kaspersky.com – Best AV on the market.
www.lavasoftusa.com – Best spyware removal program.
http://www.grisoft.com – Wonderful FREE AV.

Geek Tested & Guru Approved,

Asta CuCommented:
You said you use AdAware and Spybot S&D, both excellent.  Did you get all updates first?  Did you configure AdAware also to do deep scanning as well as including the HOSTS file?  For Spybot S&D, after updates, did you rescan and use the Immunize function to block malware for more than 1900 problems?

Prior to cleaning things up, be sure to turn off System Restore or the problem will return.
Asta CuCommented:
Any idea what this is?  Something you installed or use?  As RF said above, check properties as well
C:\Program Files\I8kfanGUI\i8kfangui.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program
There are a number of ActiveX objects in your initial list that I also am unfamiliar with and should be checked.  Post your log information here for some insights, if not already done.

If this is redundant, which I hope it isn't, I apologize.  Read this but eyes tired.
The only thing in that log that should be fixed is this:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
jaten19Author Commented:
So many helpful people!  Thank you.  I am sorting through all of the information.  Points will be decided soon, but I have to sift through the information I've been provided to know where to award.

A few questions/comments I can readily address:
Astaec, yes, I updated the definitions for Spybot, Adaware & configured carefully (always beyond the defaults).  All other programs mentioned were updated just prior to running, as well.  I8kfangui is a GUI I downloaded for controlling the fan.  As some other Dell laptop users will attest, some of them run hot & fans may not kick in.  Google this GUI.  Works great imho.  Picasa is a free photo organizer from Google tools.  http://www.google.com/options/index.html   I recommend it to anyone with more photos than organization :)

Grinler, can you please explain why the "Real" reference needs to be fixed?  

I mentioned Security Task Manager in my last line prior to hjt log.  I know that for every program there are as many opinions as people, but any thoughts?  Rossfingal addressed dadkeyb, thanks.  I'm not finding reference to it in my machine anywhere other than with Security Task Manager (see original post).  So, do I assume that it's there and only STM picked it up, or do I question STM?  Rossfingal, dadtray is turned off.

What a great place this is :)
The O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - entry is a known spyware/hijacker
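Two of the replies above point at concrete things to check in the HijackThis log: rossfingal's observation that dadapp.exe is starting from C:\WINDOWS\SYSTEM32\Drivers rather than the Dell AccessDirect folder, and Grinler's point that the O16 DPF entry with no download URL after its CLSID is the one to fix. The script below is an added example, not code from this thread or from HijackThis: it parses O4 (autostart) and O16 (ActiveX download) lines and flags both conditions. The sample lines are copied from the log above; SUSPECT_DIRS and the EXPECTED_DIR table (which only records the AccessDirect path named in rossfingal's reply) are this example's assumptions.

```python
r"""Added example, not code from this thread or from HijackThis:
triage a HijackThis log for the two points raised in the replies.

  * rossfingal's point: an O4 autostart entry whose program runs from
    C:\WINDOWS\SYSTEM32\Drivers, and dadapp.exe not living in the
    Dell AccessDirect folder named in that reply.
  * Grinler's point: an O16 DPF (ActiveX download) entry with no
    download URL after the CLSID.

SAMPLE_LOG lines are copied from the log in this thread.  SUSPECT_DIRS
and EXPECTED_DIR are this example's assumptions, not HijackThis logic.
"""
import re

# Directories from which a Run-key program should not normally start
# (assumption of this example).
SUSPECT_DIRS = ("\\system32\\drivers", "\\windows\\temp", "\\temp")

# Where a given executable is expected, per rossfingal's reply.
EXPECTED_DIR = {"dadapp.exe": r"c:\program files\dell\accessdirect"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}|\S+)"
    r"(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$"
)

# Constructed sample: a subset of the O4/O16 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
"""


def program_path(cmd):
    """Return the executable path from a Run-key command line.

    A quoted path is taken up to the closing quote; an unquoted one is
    taken up to the first '.exe' followed by whitespace or end of line,
    so folder names containing ' - ' (Spybot - Search & Destroy) survive.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def parse(log_text):
    """Return (o4_entries, o16_entries); each entry is a dict of fields."""
    o4, o16 = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["path"] = program_path(entry["cmd"])
            o4.append(entry)
            continue
        m = O16_RE.match(line)
        if m:
            o16.append(m.groupdict())
    return o4, o16


def triage(log_text):
    """Return a list of (kind, identifier, reason) findings."""
    findings = []
    o4, o16 = parse(log_text)
    for e in o4:
        low = e["path"].lower()
        directory, _, exe = low.rpartition("\\")
        if any(d in directory for d in SUSPECT_DIRS):
            findings.append(("O4", e["name"],
                             "program starts from a driver/temp directory: " + e["path"]))
        if exe in EXPECTED_DIR and directory != EXPECTED_DIR[exe]:
            findings.append(("O4", e["name"],
                             f"{exe} expected under {EXPECTED_DIR[exe]}, "
                             f"found in {directory or '(no directory given)'}"))
    for e in o16:
        if not e["url"]:
            findings.append(("O16", e["clsid"],
                             "ActiveX download entry with no source URL"))
    return findings


if __name__ == "__main__":
    for kind, ident, reason in triage(SAMPLE_LOG):
        print(f"{kind} [{ident}] {reason}")
```

Run against the sample it reports the DadApp entry twice (unusual directory, and not the expected AccessDirect path) and the URL-less O16 entry once; the other Run entries, including the bare Ati2mdxx.exe with no directory in the log, produce no finding. The path check only tells you where the autostart points, so the file-properties check rossfingal suggests is still the next step.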
Asta CuCommented:
Prior to cleaning things up, be sure to turn off System Restore or the problem will return... (sorry for doing a repeat here, but wanted to make sure).

I agree with you wholeheartedly, this really is a great site; having been helped here many times by many excellent people.

jaten19Author Commented:
Astaec, thanks for being certain I saw the point about sys restore.  Never fear.  I keep system restore off and only turn it on temporarily prior to doing a risky/tricky move, then off again as soon as I'm sure all is well.
Asta CuCommented:
Even that's risky, especially since you've experienced unwanted intrusions .... I'd keep it on and only turn it off 'while' doing virus/spyware removal processes.  Having gone through serious issues and losses, have learned this the hard way.  

Are you making any headway here?  I don't want to fill this thread with more possibilities if you're 'recovering' from this unfortunate fiasco.

You did say " updated the definitions for Spybot, Adaware & configured carefully " ...  

Did you download the Spybot S&D updates from 09/20/04?  The Immunize function blocks about 1944 known problems now.  Recommend that as well.

What about AdAware?  Many updates delivered the past couple of days.  Be sure to configure it to INCLUDE the HOSTS file.

Listening further,
Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?

Thanks to RF .. who had directed you to the guidelines..

You can always email me to the email address shown in my profile ..

If you want to communicate anything, post in the thread.... Please do not email me.. against EE regulations..
Thanks to Asta for reminding me...  

Just got from sleep..LOL  ....  
