

I am suspicious of keylogger or trojan. Conflicting info from anti-virus/anti-spyware. HJT attached.

Posted on 2004-10-03
Medium Priority
Last Modified: 2013-12-04
Dell Inspiron laptop with Windows XP Pro. Linksys wireless router with WPA enabled. I run ZoneAlarm (free version) and NAV. Windows is updated at least twice a month (but I have declined SP2 so far). Additionally, I have run deep scans with PestPatrol, Webroot's Spy Sweeper, Ad-Aware, Spybot S&D, and X-Block's X-Cleaner.

Because an acquaintance has become very interested in and adept with keyloggers (and possibly trojans) I am very concerned that my Inspiron laptop may have fallen victim.  This acquaintance really likes Spytech and Spector products, not sure what else.   The "stealth mode" of these products along with the fact that some can be remotely installed and be installed masquerading as another app to bypass ZA or other firewall increases my uneasiness.  

I do get clean scans with the above-mentioned products. "Security Task Manager" by Neuber, however, alerted me to Dadkeyb.dll in C:\windows\system32\drivers\ as a "DLL hidden" with a Rating of 100. "Properties: Able to record keyboard inputs. Window not visible. No description of the program. No Windows System file. None(sic) detailed description available. Function: records input." I can't find information on Dadkeyb.dll, good or bad. I read good things about Security Task Manager, but surely don't want to delete or quarantine a necessary DLL.

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 5:01:54 PM, on 10/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Question by:jaten19

Assisted Solution

sunray_2003 earned 400 total points
ID: 12213970
I truly understand your purpose in posting the log here. Due to some regulations that might come into effect in the next few days or so in EE, it is better for everyone here if you can use this analyzer website

to check the bad ones in your machine. You can post your log there and get it analyzed
a) Remove the ones that it reports as nasty. Make sure to Google search the ones that it reports as nasty, and be careful to remove only those that you are not familiar with.
b) Then, if your system is clean, fine; if you still have issues, or if the analyzer cannot determine the bad ones,
post the log here with the executables or files that it cannot determine.
c) Make sure to run HijackThis in safe mode and after running Spybot and Ad-Aware.

Thanks for the co-operation

Expert Comment

ID: 12214252
I suggest that you use an antispyware/detector program. I recommend XoftSpy if you want to purchase one; if you want something free, I recommend Spybot. It defends my PC and I have no problems. Another backup, and essential, is to have a good antivirus like avast! It's free, powerful, uses low resources and is greatly customizable.

Assisted Solution

imnajam earned 400 total points
ID: 12215335
If you are suspicious about the trojan, then give a try to "THE CLEANER" from MOOSOFT.com
[ http://moosoft.com/products/cleaner/download/ ]
all the best

Author Comment

ID: 12216412
Thanks for the input, everyone. Not the magic bullet I was hoping for, but I understand policy changes may be taking place? Can we sneak in under the wire? No, really, I don't want anyone to be in an uncomfortable position.

I'll look closely at all 3 of the suggestions (and others that may arrive) this evening after work.

Thanks again!


Accepted Solution

rossfingal earned 600 total points
ID: 12217539

Here's some info on dadkeyb.dll:
(note where it says it should be running from - C:\Program Files\Dell\AccessDirect\)
This line shows dadapp.exe running from C:\WINDOWS\SYSTEM32\Drivers\
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
The correct place it should be running from is probably:
C:\Program Files\Dell\AccessDirect\dadapp.exe
You should check the properties on those files - they look suspicious.
Also, you don't show Dadtray.exe in your list of running processes -
if you have dadapp.exe running (valid copy) - you should probably have Dadtray.exe running.
Don't forget to run your log through the "Analysis" site, as advised above; to see what it turns up.

Good luck!

Expert Comment

ID: 12220066
SunRay_2003, I'm sorry to go off-topic but I can't see a way to send you a private message...
Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?


Expert Comment

ID: 12220251

Assisted Solution

knoxj81 earned 400 total points
ID: 12222612
First, I would get rid of Norton and ZoneAlarm, both of which have exploits to drop the service they use to protect your system. It's important to have a few things in your case. You need to have a reliable virus scanner that is going to perform properly. Also you need to monitor your registry for any changes (such as hidden .dll's). Also it's very important to have a firewall that's configured properly to use as defense against the latest attacks. Keeping these programs updated and patched is a huge role in security as well. Below I'm going to list some of the best products in their field along with some sites for you to use as research.

Norton lovers...think twice: http://eeye.com/html/research/advisories/index.html  - will show you how secure symantec really is.

Now I offer a list of the best programs. There is a free alternative to the ones that cost money.

Kaspersky Antivirus 5.0 (new version) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.

AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.

Sygate Personal Firewall Pro - Compared to ZoneAlarm or Norton's, which both have tons of exploits to drop their service like a fly, Sygate is the choice for a software firewall.

Sygate has a home edition for free as well. www.sygate.com

AD-AWARE - www.lavasoftusa.com
If you can afford it, buy the PRO version; the extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.

RegistryProt 2.0 - http://www.diamondcs.com.au/index.php?page=regprot
This is a free program to monitor all changes to the registry. This is a must in security for your Windows machine. Big help in eliminating spyware, Trojans, backdoors, etc.

BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must nowadays if you're running Internet Explorer! BHOs are used in a lot of the recent IE exploits as well as keyloggers. Windows XP SP2 offers something along these lines, but why trust M$.

IDS ( Intrusion Detection System ): - snort.org
I was reading my Windows & .NET Magazine, and it has a great article on SNORT, setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising; this is for extremely paranoid users and advanced users.

http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com – Great Software firewall.
www.kaspersky.com – Best AV on the market.
www.lavasoftusa.com – Best spyware removal program.
http://www.grisoft.com – Wonderful FREE AV.

Geek Tested & Guru Approved,


Expert Comment

by:Asta Cu
ID: 12223034
You said you use AdAware and Spybot S&D, both excellent.  Did you get all updates first?  Did you configure AdAware also to do deep scanning as well as including the HOSTS file?  For Spybot S&D, after updates, did you rescan and use the Immunize function to block malware for more than 1900 problems?

Prior to cleaning things up, be sure to turn off System Restore or the problem will return.

Expert Comment

by:Asta Cu
ID: 12223066
Any idea what this is?  Something you installed or use?  As RF said above, check properties as well
C:\Program Files\I8kfanGUI\i8kfangui.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program
There are a number of ActiveX objects in your initial list that I also am unfamiliar with and should be checked.  Post your log information here for some insights, if not already done.

If this is redundant, which I hope it isn't, I apologize.  Read this but eyes tired.

Assisted Solution

Grinler- earned 200 total points
ID: 12230353
The only thing in that log that should be fixed is this:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
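
Added example (not code from this thread, from HijackThis, or from any of the products named above): a small Python script that applies the two concrete checks made in this thread to HijackThis O4 and O16 lines. It flags rossfingal's point that dadapp.exe is autostarting from C:\WINDOWS\SYSTEM32\Drivers\ rather than from C:\Program Files\Dell\AccessDirect\, and Grinler's point that the O16 DPF entry with no download URL needs fixing. The sample lines are copied from the log posted above; the expected-location table is a hypothetical one seeded only from the accepted answer, and the "listed without a path" note is an extra, lower-severity check added here, not something anyone in the thread raised.

```python
"""Triage HijackThis O4 (autostart) and O16 (ActiveX download) lines for the
anomalies raised in this thread. Added example, not part of HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log posted above, not a full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
"""

# Hypothetical expected-location table, seeded only from the accepted answer above.
EXPECTED_DIRS = {"dadapp.exe": r"c:\program files\dell\accessdirect"}
DRIVER_DIR = r"\system32\drivers"   # holds .sys kernel drivers, not user-mode .exe files

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")


@dataclass
class Finding:
    section: str   # "O4" or "O16"
    item: str      # Run-key value name or DPF object id
    reason: str


def exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run-key command (quoted path, or text up to .exe)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_o4(name: str, cmd: str) -> list:
    """Location checks on one autostart entry."""
    exe = exe_from_command(cmd)
    directory, _, base = exe.lower().rpartition("\\")
    findings = []
    if not directory:
        # A bare file name is located through the loader's search path at logon,
        # so confirm which copy of it actually runs (low severity, informational).
        findings.append(Finding("O4", name, f"{base} is listed without a path"))
    elif directory.endswith(DRIVER_DIR):
        findings.append(Finding("O4", name, f"{exe} autostarts from the kernel-driver directory"))
    expected = EXPECTED_DIRS.get(base)
    if expected and directory != expected:
        findings.append(Finding("O4", name,
                                f"{base} expected under {expected}, found in {directory or '(no path)'}"))
    return findings


def check_o16(obj_id: str, url: str) -> list:
    """An ActiveX download entry with no source URL cannot be traced to where it came from."""
    if not url:
        return [Finding("O16", obj_id, "ActiveX download entry with no source URL")]
    if not url.lower().startswith(("http://", "https://")):
        return [Finding("O16", obj_id, f"unexpected download source: {url}")]
    return []


def triage(log_text: str) -> list:
    """Run both checks over every O4/O16 line; other HijackThis sections are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            findings.extend(check_o4(m["name"], m["cmd"]))
            continue
        m = O16_RE.match(line)
        if m:
            findings.extend(check_o16(m["id"], m["url"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

Run against the sample, it reports DadApp twice (driver directory, and not under the expected Dell AccessDirect folder), the empty-URL O16 entry once, and a low-severity note for the path-less Ati2mdxx.exe; the Synaptics, Symantec and ctfmon entries produce nothing. The script only reads the log text; confirming a flagged file still means checking its properties and signature on the machine, as rossfingal advised.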

Author Comment

ID: 12233642
So many helpful people!  Thank you.  I am sorting through all of the information.  Points will be decided soon, but I have to sift through the information I've been provided to know where to award.

A few questions/comments I can readily address:
Astaec, yes, I updated the definitions for Spybot and Ad-Aware & configured carefully (always beyond the defaults). All other programs mentioned were updated just prior to running, as well. I8kfangui is a GUI I downloaded for controlling the fan. As some other Dell laptop users will attest, some of them run hot & fans may not kick in. Google this GUI. Works great imho. Picasa is a free photo organizer from Google tools. http://www.google.com/options/index.html   I recommend it to anyone with more photos than organization :)

Grinler, can you please explain why the "Real" reference needs to be fixed?  

I mentioned Security Task Manager in my last line prior to hjt log.  I know that for every program there are as many opinions as people, but any thoughts?  Rossfingal addressed dadkeyb, thanks.  I'm not finding reference to it in my machine anywhere other than with Security Task Manager (see original post).  So, do I assume that it's there and only STM picked it up, or do I question STM?  Rossfingal, dadtray is turned off.

What a great place this is :)

Expert Comment

ID: 12233706
The O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - entry is a known spyware/hijacker

Expert Comment

by:Asta Cu
ID: 12237184
Prior to cleaning things up, be sure to turn off System Restore or the problem will return... (sorry for doing a repeat here, but wanted to make sure).

I agree with you wholeheartedly, this really is a great site; having been helped here many times by many excellent people.


Author Comment

ID: 12245005
Astaec, thanks for being certain I saw the point about sys restore.  Never fear.  I keep system restore off and only turn it on temporarily prior to doing a risky/tricky move, then off again as soon as I'm sure all is well.

Expert Comment

by:Asta Cu
ID: 12245051
Even that's risky, especially since you've experienced unwanted intrusions. I'd keep it on and only turn it off 'while' doing virus/spyware removal processes. Having gone through serious issues and losses, I have learned this the hard way.

Are you making any headway here? I don't want to fill this thread with more possibilities if you're 'recovering' from this unfortunate fiasco.

You did say " updated the definitions for Spybot, Adaware & configured carefully " ...  

Did you download the Spybot S&D updates from 09/20/04?  The Immunize function blocks about 1944 known problems now.  Recommend that as well.

What about AdAware?  Many updates delivered the past couple of days.  Be sure to configure it to INCLUDE the HOSTS file.

Listening further,

Expert Comment

ID: 12334359
"Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?"

Thanks to RF, who had directed you to the guidelines.

You can always email me to the email address shown in my profile ..

Expert Comment

ID: 12334518

If you want to communicate anything, post in the thread. Please do not email me; it is against EE regulations.
Thanks to Asta for reminding me...  

Just got from sleep..LOL  ....  
