Solved

I am suspicious of keylogger or trojan. Conflicting info from anti-virus/anti-spyware. HJT attached.

Posted on 2004-10-03
Last Modified: 2013-12-04
Dell Inspiron laptop with Windows XP Pro. Linksys wireless router with WPA enabled. I run Zone Alarm (free version) and NAV. Windows is updated at least twice a month (but I have declined SP2 so far). Additionally, I have run deep scans with PestPatrol, Webroot's Spy Sweeper, Ad-Aware, Spybot S&D, and X-Block's X-Cleaner.

Because an acquaintance has become very interested in and adept with keyloggers (and possibly trojans) I am very concerned that my Inspiron laptop may have fallen victim.  This acquaintance really likes Spytech and Spector products, not sure what else.   The "stealth mode" of these products along with the fact that some can be remotely installed and be installed masquerading as another app to bypass ZA or other firewall increases my uneasiness.  

I do get clean scans with the above-mentioned products. "Security Task Manager" by Neuber, however, alerted me to Dadkeyb.dll in C:\windows\system32\drivers\ as a "DLL hidden" with a Rating of 100. "Properties: Able to record keyboard inputs. Window not visible. No description of the program. No Windows System file. None(sic) detailed description available. Function: records input." I can't find information on Dadkeyb.dll good or bad. I read good things about Security Task Manager, but surely don't want to delete or quarantine a necessary dll.

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 5:01:54 PM, on 10/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

 
Question by:jaten19
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 100 total points
I truly understand your purpose of posting the log here. Due to some regulations that might come into effect in the next few days or so in EE, it is better for everyone here if you can use this analyzer website
http://hijackthis.de/index.php?langselect=english

to check the bad ones in your machine. You can post your log there and get it analyzed
a) Remove the ones that it reports Nasty. Make sure to google search the ones that it tells nasty and also be aware to remove only those that you are not familiar with
b) Then if your system is clean it is fine or if you still have issues or if the analyzer cannot determine the bad ones,
post the log here with the executables or files that it cannot determine.
c) Make sure to run hijackthis in safe mode and after running spybot, ad-aware

Thanks for the co-operation
LVL 3

Expert Comment

by:4ceReconSniper
I suggest that you use an antispyware/detector program. I recommend XoftSpy if you want to purchase one; if you want something free, I recommend Spybot. It defends my PC and I have no problems. Another backup and essential is to have a good anti-virus like avast!: it's free, powerful, uses low resources and is greatly customizable.
LVL 9

Assisted Solution

by:imnajam
imnajam earned 100 total points
If you are suspicious about the trojan, then give a try to "THE CLEANER" from MOOSOFT.com
[ http://moosoft.com/products/cleaner/download/ ]
all the best

Author Comment

by:jaten19
Thanks for the input, everyone. Not the magic bullet I was hoping for, but I understand policy changes may be taking place? Can we sneak in under the wire???? No, really, I don't want anyone to be in an uncomfortable position.

I'll look closely at all 3 of the suggestions (and others that may arrive) this evening after work.

Thanks again!

LVL 12

Accepted Solution

by:
rossfingal earned 150 total points
Hi!

Here's some info on dadkeyb.dll:
(note where it says it should be running from - C:\Program Files\Dell\AccessDirect\)
http://www.kephyr.com/filedb/index.php?viewtopic=dadkeyb.dll
This line shows dadapp.exe running from C:\WINDOWS\SYSTEM32\Drivers\
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
The correct place it should be running from is probably:
C:\Program Files\Dell\AccessDirect\dadapp.exe
You should check the properties on those files - they look suspicious.
Also, you don't show Dadtray.exe in your list of running processes -
if you have dadapp.exe running (valid copy) - you should probably have Dadtray.exe running.
Don't forget to run your log through the "Analysis" site, as advised above; to see what it turns up.

Good luck!
RF
LVL 3

Expert Comment

by:Gargantubrain
SunRay_2003, I'm sorry to go off-topic but I can't see a way to send you a private message...
Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?

Thanks,
G
LVL 12

Expert Comment

by:rossfingal
LVL 6

Assisted Solution

by:knoxj81
knoxj81 earned 100 total points
First, I would get rid of Norton and Zone Alarm. Both of which have exploits to drop the service it's using to protect your system. It's important to have a few things in your case. You need to have a reliable virus scanner that is going to perform properly. Also you need to monitor your registry for any changes (such as hidden .dll's). Also it's very important to have a firewall that's configured properly to use as defense against the latest attacks. Keeping these programs updated and patched is a huge role in security as well. Below I'm going to list some of the best products in their field along with some sites for you to use as research.

Norton lovers...think twice: http://eeye.com/html/research/advisories/index.html  - will show you how secure symantec really is.

Now I offer a list of the best programs. There is a free alternative to the ones that cost money.


Kaspersky Antivirus 5.0 (new version) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.

AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.
http://www.grisoft.com/us/us_dwnl_free.php

Firewall:
Sygate Personal Firewall Pro - Compared to ZoneAlarm or Norton's, which both have tons of exploits to drop their service like a fly, Sygate is the choice for a software firewall.

Sygate has a home edition for free as well. www.sygate.com

Spyware/Adware/Malware/Dataware:
AD-AWARE - www.lavasoftusa.com
If you can afford it, buy the PRO version; the extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.

RegistryProt 2.0 - http://www.diamondcs.com.au/index.php?page=regprot
This is a free program to monitor all changes to the registry. This is a must in security for your Windows machine. Big help in eliminating spyware, Trojans, backdoors, etc.

BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must nowadays if you're running Internet Explorer! BHOs are used in a lot of the recent IE exploits as well as keyloggers. Windows XP SP2 offers something along these lines, but why trust M$.

IDS ( Intrusion Detection System ): - snort.org
I was reading my Windows & .NET Magazine, and it has a great article on SNORT. Setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising; this is for extremely paranoid users & advanced users.

References:
http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com – Great Software firewall.
www.kaspersky.com – Best AV on the market.
www.lavasoftusa.com – Best spyware removal program.
http://www.grisoft.com – Wonderful FREE AV.

Geek Tested & Guru Approved,

Jorden
LVL 27

Expert Comment

by:Asta Cu
You said you use AdAware and Spybot S&D, both excellent.  Did you get all updates first?  Did you configure AdAware also to do deep scanning as well as including the HOSTS file?  For Spybot S&D, after updates, did you rescan and use the Immunize function to block malware for more than 1900 problems?

Prior to cleaning things up, be sure to turn off System Restore or the problem will return.
LVL 27

Expert Comment

by:Asta Cu
Any idea what this is?  Something you installed or use?  As RF said above, check properties as well
C:\Program Files\I8kfanGUI\i8kfangui.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
There are a number of ActiveX objects in your initial list that I also am unfamiliar with and should be checked.  Post your log information here for some insights, if not already done.
http://www.hijackthis.de/

If this is redundant, which I hope it isn't, I apologize.  Read this but eyes tired.
LVL 1

Assisted Solution

by:Grinler-
Grinler- earned 50 total points
The only thing in that log that should be fixed is this:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab

Author Comment

by:jaten19
So many helpful people!  Thank you.  I am sorting through all of the information.  Points will be decided soon, but I have to sift through the information I've been provided to know where to award.

A few questions/comments I can readily address:
Astaec, yes, I updated the definitions for Spybot, Adaware & configured carefully (always beyond the defaults). All other programs mentioned were updated just prior to running, as well. I8kfangui is a GUI I downloaded for controlling the fan. As some other Dell laptop users will attest, some of them run hot & fans may not kick in. Google this GUI. Works great imho. Picasa is a free photo organizer from Google tools. http://www.google.com/options/index.html I recommend it to anyone with more photos than organization :)

Grinler, can you please explain why the "Real" reference needs to be fixed?  

I mentioned Security Task Manager in my last line prior to hjt log.  I know that for every program there are as many opinions as people, but any thoughts?  Rossfingal addressed dadkeyb, thanks.  I'm not finding reference to it in my machine anywhere other than with Security Task Manager (see original post).  So, do I assume that it's there and only STM picked it up, or do I question STM?  Rossfingal, dadtray is turned off.

What a great place this is :)
LVL 1

Expert Comment

by:Grinler-
The O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab entry is a known spyware/hijacker
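As an added illustration (not code from this thread, from HijackThis, or from any of the posters), here is a small Python checker that turns the two heuristics used in this thread into a repeatable check over raw HJT log lines: an O4 autorun whose executable lives somewhere other than its known install directory (rossfingal's point about dadapp.exe, with the Dell AccessDirect path taken from his comment), and an O16 ActiveX download served from a bare IP address rather than a vendor hostname (the netzip entry Grinler flags). The EXPECTED_DIR table and the raw-IP rule are assumptions of mine for the example, not rules built into HijackThis; the sample log lines are copied from the log posted above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: five lines copied from the thread's HijackThis log,
# so the checker sees both benign entries and the two questioned ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab
"""

# Assumed table of where a known autorun executable normally lives (lower-case,
# no trailing backslash). The Dell AccessDirect entry follows rossfingal's
# comment; a real table would hold many more vendor paths.
EXPECTED_DIR = {
    "dadapp.exe": r"c:\program files\dell\accessdirect",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<id>\{[^}]+\}|\S+)(?: \([^)]*\))? - (?P<url>\S+)$")


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run-key command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly followed by switches
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_log(text: str) -> list:
    """Return (section, message) findings for the two heuristics above."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            directory, _, fname = exe_path(m.group("cmd")).lower().rpartition("\\")
            expected = EXPECTED_DIR.get(fname)
            if expected and directory != expected:
                findings.append(("O4", f"{fname} runs from {directory}, expected {expected}"))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if is_ip_literal(host):  # download site identified only by a bare IP
                findings.append(("O16", f"ActiveX download from bare IP host {host}"))
    return findings


if __name__ == "__main__":
    for section, msg in check_log(SAMPLE_LOG):
        print(f"[{section}] {msg}")
```

A match in this checker is a reason to inspect the file's properties and origin, as rossfingal advises, not proof of compromise on its own.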
LVL 27

Expert Comment

by:Asta Cu
Prior to cleaning things up, be sure to turn off System Restore or the problem will return... (sorry for doing a repeat here, but wanted to make sure).

I agree with you wholeheartedly, this really is a great site; having been helped here many times by many excellent people.


Author Comment

by:jaten19
Astaec, thanks for being certain I saw the point about sys restore.  Never fear.  I keep system restore off and only turn it on temporarily prior to doing a risky/tricky move, then off again as soon as I'm sure all is well.
LVL 27

Expert Comment

by:Asta Cu
Even that's risky, especially since you've experienced unwanted intrusions .... I'd keep it on and only turn it off 'while' doing virus/spyware removal processes.  Having gone through serious issues and losses, have learned this the hard way.  

Are you making any headway here? I don't want to fill this thread with more possibilities if you're 'recovering' from this unfortunate fiasco.

You did say " updated the definitions for Spybot, Adaware & configured carefully " ...  

Did you download the Spybot S&D updates from 09/20/04?  The Immunize function blocks about 1944 known problems now.  Recommend that as well.

What about AdAware?  Many updates delivered the past couple of days.  Be sure to configure it to INCLUDE the HOSTS file.

Listening further,
Asta
LVL 49

Expert Comment

by:sunray_2003
Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?

Thanks to RF .. who had directed you to the guidelines..

You can always email me to the email address shown in my profile ..
LVL 49

Expert Comment

by:sunray_2003
Gargantubrain

If you want to communicate anything, post in the thread.... Please do not email me.. against EE regulations..
Thanks to Asta for reminding me...  

Just got from sleep..LOL  ....  