jaten19 asked:
I am suspicious of keylogger or trojan. Conflicting info from anti-virus/anti-spyware. HJT attached.

Dell Inspiron laptop with Windows XP Pro. Linksys wireless router with WPA enabled. I run Zone Alarm (free version) and NAV. Windows is updated at least twice a month (but I have declined SP2 so far). Additionally, I have run deep scans with PestPatrol, Webroot's Spy Sweeper, Ad-Aware, Spybot S&D, and X-Block's X-Cleaner.

Because an acquaintance has become very interested in and adept with keyloggers (and possibly trojans) I am very concerned that my Inspiron laptop may have fallen victim.  This acquaintance really likes Spytech and Spector products, not sure what else.   The "stealth mode" of these products along with the fact that some can be remotely installed and be installed masquerading as another app to bypass ZA or other firewall increases my uneasiness.  

I do get clean scans with the above-mentioned products. "Security Task Manager" by Neuber, however, alerted me to Dadkeyb.dll in C:\windows\system32\drivers\ as a "DLL hidden" with a rating of 100. "Properties: Able to record keyboard inputs. Window not visible. No description of the program. No Windows System file. None(sic) detailed description available. Function: records input." I can't find information on Dadkeyb.dll, good or bad. I read good things about Security Task Manager, but surely don't want to delete or quarantine a necessary DLL.

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 5:01:54 PM, on 10/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

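Added example, not code from the original post and not Security Task Manager's code: an offline triage of a file flagged the way Dadkeyb.dll was. It gives the analyst hashes to look up elsewhere, the COFF header's DLL flag and link timestamp, and whether a version resource with a CompanyName exists at all (the tool output quoted above says there is no description). `build_sample` constructs a minimal PE-like blob so the script runs without the real file; run it with a path argument to examine a real DLL. The version-string scan is a heuristic, not a full VS_VERSIONINFO parser.

```python
"""Offline triage of a DLL flagged as hidden and keyboard-related.

Added example; the sample input is a constructed minimal PE-like blob, not the
real dadkeyb.dll. Only the standard library is used.
"""
import datetime
import hashlib
import struct
import sys
from typing import Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def pe_summary(data: bytes) -> dict:
    """Hashes, COFF header facts and version-resource hints for a PE image."""
    info = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False, "is_dll": False, "timestamp": None,
        "has_version_info": False, "company_name": None,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, tstamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["timestamp"] = datetime.datetime.fromtimestamp(
        tstamp, tz=datetime.timezone.utc).isoformat()
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    # Version resource strings are UTF-16LE; a plain scan answers the question
    # "is there any publisher information in this file at all".
    if "VS_VERSION_INFO".encode("utf-16-le") in data:
        info["has_version_info"] = True
        info["company_name"] = _utf16_value_after(data, "CompanyName")
    return info


def _utf16_value_after(data: bytes, key: str) -> Optional[str]:
    """Heuristic: the UTF-16LE string after `key`'s NUL terminator and any
    alignment padding. An empty value would be misread as the next key; a full
    parser would use the wLength/wValueLength fields of the String structure."""
    k = key.encode("utf-16-le")
    pos = data.find(k)
    if pos < 0:
        return None
    pos += len(k)
    while pos + 1 < len(data) and data[pos:pos + 2] == b"\0\0":
        pos += 2
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace") or None


def build_sample(company: Optional[str], dll: bool = True,
                 tstamp: int = 0x3F000000) -> bytes:
    """Construct a minimal PE-like blob (MZ stub, PE signature, COFF header,
    optional fake version strings). Constructed test input, not a real DLL."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, tstamp, 0, 0, 0, chars)  # 0x14C = i386
    blob = dos + b"PE\0\0" + coff
    if company is not None:
        blob += "VS_VERSION_INFO\0CompanyName\0".encode("utf-16-le")
        blob += (company + "\0").encode("utf-16-le")
    return blob


if __name__ == "__main__":
    # Pass a path to inspect a real file; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample("Example Corp")
    for k, v in pe_summary(data).items():
        print(f"{k:18} {v}")
```

A file with no version resource, no CompanyName and a link timestamp that does not match the surrounding driver package is worth looking at; a hash that matches the vendor's shipped file closes the question. The hashes are what to compare against a vendor download or another known-clean machine.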
SOLUTION by sunray_2003 (members-only content not shown)
4ceReconSniper:

I suggest that you use an antispyware/detector program. I recommend XoftSpy if you want to purchase one; if you want something free, I recommend Spybot: it defends my PC and I have no problems. Another backup and essential is to have a good antivirus like avast!: it's free, powerful, uses low resources and is greatly customizable.
SOLUTION (members-only content not shown)
jaten19 (asker):
Thanks for the input, everyone. Not the magic bullet I was hoping for, but I understand policy changes may be taking place? Can we sneak in under the wire? No, really, I don't want anyone to be in an uncomfortable position.

I'll look closely at all 3 of the suggestions (and others that may arrive) this evening after work.

Thanks again!

ASKER CERTIFIED SOLUTION (members-only content not shown)
SunRay_2003, I'm sorry to go off-topic but I can't see a way to send you a private message...
Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?

Thanks,
G
SOLUTION (members-only content not shown)
Asta Cu:
You said you use AdAware and Spybot S&D, both excellent.  Did you get all updates first?  Did you configure AdAware also to do deep scanning as well as including the HOSTS file?  For Spybot S&D, after updates, did you rescan and use the Immunize function to block malware for more than 1900 problems?

Prior to cleaning things up, be sure to turn off System Restore or the problem will return.
Any idea what this is? Something you installed or use? As RF said above, check properties as well.
C:\Program Files\I8kfanGUI\i8kfangui.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
There are a number of ActiveX objects in your initial list that I also am unfamiliar with and should be checked.  Post your log information here for some insights, if not already done.
http://www.hijackthis.de/

If this is redundant, which I hope it isn't, I apologize.  Read this but eyes tired.
SOLUTION (members-only content not shown)
jaten19 (asker):
So many helpful people!  Thank you.  I am sorting through all of the information.  Points will be decided soon, but I have to sift through the information I've been provided to know where to award.

A few questions/comments I can readily address:
Astaec, yes, I updated the definitions for Spybot and Ad-Aware and configured carefully (always beyond the defaults). All other programs mentioned were updated just prior to running, as well. I8kfangui is a GUI I downloaded for controlling the fan. As some other Dell laptop users will attest, some of them run hot and fans may not kick in. Google this GUI. Works great imho. Picasa is a free photo organizer from Google tools. http://www.google.com/options/index.html I recommend it to anyone with more photos than organization :)

Grinler, can you please explain why the "Real" reference needs to be fixed?  

I mentioned Security Task Manager in my last line prior to hjt log.  I know that for every program there are as many opinions as people, but any thoughts?  Rossfingal addressed dadkeyb, thanks.  I'm not finding reference to it in my machine anywhere other than with Security Task Manager (see original post).  So, do I assume that it's there and only STM picked it up, or do I question STM?  Rossfingal, dadtray is turned off.

What a great place this is :)

The O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab entry is a known spyware/hijacker.
Prior to cleaning things up, be sure to turn off System Restore or the problem will return... (sorry for doing a repeat here, but wanted to make sure).

I agree with you wholeheartedly, this really is a great site; having been helped here many times by many excellent people.
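Added example, not part of the thread and not HijackThis's own code: a small triage pass over HijackThis-style log lines that turns the advice in this thread into repeatable checks. It flags O16 ActiveX downloads whose host is a bare IP address (the netzip entry identified above), unnamed O16 objects that still need identifying, O4 Run entries that give only a bare file name (resolved through the PATH search order, so it is worth confirming which file actually runs), and executables started from the drivers directory (dadapp.exe in the question's log). The sample lines are copied from the log posted in the question; the rules are prompts to verify, not verdicts, and a hit on a legitimate program (the QuickTime installer, which is unnamed) is expected.

```python
"""Heuristic triage of HijackThis-style log lines (O4 Run and O16 DPF entries).

Added example; not HijackThis code. Findings are items to verify, not verdicts.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Sample lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0151ad898784087d7b04/netzip/RdxIE2.cab
"""

# "O4 - HKLM\..\Run: [Name] command"  and  "O16 - DPF: {CLSID} (Name) - URL"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def _command_path(cmd: str) -> str:
    """Executable portion of a Run command: the quoted path, or the text up to
    the first .exe (HijackThis prints unquoted paths containing spaces)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _finding(rule, severity, target, line, why):
    return {"rule": rule, "severity": severity, "target": target, "line": line, "why": why}


def triage(log_text: str) -> list:
    """Return a list of findings for the O4 and O16 lines in `log_text`."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = _command_path(m["cmd"])
            low = path.lower()
            if "\\" not in path and "/" not in path:
                findings.append(_finding("o4-bare-filename", "review", path, line,
                    "no directory given: resolved through the PATH search order, confirm which file runs"))
            elif "\\system32\\drivers\\" in low and low.endswith(".exe"):
                findings.append(_finding("o4-exe-in-drivers-dir", "review", path, line,
                    "program started from the drivers directory: unusual location, check properties and hash"))
            continue
        m = O16_RE.match(line)
        if m:
            url = m["url"]
            host = urlparse(url).hostname or ""
            if _is_ip(host):
                findings.append(_finding("o16-raw-ip-host", "high", url, line,
                    f"ActiveX object {m['id']} fetched from a bare IP address ({host}), no named publisher"))
            elif not m["name"]:
                findings.append(_finding("o16-unnamed-object", "review", url, line,
                    f"ActiveX object {m['id']} has no descriptive name: identify it before keeping it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:22} {f['target']}\n         {f['why']}")
```

The rules deliberately stay narrow (a raw-IP host, a missing name, a bare file name, a program in the drivers directory) so that the output is a short list of entries to check by hand rather than a second scanner to disagree with the first five.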

jaten19 (asker):
Astaec, thanks for being certain I saw the point about sys restore.  Never fear.  I keep system restore off and only turn it on temporarily prior to doing a risky/tricky move, then off again as soon as I'm sure all is well.

Even that's risky, especially since you've experienced unwanted intrusions .... I'd keep it on and only turn it off 'while' doing virus/spyware removal processes. Having gone through serious issues and losses, I have learned this the hard way.

Are you making any headway here? I don't want to fill this thread with more possibilities if you're 'recovering' from this unfortunate fiasco.

You did say " updated the definitions for Spybot, Adaware & configured carefully " ...  

Did you download the Spybot S&D updates from 09/20/04?  The Immunize function blocks about 1944 known problems now.  Recommend that as well.

What about AdAware?  Many updates delivered the past couple of days.  Be sure to configure it to INCLUDE the HOSTS file.

Listening further,
Asta

"Where are the updates to the regulations (concerning HijackThis and other such issues) posted and/or discussed?"

Thanks to RF .. who had directed you to the guidelines..

You can always email me at the email address shown in my profile ..
Gargantubrain

If you want to communicate anything, post in the thread.... Please do not email me.. against EE regulations..
Thanks to Asta for reminding me...

Just got up from sleep.. LOL ....