Should I Panic or not ??



KraFT
2007-04-04, 06:21
This is what SPYBOT found.
Should I Panic or not ??
Please, if anyone can shed some light on this...
Are these just traces, or?
Thanks!!!!
(XP+all updates, Spybot 1.4 + all updates)


*******************************************************
keylogger: Company: Next Generation Count
Product: NGC PC & Internet Monitor
Threat: Keylogger
Company product URL: http://www.nextgen.dk/
Functionality: Monitors keystrokes, internet activity, applications.
Description: Stealth, sends log by email or file (network).

NGC PC & Internet Monitor
*******************************************************
NGC PC & Internet Monitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\LockX.Lock

NGC PC & Internet Monitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{729E478E-E746-11D5-9B2D-525405F95A4C}

NGC PC & Internet Monitor: Interface (Lock) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{1918B48D-4585-4CFC-A51C-D5481EAE2E22}

NGC PC & Internet Monitor: Interface (Lock) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{B135FACD-1C0C-467A-85B5-441684C04773}

NGC PC & Internet Monitor: Type library (LockX) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{729E478C-E746-11D5-9B2D-525405F95A4C}
*******************************************************

tashi
2007-04-04, 07:20
Hello.

Could you follow the instructions that I posted in your other topic please: http://forums.spybot.info/showthread.php?t=12645

You can also follow the procedure in this link:
"BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288)

We need to see the HJT log; instructions to produce one are in "BEFORE you POST".

Thanks.

KraFT
2007-04-04, 08:51
Hello.

Could you follow the instructions that I posted in your other topic please: http://forums.spybot.info/showthread.php?t=12645


We need to see the HJT log; instructions to produce one are in "BEFORE you POST".

Thanks.

Sorry,
here is my HijackThis log
K

KraFT
2007-04-04, 08:54
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:03:40, on 03.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Alati\Zashtita\Nod32\nod32krn.exe
C:\Alati\Perfect Disk\PDAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Alati\Logitech\iTouch\iTouch.exe
C:\Alati\Zashtita\Nod32\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Dizajn\PDF\Print2PDF\PrnPack.exe
C:\Link\DUmeter\DUMeter.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Alati\TClock\tclock.exe
C:\Link\Skype\Phone\Skype.exe
C:\Link\Trillian\trillian.exe
C:\Link\mIRC\mirc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Alati\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Alati\totalcmd\TOTALCMD.EXE
c:\Link\Download\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\dizajn\pdf\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Alati\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Alati\Zashtita\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Dizajn\PDF\Print2PDF\PrnPack.exe" /server
O4 - HKLM\..\Run: [DU Meter] C:\Link\DUmeter\DUMeter.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: tclock.lnk = C:\Alati\TClock\tclock.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Link\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Link\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Link\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Link\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Link\Yahoo Msngr\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Link\Yahoo Msngr\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155506964484
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B659B31F-5F46-43A6-B8CA-49C336ACF3EC}: NameServer = 62.162.32.5 62.162.32.6
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\KraFT\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Alati\Zashtita\Nod32\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Alati\Perfect Disk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Alati\Perfect Disk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Link\RealVNC4\WinVNC4.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\Media\ATI\Remote\x10nets.exe (file missing)

--
End of file - 7345 bytes
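As an added example (not part of this thread, and not a Spybot or HijackThis tool), the Python script below parses O4 and O23 lines of the same format as the log above and flags the entries a helper would normally look at first: services whose binary is missing or sits in a Temp folder, entries with an unknown owner, command lines that depend on environment variables, and remote-access services such as VNC or rpcapd, which are not malware but should be confirmed as intended. The flag names, the heuristics and the sample lines (taken from the posted log) are assumptions of this example.

```python
"""Triage helpers for HijackThis-style O4/O23 lines (added example; the
heuristics below are assumptions, not HijackThis or Spybot logic)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Alati\Zashtita\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\KraFT\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Alati\Zashtita\Nod32\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Link\RealVNC4\WinVNC4.exe
"""

# O23 lines: "O23 - Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command> (User '<user>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")       # assumption: Temp is an odd home for a service
REMOTE_ACCESS_HINTS = ("vnc", "rpcapd")      # assumption: verify these are intended


@dataclass
class Finding:
    line: str
    kind: str                     # "service" (O23) or "autorun" (O4)
    name: str
    path: str
    flags: List[str] = field(default_factory=list)


def _path_flags(path: str) -> List[str]:
    """Heuristics that apply to any executable path in the log."""
    flags = []
    low = path.lower()
    if "(file missing)" in low:
        flags.append("file-missing")       # registration outlived the binary
    if any(marker in low for marker in TEMP_MARKERS):
        flags.append("runs-from-temp")     # legitimate services rarely live in Temp
    if "%" in low:
        flags.append("env-var-path")       # expands at runtime; resolve before judging
    return flags


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for an O4/O23 line, or None for any other line."""
    m = O23_RE.match(line)
    if m:
        finding = Finding(line, "service", m["name"], m["path"], _path_flags(m["path"]))
        if m["owner"].strip().lower() == "unknown owner":
            finding.flags.append("unknown-owner")   # no publisher info: verify by hand
        if any(h in (m["name"] + m["path"]).lower() for h in REMOTE_ACCESS_HINTS):
            finding.flags.append("remote-access")   # not malware, but exposure to confirm
        return finding
    m = O4_RE.match(line)
    if m:
        return Finding(line, "autorun", m["value"], m["cmd"], _path_flags(m["cmd"]))
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse every line and keep only the entries that raised at least one flag."""
    findings = []
    for raw in log_text.splitlines():
        finding = parse_line(raw.strip())
        if finding is not None and finding.flags:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {', '.join(f.flags)}")
```

Run over the sample, the NOD32 service passes silently while the hpdj service is reported with three flags at once (missing binary, Temp location, unknown owner), which is the combination worth a closer look; the VNC and rpcapd services come back only as remote-access entries to confirm with the machine's owner.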

tashi
2007-04-11, 09:50
Hello.

Your log shows: Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:03:40, on 03.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

"BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288)

At the present time, do not run Trend Micro HijackThis v2.0.0 (BETA) to produce a log for this forum, unless specifically requested, or you have a Vista Operating System.
Please READ: Which HJT Version to use (http://forums.spybot.info/showthread.php?t=12274)

Please do not post logs from HJT V2.0 Betas unless you have Vista installed as your Operating System. All others will be asked to rescan and provide a log from 1.99.1.

Once Trend Micro has their version out of Beta we will review the situation.

:spider:

tashi
2007-04-17, 00:07
This topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.