-
Welcome Guest, to the Spybot Forums! It's 2025, and we just upgraded our forum software.
Today is Safer Internet Day, and with our new forum, you can finally use passkeys to login. That was about time!
Of course, you could ask if a forum is still useful, with so many social media networks out there where you might already have an account, and met a lot of users. You can now use your login from some of those networks to log in here. And by posting here, your question and data is stored on our servers and not automatically shared with a whole social media network.
We'll also start using the forum for small bits of information, announcements and more again.
advanced keylogger
- Thread starter royakai
- Start date
tashi
Member of Team Spybot
Hi there.
Can you copy/paste the HJT log we discussed into this topic please and a helper will take a look as soon as able.
Before you post a log, and who will advise you.
Can you copy/paste the HJT log we discussed into this topic please and a helper will take a look as soon as able.
Before you post a log, and who will advise you.
advkeylog
Logfile of HijackThis v1.99.1
Scan saved at 02:25:53, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about.blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = about.blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://arcaonline.arcabit.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\erce\programy\PhotoshopCS\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\erce\programy\PhotoshopCS\PhotoshopElementsDeviceConnect.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
tashi said:Hi there.
Can you copy/paste the HJT log we discussed into this topic please and a helper will take a look as soon as able.
Before you post a log, and who will advise you.
Logfile of HijackThis v1.99.1
Scan saved at 02:25:53, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about.blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = about.blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://arcaonline.arcabit.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\erce\programy\PhotoshopCS\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\erce\programy\PhotoshopCS\PhotoshopElementsDeviceConnect.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
LonnyRJones
Security Expert-Emeritus
Hi
It doesnt appear to be still running , It would have looked like this in a HJT log
C:\WINDOWS\IDDE\kmonitor.exe
C:\WINDOWS\SYSTEM\svchost.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
Are you saying it is still present after your PCguard and ad-aware fix it ?
It doesnt appear to be still running , It would have looked like this in a HJT log
C:\WINDOWS\IDDE\kmonitor.exe
C:\WINDOWS\SYSTEM\svchost.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
Are you saying it is still present after your PCguard and ad-aware fix it ?
LonnyRJones
Security Expert-Emeritus
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
LonnyRJones said:
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
advkeylog
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
LonnyRJones said:
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
LonnyRJones
Security Expert-Emeritus
What process do you suspect ?
Copy the contents of the quote box (not including the word quote) below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Copy the contents of the quote box (not including the word quote) below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Run check.bat and post back with the text that will open
advkeylog
Originally Posted by LonnyRJones
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
thanks,
yes, mostly I know how to "surf' throughout registry, but what do you mean under letter 'B', the second file on list? There are only 'Default' (icmui.dll), and 'ThreadingModel' (Apartment)
abou IDDE - it doesn't exist any longer; I saw it in report of 5th March;
I don't see svchost in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
which process should I kill, because that is what blocks to delete it, I think?
LonnyRJones said:
Originally Posted by LonnyRJones
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
thanks,
yes, mostly I know how to "surf' throughout registry, but what do you mean under letter 'B', the second file on list? There are only 'Default' (icmui.dll), and 'ThreadingModel' (Apartment)
abou IDDE - it doesn't exist any longer; I saw it in report of 5th March;
I don't see svchost in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
which process should I kill, because that is what blocks to delete it, I think?
advkeylog
........................................................................................................
That's it:
03/04/2006 8:15:05.01
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}\InprocServer32
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
.....................................................................................................
about a process running... I'm afraid that it is connected with one of Microsoft or my service provider's processes; if 'scvhost' is one suspected, so that's Microsoft's
I found a time ago Backdoor.Pulpit often used by Microsoft put together with their updates... Problem is over, but...
I see 5 svchost.exe processes in my TaskManager running. All of them by Microsoft. Yesterday, when I checked for updates for my PCGuard, an info started to appear that PCG cannot to delete the 'advanced KEYLOGGER'. It was the same when I was searching for suspected files on my disc - I saw the same info from time to time...
kind regards
royakai
LonnyRJones said:
........................................................................................................
That's it:
03/04/2006 8:15:05.01
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}\InprocServer32
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
.....................................................................................................
about a process running... I'm afraid that it is connected with one of Microsoft or my service provider's processes; if 'scvhost' is one suspected, so that's Microsoft's
I found a time ago Backdoor.Pulpit often used by Microsoft put together with their updates... Problem is over, but...
I see 5 svchost.exe processes in my TaskManager running. All of them by Microsoft. Yesterday, when I checked for updates for my PCGuard, an info started to appear that PCG cannot to delete the 'advanced KEYLOGGER'. It was the same when I was searching for suspected files on my disc - I saw the same info from time to time...
kind regards
royakai
advkeylog
wow!
probably I've done it!!!
I denied system control over ThreadingModel (Apartment), and Default (imcui.dll), and allowed Administrator and user to set control over it, and...
I deleted it from registry!!!
I'm going to check it by PCGuard and AdAware to see the results...
By the way - what do you think about it?
Could you explain how advanced keyloggers work?
LonnyRJones said:
wow!
probably I've done it!!!
I denied system control over ThreadingModel (Apartment), and Default (imcui.dll), and allowed Administrator and user to set control over it, and...
I deleted it from registry!!!
I'm going to check it by PCGuard and AdAware to see the results...
By the way - what do you think about it?
Could you explain how advanced keyloggers work?
LonnyRJones
Security Expert-Emeritus
Sounds as if the registry keys permisions were messed up, You solved it by changing them, then was able to delete the key.
You understand ? , it was not some process keeping it there.
You understand ? , it was not some process keeping it there.
Advkeylog
sounds like that... so, who could did it? I bought PC in October (wasn't new), and problem appeared first in the middle of January when PCGuard informed me many times that an advanced KEYLOGGER tries to pass its blocks, but PCG blocked it. Just after I lost internet connection, because my internet provider found that I didn't pay money for service (wrong - I paid by the way on time what I proved fast). Two weeks later, they reconnected my PC with LAN... Spybot did not see it... PCG quarantined as well as AdAware... the keylog was controled by system until today, but it wasn't me who put it into registry and changed registry values...
Another case... 2-3 months ago I was loosing connection once a day (ussualy in the morning). I thought first that the problem is with USB or modem, but I don't think so now. Recently (during the last 4 weeks) I loose connection up to 12 times a day. Short disconnection - seconds, sometimes couple of minutes...
Few hours passed since I deleted the advkeylog, and... nothing. LAN works properly.
LonnyRJones said:
sounds like that... so, who could did it? I bought PC in October (wasn't new), and problem appeared first in the middle of January when PCGuard informed me many times that an advanced KEYLOGGER tries to pass its blocks, but PCG blocked it. Just after I lost internet connection, because my internet provider found that I didn't pay money for service (wrong - I paid by the way on time what I proved fast). Two weeks later, they reconnected my PC with LAN... Spybot did not see it... PCG quarantined as well as AdAware... the keylog was controled by system until today, but it wasn't me who put it into registry and changed registry values...
Another case... 2-3 months ago I was loosing connection once a day (ussualy in the morning). I thought first that the problem is with USB or modem, but I don't think so now. Recently (during the last 4 weeks) I loose connection up to 12 times a day. Short disconnection - seconds, sometimes couple of minutes...
Few hours passed since I deleted the advkeylog, and... nothing. LAN works properly.
LonnyRJones
Security Expert-Emeritus
I cannot help with where it came from
Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see
http://forums.spybot.info/showthread.php?t=279
Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see
http://forums.spybot.info/showthread.php?t=279