View Full Version : advanced keylogger
just to resolve a problem... tashi wrote that it would be good to show my report here, so I'm doing now...
check the attachements
Hi there.
Can you copy/paste the HJT log we discussed into this topic please and a helper will take a look as soon as able. :)
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)
First put hijackthis into a permanent folder.
Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
This is necessary to ensure you have backups should anything go wrong.
Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
Double click HijackThis.exe.
Hit None Of The Above, just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click that, save the log somewhere, and copy/paste the HJT log into your own new topic.
How to copy and paste (http://www.webmasternow.com/copyandpaste.html)
Most of what hjt lists will be harmless or even required, so do not fix anything yet.
Downloads:
http://www.downloads.subratam.org/hijackthis.zip
If you are unfamiliar with zip programs get HijackThis.exe here:
http://www.merijn.org/files/HijackThis.exe
Hi there.
Can you copy/paste the HJT log we discussed into this topic please and a helper will take a look as soon as able. :)
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)
Logfile of HijackThis v1.99.1
Scan saved at 02:25:53, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about.blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = about.blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://arcaonline.arcabit.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\erce\programy\PhotoshopCS\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\erce\programy\PhotoshopCS\PhotoshopElementsDeviceConnect.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
LonnyRJones
2006-04-01, 15:29
Hi
It doesnt appear to be still running , It would have looked like this in a HJT log
C:\WINDOWS\IDDE\kmonitor.exe
C:\WINDOWS\SYSTEM\svchost.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
Are you saying it is still present after your PCguard and ad-aware fix it ?
Hi
It doesnt appear to be still running , It would have looked like this in a HJT log
C:\WINDOWS\IDDE\kmonitor.exe
C:\WINDOWS\SYSTEM\svchost.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
Are you saying it is still present after your PCguard and ad-aware fix it ?
yes it is... it's name is 'Apartment' and enclosed in HKEY_CLASSES_ROOT: CLSID\... under ServerImpro32 folder;
by the way - I'm not sure that the keylog in report is the same that the one I'm writting about
yes it is... it's name is 'Apartment' and enclosed in HKEY_CLASSES_ROOT: CLSID\... under ServerImpro32 folder;
by the way - I'm not sure that the keylog in report is the same that the one I'm writting about
in addition:
that's the last adaware report... the keylog was quarantined both by adaware and PCGuard, but PCG couldn't delete it after. AdAware is a free version, and dosen't fix such a problem so.
LonnyRJones
2006-04-02, 01:00
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
thanks,
yes, mostly I know how to "surf' throughout registry, but what do you mean under letter 'B', the second file on list? There are only 'Default' (icmui.dll), and 'ThreadingModel' (Apartment)
abou IDDE - it doesn't exist any longer; I saw it in report of 5th March;
I don't see svchost in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
thanks,
yes, mostly I know how to "surf' throughout registry, but what do you mean under letter 'B', the second file on list? There are only 'Default' (icmui.dll), and 'ThreadingModel' (Apartment)
abou IDDE - it doesn't exist any longer; I saw it in report of 5th March;
I don't see svchost in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
which process should I kill, because that is what blocks to delete it, I think?
which process should I kill, because that is what blocks to delete it, I think?
I have some suspicious, but no proof...
LonnyRJones
2006-04-02, 15:30
What process do you suspect ?
Copy the contents of the quote box (not including the word quote) below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
(Echo %DATE% %TIME%
sc query svchost
sc query svchostQuarantine
reg query HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
)>logit.txt 2>&1
start notepad logit.txt
Run check.bat and post back with the text that will open
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
Originally Posted by LonnyRJones
These are what it created for me, Are you comfortable working in the registry ?
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
thanks,
yes, mostly I know how to "surf' throughout registry, but what do you mean under letter 'B', the second file on list? There are only 'Default' (icmui.dll), and 'ThreadingModel' (Apartment)
abou IDDE - it doesn't exist any longer; I saw it in report of 5th March;
I don't see svchost in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
c:\WINDOWS\IDDE < folder
c:\WINDOWS\system\MSIDLLSI.DAT
c:\WINDOWS\system\setup.log
c:\WINDOWS\system\svchost.exe
c:\WINDOWS\system32\TMLib.dll
c:\WINDOWS\system32\TMUtils.dll
c:\WINDOWS\ddemal.bin
c:\WINDOWS\tm-log.log
There are no files showed above in my computer even I use mode that shows hidden files...
I cannot to simply delete this:
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850} - ThreadingModel (Apartment)
'unable to delete all specified values'...
joke?
which process should I kill, because that is what blocks to delete it, I think?
What process do you suspect ?
Copy the contents of the quote box (not including the word quote) below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Run check.bat and post back with the text that will open
........................................................................................................
That's it:
03/04/2006 8:15:05.01
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
HKEY_CLASSES_ROOT\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}\InprocServer32
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
.....................................................................................................
about a process running... I'm afraid that it is connected with one of Microsoft or my service provider's processes; if 'scvhost' is one suspected, so that's Microsoft's
I found a time ago Backdoor.Pulpit often used by Microsoft put together with their updates... Problem is over, but...
I see 5 svchost.exe processes in my TaskManager running. All of them by Microsoft. Yesterday, when I checked for updates for my PCGuard, an info started to appear that PCG cannot to delete the 'advanced KEYLOGGER'. It was the same when I was searching for suspected files on my disc - I saw the same info from time to time...
kind regards
royakai
[QUOTE=LonnyRJones]What process do you suspect ?
alg.exe - it was installed during the same time when I started to see the first informations that 'advanced KEYLOGGER' want to go through...
It's Microsoft's one...
What process do you suspect ?
Copy the contents of the quote box (not including the word quote) below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Run check.bat and post back with the text that will open
wow!
probably I've done it!!!
I denied system control over ThreadingModel (Apartment), and Default (imcui.dll), and allowed Administrator and user to set control over it, and...
I deleted it from registry!!!
I'm going to check it by PCGuard and AdAware to see the results...
By the way - what do you think about it?
Could you explain how advanced keyloggers work?
wow!
probably I've done it!!!
I denied system control over ThreadingModel (Apartment), and Default (imcui.dll), and allowed Administrator and user to set control over it, and...
I deleted it from registry!!!
I'm going to check it by PCGuard and AdAware to see the results...
By the way - what do you think about it?
Could you explain how advanced keyloggers work?
...
ok, that problem is over... nor PCG neither AdAware see it any longer...
thanks a lot for your time
do you have any comments?
I hope that it was helpful for other users. However, I still don't know who sender was...
LonnyRJones
2006-04-03, 15:00
Sounds as if the registry keys permisions were messed up, You solved it by changing them, then was able to delete the key.
You understand ? , it was not some process keeping it there.
Sounds as if the registry keys permisions were messed up, You solved it by changing them, then was able to delete the key.
You understand ? , it was not some process keeping it there.
sounds like that... so, who could did it? I bought PC in October (wasn't new), and problem appeared first in the middle of January when PCGuard informed me many times that an advanced KEYLOGGER tries to pass its blocks, but PCG blocked it. Just after I lost internet connection, because my internet provider found that I didn't pay money for service (wrong - I paid by the way on time what I proved fast). Two weeks later, they reconnected my PC with LAN... Spybot did not see it... PCG quarantined as well as AdAware... the keylog was controled by system until today, but it wasn't me who put it into registry and changed registry values...
Another case... 2-3 months ago I was loosing connection once a day (ussualy in the morning). I thought first that the problem is with USB or modem, but I don't think so now. Recently (during the last 4 weeks) I loose connection up to 12 times a day. Short disconnection - seconds, sometimes couple of minutes...
Few hours passed since I deleted the advkeylog, and... nothing. LAN works properly.
LonnyRJones
2006-04-03, 18:53
I cannot help with where it came from
Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see
http://forums.spybot.info/showthread.php?t=279
I cannot help with where it came from
Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see
http://forums.spybot.info/showthread.php?t=279
cheers
royakai
LonnyRJones
2006-04-05, 01:21
Im Glad we could help royakai
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.
Im Glad we could help royakai
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.
ok
that problem is over;
I wrote before that LAN works properly since I deleted advkeylog, but no - I still loose connection...
kind regards
LonnyRJones
2006-04-05, 07:09
Hi
I do not think any connection/lan problems was coused by advanced keyloger. If you need help ask in a more general area of a forum.
Good luck