Should I panic or not??

KraFT

New member
This is what SPYBOT found.
Should I panic or not??
Please, if anyone can shed some light on this...
Are these just traces, or?
Thanks!!!!
(XP+all updates, Spybot 1.4 + all updates)


*******************************************************
keylogger: Company: Next Generation Count
Product: NGC PC & Internet Monitor
Threat: Keylogger
Company product URL: http://www.nextgen.dk/
Functionality: Monitors keystrokes, internet activity, applications.
Description: Stealth, sends log by email or file (network).

NGC PC & Internet Monitor
*******************************************************
NGC PC & Internet Monitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\LockX.Lock

NGC PC & Internet Monitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{729E478E-E746-11D5-9B2D-525405F95A4C}

NGC PC & Internet Monitor: Interface (Lock) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{1918B48D-4585-4CFC-A51C-D5481EAE2E22}

NGC PC & Internet Monitor: Interface (Lock) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{B135FACD-1C0C-467A-85B5-441684C04773}

NGC PC & Internet Monitor: Type library (LockX) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{729E478C-E746-11D5-9B2D-525405F95A4C}
*******************************************************
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:03:40, on 03.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Alati\Zashtita\Nod32\nod32krn.exe
C:\Alati\Perfect Disk\PDAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Alati\Logitech\iTouch\iTouch.exe
C:\Alati\Zashtita\Nod32\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Dizajn\PDF\Print2PDF\PrnPack.exe
C:\Link\DUmeter\DUMeter.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Alati\TClock\tclock.exe
C:\Link\Skype\Phone\Skype.exe
C:\Link\Trillian\trillian.exe
C:\Link\mIRC\mirc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Alati\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Alati\totalcmd\TOTALCMD.EXE
c:\Link\Download\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\dizajn\pdf\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Alati\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Alati\Zashtita\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Dizajn\PDF\Print2PDF\PrnPack.exe" /server
O4 - HKLM\..\Run: [DU Meter] C:\Link\DUmeter\DUMeter.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: tclock.lnk = C:\Alati\TClock\tclock.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Link\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Link\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Link\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Link\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Link\Yahoo Msngr\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Link\Yahoo Msngr\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155506964484
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B659B31F-5F46-43A6-B8CA-49C336ACF3EC}: NameServer = 62.162.32.5 62.162.32.6
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\KraFT\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Alati\Zashtita\Nod32\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Alati\Perfect Disk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Alati\Perfect Disk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Link\RealVNC4\WinVNC4.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\Media\ATI\Remote\x10nets.exe (file missing)

--
End of file - 7345 bytes
 
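An added example, not part of either post in this thread: a PowerShell check for the question the original poster asks (live install or leftover trace). Spybot reported the registry keys but says "nothing done", so the keys are still there to inspect. A COM class is only usable if its `InprocServer32` or `LocalServer32` default value names a file that exists on disk, and a type library only if its `win32` (or `win64`) entry does; registrations whose targets are gone are orphaned traces. The two GUIDs are copied from the Spybot report above; the function names are mine. Assumes PowerShell 3 or later, run from an administrator prompt.

```powershell
# Added example (not from the thread): check whether the COM registrations
# Spybot flagged for NGC PC & Internet Monitor still resolve to a file on disk.
# Assumes PowerShell 3 or later, run as an administrator.

# GUIDs copied from the Spybot report above.
$Clsids   = @('{729E478E-E746-11D5-9B2D-525405F95A4C}')
$TypeLibs = @('{729E478C-E746-11D5-9B2D-525405F95A4C}')

# Strip the quotes around a registered server path (LocalServer32 values are
# often quoted and followed by arguments) and expand %SystemRoot%-style variables.
function Resolve-RegisteredPath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $path = if ($Raw -match '^"([^"]+)"') { $Matches[1] } else { $Raw }
    [Environment]::ExpandEnvironmentVariables($path)
}

# A CLSID is live only if InprocServer32 or LocalServer32 points at an existing file.
function Get-ComServerTarget {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($kind in 'InprocServer32', 'LocalServer32') {
        $key = "HKLM:\Software\Classes\CLSID\$Clsid\$kind"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $target = Resolve-RegisteredPath (Get-ItemProperty -LiteralPath $key).'(default)'
        $exists = if ($target) { Test-Path -LiteralPath $target } else { $false }
        [pscustomobject]@{ Key = $key; Target = $target; Exists = $exists }
    }
}

# A type library registers its file under <version>\<lcid>\win32 (or win64).
function Get-TypeLibTarget {
    param([Parameter(Mandatory)][string]$TypeLib)
    $base = "HKLM:\Software\Classes\TypeLib\$TypeLib"
    if (-not (Test-Path -LiteralPath $base)) { return }
    Get-ChildItem -LiteralPath $base -Recurse |
        Where-Object { $_.PSChildName -match '^win(32|64)$' } |
        ForEach-Object {
            $target = Resolve-RegisteredPath (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            $exists = if ($target) { Test-Path -LiteralPath $target } else { $false }
            [pscustomobject]@{ Key = $_.Name; Target = $target; Exists = $exists }
        }
}

$results = @($Clsids   | ForEach-Object { Get-ComServerTarget -Clsid $_ }) +
           @($TypeLibs | ForEach-Object { Get-TypeLibTarget  -TypeLib $_ })

if ($results | Where-Object { $_.Exists }) {
    'At least one registration points at an existing file: treat the monitor as installed, not as a trace.'
} else {
    'No registration resolves to a file on disk: these keys are orphaned traces.'
}
$results | Format-Table -AutoSize
```

Two caveats. The check covers only the HKLM keys Spybot listed; a per-user install registers the same classes under `HKCU\Software\Classes`, so run it against that hive too before concluding "trace". And a missing server file says nothing about the other persistence points in the HijackThis log (services, Run keys), which have to be judged on their own.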
Hello.

Your log shows: Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:03:40, on 03.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

"BEFORE you POST"
At the present time, do not run Trend Micro HijackThis v2.0.0 (BETA) to produce a log for this forum, unless specifically requested, or you have a Vista Operating System.
Please READ: Which HJT Version to use
Please do not post logs from HJT V2.0 Beta's unless you have Vista installed as your Operating System. All others will be asked to rescan and provide a log from 1.99.1

Once Trend Micro has their version out of Beta we will review the situation.

:spider:
 