Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Keylogger problem

Post by shellycu1425 » August 2nd, 2009, 8:54 am

Recently I had a keylogger look into emails of mine that I had deleted and emptied from May '09. The person decided to pick one of my emails and send it to someone, which caused a great deal of grief. I had the computer completely reformatted; now I am scared this could happen again and I'd like to post my recent log from HijackThis. Perhaps you could let me know if there is something I should always be aware of. I'm running Windows XP Pro; this is a home computer and single-person use. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 8:43:27 AM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://81.130.200.130/SysCamInst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8195464601
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://eilandonan.remotemanager.co.uk/c ... Render.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am
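Added example for this thread, not HijackThis code and not the forum's own checklist: a small parser that reads the O2/O4/O20/O23 lines of a HijackThis log like the one above and lists the entries a helper reads first. The sample lines are copied from the posted log, plus one constructed O4 line (marked in the code) showing an autostart from the user's Temp folder. The three flagging rules, a referenced file that is missing, a start location outside the Windows and Program Files trees, and a service with no publisher recorded, are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log for the entries worth a second look.

Added example for the thread above; not HijackThis code. Sample lines are
copied from the posted log, plus one constructed O4 line (marked below).
The flagging rules are assumptions of this example, not HJT's own logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe
"""
# The final O4 line above is constructed for this example; it is not in the posted log.

# Where legitimately installed components live on this XP box (assumption:
# Windows at C:\WINDOWS, as the log shows). Autostarts from elsewhere
# (user profile, Temp, drive root) get flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\",
                 "%systemroot%\\", "%windir%\\")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
PATTERNS = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    # HJT omits the "(ServiceName)" part when it equals the display name.
    "O23": re.compile(r"^Service: (?P<name>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$"),
}
# First token ending in an executable extension, stopping at a quote or space.
IMAGE_RE = re.compile(r'(.*?\.(?:exe|dll|sys|ocx|cpl|scr))(?:[\s"]|$)', re.I)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str


def image_path(raw: str) -> str:
    """Reduce an HJT value to the file it points at: drop the 'file missing'
    marker, surrounding quotes and trailing arguments."""
    raw = raw.replace("(file missing)", "").strip()
    if raw.startswith('"'):
        return raw[1:].split('"', 1)[0].strip()
    m = IMAGE_RE.match(raw)
    return m.group(1).strip() if m else raw


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["sec"] not in PATTERNS:
            continue
        sec = m["sec"]
        entry = PATTERNS[sec].match(m["body"])
        if not entry:
            findings.append(Finding(sec, "?", m["body"], "entry did not parse; read it by hand"))
            continue
        path = image_path(entry["path"])
        if "(file missing)" in entry["path"] or path == "(no file)":
            findings.append(Finding(sec, entry["name"], path, "orphaned entry: referenced file is missing"))
        elif not path.lower().startswith(TRUSTED_ROOTS):
            findings.append(Finding(sec, entry["name"], path, "autostart from an unusual location"))
        if sec == "O23" and entry["owner"].lower() == "unknown owner":
            findings.append(Finding(sec, entry["name"], path, "service with no publisher recorded"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:45} {f.name} -> {f.path}")
```

Running it flags the orphaned O2 and O20 entries, the constructed Temp autostart, and the Java Quick Starter service twice (missing file, unknown owner). The log's own process list shows jqs.exe running, so a "file missing" hit is a lead to verify on disk, not a verdict on its own.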

Re: Keylogger problem

Post by Sharagoz » August 4th, 2009, 5:24 pm

Hello shellycu1425, welcome to MWR

The first thing you should do is to subscribe to this topic.
In the top left corner of your opening post there is a link called Subscribe topic. If you click it you will be subscribed to this thread and will receive instant email notification of new replies. Most find that this works better than periodically checking back here to see if there's any new posts.

The second thing you should do is to take a backup of everything you have on the computer that's important not to lose.
I will do my best to ensure a safe removal procedure (if anything is found), but it does happen on rare occasions that computers do not make it through disinfection and must be reinstalled.

Perhaps you could let me know if there is something I should always be aware of
I will give you a tutorial on how to protect yourself from malware, but first let's run some scans and see if your computer is currently clean.

1) Download and run DDS by sUBs
  • Download DDS from one of the links below and save it to your desktop
    Link1 | Link2 | Link3
  • Double-click the file to run the tool
  • A black window will stay open while the tool runs
  • Wait for the scan to finish (this will only take a couple of minutes), and two logs to open in separate notepad documents
  • Include both these logs in your next reply

2) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Keylogger problem

Post by shellycu1425 » August 4th, 2009, 5:53 pm

I'm sorry I couldn't see the subscribe link you told me to click, just the unsubscribe at the top left of my post. Here are the logs you requested. I'm not too savvy I'm afraid.....I saved the 3 logs to my desktop, how do I include them in this answer?
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am

Re: Keylogger problem

Post by Sharagoz » August 4th, 2009, 7:04 pm

I'm sorry I couldn't see the subscribe link you told me to click, just the unsubscribe at the top left of my post
If the link says "Unsubscribe", then it means you are already subscribed :)

I saved the 3 logs to my desktop, how do I include them in this answer?
Just open the logs, and then copy the text directly into the post.
Don't attach them like you did before.

I'm not too savvy I'm afraid
That's no problem. If you need more details, feel free to ask.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Keylogger problem

Post by shellycu1425 » August 4th, 2009, 8:32 pm

We'll try this again. Let me know if you received all this, thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 5:45:42 PM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://81.130.200.130/SysCamInst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8195464601
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://eilandonan.remotemanager.co.uk/c ... Render.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 17:39:08.76 on Tue 08/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.317 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.my.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://81.130.200.130/SysCamInst.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 8195464601
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.wrexham.gov.uk/webcam/AxisCamControl.bin
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://eilandonan.remotemanager.co.uk/c ... Render.ocx
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-22 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-22 55640]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2009-7-21 9344]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]

=============== Created Last 30 ================

2009-08-02 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-02 20:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-02 20:07 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-08-02 20:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-02 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-08-02 09:02 <DIR> --d----- c:\program files\Security Task Manager
2009-08-02 08:39 <DIR> --d----- c:\program files\Trend Micro
2009-08-01 16:32 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-01 09:10 <DIR> --d----- c:\program files\CCleaner
2009-07-28 17:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-28 17:39 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-26 21:17 <DIR> --d----- c:\documents and settings\user\Tracing
2009-07-26 21:15 <DIR> --d----- c:\program files\Microsoft
2009-07-26 21:15 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-26 20:56 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-26 20:56 380,928 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-07-26 20:56 268,288 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-26 20:56 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-26 20:56 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-07-26 20:56 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-07-26 20:56 2,452,872 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-07-26 20:56 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-07-26 20:56 6,067,200 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-25 18:04 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-25 18:04 208,744 a------- c:\windows\system32\muweb.dll
2009-07-25 18:04 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-25 06:14 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-24 22:26 488 a------- C:\hpfr5550.xml
2009-07-24 22:23 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-07-24 22:23 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-07-24 22:23 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-07-24 22:23 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-07-24 22:21 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-07-24 22:14 19,558 a------- c:\windows\hpoins01.dat
2009-07-24 22:14 16,606 -------- c:\windows\hpomdl01.dat
2009-07-24 22:13 <DIR> --d----- c:\temp\HP All-in-One Series Web Release
2009-07-24 22:13 <DIR> --d----- C:\temp
2009-07-24 07:12 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-07-24 07:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 07:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-24 07:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-24 07:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 13:25 <DIR> --d----- c:\windows\pss
2009-07-23 13:11 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-07-23 13:11 21,504 a------- c:\windows\system32\hidserv.dll
2009-07-23 13:11 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-07-23 13:11 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-07-23 13:10 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-07-23 13:10 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-07-22 10:09 32,656 a------- c:\windows\system32\msonpmon.dll
2009-07-22 10:00 <DIR> --d----- c:\windows\SHELLNEW
2009-07-22 09:01 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-22 09:01 <DIR> --d----- c:\program files\Avira
2009-07-22 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-21 13:46 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-07-21 13:34 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-21 13:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-21 13:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-21 13:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-21 13:33 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-07-21 13:33 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-21 13:33 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-21 13:33 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-21 13:33 <DIR> --d----- C:\763444c5766d0ff90a85b8ef2ca157
2009-07-21 13:27 <DIR> --d----- c:\windows\system32\URTTemp
2009-07-21 13:05 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-07-21 13:05 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-07-21 13:05 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-07-21 13:05 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-07-21 13:05 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-07-21 13:05 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-07-21 13:05 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-07-21 13:05 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-21 13:05 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-07-21 13:05 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-21 13:04 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-21 13:04 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-21 13:04 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-21 13:04 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-21 13:04 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-07-21 13:04 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-07-21 13:03 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-21 13:02 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-07-21 13:02 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-07-21 13:02 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-07-21 13:02 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-07-21 13:01 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-21 13:01 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-07-21 13:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-21 13:00 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-21 12:58 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-07-21 12:58 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-07-21 12:58 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-07-21 12:58 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-07-21 12:58 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-21 12:57 <DIR> --dsh--- c:\documents and settings\user\UserData
2009-07-21 12:54 316,640 a------- c:\windows\WMSysPr9.prx
2009-07-21 12:54 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-07-21 12:52 <DIR> --ds---- c:\windows\system32\Microsoft
2009-07-21 12:01 2,113,536 -------- c:\windows\system32\dxdiagn.dll
2009-07-21 11:58 <DIR> --d----- c:\windows\ServicePackFiles
2009-07-21 11:58 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2009-07-21 11:54 19,569 a------- c:\windows\002620_.tmp
2009-07-21 11:53 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-07-21 11:53 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-07-21 11:50 <DIR> --d----- c:\windows\EHome
2009-07-21 11:40 13,646 a------- c:\windows\system32\wpa.bak
2009-07-21 11:31 <DIR> --dsh--- c:\windows\Installer
2009-07-21 11:31 <DIR> --d----- c:\documents and settings\User
2009-07-21 11:30 8,192 a------- c:\windows\REGLOCS.OLD
2009-07-21 11:27 229,439 ac------ c:\windows\system32\dllcache\multibox.dll
2009-07-21 11:26 108,827 ac------ c:\windows\system32\dllcache\hanja.lex
2009-07-21 11:25 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-07-21 11:25 <DIR> --d----- c:\windows\system32\xircom
2009-07-21 11:25 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-07-21 11:25 <DIR> --d----- C:\DELL
2009-07-21 11:21 24,576 a------- c:\windows\system32\xpsp1hfm.exe
2009-07-21 11:19 2,577 a------- c:\windows\system32\CONFIG.NT
2009-07-21 11:19 0 a------- c:\windows\control.ini
2009-07-21 11:19 25,065 a------- c:\windows\system32\wmpscheme.xml
2009-07-21 11:19 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-21 11:19 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-21 11:19 299,552 a------- c:\windows\WMSysPrx.prx
2009-07-21 11:18 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-21 11:18 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-07-21 11:18 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-07-21 11:18 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-07-21 11:18 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-07-21 11:17 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-07-21 11:17 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-07-21 11:17 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-07-21 11:17 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-07-21 11:17 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-07-21 11:17 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-07-21 11:17 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-07-21 11:17 <DIR> --d----- c:\windows\system32\DirectX
2009-07-21 11:16 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-21 11:15 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-21 11:15 <DIR> --d----- c:\program files\Online Services
2009-07-21 11:14 <DIR> --d----- c:\program files\Messenger
2009-07-21 11:14 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-21 11:14 <DIR> --d----- c:\program files\Windows NT
2009-07-21 07:07 <DIR> --d----- c:\program files\common files\ODBC
2009-07-21 07:06 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-21 07:06 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-07-21 12:04 80,943 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-21 11:15 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-29 12:12 78,336 -------- c:\windows\system32\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am

Re: Keylogger problem

Post by Sharagoz » August 5th, 2009, 10:21 am

The HijackThis log and the first DDS log were posted correctly, but you didn't include the 2nd DDS log.

That's not a big problem, I'll give you another way of getting the log:
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Check both boxes next to Generate StartupList log
  • Click the Generate Startuplist Log button.
  • Include this log in your next post
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Keylogger problem

Post by shellycu1425 » August 5th, 2009, 8:47 pm

I will send along what you asked for, sorry I didn't include it in the last post, new to all of this. From all that I have sent you can you see anything fishy or anything at all I should know about?
Thank you

StartupList report, 8/5/2009, 8:44:52 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16876)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avgnt = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 2200 series#1248488745.job

--------------------------------------------------

Enumerating Download Program Files:

[Panasonic Network Camera]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ipv6cam.ocx
CODEBASE = http://81.130.200.130/SysCamInst.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupda ... 8195464601

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.bin
CODEBASE = http://www.wrexham.gov.uk/webcam/AxisCamControl.bin

[MJPEGRender Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MJPEGR~1.OCX
CODEBASE = http://eilandonan.remotemanager.co.uk/c ... Render.ocx

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab

[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,140 bytes
Report generated in 0.060 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am

Re: Keylogger problem

Unread postby Sharagoz » August 6th, 2009, 3:12 pm

I'm sorry, I gave you the instructions for the wrong type of log >_<
What I was looking for was an uninstall list.
Please do the below before we proceed.

Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Include this log in your next reply

From all that I have sent you can you see anything fishy or anything at all I should know about?
I didn't see anything out of the ordinary from a quick glance at your logs. I will do a thorough analysis once I have the uninstall list.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway
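The "quick glance" above is the manual log review a helper does on every HijackThis log. As an added example (not HijackThis code and not the helper's own method), here is a small Python triage pass over constructed HijackThis-style lines modelled on the entries posted in this thread; it flags the items a reviewer checks first rather than declaring anything malicious. The vendor allowlist, the user-writable path markers and the "example-updater" Run entry are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, modelled on the HijackThis 1.99.1 entries posted in this thread.
# The "example-updater" Run entry is a constructed placeholder that did not appear in
# the thread; it is here only to exercise the user-writable-folder rule.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example-updater] C:\Documents and Settings\user\Application Data\example-updater.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://81.130.200.130/SysCamInst.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Assumed allowlist: vendor hosts that served the O16 (DPF) controls seen in the thread.
KNOWN_DPF_HOSTS = {
    "update.microsoft.com",
    "download.eset.com",
    "download.macromedia.com",
    "platformdl.adobe.com",
}

# Assumed markers for user-writable locations a Run entry rarely needs to point into.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2})\s*-\s*(?P<body>.+)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Entry:
    kind: str                 # HijackThis section code, e.g. "O16"
    body: str                 # text after "O16 - "
    flags: List[str] = field(default_factory=list)


def parse_entries(log_text: str) -> List[Entry]:
    """Keep only the R*/O* entry lines; process lists and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def flag_entry(entry: Entry) -> None:
    """Attach review prompts. Every flag is a 'verify this', not a verdict."""
    body, lower = entry.body, entry.body.lower()
    if "(file missing)" in lower:
        # A quoted service path with arguments can also trip this, so confirm on disk.
        entry.flags.append("dead entry: referenced file is missing (clean-up candidate)")
    if entry.kind == "O16":
        m = URL_RE.search(body)
        host = m.group("host").lower() if m else ""
        if IPV4_RE.fullmatch(host):
            entry.flags.append(f"ActiveX control downloaded from a bare IP ({host}); confirm the source")
        elif host and host not in KNOWN_DPF_HOSTS:
            entry.flags.append(f"ActiveX control from non-vendor host ({host}); confirm it is expected")
    if entry.kind == "O20" and "\\system32\\" not in lower:
        entry.flags.append("Winlogon Notify DLL outside System32; match it to installed software")
    if entry.kind == "O23" and "unknown owner" in lower:
        entry.flags.append("service has no publisher; verify the binary belongs to installed software")
    if entry.kind == "O4" and any(mk in lower for mk in USER_WRITABLE_MARKERS):
        entry.flags.append("autorun points into a user-writable folder; verify the program")


def triage(log_text: str) -> List[Entry]:
    entries = parse_entries(log_text)
    for e in entries:
        flag_entry(e)
    return entries


def flagged(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.flags]


def report(log_text: str) -> str:
    lines = []
    for e in flagged(log_text):
        lines.append(f"{e.kind} - {e.body}")
        lines.extend(f"    -> {f}" for f in e.flags)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```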

Re: Keylogger problem

Unread postby shellycu1425 » August 6th, 2009, 4:26 pm

Here you go, hope this is what you need.

Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Avira AntiVir Personal - Free Antivirus
AXIS Media Control Embedded
CCleaner (remove only)
Choice Guard
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2200 series
hp psc 2200 series
Java(TM) 6 Update 14
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSVCRT
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
Spell Checker For OE 2.1
SUPERAntiSpyware Professional
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Service Pack 3
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am

Re: Keylogger problem

Unread postby Sharagoz » August 6th, 2009, 5:00 pm

So far so good.

You also need to temporarily disable Avira AntiVir before the next 3 steps.
Right-click on the Avira icon in the system tray (white umbrella on red background), and remove the checkmark next to AntiVir Guard enable.

1) Run Malwarebytes Anti-Malware
  • You already have MBAM installed
  • Launch it and press Check for updates
  • Select Perform quick scan, then click Scan to start scanning
    (This scan is normally completed in less than 10 minutes)
  • When the scan is complete, click OK, then Show Results to view the results
  • Make sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Include this log in your next reply

2) Run ESET's online scanner
  • Go here using Internet Explorer:
    http://www.eset.com/onlinescan/run_scanner.php
  • Put a checkmark next to Yes, I accept the Terms of Use and click the Start button
  • If prompted about installing ActiveX, allow it and click Install
  • If there is a checkmark next to Remove found threats, remove the checkmark and then click Start
  • The scanner will initialize and then start scanning. It will normally take 0.5 - 2 hours to complete.
  • When the scan has finished, close Internet Explorer
  • A log will be located here
    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Include this log in your next reply

3) Download and run RootRepeal
  • Download RootRepeal from here
  • Extract RootRepeal.exe from the RAR file, and save it to your desktop
  • Run RootRepeal.exe
  • Click the Report tab at the bottom of the window
  • Click the Scan button, and in the Select Scan dialog, put a checkmark next to everything
  • Click the OK button and in the Select Drives dialog, put a checkmark next to every drive
  • Click OK to start the scan
  • RootRepeal will start scanning. Wait for it to finish. It can take a while depending on how many drives, how many files, how many folders...etc. Be patient.
  • When it finishes, click Save Report and save it somewhere you can easily find it, and then include this report in your next reply

Enable Avira again after this step by right-clicking on its icon and choosing AntiVir Guard enable.

4) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
MBAM log
ESET log
RootRepeal log
HJT log
Last edited by Sharagoz on August 6th, 2009, 6:20 pm, edited 1 time in total.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Keylogger problem

Unread postby shellycu1425 » August 6th, 2009, 5:54 pm

I'm not running Vista, I'm running Windows XP Pro.
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am

Re: Keylogger problem

Unread postby Sharagoz » August 6th, 2009, 6:22 pm

Ah, sorry.
I edited the instructions to have the first step removed.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Keylogger problem

Unread postby shellycu1425 » August 8th, 2009, 9:15 pm

Here are the latest scans as per your request. Order might be mixed up... sorry.

Malwarebytes' Anti-Malware 1.40
Database version: 2581
Windows 5.1.2600 Service Pack 3

8/8/2009 7:32:27 PM
mbam-log-2009-08-08 (19-32-27).txt

Scan type: Quick Scan
Objects scanned: 90579
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
__________________________________________________________
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=7382918806db34449702a5f8b342b61c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-09 12:07:07
# local_time=2009-08-08 08:07:07 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 440087086960
# scanned=26127
# found=0
# cleaned=0
# scan_time=1180
______________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:08:21 PM, on 8/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://81.130.200.130/SysCamInst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8195464601
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://cam1.east-ayrshire.gov.uk//activex/AMC.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://eilandonan.remotemanager.co.uk/c ... Render.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
________________________________________________________
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/08 20:43
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2F73000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A76000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_HAL
Image Path: \Driver\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2C0F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c62256

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8c6224c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8c6225b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8c62265

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8c6226a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c62238

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8c6223d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8c62274

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8c6226f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8c62260

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8c62247

==EOF==
shellycu1425
Active Member
 
Posts: 7
Joined: August 2nd, 2009, 8:36 am

Re: Keylogger problem

Unread postby Sharagoz » August 9th, 2009, 12:27 pm

All your logs are clean!
(Which is to be expected after doing a complete OS reinstall. I always recommend reinstalling when something as nasty as a keylogger is on a computer btw, so I think you made the right decision.)
Unless you have discovered new problems, it's time to do the final steps.

Cleaning up after the tools we installed
  • 1) Uninstall through Add/Remove Programs
    • Locate and uninstall the below programs unless you want to keep some of them for future usage:
      HiJackThis
      ESET Online Scanner
  • 2) Other deletions
    • You can delete the files and folders below
      dds.com (on your desktop)
      RootRepeal.exe (on your desktop)
      settings.dat (on your desktop, belongs to RootRepeal)

Taking measures to prevent your computer from being infected again
    Now that your computer is free from malware, you may want to know how you can prevent this from happening again.
    Below I'm quoting a tutorial I've written which I post to everybody I help here at MWR.
    It covers the key parts of the software side of computer security. What steps you take or don't take to increase your own computer's security is of course up to you.
    The tutorial will take a little while to get through, but I hope you find it to be worth your time. There is no need to read it if you're not interested.
    If you have any questions beyond this, feel free to ask.

    How to protect yourself from malware
    Over the last few years there has been a dramatic increase in the number of infected computers online.
    If everybody using the internet knew what I'm about to go through, this number would be significantly reduced.
    I don't have all the answers, and I can't go through every detail if the size of the tutorial is to be kept fairly short, but I'll do my best to explain the most important parts.

  • 1) Keeping your operating system up to date (windows updates)
    This is the most important security measure. With an unpatched operating system you will be defenseless even with top-notch security software.
    Malware often exploits security holes in your operating system to install itself, and keeping your OS up to date at all times will make sure this risk is at a minimum.
    Visit http://update.microsoft.com/ using Internet Explorer, and get all critical updates.
    You may have to repeat the update procedure several times before you get all updates. Repeat it until there are no more critical updates showing as missing.
    Also, I recommend you turn on automatic updates if you haven't already.

  • 2) Keeping applications up to date
    Keeping your operating system up to date is critical, but it's also important to keep your applications up to date.
    If security holes are discovered in common applications that most people use, malware writers are sure to try and exploit them to install their malicious content.
    Many applications have automatic updates. If you are asked about installing an update you should do so unless you have a good reason not to.
    There are also several online sites that offer to scan your computer for outdated software.
    One of them is provided by Secunia. This one is quick and easy to use, and will provide links to updates if outdated software is discovered.
    I recommend you go there once in a while and make sure you have your software up to date.
    Secunia's Software Inspector is located here:
    http://secunia.com/vulnerability_scanning/online/
    Visit that page, click Start Scanner and the rest should be fairly easy to figure out.

  • 3) Immunization software
    This section covers security measures which don't do any real-time scanning. All they do is block sites that host malware, sites that advertise for malware, malicious ActiveX objects, malicious browser helpers, and cookies that have been identified as bad.
    These protection measures have proven very effective against "internet related" threats and require virtually no computer resources.
    I recommend you install all of the below, regardless of what real-time scanners you use (i.e. anti-virus and such).
    - MVP hosts
      Blocks roughly 25k online domains that host or advertise malicious content.
      Will significantly reduce the chance of getting in trouble by accidentally visiting the wrong page.
    • Download hosts.zip from here and save the file to your desktop
    • Open hosts.zip and extract the file called HOSTS to the folder C:\windows\system32\drivers\etc
    • Answer Yes if asked about overwriting an existing file
    • Delete hosts.zip
    Notes:
    If you have previously added custom entries to your own hosts file, these will have to be re-added after the new hosts file is installed.
    The MVP hosts file should be downloaded and re-installed every now and then to keep it up to date.
    If you install MVP Hosts you should disable a service called "DNS client".
    If you don't, your browser(s) will take 10-60 seconds longer to start than what you are used to.
    Disabling this service will have no side-effects. Its purpose is to put domains in cache, but there is no noticeable increase in browsing speed.
    To disable the "DNS Client" service, do the following:
    • Press the Windows key and the R key at the same time to open the Run dialog box
    • Type in services.msc and press Enter to open the control panel for services
    • Right-click on "DNS client" and choose "Stop".
    • After the service has stopped, right-click on it again, choose "Properties" and set "startup type" to "disabled", press "Apply" and "OK".

    - Javacool Spywareblaster
      Multi-purpose blocker of activeX objects, browser helpers and unwanted cookies.
    • Download Spywareblaster from here and install it using default settings
    • Launch Spywareblaster
    • Click "manual updating" (automatic requires a subscription)
    • Click "updates"->"check for updates"
    • When the updates are finished downloading, click "protection status" -> "enable all protection"
    Note:
    The last two steps should be repeated from time to time to keep the protection up to date.

    - Spybot immunization
      Multi-purpose blocker of domains, activeX objects, browser helpers and unwanted cookies.
    • Download Spybot from here
    • When installing spybot, be sure to uncheck "Security center integration", "Separate secure shredder application" and "use system settings protection (teatimer)".
      These features have more cons than pros.
    • Launch Spybot
    • Click "update" -> "check for updates" and install all available updates.
    • Click "Immunize" in the left menu and then "immunize" in the right-hand window to enable the protection. (this may take a couple of minutes to finish)
    Note:
    The last two steps should be repeated from time to time to keep the protection up to date.

    After immunization you will start to notice that on some web sites advertisements are not displayed; instead it shows an icon indicating that an image couldn't be loaded or a small frame saying "the web page could not be displayed".
    The reason for this is that the immunization is blocking the site that is hosting the ads because it has been found to advertise for malicious software.
    If you try to enter a website that is being blocked, the browser will simply say "the web page could not be displayed".

  • 4) Real-time protection
    This section covers security measures that work in real time and scan computer activity as it is happening (anti-virus/anti-malware scans a file before it allows it to be opened, a firewall controls network traffic and blocks it unless you have allowed it to happen).
    This requires a lot of system resources, so what we are looking for is applications with a good detection rate and low resource usage that don't cause problems for legitimate applications.
    I have divided the real-time scanners into sub-categories and listed my recommendation for each category.

    - Anti-virus
    Note:
    Never have more than one anti-virus application installed. Installing a second one is likely to cause conflicts between the two and, apart from making your system unstable, it will reduce your security rather than increase it.

    - Anti-malware
      These applications are meant to supplement your antivirus as they are aimed specifically at detecting malicious programs.
      This can be programs designed to display advertisements (adware), track your internet surfing (spyware), give other people control over your computer (backdoors) and the like.
      Unfortunately, in the anti-malware department there aren't any great free alternatives like there are in the anti-virus department.
      If you want an anti-malware application worth using you'll need to purchase one. Here are three good alternatives:
    • Malwarebytes' Anti-Malware
    • SUPERAntiSpyware (can be tried for 14 days for free)
    • A-squared Anti-Malware (can be tried for 30 days for free)
    Note:
    You can have more than one of these running at the same time, but I don't recommend it because it only gives a small increase in security while a big increase in usage of system resources.
    These can also be run alongside a security suite.

    - 3rd party Firewall
      Modern operating systems and routers have firewalls built into them that control incoming traffic so the main reason you might want to install a 3rd party firewall is to control outgoing traffic.
      Firewalls are different from other security software as it really is a tool you need to learn how to use, rather than an automatic security solution. An anti-virus application for instance you usually just install and then it runs in the background and only alerts you if something is wrong.
      That is not the case with firewalls. It will alert you whenever something tries to connect to the internet, whether its good or bad, and then its up to you to allow or deny the request. So ultimately you are increasing the security yourself with the help of the firewall.
      If you want to have top notch security you need a 3rd party firewall and the knowledge of how to use it. This will be your last line of defense should something bad get through your immunzation, and anti-virus/anti-malware protection.
      It enables you to prevent a trojan downloader from downloading malware to your computer should you end up with one, or prevent malware from sending personal information after it has collected it.
      However, firewalls can be difficult to use properly. When the firewall prompts you with "should xxx be allowed to connect to the internet?" you need to be able to decide whether xxx is good or bad. Most people who use a 3rd party firewall doesnt know how to do this, and click Yes every time, hence making it fairly useless to have a 3rd party firewall.
      In my opinion, firewalls are for the ones who have an above average need/interest in computer security, but nevertheless it's needed to have top-notch security.
      Here are three good, free alternatives if you desire to have one. They each have their own support forum that can help you learn how to set up and use their firewall.
    • Comodo
      (If you choose this one, be sure to uncheck the following alternatives during installation:
      "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
    • PCTools Firewall
    • Online Armor

    - Winpatrol
      This program is not strictly a security application, but gives you a lot more control over your computer.
      Like a firewall it's a tool you need to learn how to use.
      Basically it watches your system settings and alerts you if an application tries to change something. Then it's up to you to accept or deny this change.
      Its main purpose is to watch programs that add themselves to auto-start, but it also watches file associations, ActiveX objects and Internet Explorer helpers.
      Most programs do not need to be on auto-start, and the bad thing about auto-start is that it clogs up system resources.
      With WinPatrol you can easily detect and prevent when an unwanted auto-start entry is added, and this becomes an additional security layer because most malware will add itself to auto-start.
      You can download winpatrol from here
      And here's a link to a place where you can get more information on how to use it

    If you managed to read through all of that you're probably asking "do I really need that much security software?".
    That depends on what your computer is used for.
    I'd say that everybody who uses a computer on the internet today really needs the following:
    - Windows updates (having all windows updates is more important than any security software)
    - The immunization software in step 3
    - Anti-virus software
    That's the minimum.
    If you use your computer for financial transactions (online bank, web-shopping, etc) or have sensitive information stored on the computer, you should strongly consider buying an anti-malware application to supplement your anti-virus software. A 3rd party firewall should also be considered.
    If you like to use your computer freely and install a lot of different programs, use file-sharing applications and surf all over the web you should also consider enhancing security as you'll be more at risk for infections.

    5) Safe and sensible online practices
    A book could be written on this subject, but here are some key points:
    - Be careful about what you download and which programs you install.
    Don't blindly install every program that looks neat. If you're suspicious about a program, do a search online and see what others have to say about it before you install it.
    Be especially cautious about programs meant to "boost" your computer in any way, or programs that claim to make your computer run better.
    Any content given away for free is reason for suspicion.
    - Be careful about which links you click.
    If somebody sends you a link you didn't expect, ask them about it before you click it.
    Some infections are designed to send messages to everybody on a person's email/messenger contact list, and if one of your contacts is infected, you may receive such messages.
    - Be careful about which email attachments you open.
    Use the same caution with unexpected email attachments as with links.
    - If a site looks shady, it probably is
    Sites that host malicious content often look shady with all types of ads and offers. Just navigate away.


That's it.
If you have questions or comments, please respond back and let me know. If you do not respond, this thread will be closed within 48 hours.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway
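An added example, not part of the thread and not WinPatrol's own code: a PowerShell script that does the auto-start watching described above by hand. It snapshots the HKLM/HKCU Run and RunOnce keys, saves a baseline on first run, and on later runs reports entries that were added, changed or removed. It assumes PowerShell 3.0 or later (for the JSON cmdlets); the baseline file path is an assumed default.

```powershell
# Added example: snapshot auto-start registry entries and diff against a baseline.
# First run (or -SaveBaseline) writes the baseline; later runs report differences.
param(
    [string]$BaselinePath = "$env:USERPROFILE\autostart-baseline.json",  # assumed default
    [switch]$SaveBaseline
)

# The common auto-start locations that tools like WinPatrol watch (HijackThis "O4" lines).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties Get-ItemProperty attaches that are not real registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutoStartSnapshot {
    $entries = @{}
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($psMeta -contains $prop.Name) { continue }
            # Key the entry by full registry path + value name; store the command line.
            $entries["$key\$($prop.Name)"] = [string]$prop.Value
        }
    }
    return $entries
}

$current = Get-AutoStartSnapshot

if ($SaveBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline saved to $BaselinePath ($($current.Count) entries)"
    return
}

# Load the saved baseline back into a hashtable for comparison.
$baseline = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }

foreach ($name in $current.Keys) {
    if (-not $baseline.ContainsKey($name)) {
        Write-Host "NEW auto-start entry: $name -> $($current[$name])"
    } elseif ($baseline[$name] -ne $current[$name]) {
        Write-Host "CHANGED: $name -> $($current[$name]) (was: $($baseline[$name]))"
    }
}
foreach ($name in $baseline.Keys) {
    if (-not $current.ContainsKey($name)) { Write-Host "REMOVED: $name" }
}
```

A NEW line after installing something you did not expect to add itself to auto-start is the same signal WinPatrol prompts on; re-run with -SaveBaseline once you have reviewed and accepted the entries.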

Re: Keylogger problem

Unread postby NonSuch » August 13th, 2009, 2:07 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California