Hello all:
The anti-spyware my ISP (SBC Yahoo) provides found 3 key loggers:
 C:\Program Files\common\microsoft shared
 key  hkey_local_machine\software\sces software\the pc detective
 key  hkey_local_machine\software\sces software\tpcdhost
but when I click remove, nothing is removed. I've waited as much as 2 hours, and have to use Task Manager to GET out of the program.
I have run the ESET scanner, and the one provided by my ISP (Computer Associates), and they have found nothing.
 I ran the scanner from Trend Micro and it has found
 spyware_trak_msnspymonitor       364 infected files
but cannot remove them. I have let the remove function run for up to 2 hours with no luck.
 Panda found this
 Potentially unwanted tool:Application/PCDetective.A               Not disinfected        C:\Program Files\Common Files\Microsoft Shared\DAO\PCD\SVCHOST.EXE
 Virus:Generic Malware                              Disinfected          C:\Program Files\Common Files\Microsoft Shared\DAO\PCD\SVCHOSTE.EXE
When I navigate to this folder, I find a bunch of ".TPC" files, which won't let me delete them, and when I open them in Notepad (if it finds them) they are all characters, not letters (ÿØÿà JFIF    ÿþ *Intel(R) JPEG Library, version 1,5,4,36 ÿÛ C

(just a sample)
I have no idea what to do.
 HJT log to come
 
 
 Should I do a clean install, or can this be fixed?
 Thanks  Mel
 
 Logfile of Trend Micro HijackThis v2.0.2
 Scan saved at 6:57:54 AM, on 1/5/2008
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 Boot mode: Normal
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Program Files\Sygate\SPF\smc.exe
 C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
 C:\WINDOWS\Explorer.EXE
 C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
 C:\PROGRA~1\Yahoo!\YOP\yop.exe
 C:\Program Files\Yahoo!\Antivirus\ISafe.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
 C:\PROGRA~1\Yahoo!\browser\ycommon.exe
 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
 C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
 C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\ntvdm.exe
 C:\WINDOWS\system32\HPZipm12.exe
 C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Program Files\Yahoo!\browser\ybrowser.exe
 C:\Program Files\Yahoo!\browser\ybrwicon.exe
 C:\WINDOWS\system32\taskmgr.exe
 C:\DOCUMENTS and Settings\Owner\Desktop\HiJackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?.done=https%3A%2F%2Fedit.client.yahoo.com%2Fmembercenter&.partner=sbc&.intl=us
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
 O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
 O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
 O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
 O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
 O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
 O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
 O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
 O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
 O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
 O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
 O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
 O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
 O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
 O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
 O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
 O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
 O4 - Global Startup: hpoddt01.exe.lnk = ?
 O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
 O16 - DPF: Yahoo! Gin - http://download2.games.yahoo.com/games/clients/y/nt1_x.cab
 O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
 O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
 O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI UTILITY Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176731264312
 O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
 O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
 O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
 O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
 O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
 O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
 O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
 O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
 
 --
 End of file - 8677 bytes
Thanks again, Mel

1. Run free ESET Online Scanner at: http://www.eset.com/onlinescan/
 Note: This Scanner is for Internet Explorer Only
 1. You will notice that the "Start" button is grayed out. Place a check mark at "Yes, I accept the Terms of use". The "Start" button will become visible. Click on it.
 2. If it wants to install an ActiveX component allow it
 3. You will be asked to install an ActiveX, click the "Install" button (Note: If you have a Firewall install you may have to approve the installation)
 4. Once ActiveX control is installed click on the "Start" button to initialize the scanner
 5. After initialization is complete uncheck\untick "Remove found threats"
 6. Check\tick "Scan unwanted applications"
 7. Click the "Scan" button
 8. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt
 Post ESET's log.
 
 2. Download SUPERAntiSpyware Free for Home Users:
 http://www.superantispyware.com/
 
 Print these instructions out.
 
 * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
 * An icon will be created on your desktop. Double-click that icon to launch the program.
 * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
 * Close SUPERAntiSpyware.
 
 Restart computer in Safe Mode.
 To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen
 
 * Open SUPERAntiSpyware.
 * Under "Configuration and Preferences", click the Preferences button.
 * Click the Scanning Control tab.
 * Under Scanner Options make sure the following are checked (leave all others unchecked):
 o Close browsers before scanning.
 o Scan for tracking cookies.
 o Terminate memory threats before quarantining.
 * Click the "Close" button to leave the control center screen.
 * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
 * On the left, make sure you check C:\Fixed Drive.
 * On the right, under "Complete Scan", choose Perform Complete Scan.
 * Click "Next" to start the scan. Please be patient while it scans your computer.
 * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
 * Make sure everything has a checkmark next to it and click "Next".
 * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
 * If asked if you want to reboot, click "Yes".
 * To retrieve the removal information after reboot, launch SUPERAntispyware again.
 o Click Preferences, then click the Statistics/Logs tab.
 o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
 o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
 o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
 * Click Close to exit the program.
 Post SUPERAntiSpyware log.
 
3. Post new HijackThis log.

Hello:
 I'm sorry it took so long.
 I had posted this problem in another forum 5 days before I had posted here.
 They got back to me about an hour after I posted here.
If there is a chance of getting a second opinion, I would appreciate it very much. I know you all are real busy. The thread is located here:
http://www.bleepingcomputer.com/forums/topic123575-15.html#entry705463
I have the utmost respect and gratitude for the specialist from the other forum.
I did the things that Broni suggested last night and here are the logs:
 # version=4
 # OnlineScanner.ocx=1.0.0.56
 # OnlineScannerDLLA.dll=1, 0, 0, 51
 # OnlineScannerDLLW.dll=1, 0, 0, 51
 # OnlineScannerUninstaller.exe=1, 0, 0, 49
 # vers_standard_module=2766 (20080104)
 # vers_arch_module=1.060 (20071228)
 # vers_adv_heur_module=1.064 (20070717)
 # EOSSerial=65cfd09981048c4f8c46196d2470cb62
 # end=finished
 # remove_checked=false
 # unwanted_checked=true
 # utc_time=2008-01-06 06:51:05
 # local_time=2008-01-05 10:51:05 (-0800, Pacific Standard Time)
 # country="United States"
 # osver=5.1.2600 NT Service Pack 2
 # scanned=420450
 # found=0
 # scan_time=9025

SUPERAntiSpyware Scan Log
 http://www.superantispyware.com
 
 Generated 01/06/2008 at 10:34 PM
 
 Application Version : 3.9.1008
 
 Core Rules Database Version : 3375
 Trace Rules Database Version: 1369
 
 Scan type   : Complete Scan
 Total Scan Time : 04:40:26
 
 Memory items scanned   : 176
 Memory threats detected : 0
 Registry items scanned  : 8566
 Registry threats detected : 0
 File items scanned    : 111952
 File threats detected  : 29
 
 Adware.Tracking Cookie
It was after this that I ran my ISP's spyware scanner and found the same keylogger.
 
 
The crew at BleepingComputer are very competent and I would trust in their advice. Thank you so much.