Could be a stealth keylogger? [resolved]

#1 gUmmi (New Member, 3 posts)
Ok, I have a really strange problem.

Symptoms:

In games the graphics and sound get jerky and choppy whenever I use the keyboard. If I only use the mouse there's no problem and everything runs smoothly. Also, if I hold down a key in a text document or anywhere else you can type text, I see that the speed varies. It's not a consistent flow; the letters come out at a jerky pace.

I've had this problem before but it just went away without my doing anything. It's odd because sometimes it's there and sometimes it's not.

I highly suspect that I have a key-logger somewhere in my system and I just can't find it. I have done quite a lot to find it, I think, but with no luck.

Here's a list of what I've tried:

Ad-aware SE
Spybot SD
Trend online antivirus - scanned for spyware also
Panda online antivirus - scanned for spyware also
http://www.spywareinfo.com/xscan.php
HijackThis

They never find anything. Ad-aware SE found some cookies and Panda reported 4 files inside Ad-aware that were spyware, but that's a wrong diagnosis IIRC. Right?

Everything is of course updated to the latest versions. I consider myself an experienced power user but this one really really bugs me as I have no clue what to do about it. I need help!

I'm beginning to think that it is maybe a setting in Windows I've overlooked that could explain this kind of behavior.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 17:24:02, on 14-03-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\CursorXP\CursorXP.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Installs\StyleXP\YzShadow\YzShadow.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Installs\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
O1 - Hosts: Additionally, comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\TGTSoft\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: YzShadow.lnk = D:\Installs\StyleXP\YzShadow\YzShadow.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Shortcut to boot_bak.bat.lnk = F:\Backups\boot_bak.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093770096492
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B233D161-2379-4744-860F-830A63C29966}: NameServer = 194.239.134.83,193.162.153.164
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

I will appreciate any input on this.

/gUmmi
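The two lines the helper questions in the replies below (a startup shortcut pointing at a script on F:\ and an O1 "Hosts" entry that is not a host mapping at all) are exactly the kind of thing a log reviewer scans for. The following Python script is an added example, not code from the thread or from HijackThis: it pulls the O4 autostart and O1 hosts entries out of a constructed log excerpt built from the lines quoted above (plus one made-up O1 mapping using an RFC 5737 documentation address), and reports autostart programs living outside the Windows and Program Files trees, autostart entries given only as a bare filename, and O1 lines that either carry a real address-to-host mapping or carry no mapping at all. The O1 text in this log is a line of the comment header of the default Windows hosts file, which HijackThis presumably reported because the leading "#" was lost when the file was edited. The trusted-root list is an assumption for the example.

```python
"""Triage helper for HijackThis-style O1 and O4 log lines.

Added example, not part of the thread or of HijackThis itself.  It
pulls the autostart (O4) and hosts-file (O1) entries out of a log and
reports the ones a reviewer would want the poster to explain:
  * autostart programs that live outside the Windows and Program Files
    trees, or that are referenced by a bare filename (resolved via PATH,
    so the log alone cannot tell where they come from);
  * O1 lines that carry a real address-to-host mapping (a redirect to
    review) and O1 lines that carry no mapping at all, such as comment
    text from the default hosts file that lost its leading '#'.
"""
import re
from dataclasses import dataclass

# Constructed sample. The O1 comment line and the O4 lines are the ones
# quoted in the thread; the O1 mapping line is made up (RFC 5737 address).
SAMPLE_LOG = r"""
O1 - Hosts: Additionally, comments (such as these) may be inserted on individual
O1 - Hosts: 203.0.113.5 www.example.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: YzShadow.lnk = D:\Installs\StyleXP\YzShadow\YzShadow.exe
O4 - Startup: Shortcut to boot_bak.bat.lnk = F:\Backups\boot_bak.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Directory trees treated as "expected" for autostart programs (assumption
# for this example; adjust to the machine being reviewed).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

O4_RUN = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.*)$")
O1_HOSTS = re.compile(r"^O1 - Hosts: (?P<body>.*)$")
HOST_MAPPING = re.compile(r"^\s*(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)\s+\S+")
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|scr))(?=\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "autostart", "hosts-mapping" or "hosts-comment"
    name: str      # registry value name, .lnk name, or "Hosts"
    detail: str    # program path or the raw O1 body


def program_path(cmd):
    """Extract the program (or DLL) path from an O4 Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split(None, 1)
    # RUNDLL32 merely loads a DLL; the DLL path before the comma is what matters
    if tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0].strip()
    m = EXE_PREFIX.match(cmd)                     # unquoted path, possibly with spaces
    return m.group(1) if m else tokens[0]


def is_trusted(path):
    """True if the path sits under one of TRUSTED_ROOTS; bare names are never trusted."""
    p = path.lower()
    if "\\" not in p:
        return False
    return p.startswith(TRUSTED_ROOTS)


def triage(log_text):
    """Return the Findings for one HijackThis-style log, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if m:
            path = program_path(m.group("cmd"))
            if not is_trusted(path):
                findings.append(Finding("autostart", m.group("name"), path))
            continue
        m = O4_STARTUP.match(line)
        if m:                                     # .lnk target is a plain path
            path = m.group("target").strip()
            if not is_trusted(path):
                findings.append(Finding("autostart", m.group("name"), path))
            continue
        m = O1_HOSTS.match(line)
        if m:
            body = m.group("body")
            kind = "hosts-mapping" if HOST_MAPPING.match(body) else "hosts-comment"
            findings.append(Finding(kind, "Hosts", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:14} {f.name}: {f.detail}")
```

Run on the sample, the script lists the two O1 lines, the bare `nwiz.exe` entry, and the two shortcuts on D:\ and F:\; the NVIDIA, Google Desktop and Adobe entries are left alone because their paths resolve under the trusted roots. A flagged entry is a question to ask, not a verdict: here the poster answers that boot_bak.bat and YzShadow are his own, which is exactly how the reviewer closes those findings.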

#2 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Does this describe what is happening?

http://www.windowsst...ail.php?id=4074

I'm still reviewing your log but I see that you're on right now and thought I would send this note before I finish looking. :tazz:

#3 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
What is this?

O4 - Startup: Shortcut to boot_bak.bat.lnk = F:\Backups\boot_bak.bat

and this:

O1 - Hosts: Additionally, comments (such as these) may be inserted on individual

#4 gUmmi (Topic Starter, New Member, 3 posts)
Quoting coachwife6 (#3):

    What is this?

    O4 - Startup: Shortcut to boot_bak.bat.lnk = F:\Backups\boot_bak.bat

    and this:

    O1 - Hosts: Additionally, comments (such as these) may be inserted on individual

boot_bak.bat is a batch of mine and perfectly safe.

The O1 Hosts entry turned up after I modified the Windows hosts file. It's now back to normal and not showing up anymore.

The YzShadow.exe is something I've been running for a long time without problems. It's just some eye candy for Windows.

/gUmmi

#5 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Your log looks clean -- no keylogger is showing up.

I can tell you are very well-informed and put a lot of research into your problem. One thing that struck me in the description of your problem is that it works fine when you are using your mouse.

I see you have this.

http://www.stardock....ducts/cursorxp/

I wonder if that could be causing some problems. You might try uninstalling it and seeing if the problem goes away.

Also, I know I won't be describing this correctly, but when I was fixing a friend's computer one time I came across this. You can set your keyboard to act differently when you touch two keys in unison. I can't remember what you call it and this probably isn't even the problem. But it did put an icon in the task bar. I want to say "hot keys" but that is wrong. She had it for her child who was slightly handicapped.

#6 gUmmi (Topic Starter, New Member, 3 posts)
CursorXP is some more eye candy for Windows. I've been using my own animated cursor with it for some weeks now with no problems.

I was thinking along the same lines, that it might be some weird keyboard setting...

Guess what? The problem is now gone. Like the other times it has disappeared again for no apparent reason. It is so odd. :tazz:

This time I got fed up with it and I was so hoping for a sane explanation on what it might be...

Anyway thanks for your time.

/gUmmi ;)

#7 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
I've found that sometimes the more stuff that you add, so-called "eye candy", the more of a chance that it messes things up.

I think it's called "thumbs". Still can't remember.

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

#8 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
This topic has been resolved and is now closed. If the original poster has any other problems and needs it reopened, please contact a staff member.