Need help with a keylogger [CLOSED]


  • This topic is locked

#1
NotComputerSavy (New Member, 9 posts)
I have a keylogger on my computer that I got by clicking on a link in a Yahoo chatroom. I can't seem to get rid of it. I tried everything. I downloaded just about everything, but ZoneAlarm still says "Yahoo Messenger was prevented from monitoring your mouse and keyboard strokes" and "Yahoo Messenger was prevented from launching C:\PROGRAMFILES\YAHOO!\MESSENGER\YUPDATER.EXE, or use another program to gain access to privileged resources."

The hacker has changed my Yahoo account passwords on me many times. He/she keeps bragging in the chatroom that he/she has me keylogged. What to do? I don't want to wipe everything out and reinstall everything, but if that is what I have to do then I will. Any suggestions?

#2
Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Please visit this page and scroll down to Step 5. Follow the instructions there to download a tool called Hijackthis and post a log here as a reply to this post.

#3
NotComputerSavy (Topic Starter, New Member, 9 posts)
Logfile of HijackThis v1.99.1
Scan saved at 5:30:10 AM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\ike\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.yayindayi...ayx_vp6_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDBC00CA-881F-4364-8FBA-FC391103996F}: NameServer = 151.198.0.39 151.197.0.39
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#4
Buckeye_Sam (Malware Expert, 10,019 posts)
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net...wnload/updates/

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido.

#5
NotComputerSavy (Topic Starter, New Member, 9 posts)
Logfile of HijackThis v1.99.1
Scan saved at 3:03:14 AM, on 9/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\ike\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.yayindayi...ayx_vp6_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDBC00CA-881F-4364-8FBA-FC391103996F}: NameServer = 151.198.0.39 151.197.0.39
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:57:40 AM, 9/30/2005
+ Report-Checksum: CEA923E0

+ Scan result:

C:\Documents and Settings\ahmet\Cookies\ahmet@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@cbs.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@ehg-foxsports.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\ahmet\Cookies\ahmet@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.10:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\ike\Application Data\Mozilla\Firefox\Profiles\h05y5vty.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\ike\Cookies\ike@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


I downloaded and used almost every spyware and virus cleaner and all the other stuff you can use, before this, including ewido.

#6
Buckeye_Sam (Malware Expert, 10,019 posts)
Let's take a closer look.

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot your computer into Safe Mode


Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.


===========


Download and save BlackLight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] scan through Windows Explorer checked, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

#7
NotComputerSavy (Topic Starter, New Member, 9 posts)
C:\

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\aswBoot.exe: UPX!t$
C:\WINDOWS\SYSTEM32\ExMenu.dll: UPX!
C:\WINDOWS\SYSTEM32\ExPMenu.dll: UPX!
C:\WINDOWS\SYSTEM32\ExTab.dll: UPX!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

10/01/05 02:05:00 [Info]: BlackLight Engine 1.0.23 initialized
10/01/05 02:05:00 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/01/05 02:05:00 [Note]: 4019 4
10/01/05 02:05:00 [Note]: 4005 0
10/01/05 02:05:07 [Note]: 4006 0
10/01/05 02:05:07 [Note]: 4011 1632
10/01/05 02:05:08 [Note]: FSRAW library version 1.7.1011
10/01/05 02:07:45 [Note]: 4007 0

#8
NotComputerSavy (Topic Starter, New Member, 9 posts)
I downloaded Keylogger Killer 14 day trial version and it says POSSIBLE SPYING KEYLOGGERS DETECTED

(PROGRAM) C:\PROGRA~1\Yahoo!\MESSEN~1\idle.dll

and also for C:\Program Files\Webroot\Spy Sweeper\ssi.dll BUT I KNOW THIS ONE IS OK.


Funny thing is I don't have my yahoo messenger running and zone alarm detected this as a problem before and supposedly erased it.

Edited by NotComputerSavy, 01 October 2005 - 03:13 AM.


#9
Buckeye_Sam (Malware Expert, 10,019 posts)
Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\SYSTEM32\aswBoot.exe
      C:\WINDOWS\SYSTEM32\ExMenu.dll
      C:\WINDOWS\SYSTEM32\ExPMenu.dll
      C:\WINDOWS\SYSTEM32\ExTab.dll
      C:\PROGRA~1\Yahoo!\MESSEN~1\idle.dll

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.

Uninstall anything that has to do with Yahoo. Then delete this folder.

C:\Program Files\Yahoo!

Reboot your computer. Let me know if Zone Alarm sounds any alarm. If all seems ok you can download and install Yahoo Messenger once again.

Let me know how it goes.

#10
NotComputerSavy (Topic Starter, New Member, 9 posts)
I am having problems with my ZoneAlarm. I had to delete it because every time I install it onto my computer and try connecting to the internet, it shuts down and I get a blue screen with white letters saying:

A problem has been detected and windows has been shut down to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGE_AREA

If this is the first time you've seen this stop error screen, restart your computer. If this appears again, follow these steps.

Check to make sure any new hardware or software is properly installed. If this is a new installation ask your hardware or software manufacturer for any windows updates you might need.

If the problem continues, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Start Up options and select Safe Mode.

Technical info

Stop 0x0000050 (0x8CAB8A79, 0X000000000, 0X8CAB8A79, 0X0000000)

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance.

I have Spy Sweeper and I removed Yahoo Messenger like you told me to, and it says every time I restart my computer:

Alerts: Spy Sweeper protects your computer from unauthorized system changes. When Spy Sweeper's Shields detect changes that may be a result of spyware, it will give you detailed information so you can take the appropriate action.

Spy Sweeper has detected new programs that will start when Windows starts. If you just installed or updated a program, including Windows updates, you should not remove these items. To remove items added without your knowledge, select each item you do not want and click Remove. To keep items you added, select each item you want and click Keep.


Yahoo! Pager -- Assessment: Unknown

More details:

Start up Item: Yahoo! Pager

Product name is not provided
Company name is not provided
Copyright information is not provided

Location: C:\Program Files\Yahoo!\Messenger\ypager.exe
Registry or Startup Folder: HKCU: Run

Maybe it would be easier just to reformat and reinstall windows xp???

Edited by NotComputerSavy, 02 October 2005 - 01:03 AM.


#11
Buckeye_Sam (Malware Expert, 10,019 posts)
A format should be considered a last resort. And it's possible that you have a hardware issue, so a format wouldn't resolve that anyway.

Right click on My Computer and select Properties.
Click on the Hardware tab.
Click on Device Manager.

Do you see any yellow exclamation points here?


Don't be concerned about that warning from Spysweeper. It doesn't appear to be malicious.

Please post a new hijackthis log.

#12
NotComputerSavy (Topic Starter, New Member, 9 posts)
I don't see any yellow exclamation points. I downloaded yahoo messenger again and I have it running and I ran the hijack this. When I go to task manager my Page File Usage runs at 450+ MB. Is that normal?

Logfile of HijackThis v1.99.1
Scan saved at 11:46:07 PM, on 10/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServAlert.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServAlert.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServAlert.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServAlert.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\ike\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [Anti-keylogger 6.1] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.yayindayi...ayx_vp6_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDBC00CA-881F-4364-8FBA-FC391103996F}: NameServer = 151.198.0.39 151.197.0.39
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Edited by NotComputerSavy, 02 October 2005 - 09:53 PM.


#13
Buckeye_Sam (Malware Expert, 10,019 posts)
That's not out of line with everything that you are running right now.

Run HijackThis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.yayindayi...ayx_vp6_mp3.cab

Do you know what this is?

O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll

If you're not sure, let's run it through a scanner and find out.

First disable any firewalls that you have running for this step.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\SYSTEM32\RegCompact.dll
  • Click on the submit button
  • Please post the results in your next reply.

Reboot and post a new hijackthis log and the results of the virus scan.
Let me know how things are working for you now.

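The triage Sam is doing by hand on the logs in this thread (fix the unrecognised HKCU Run entry and the downloaded ActiveX control, send the Winlogon Notify DLL to a multi-engine scanner, ignore the orphaned service) can be written down as a small rule set. The script below is an added example for this page; it is not code from the forum or from the HijackThis project. The sample lines are copied from the logs posted above, the allowlist of startup names is a constructed placeholder rather than a vendor database, and the severities and rules are this example's own reading of how a helper prioritises a log, not anything HijackThis itself computes.

```python
"""Triage a HijackThis-style log: parse O4/O16/O17/O20/O23 lines and flag the
entries a malware-removal helper would look at first.  Added example, not part
of HijackThis; rules and severities are this script's own."""
import re
from collections import Counter

# Constructed allowlist of Run-key names treated as legitimate in this thread
# (hypothetical shortlist; real triage would consult a maintained database).
KNOWN_GOOD_RUN = {"SpySweeper", "NvCplDaemon", "avast!", "SunServer",
                  "a-squared", "Anti-keylogger 6.1"}

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.yayindayi...ayx_vp6_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDBC00CA-881F-4364-8FBA-FC391103996F}: NameServer = 151.198.0.39 151.197.0.39
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                       # "O23 - rest"
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")   # hive, key, name, command
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (\S+)$")
O17_RE = re.compile(r"NameServer = (.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (.+?) - (.*)$")
# display name (with optional short name) - owner - path; a " - " inside the
# display name would mis-split, which is the one caveat of this layout.
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.*)$")


def parse_entries(text):
    """Return (section, body) for every 'Onn - ...' line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def finding(section, severity, item, reason):
    return {"section": section, "severity": severity, "item": item, "reason": reason}


def triage(text, known_good=KNOWN_GOOD_RUN):
    """Apply the helper's rules of thumb; returns a list of finding dicts."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O4" and (m := O4_RE.match(body)):
            hive, key, name, command = m.groups()
            if name not in known_good:          # anything not recognised gets a look
                findings.append(finding(section, "review", name,
                    f"unrecognised startup entry in {hive}\\{key}: {command}"))
        elif section == "O16" and (m := O16_RE.match(body)):
            clsid, name, url = m.groups()
            findings.append(finding(section, "review", name,
                f"ActiveX control {clsid} downloaded from {url}; remove unless installed on purpose"))
        elif section == "O17" and (m := O17_RE.search(body)):
            servers = m.group(1).split()
            findings.append(finding(section, "info", " ".join(servers),
                "DNS servers set in the registry; confirm they belong to your ISP"))
        elif section == "O20" and (m := O20_RE.match(body)):
            name, path = m.groups()
            findings.append(finding(section, "high", name,
                f"Winlogon Notify DLL {path} loads into winlogon.exe at every logon; "
                "hash it and check it with a multi-engine scanner"))
        elif section == "O23" and (m := O23_RE.match(body)):
            name, owner, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(finding(section, "low", name,
                    "service points at a file that no longer exists (orphaned entry)"))
            elif owner == "Unknown owner":
                findings.append(finding(section, "review", name,
                    f"service binary {path} carries no publisher information"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'review': 4, 'high': 1, ...}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['section']} {f['item']}: {f['reason']}")
    print(summarize(results))
```

Run against the constructed sample it reports seven findings: the two unrecognised HKCU Run entries, the NsvPlayX ActiveX download and the avast! service with no publisher field as "review", RegCompact.dll as the single "high" item, the orphaned AOL service as "low", and the DNS servers as "info". The point of ordering it this way is the same as Sam's: a DLL registered under Winlogon Notify runs in winlogon.exe on every logon, so it is worth a hash lookup before anything else, whereas a service whose binary is already gone cannot be running.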
#14
NotComputerSavy (Topic Starter, New Member, 9 posts)
I did not see O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet when I ran HijackThis, although I did see the other one.


File: RegCompact.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 4fb92addc847eddef270ffb822d8bad2
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Logfile of HijackThis v1.99.1
Scan saved at 4:28:39 AM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\ike\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [Anti-keylogger 6.1] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDBC00CA-881F-4364-8FBA-FC391103996F}: NameServer = 151.198.0.39 151.197.0.39
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Edited by NotComputerSavy, 04 October 2005 - 02:30 AM.


#15
NotComputerSavy (Topic Starter, New Member, 9 posts)
YPager.exe is trying to monitor your system to observe what events are occurring.

ZoneAlarm Security Suite is asking you whether you wish to allow this behavior or not. Your computer is safe.

What should I do?

If YPager.exe needs to monitor your system to observe what events are occurring and you trust this program, then give it permission. If you do not trust this program or the program does not need to monitor your system then deny it. If you are unsure, you can always deny access and run the program again, if it is required.

Why?

YPager.exe is potentially malicious. It may be attempting to monitor your system to observe what events are occurring to retrieve information about you or your system.

Inside the OSFirewall alert

Alert property | Alert property value | Technical explanation
Program Name | YPager.exe | A program running on your computer, which attempted an action that was detected by the OSFirewall.
Filename | YPager.exe | The filename of the program that ZoneAlarm Security Suite found on your computer.
Program Size | 3084288 | The size of the program executable file in bytes.
Program MD5 | 2587308c711214c0e1890157a98e18e8 | The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum | bdba704554fbd4fa8cbd2d59dc76ad43 | The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified | Aug-19-2005 07:34:02 PM | The date when YPager.exe was most recently modified.
Event Type | Execution | The event involved executing Windows instructions.
Sub Event Type | ExecutionGlobalWindowsHook | YPager.exe attempted to set a Windows hook without a specific thread.

ExecutionGlobalWindowsHook

Details

A program may legitimately monitor your system to observe what events are occurring. However, if a program is malicious, this action could be associated with an attempt to record keystrokes, mouse clicks, and other types of malicious behavior.

Due to the potential threat, only programs which have been given explicit permission to observe what events are occurring on your system will be allowed to do so.

http://osalerts.zone...ce&tab=overview

ZoneAlarm Security Alert also says Protected

The firewall has blocked Internet access to your computer (NetBIOS Name) from 83.216.227.130 (UDP Port 1034).

Also says Protected

The firewall has blocked Internet access to your computer (NetBIOS Session) from 68.162.214.111 (TCP Port 1443) (TCP Flags: S).

ZoneAlarm Security Suite blocked access to port 139 on your computer

No breach in your security has occurred. Your computer is safe.

What happened?

ZoneAlarm Security Suite prevented a remote computer from connecting to port 139 on your computer. If you are sharing files on a local network, this connection attempt was probably legitimate network traffic. Port 139 is commonly used by networked Windows computers to enable file sharing and other resource sharing. However, if the traffic that generated this alert came from the Internet rather than a local network, this may have been an attack on your computer.

Should I be concerned?

No. ZoneAlarm Security Suite blocked the connection attempt, so no harm can come to your computer from it. However, blocking traffic on this port can keep you from sharing files and other resources with other computers on your local network. Also, Windows file sharing can represent a security vulnerability if you do not password-protect your shared files.

What should I do?

Click OK to close the alert box. This does not let any traffic into or out of your computer.

If you are sharing files on a local network, password-protect your shared files to keep them secure. See Windows help for instructions on how to do this.

If you are on a home or business local network, and you are receiving repeated alerts on port 139, do the following:

1. Make sure the ZoneAlarm Security Suite Internet Lock and Stop button are not engaged.
2. Make sure the local computers you want to share files with, or your entire local network, have been added to the Trusted Zone.
3. If the above steps do not reduce the number of alerts, use the ZoneAlarm Security Suite Alerts and Logs panel to suppress the alert box.

See ZoneAlarm Security Suite online help for instructions on how to perform these steps.

ZoneAlarm Security Suite blocked access to port 139 on your computer

Details

Port 139 is commonly used for NetBIOS messages (Network Basic Input-Output System). Windows uses NetBIOS to manage network traffic, and particularly to enable you to share files, printers, and other resources with other computers on your home or business network. If 68.162.214.111, the address the blocked connection attempt came from, is on your local network, this alert may have been caused by:

A server on your network attempting to renew your IP address
Another Windows computer on your network attempting to refresh information about your shared directories
Another Windows computer responding to an attempt by you to access shared resources
If 68.162.214.111 is not on your local network, this alert may have been caused by a port scan.

About Port Scans

Port scanning means using an automated tool to systematically try to connect to every port on a computer. While port scans have some legitimate uses, hackers use them to look for unprotected computers with unguarded ports, typically scanning random blocks of Internet addresses.

Successful port scans can retrieve a variety of information about a computer, such as its operating system and the programs it is running. Because you are using ZoneAlarm Security Suite, your computer remains invisible to port scans. Hackers performing scans do not even know your computer exists, because no information is returned by the scan.


HACKER ID

Whois Report from Zone Labs

Details about 68.162.214.111, the IP address of the computer that caused the alert you received from ZoneAlarm Security Suite, are provided in the Whois report below. The information in the Whois report comes from the Regional Internet Registry (RIR) for the region where 68.162.214.111 is located: ARIN, RIPE, LACNIC or APNIC. The name of the RIR appears in the Whois report.

The Whois report includes the name, address and contact information for the Internet Service Provider (ISP) that administers the block of IP addresses that contains 68.162.214.111. The report probably does not list the administrator of the specific computer at IP address 68.162.214.111.

You should not assume that individuals listed in this report are responsible for the alert you received on your computer.

Whois Information

Verizon Internet Services VIS-68-160 (NET-68-160-0-0-1)
68.160.0.0 - 68.163.255.255
Verizon VZ-DSLDIAL-BSTNMA-20 (NET-68-162-206-0-1)
68.162.206.0 - 68.162.223.0

# ARIN WHOIS database, last updated 2005-09-27 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


CustName: Verizon
Address: 1880 Campus Commons Dr.
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
RegDate: 2004-03-12
Updated: 2004-03-12

NetRange: 68.162.206.0 - 68.162.223.0
CIDR: 68.162.206.0/23, 68.162.208.0/21, 68.162.216.0/22, 68.162.220.0/23, 68.162.222.0/24, 68.162.223.0/32
NetName: VZ-DSLDIAL-BSTNMA-20
NetHandle: NET-68-162-206-0-1
Parent: NET-68-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2004-03-12
Updated: 2004-03-12

NOCHandle: ZV20-ARIN
NOCName: Verizon Internet Services
NOCPhone: +1-703-295-4583
NOCEmail: IPNMC@gnilink.net

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: IPNMC@gnilink.net

Report Event Information

You have the option to anonymously submit information about this event for aggregation and analysis. Our security event aggregator will:
Gather intrusion event information from multiple parties.
Analyze all the aggregated event information.
Escalate the events to their respective sources as necessary.
To report your inbound firewall event information, click the submit button below. To view any open incidents related to the IP tied to this firewall event, click on the "View open incidents" link below.

http://fwalerts.zone...tab=whois&CL=en

Edited by NotComputerSavy, 04 October 2005 - 03:40 AM.

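The two kinds of alert quoted in the post above call for different triage, and a short script makes the distinction concrete. This is an added example, not code from the thread or from Zone Labs; it assumes only the alert text as pasted above, plus one constructed line with a 192.168.1.20 source to exercise the local-network branch. An OSFirewall sub-event of ExecutionGlobalWindowsHook means the process installed a Windows hook with no target thread (SetWindowsHookEx with a thread id of 0), which is exactly how a user-mode keylogger sees every keystroke, but also how many legitimate programs detect user idleness. The MD5 in the alert only identifies which file did it; the useful check is to hash your own copy and compare it with a hash you trust (a vendor-published value or a known-clean install), not with the alert's own number. The inbound NetBIOS blocks are a separate matter: ZoneAlarm names the local service and prints the remote source port, so the script maps the service name back to the local destination port and uses the source address to decide whether the block was LAN chatter or an Internet probe.

```python
"""Triage of ZoneAlarm OSFirewall and firewall alert text (added example)."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ZoneAlarm names the blocked local service; the port printed after the remote
# address is the remote (source) port. Map the NetBIOS service names seen in
# these alerts back to the local destination port they stand for.
SERVICE_PORTS = {
    "NetBIOS Name": 137,
    "NetBIOS Datagram": 138,
    "NetBIOS Session": 139,
}

# OSFirewall sub-event types that mean "this process can observe keystrokes".
KEYSTROKE_CAPABLE_EVENTS = {"ExecutionGlobalWindowsHook"}

# Constructed sample: alert fields copied from the post, plus one made-up LAN
# source (192.168.1.20) so the local-network branch is exercised.
SAMPLE_ALERTS = """\
Program Name YPager.exe
Program MD5 2587308c711214c0e1890157a98e18e8
Sub Event Type ExecutionGlobalWindowsHook YPager.exe attempted to set a Windows hook without a specific thread.
The firewall has blocked Internet access to your computer (NetBIOS Name) from 83.216.227.130 (UDP Port 1034).
The firewall has blocked internet access to your computer (NetBIOS Session) from 68.162.214.111 (TCP Port 1443) (TCP Flags: S).
The firewall has blocked Internet access to your computer (NetBIOS Session) from 192.168.1.20 (TCP Port 139).
"""

RE_NAME = re.compile(r"^Program Name\s+(\S+)")
RE_MD5 = re.compile(r"^Program MD5\s+([0-9a-fA-F]{32})\b")
RE_SUBEVENT = re.compile(r"^Sub Event Type\s+(\w+)")
RE_INBOUND = re.compile(
    r"blocked internet access to your computer \(([^)]+)\) from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) \((TCP|UDP) Port (\d+)\)",
    re.IGNORECASE,
)


@dataclass
class InboundBlock:
    source_ip: str
    source_port: int
    proto: str
    service: str
    dest_port: Optional[int]

    @property
    def from_local_network(self) -> bool:
        # RFC 1918 and other non-routable sources: plausibly LAN file sharing.
        return ipaddress.ip_address(self.source_ip).is_private

    @property
    def verdict(self) -> str:
        if self.from_local_network:
            return "local-network traffic (likely benign)"
        return "Internet-sourced probe of a NetBIOS port (likely a port scan)"


@dataclass
class Triage:
    program: Optional[str] = None
    md5: Optional[str] = None
    sub_events: List[str] = field(default_factory=list)
    inbound: List[InboundBlock] = field(default_factory=list)

    @property
    def can_capture_keystrokes(self) -> bool:
        return any(e in KEYSTROKE_CAPABLE_EVENTS for e in self.sub_events)


def parse_alerts(text: str) -> Triage:
    """Pull the program identity, hook sub-events and inbound blocks out of alert text."""
    t = Triage()
    for line in text.splitlines():
        line = line.strip()
        if m := RE_NAME.match(line):
            t.program = m.group(1)
        elif m := RE_MD5.match(line):
            t.md5 = m.group(1).lower()
        elif m := RE_SUBEVENT.match(line):
            t.sub_events.append(m.group(1))
        elif m := RE_INBOUND.search(line):
            service, ip, proto, port = m.groups()
            t.inbound.append(InboundBlock(ip, int(port), proto.upper(), service,
                                          SERVICE_PORTS.get(service)))
    return t


def md5_matches(file_bytes: bytes, expected_md5: str) -> bool:
    """True if the bytes hash to expected_md5. Compare against a hash you trust
    (vendor-published or from a known-clean install); matching the alert's own
    value only proves the alert refers to this file, not that the file is genuine."""
    return hashlib.md5(file_bytes).hexdigest() == expected_md5.lower()


if __name__ == "__main__":
    report = parse_alerts(SAMPLE_ALERTS)
    print(f"{report.program} md5={report.md5} keystroke-capable={report.can_capture_keystrokes}")
    for b in report.inbound:
        print(f"{b.source_ip}:{b.source_port}/{b.proto} -> local port {b.dest_port} "
              f"({b.service}): {b.verdict}")
```

Run as a script it prints one verdict per blocked connection and flags YPager.exe as keystroke-capable. To check your own binary, read its bytes and pass them to md5_matches with a hash obtained independently of the alert; if the file matches a trusted hash, the hook alert is the client's normal behaviour and the keylogger, if one is present, is elsewhere in the HijackThis log.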