Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Keylogger Detection/Removal - as well as real-time protection?

Status
Not open for further replies.
jimp56

jimp56

IS-IT--Management
Joined
Oct 4, 2004
Messages
545
Location
US
Hello-
I have encountered a computer with various trojans and a keylogger component (watchdll.dll, reportedly part of cybervizion) -- and no scanners I have yet found have detected it or its other components.

Whats do you recommend as a:
1)good keylogger detection utility (when scanning drive as a secondary drive (i.e. windows not running)

-and-

2) Good realtime protection/detection of same when windows is running for future prevention?

Need quick help as this is an exec's computer.

Thank You!
 
Sort by date Sort by votes
This keylogger is probably using a rootkit to hide it.


Run a scan with that and post the file on here.

Also id run a scan with this as well.


Then download hijackthis from the link below. Open it up , choose do a system scan and save a logfile and post the logfile on here. Do not on this program attempt to fix anything unless you are sure of what you are doing as not everything it shows is bad.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Oh, also if your looking for a good antivirus, I reccomend antivir. However if this computer currently has norton or mcafee, remove them before installation of antivir. They do not get along lol.


This is how I reccomend setting up antivir

This is to setup antivir after it has been installed.

Right click on the logo in the taskbar(a red square with a white umbrella), then left click configure. Towards the top left, you will see a box beside expert mode. Check this box. Now click the + beside scanner, and now the + beside scan. This will expand them.

Now click on scan itself to where it is highlighted. Now to the right under files, select the circle beside all files. Now click on action for concerning files. To the right, click the circle beside automatic. Now to the right of that, set primary action to repair and secondary action to delete. DO NOT check the box that says "copy file to quarantine before action".

Now click on archives to where it is highlighted. Make sure all boxes on this page are checked, if not check them. Now click on heuristic. To the right under win32 file heuristic, check the box beside "win32 file heurisitic", then click the circle beside medium detection level.

Now click the + beside guard and the + beside scan to expand them. Now click on scan to where it is highlighted. To the right under scan mode, check "scan when reading and writing". To the right of that under files, click the circle beside "all files".

Now click on heuristic to where it is highlighted. Check the box beside win32 file heuristic, and then click the circle beside medium detecion level. Now click ok and antivir is now setup for scanning. I highly reccomend doing a scan now.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Thanks! Will report back soon...have a conference call now :-(

Also note, I currently have the infected drive as a slave on a clean system. will the rootkit detector still work (i should think so)?
 
Upvote 0 Downvote
no, because the rootkit detector searches registry. Also on this drive be sure to empty all temp locations.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
thats my next step.

already ran ewido, did not detect watchdll.dll(as a slave), but it was in a temp folder so I will manually clean those, then boot the system and run the revealer.

Thanks.
 
Upvote 0 Downvote
If your going to boot the system, make life easier with this.

ccleaner (temp emptier for all locations)



There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
OK, I ran the RKR and HJT, they both appear clean to me:

rootkit log:
HKLM\SECURITY\Policy\Secrets\SAC*:
Description: Key name contains embedded nulls (*)
Date: 10/26/2005 10:40 AM
Size: 0 bytes
HKLM\SECURITY\Policy\Secrets\SAI*:
Description: Key name contains embedded nulls (*)
Date: 10/26/2005 10:40 AM
Size: 0 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\Siebel Application\EventMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\Siebel Application\CategoryMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\Siebel Application\EventMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\Siebel Application\CategoryMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes

NOTE: Siebel is a known app we use.
<<<<>>>>>>



HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:56:57 AM, on 08/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\IFXSPMGT.exe
C:\program files\marimba\tuner\Tuner.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\SysAdmin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = company domain name).com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = company domain name).com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BC67D045-6DBD-4510-A327-DFA9ACF2B219} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\asdf\asdf.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Sametime Meeting Room Client ST31 - O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - O16 - DPF: {C3448049-D8C1-47AF-82DE-74FE5F64C6D5} (Siebel Option Pack for IE 7.5.2) - O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = (our company domain name).net
O17 - HKLM\Software\..\Telephony: DomainName = (our company domain name).net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B016DE-5E65-4DC7-BA92-D79735447AE0}: NameServer = 204.99.62.71,204.99.62.73,10.101.1.53,10.102.1.53,10.24.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = (our company domain name).net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = internal.pcshs.com,psd.(our company domain name).int,cts.(our company domain name).int,(our company domain name).int,(our company domain name).com,rx-r-us.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = (our company domain name).net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = internal.pcshs.com,psd.(our company domain name).int,cts.(our company domain name).int,(our company domain name).int,(our company domain name).com,rx-r-us.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.pcshs.com,psd.(our company domain name).int,cts.(our company domain name).int,(our company domain name).int,(our company domain name).com,rx-r-us.com
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O20 - Winlogon Notify: system2 - C:\DOCUME~1\rc867a\LOCALS~1\Temp\system2.dll (file missing)
O23 - Service: AppnNode - IBM Corporation - C:\WINNT\System32\Drivers\appnnode.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: MarimbaEndPoint - Marimba, Inc. - C:\program files\marimba\tuner\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
<<<>>>>>

I did see some problems with the HJT log, but will wait for your reply. Note the (our company domain name) entries are intentional.
 
Upvote 0 Downvote
O2 - BHO: (no name) - {BC67D045-6DBD-4510-A327-DFA9ACF2B219} - (no file)

O20 - Winlogon Notify: system2 - C:\DOCUME~1\rc867a\LOCALS~1\Temp\system2.dll (file missing)


check those and click fix checked.

I do not believe this spyware/keylogger is on there anymore. As I can not find any traces of it.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Thank you so very much for your immediate, helpful, and courteous advice!

also, thanks for the antivir program tip!
 
Upvote 0 Downvote
n/p, I love helping people which is why this forum exist lol. Everyone on here loves to help so we all help when we can.

Also just to be sure everything is gone, load the computer in safe mode and run every antivirus, antispyware and ccleaner.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

kjv1611
  • Locked
  • Question Question
POS Malware Infections Detection and Protection
Replies
0
Views
268
kjv1611
kjv1611
2ffat
  • Locked
  • News News
Police: Do as we say and not as we do!
Replies
4
Views
457
goombawaho
goombawaho
javierdlm001
  • Locked
  • Question Question
&quot;Win32.Downloader.gen&quot; found as Malware by Spybot
Replies
3
Views
444
2ffat
2ffat
BionicJohn
  • Locked
  • Question Question
URUASY.A Ransomware Trojan - Help needed with removal
Replies
6
Views
595
BionicJohn
BionicJohn
izzer43
  • Locked
  • Question Question
Manual Removal of Virus "TIDSERV 2" required by Norton
Replies
0
Views
248
izzer43
izzer43

Part and Inventory Search

Sponsor

Back
Top