| Thread ID: 101520 | 2009-07-17 18:05:00 | Hijackthis log question. | AntiVirMan (15107) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 792569 | 2009-07-17 18:05:00 | Hi, I'm new here. Is this the forum to post Hijackthis logs? I have a keylogger on my system and am looking for advice on how to remove it. I Googled it, and that's how I ended up here at this forum. Thanks. |
AntiVirMan (15107) | ||
| 792570 | 2009-07-17 18:29:00 | Welcome to PressF1, AntiVirMan. Yes, you've arrived at a useful place for what you want. But it's just a bit early in the day here for the Hijacklog experts to surface. (No, sorry I am definitely not one of them) You see, this is a New Zealand-based website, whereas I see you're in London. So why not go ahead & post your log while waiting for your dinner. And no doubt it'll be viewed soon at breakfast time here... not perhaps as early as a weekday morning, but worth a wait... BTW It's 5.30am Saturday here right now. |
Laura (43) | ||
| 792571 | 2009-07-17 21:39:00 | Try trojan remover, it's below. Update it first then scan. Then select all options under utilities. See if this removes it. Disable system restore as well. It may help. And post a log, we'll see what's in it |
Speedy Gonzales (78) | ||
| 792572 | 2009-07-17 21:39:00 | Hi Laura, Thanks for your reply! Yeah, I noticed that the site was in New Zealand, after I'd set the account up. Never mind, it's good to travel, I suppose. I'm glad to hear that there are some hijacking experts around. Well, it's still Friday night here, 9.34 pm, so technically, I am sending this message to somebody in the future, while you are speaking to someone in the past. I shall post the log and then kick back and wait I guess. Did you really interview Arthur Lowe? Impressive, if you did! Best wishes, AntiVirMan |
AntiVirMan (15107) | ||
| 792573 | 2009-07-17 21:41:00 | Post away! Don't forget to disable system restore first. Get malwarebytes below as well. Update it then scan | Speedy Gonzales (78) | ||
| 792574 | 2009-07-17 22:02:00 | My appeal to Hijacklog techies. Hi, I'm new here, because I have a log from Hijackthis that I would like to ask somebody about. I hope that somebody is able to help out, as I have a keylogger on my system, that I want to get rid of. The keystrokes are blocked, by an application called SafeSpace, thankfully, but I would very much like to get rid of the keylogger, all the same. It is logging, and thankfully blocking, thousands of key strokes per session and it's making me a little uneasy. I know that they are blocked, but still, I don't like it very much. Here is the Hijackthis log post. I have marked all of the entries, where I am pretty sure it's okay, or not. The entry which refers to 'cloaker.exe' concerns me a little. I Googled it, and that's how I ended up here. Thanks for any advice. Windows Xp. (Pro - SP3). 4 choice OS boot menu because of re-installations. - Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:26:08, on 17/07/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS1\System32\smss.exe - (ok?) C:\WINDOWS1\system32\winlogon.exe - (ok?) C:\WINDOWS1\system32\services.exe - (ok?) C:\WINDOWS1\system32\lsass.exe - (ok?) C:\WINDOWS1\system32\Ati2evxx.exe - (think is ok) C:\WINDOWS1\system32\svchost.exe - (ok?) C:\WINDOWS1\System32\svchost.exe - (ok?) C:\Program Files1\Artificial Dynamics\SafeSpace\LauncherService.exe - (think is ok) C:\Program Files1\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE - (think is ok) C:\WINDOWS1\system32\spoolsv.exe - (ok?) C:\WINDOWS1\system32\Ati2evxx.exe - (think is ok) C:\WINDOWS1\Explorer.EXE - (think is ok) C:\Program Files1\Artificial Dynamics\SafeSpace\WaveFramer.exe - (think is ok) C:\WINDOWS1\RTHDCPL.EXE -(think is ok) C:\Program Files\McAfee\MSK\MskAgent.exe - (think is ok) C:\Program Files\O2\bin\sprtcmd.exe - (think is ok) C:\Program Files\McAfee.com\Agent\mcagent.exe - (ok?) 
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe - (think is ok) C:\WINDOWS1\system32\ctfmon.exe - (ok?) C:\Windows1\system32\WTablet\TabUserW.exe - (think is ok) C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe - (think is ok) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe - (think is ok) C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe - (think is ok) c:\program files\common files\mcafee\mna\mcnasvc.exe - (think is ok) C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe - (think is ok) c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe - (think is ok) c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe - (think is ok) C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe - (think is ok) C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe - (think is ok) C:\Program Files\McAfee\MPF\MPFSrv.exe - (think is ok) C:\PROGRA~1\McAfee\MPS\mps.exe - (think is ok) C:\Program Files\McAfee\MSK\MskSrver.exe - (think is ok) C:\Program Files\O2\bin\sprtsvc.exe - (think is ok) C:\WINDOWS1\system32\svchost.exe - (ok?) C:\WINDOWS1\system32\Tablet.exe - (think is ok) C:\Program Files\McAfee\MPS\mpsevh.exe - (think is ok) C:\WINDOWS1\system32\wscntfy.exe - (ok?) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe - (think is ok) C:\WINDOWS1\System32\svchost.exe - (ok?) C:\Documents and Settings\Administrator.BRAINWORLD\Desktop\Download s\HiJackThis.exe - (ok) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program - (maybe it's ok?) Files\AVG\AVG8\avgssie.dll (file missing) - (is it okay to fix/remove this? 
- app deleted) O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll - (think is ok) O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - (think is ok) O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - (think is ok) O4 - HKLM\..\Run: [SafeSpace] C:\Program Files1\Artificial Dynamics\SafeSpace\SafeSpaceSysTray.exe - (think is ok) O4 - HKLM\..\Run: [WaveFramer] C:\Program Files1\Artificial Dynamics\SafeSpace\WaveFramer.exe - (think is ok) O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE - (soundcard - ok) O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE - (not sure what this is?) O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe - (think is ok( O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2 - (broadband support - ok) O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey - (think is ok) O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s - (think is ok) O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\ctfmon.exe - (ok?) O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'LOCAL SERVICE') - (ok?) O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'NETWORK SERVICE') - (ok?) O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'SYSTEM') - (ok?) O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'Default user') - (ok?) O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') - (don't like the sound of this) - (could this be the source of the keylogging on my system?) O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user') - (don't like the sound of this!) 
- (could this be the source of the keylogging on my system?) O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS1\system32\WTablet\TabUserW.exe - (mouse tablet - ok) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe - (ok?) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe - (ok?) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe - (think is ok) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe - (think is ok) O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - (think is ok) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL - (think is ok) O20 - AppInit_DLLs: AS_WAVEHook.dll - (think is ok) O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - (think is ok) O23 - Service: Artificial Dynamics SafeSpace Agent - Unknown owner - C:\Program Files1\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE - (think is ok) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS1\system32\Ati2evxx.exe - (think is ok) O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS1\system32\ati2sgag.exe - (think is ok) O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe - (think is ok) O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe - (think is ok) O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe - (think is ok) O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. 
- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe - (think is ok) O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe - (think is ok) O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe - (think is ok) O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe - (think is ok) O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe - (think is ok) O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe - (think is ok) O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe - (think is ok) O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe - (think is ok) O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe - (think is ok) O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe - (think is ok) O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe - (think is ok) O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe - (think is ok) O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS1\system32\Tablet.exe -(think is ok) O23 - Service: Artificial Dynamics WAVE Launcher Service (WAVE Launcher Service) - Artificial Dynamics Ltd. - C:\Program Files1\Artificial Dynamics\SafeSpace\LauncherService.exe - (think is ok) -- End of file - 6868 bytes - Well that's it! If this keylogger is nothing to do with this Hijacklog, then I don't know what else to do. 
The day before yesterday, I installed a supposed 'anti-keylogger' application, which completely trashed my system so badly, I had to re-install Windows Xp. (Pro - SP3). Any advice would be greatly appreciated. Thanks and best wishes, AntiVirMan |
AntiVirMan (15107) | ||
| 792575 | 2009-07-17 22:11:00 | You should have continued from your first post. Did you disable system restore?? Tick these then tick fix checked. Close browsers. After this is fixed, I would update IE if you use it. You don't have to put think is ok after every entry, that's why you posted the log. And it makes it harder to read. Uninstall Mcafee AV, it's crap. Install Avast or NOD (if you want to pay for it) instead. O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\ctfmon.exe - (ok?) O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'LOCAL SERVICE') - (ok?) O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'NETWORK SERVICE') - (ok?) O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'SYSTEM') - (ok?) O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS1\system32\CTFMON.EXE (User 'Default user') - (ok?) This belongs to your printer: O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') - (don't like the sound of this) - (could this be the source of the keylogging on my system?) O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user') - (don't like the sound of this!) - (could this be the source of the keylogging on my system?) There is nothing wrong with this log. Use trojan remover and malwarebytes, update both then scan (do a full scan with malwarebytes) |
Speedy Gonzales (78) | ||
| 792576 | 2009-07-17 22:17:00 | Hi SG, Thanks for your reply. I have already scanned my system with Malwarebytes Anti Malware and SuperAntiSpyware and they both detect nothing. This is also with scanning with McAfee as well, so this keylogger is well hidden. I'll try that link you posted, if nothing comes of this Hijacklog scan post. Regards, |
AntiVirMan (15107) | ||
| 792577 | 2009-07-17 22:21:00 | Did you do a full scan with malwarebytes? Get trojan remover, update it, then scan. Then select all options under utilities. HOW do you know you've got a keylogger? Don't tick the cloaker entries, your HP printer may not work if you delete the startup entries | Speedy Gonzales (78) | ||
| 792578 | 2009-07-17 22:26:00 | Hi again, Sorry, I thought when I found out it was cool for me to post the Hijacklog here, that I had to start a new thread. How does this apply to new topics then? Do you post a new thread, or add to previous posts by replying? If I did that though, maybe not many people would see the post? It's tough being a newbie at a forum. I'm not completely dumb when it comes to PCs, but I don't know everything. Thanks for your help, and are those lines or 'keys' in the log okay for me to fix, and by fix I mean delete? Regards, AntiVirMan |
AntiVirMan (15107) | ||
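
A triage sketch for logs like the one posted in this thread, added here as an example and not part of the thread or of HijackThis itself: it groups entries by their section code (O2, O4, O20, O23) and lists the ones a reviewer would normally verify first. The rule set and function names are assumptions for illustration, and the sample lines are adapted from the posted log with the poster's annotations removed.

```python
import re
from collections import defaultdict

# Sample entries adapted from the log posted in the thread (annotations removed).
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O20 - AppInit_DLLs: AS_WAVEHook.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS1\system32\ati2sgag.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Illustrative rules (an assumption, not a HijackThis feature):
# (section code or None for any section, pattern on the entry body, reviewer note)
REVIEW_RULES = [
    (None, re.compile(r"\(file missing\)", re.I),
     "target file missing: likely an orphaned entry"),
    ("O23", re.compile(r" - Unknown owner - ", re.I),
     "service binary reports no company name: verify the file"),
    ("O20", re.compile(r"^AppInit_DLLs:", re.I),
     "DLL loaded into every process that loads user32.dll: confirm the owning product"),
    ("O4", re.compile(r"Startup: .*\.lnk = ", re.I),
     "startup-folder shortcut: confirm the target's vendor"),
]

def parse(log_text):
    """Return {section code: [entry body, ...]}; non-entry lines are skipped."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def review_list(sections):
    """Return (section, body, note) for entries worth verifying first."""
    hits = []
    for section, entries in sections.items():
        for body in entries:
            for want, pattern, note in REVIEW_RULES:
                if want in (None, section) and pattern.search(body):
                    hits.append((section, body, note))
    return hits

if __name__ == "__main__":
    for section, body, note in review_list(parse(SAMPLE_LOG)):
        print(f"[{section}] {body}\n      -> {note}")
```

A hit means "look this file up", not "malicious": vendor utilities and security products legitimately appear in all four places.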