Press F1 forum, thread 65378: Info on Ardamax keylogger
Started 2006-01-16 02:28:00 by KatiMike (242)

Post 421579 | 2006-01-16 02:28:00 | KatiMike (242)

On the kids' Win 98SE computer I have all the usual / frequently recommended antispyware and AVG, all updated regularly. I am trying out Webroot Spy Sweeper and it's been running for a week or so - all clear until this morning it reports Ardamax keylogger at c:\windows\system.cab. No new sites visited / progs added EXCEPT I used the E-trust antivirus scanner yesterday and it asked permission to download an ActiveX component [no support for Firefox]. Using Windows Explorer I can find the system.cab file; a CB file, size 116 bytes. A couple of questions - should I trust the Webroot report? No other progs pick anything up [however s'pose they're looking for spyware vs keylogger]. How to get rid of it [manually rather than with Webroot] and finally could I have installed it from the E-trust site? Many thanks

Post 421580 | 2006-01-16 02:39:00 | Speedy Gonzales (78)

See if these files (www3.ca.com) are on your system. I doubt if E-trust would install any nasties on your system.

Post 421581 | 2006-01-16 03:16:00 | KatiMike (242)

Thanks Speedy - can find no sign of any of those files, the kh.dll or the registry entries mentioned on the Ardamax site. Agree it seems unlikely E-trust was the source. I have read such progs as this can hide in root-kits too [so tuff luck if that's the case as this computer's Win 98SE]. Maybe it's a false positive result from Webroot?

Post 421582 | 2006-01-16 03:22:00 | Speedy Gonzales (78)

Umm, could be a false +. No program's perfect, just look at Windows :lol: You could post a HijackThis log here. We'll see what's in it.

Post 421583 | 2006-01-16 03:32:00 | KatiMike (242)

Thanks for the offer, look forward to any thoughts.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:26:06 AM, on 1/16/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe C:\WINDOWS\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - 10.0.1.3
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com

Mike
Post 421584 | 2006-01-16 05:04:00 | Graham L (2)

Surely any .CAB file, let alone one called SYSTEM.CAB, only 116 bytes long would be suspicious?
Post 421585 | 2006-01-16 06:09:00 | Speedy Gonzales (78)

The log doesn't look too bad Mike. But you can run HJT again, and tick these entries and tick fix checked.

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

I'm not too sure what this entry belongs to:

    O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe C:\WINDOWS\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry

Is there something like a card reader on this computer? If not, I don't think this entry should be running on startup. I'll see if I can find out what this entry does. Can you change the desktop background etc on this computer?? Can you see any funny looking ads Mike??
Post 421586 | 2006-01-16 06:33:00 | Speedy Gonzales (78)

Ok, just found out that Mass Storage entry does belong to some kind of USB card reader. So you can leave that entry in there.
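The posted log and Speedy's follow-up go through the O4 autostart entries one by one. As an added example (not code from the thread, and not HijackThis functionality), the script below parses the O4 and O16 lines into records so the same review can be done systematically: it lists autostart targets that carry no directory, which Windows resolves by searching its path (so the reviewer has to locate the real file before judging it), and ActiveX controls downloaded from a bare IP address rather than a named site. The sample lines are copied from the log above; the record layout and review rules are this example's own.

```python
"""Added example (not from the Press F1 thread): parse HijackThis O4/O16
lines into records and list the entries that need a manual look."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

# Constructed sample: a subset of the O4/O16 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe C:\WINDOWS\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - 10.0.1.3
"""

# Line shapes as HijackThis 1.99 prints them (regexes are this example's own).
O4_REG_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*)\) - (?P<host>\S+)$")


@dataclass
class Autostart:
    location: str   # HKLM\..\Run, HKLM\..\RunServices, or the Startup folder
    name: str       # registry value name or .lnk file name
    command: str    # command line exactly as logged
    target: str     # file whose code really runs: the program, or the DLL for rundll32


@dataclass
class DpfControl:
    clsid: str
    name: str
    host: str       # site the control was downloaded from


def split_command(command: str) -> Tuple[str, str]:
    """Split a command line into (program, arguments), honouring a quoted program path."""
    if command.startswith('"'):
        end = command.index('"', 1)
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_target(command: str) -> str:
    """The file that actually executes for an autostart entry."""
    program, args = split_command(command)
    if program.lower().endswith("rundll32.exe"):
        # rundll32 is only a host process; the DLL named before the comma is what runs
        return args.split(",", 1)[0].strip()
    return program


def parse_log(text: str) -> Tuple[List[Autostart], List[DpfControl]]:
    """Turn O4 and O16 lines into records; other line types are ignored."""
    autostarts, controls = [], []
    for line in text.strip().splitlines():
        m = O4_STARTUP_RE.match(line)
        if m:
            autostarts.append(Autostart("Startup", m["name"], m["cmd"], run_target(m["cmd"])))
            continue
        m = O4_REG_RE.match(line)
        if m:
            autostarts.append(Autostart(m["loc"], m["name"], m["cmd"], run_target(m["cmd"])))
            continue
        m = O16_RE.match(line)
        if m:
            controls.append(DpfControl(m["clsid"], m["name"], m["host"]))
    return autostarts, controls


def unqualified_autostarts(text: str) -> List[Autostart]:
    """Entries whose target has no directory, so the reviewer must find the real file."""
    return [a for a in parse_log(text)[0] if "\\" not in a.target]


def ip_literal_hosts(text: str) -> List[DpfControl]:
    """Controls downloaded from a bare IP address instead of a named site."""
    found = []
    for c in parse_log(text)[1]:
        try:
            ip_address(c.host)
        except ValueError:
            continue
        found.append(c)
    return found


if __name__ == "__main__":
    for a in unqualified_autostarts(SAMPLE_LOG):
        print(f"locate before judging: [{a.name}] {a.target}  ({a.location})")
    for c in ip_literal_hosts(SAMPLE_LOG):
        print(f"control fetched from an IP address: {c.name} <- {c.host}")
```

Run against the sample, the path-search list holds the nwiz and NvMediaCenter entries and the IP-host list holds the RDP control from 10.0.1.3; neither list is a verdict, only the set of entries where the log alone does not tell you which file is running or where it came from.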
Post 421587 | 2006-01-16 10:39:00 | KatiMike (242)

Thanks for the replies. Yep Speedy there is a mass storage device attached occasionally to the 'puter - a card reader for the [ancient] Canon digicam - one of those 4 in one jobs - not connected when I did the scan/log tho. And thank you for your reply Graham - from my limited understanding the .CAB file is expected with these older Windows installs [98SE]; when I went searching for it Micro$oft talked a lot about Window$ 95... Do you think I can remove it manually and a: Windows will survive and re-install it and b: that will remove the key-logger? And anyway - is the keylogger actually installed?? I can't find it, could it still be there [and how???]? The nwiz.exe is something to do with my [quaint] video card - nvidia. Thanks for the help, I am evaluating Webroot Spy Sweeper [for myself, not any commercial interest] and if it turns out this is a false positive I'd like to know. And if I have a keylogger on here not detected by my other security stuff I'd like to know as well; I'm still learning.

Mike
Post 421588 | 2006-01-16 10:48:00 | KatiMike (242)

OK so I look at the properties of the file in question:

    System: .cb
    Type: CB file
    Location: c:\Windows
    Size: 116 bytes (116 bytes), 32,768 bytes used

So how does 116 bytes = 32,768 bytes??? Geez I don't know this stuff!!!

Mike
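Graham's point that a 116-byte SYSTEM.CAB is odd, and Mike's question about 116 bytes showing as 32,768 bytes used, are both things that can be checked rather than guessed. The script below is an added example (not code from the thread): size_on_disk() reproduces the "bytes used" figure, which is the file size rounded up to the volume's allocation unit (a 32 KB cluster here), and inspect_cabinet() tests whether a file's first bytes form a self-consistent Microsoft Cabinet (CAB) header, using the fixed 36-byte CFHEADER layout of that format. The byte strings are constructed in the script; no real file is read, and a passing header check says nothing about the archive's contents.

```python
"""Added example (not from the thread): allocation-unit rounding and a
header-level CAB sanity check for a file flagged like the one above."""
import math
import struct

# CFHEADER of the Microsoft Cabinet format, little-endian, 36 bytes:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CAB_SIGNATURE = b"MSCF"


def size_on_disk(size_bytes: int, cluster_bytes: int) -> int:
    """Bytes actually allocated: the file system hands out whole clusters,
    so any non-empty file occupies at least one full cluster."""
    if size_bytes <= 0:
        return 0
    return math.ceil(size_bytes / cluster_bytes) * cluster_bytes


def inspect_cabinet(data: bytes) -> dict:
    """Check that the leading bytes form a consistent CAB header.
    True means the header agrees with the file length; it does not
    validate folder or file entries or the compressed data."""
    result = {"is_cabinet": False, "reason": "", "cb_cabinet": None,
              "folders": None, "files": None}
    if len(data) < CFHEADER.size:
        result["reason"] = f"only {len(data)} bytes, shorter than a CAB header"
        return result
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     c_folders, c_files, _flags, _set_id, _icab) = CFHEADER.unpack_from(data)
    result.update(cb_cabinet=cb_cabinet, folders=c_folders, files=c_files)
    if sig != CAB_SIGNATURE:
        result["reason"] = "no MSCF signature"
    elif cb_cabinet != len(data):
        result["reason"] = f"header claims {cb_cabinet} bytes, file has {len(data)}"
    elif c_folders == 0 or c_files == 0:
        result["reason"] = "cabinet declares no folders or no files"
    elif not (CFHEADER.size <= coff_files < len(data)):
        result["reason"] = "CFFILE offset points outside the file"
    else:
        result["is_cabinet"] = True
        result["reason"] = "header consistent"
    return result


# Constructed samples (not real files).
# 1) 116 bytes of arbitrary content, the size reported in the thread.
SAMPLE_TEXT_116 = b"#" * 116
# 2) Minimal consistent header: one folder, one file, eight placeholder bytes
#    standing in for the CFFOLDER entry, cbCabinet equal to the real length.
_BODY = b"\x00" * 8
SAMPLE_CAB = CFHEADER.pack(CAB_SIGNATURE, 0, CFHEADER.size + len(_BODY), 0,
                           CFHEADER.size, 0, 3, 1, 1, 1, 0, 0, 0) + _BODY
# 3) Same header claiming 4096 bytes while only the header is present.
SAMPLE_TRUNCATED = CFHEADER.pack(CAB_SIGNATURE, 0, 4096, 0,
                                 CFHEADER.size, 0, 3, 1, 1, 1, 0, 0, 0)


if __name__ == "__main__":
    print("116 bytes on a volume with 32 KB clusters ->", size_on_disk(116, 32768))
    for label, blob in [("116-byte text", SAMPLE_TEXT_116), ("minimal cab", SAMPLE_CAB),
                        ("truncated cab", SAMPLE_TRUNCATED)]:
        print(label, "->", inspect_cabinet(blob))
```

To apply it to a flagged file, pass `open(path, "rb").read()` to inspect_cabinet(); a "no MSCF signature" result on a file with a .cab name is exactly the mismatch worth handing to whoever reviews the detection.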