I'm being watched by the keystroke

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pamelaj, Mar 31, 2005.

  1. pamelaj

    pamelaj Private E-2

    I finally did everything you told me to prepare my computer first for hijacking.

    The first day everything went fine. Then today, I discovered that iexplore.exe is back where it doesn't belong, so I think I took care of that.

    My major problem is this: I know someone has been logging my keystrokes and activity etc. I would like to post my HIJACK THIS log now to see what else needs to be done.

    I have way too many startup applications running in the background with numerous SVC hosts. I need some help guys!!


    May I post my HIJACK THIS log file?

    from Pam
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run ALL the steps (including the online scanners) in the Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal?


    If so, follow the directions below. If not, complete all steps first.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. pamelaj

    pamelaj Private E-2

    Here's my log file.

    Keep in mind, I did remove a lot with the programs you suggested.
    Something is still not right though.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit all browsers before running HijackThis. You had C:\Program Files\Internet Explorer\iexplore.exe running.

    Also you had C:\PROGRA~1\WINZIP\winzip32.exe which is just unnecessary and should not be running.

    I'm looking at your log now.

    Are the below what you expect?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.aol.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, do you know what C:\Program Files\BayScribe\\bayscribe.dll is for? It looks rather suspicious to me!
     
  6. pamelaj

    pamelaj Private E-2


    Yes, this program is my work. I use an online word processor to transcribe for a local hospital. I do need this.

    Let me close the other programs that you saw running and re-run HijackThis.

    I wasn't aware they were running.

    Be Right Back with New Log
     
  7. pamelaj

    pamelaj Private E-2

    Re: These Programs?

    I don't know what they are for, except I do have AOL on my computer. But I really only need to work through Internet Explorer. I did download Firefox, but with Firefox I can't get my BayScribe web site to run so I can do my work for the hospital. I do have HP software on my computer; that's all I can tell you about these keys below.

    Are the below what you expect?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.aol.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
     
  8. pamelaj

    pamelaj Private E-2

    Here's my new LOG!! Thursday 03/31/2005

    Nothing was running that I could see.

    There are a ton of programs in Task Manager, under Applications, but I made sure no tasks were running.

    Let me know if I did the LOG right.

    Thanks so much for your help. I know I'm a pain.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Heres My new LOG!! Thursday 03/31/2005

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - blank (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)
    O3 - Toolbar: (no name) - {A5181F8A-0B9D-43AC-8BE5-EB61651DB685} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL (file missing)


    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
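    An added example, not from this thread or from the HijackThis project, showing how the kind of triage done in message 9 can be automated over HijackThis 1.99.1 log lines: entries whose target is "(no file)" or "(file missing)" are marked orphaned, R0/R1 browser settings whose host the user did not confirm are marked for review, and O4 autorun entries with a bare filename and no path are marked for review. The sample log is constructed from entries quoted in this thread plus one made-up autorun line; KNOWN_HOSTS and the verdict names are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log in the HijackThis 1.99.1 entry format (the "ExampleTool" line is made up).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://startpage.aol.com/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\\..\\Run: [ExampleTool] C:\\Program Files\\Example\\exampletool.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\\PROGRA~1\\MI1933~1\\OFFICE11\\REFIEBAR.DLL (file missing)
"""

# Hosts the user confirmed as expected in this thread (AOL start page, HP's IE defaults); assumed allow-list.
KNOWN_HOSTS = {"startpage.aol.com", "ie.redirect.hp.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def triage(line, known_hosts=KNOWN_HOSTS):
    """Return 'orphaned', 'review', 'keep' or 'unparsed' for one HJT log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return "unparsed"
    section, body = m.group("section"), m.group("body")
    # Registry entries whose target no longer exists on disk are dead residue.
    if any(marker in body for marker in ORPHAN_MARKERS):
        return "orphaned"
    if section.startswith("R"):
        # Browser start/search settings: accept only hosts the user recognises.
        _, _, value = body.partition(" = ")
        host = urlparse(value.strip()).hostname
        return "keep" if host in known_hosts else "review"
    if section == "O4":
        # An autorun command with no path gives nothing to verify; ask about it.
        _, _, command = body.partition("] ")
        return "keep" if "\\" in command else "review"
    return "keep"

def triage_log(text, known_hosts=KNOWN_HOSTS):
    """Group the non-empty lines of a whole log by verdict, preserving order."""
    groups = {"orphaned": [], "review": [], "keep": [], "unparsed": []}
    for line in text.splitlines():
        if line.strip():
            groups[triage(line, known_hosts)].append(line)
    return groups
```

    Running `triage_log(SAMPLE_LOG)` puts the three "(no file)"/"(file missing)" entries under orphaned and the hsremove.com start page, the about:blank SearchAssistant and the pathless Alcmtr autorun under review.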
     
  10. pamelaj

    pamelaj Private E-2

    Okay, I'm going to do that.

    Just wanted to make a note that the file dlbtbmon.exe you told me to delete
    turned out to be my printer.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where did I say to do that?
     
  12. pamelaj

    pamelaj Private E-2

    Oh chaslang, I'm so sorry.

    I received an email from a tech forum telling me to delete that. I can attach that email if you want to see it.

    Apparently they finally got back to me after I had already started with your help and I got confused.
     
  13. PhilliePhan

    PhilliePhan Guest

    This was my bad, Chas. I saw where BJGarrick had her fix that in her other thread and was going to edit it, but got caught up with work and forgot. Sorry!

    DSO Exploit and FUN Webs keep coming back!


    PP :)
     
    Last edited by a moderator: Apr 1, 2005
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK!

    Did you complete the steps in message number 9?
     
  15. pamelaj

    pamelaj Private E-2

    I'm going to do it right now.

    Yeah, that was it, Garrick.

    Oh well. Maybe I can find a printer driver for the DELL AIO 922 online?

    I'll get back to you with my log.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Aaah! This is why users need to stay in one thread until all their problems are resolved!
     
    Last edited: Apr 1, 2005
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They should be on the disks you got with your PC or with the printer! But they are probably available at Dell's Website too.
     
  18. PhilliePhan

    PhilliePhan Guest

    Yeah . . . But it's also sloppy! Blindly telling a user to remove a service that is clearly legitimate . . . No excuse for that :rolleyes:
     
  19. pamelaj

    pamelaj Private E-2

    I'm sorry Phillie.

    The only problem I'm having now is that I can't print out #9 from chaslang

    so I can do the steps, since I need Explorer closed.

    :(
     
  20. pamelaj

    pamelaj Private E-2

    Can I have my WordPad open to complete #9,

    because I can't get my printer to work
    to read the instructions in #9 to do it?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Notepad would be a better choice! But make sure you close either before running the HJT log at the end.
     
  22. pamelaj

    pamelaj Private E-2

    Hijack This

    here we gooooooooo!!! :cool:
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Hijack This

    That looks better! How are things working?
     
  24. pamelaj

    pamelaj Private E-2

    OKAY :) :) THANKS SO MUCH!!!

    BUT I CAN'T GET MY PRINTER TO WORK

    HAVING A HARD TIME FINDING A DRIVER TOO

    MY PRINTER USES A USB PORT IN THE FRONT OF THE COMP

    IT'S A DELL AIO 922 (ALL IN ONE)

    ............STILL NO DRIVER

    AND ACTUALLY I DON'T KNOW IF IT'S JUST THE DRIVER. I'M AFRAID TO UNINSTALL ALL OF THE DELL PRINTER FOLDER BECAUSE I CAN'T FIND THE DISK

    ANY SUGGESTIONS?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said, you should be able to get them from Dell. A quick bit of searching gave me:

    Printers: Dell Printer Personal All-in-One A920,
    Driver, Windows 2000,
    Windows XP,
    English,
    Multi System, v.2.0,
    A01, Release Date 07/02/2003
    Category: Printer Drivers

    I'm not sure if the link will get you to the download or not (it is a 22 MB download). You may have to navigate into their site.

    http://support.dell.com/support/downloads/format.aspx?c=us&cs=19&l=en&s=dhs&SystemID=PRN_ALL_A920&os=WW1&osl=en&deviceid=4328&devlib=40&category=0&releaseid=R60655

    Looks like it may work!
     
  26. pamelaj

    pamelaj Private E-2

    ARRRRRGH

    The Dell printer file was malicious!!! Darn it :eek:
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you say that?
     
  28. pamelaj

    pamelaj Private E-2

    Because when I opened it last night, Norton jumped up with a HIGH SECURITY ALERT saying this file contains a malicious script.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you open what file?
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    pamelaj,

    Temporarily disable your Norton. Do you have this printer?
    Dell Printer Personal All-in-One A920

    If so, please click the link below to download your driver to reinstall your printer:

    Download Driver Here!
     
  31. pamelaj

    pamelaj Private E-2

    chaslang

    When I try to install the 922 printer from DELL, the AIO.
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    pamelaj,

    Reinstall the driver as I requested. This will take care of your printer problem. Also, stay in this thread and stick to one instead of posting the same problem in multiple threads as Chaslang mentioned.
     
  33. pamelaj

    pamelaj Private E-2

    Okay. I wasn't aware I was in multiple threads, except for when I was directed to post the printer problem into the SOFTWARE Forum.

    Thanks.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you downloaded and installed the driver I requested yet?
     
  35. pamelaj

    pamelaj Private E-2

    Yes. Thanks, it works. Thanks so very much. :)
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    Are you having any further problems?
     