Error leads to finding keylogger?

Discussion in 'Malware Help (A Specialist Will Reply)' started by ndnprincesss, May 13, 2007.

  1. ndnprincesss

    ndnprincesss Private E-2

    First of all... my niece (18 yrs) has been at my house for about a week <<- Explains the problems I can't fix!

    After reclaiming and being on my pc a short time, I thought it a bit sluggish. Then I got an error "Dr Watson Postmortem Debugger etc...exp needs to close" which eventually brought me to the forum. While doing the steps in your -read & run me first- it seems I have a keylogger maybe? While posting I got this error "Windows Genuine Advantage Notification etc...exp needs to close" - My windows is legit.

    And....after running panda I ran bitdefender again to see if everything was removed, it was not. When I saved the 2nd bdscan I wrote over the first one. Just in case there are time stamps on them, I want you to know I ran the scans in the correct order.

    The bitdefender scan was too large so I posted in 2 parts. I hope that's ok.

    ~Jena
     
    Last edited: May 14, 2007
  2. ndnprincesss

    ndnprincesss Private E-2

    ....
     
    Last edited: May 14, 2007
  3. ndnprincesss

    ndnprincesss Private E-2

    Oh gee, I almost couldn't get back on to upload the last log. Those errors were popping up non-stop; every time I tried to click anywhere on anything... up came one of the errors and closed windows.
     
    Last edited: May 14, 2007
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't appear to be having malware problems based on your logs! But I do have a few things for you to do.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Run HijackThis and have it fix the below line.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

    I'm not sure why your HJT log shows this old version of Sun Java and your newfiles.txt log shows that you have the correct 6.1 version installed.

    Now see step 8 of the READ ME and toggle system restore as instructed. This will remove the old items you saw in your BitDefender log. In the future, create the Bitdefender logs as requested not as a Word file and it will be attachable without being split.

    Now, just to be safe, let's do a check for rootkits, but I'm not expecting any to be found.

    Please download F-Secure's BlackLight Beta:
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click Accept Agreement and click Scan.
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items... don't do anything with them yet. Just hit Exit (Close).
    • It will drop a log on the Desktop that starts with fsbl... followed by a big number.
    Please attach the BlackLight log.

    If you are still getting error messages, you should post the exact word-for-word error messages into a message in the Software Forum. It sounds like an OS problem.
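As an added example (not part of the thread or of HijackThis itself), a small Python check for the kind of stale autorun entry chaslang has Jena fix: it parses HijackThis O4 lines and flags entries whose target executable no longer exists. The disk contents are a constructed set standing in for the real file system, and the jre1.6 path is a hypothetical location for the newer Java.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed HijackThis-style O4 lines; the Java entry is the one quoted in the thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /background',
]

# Constructed stand-in for the disk: the old jre1.5.0_11 folder is gone after the Java upgrade.
EXISTING_FILES = {
    r'C:\WINDOWS\system32\ctfmon.exe',
    r'C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe',  # hypothetical new-JRE path
    r'C:\Program Files\Example\tray.exe',
}

# O4 lines look like: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, key, value name, full command and the executable path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.index('"', 1)]          # quoted path: take what is inside the quotes
    else:
        m_exe = re.match(r'(?i)(.*?\.exe)', cmd)  # unquoted: stop at the first .exe
        exe = m_exe.group(1) if m_exe else cmd.split()[0]
    return {'hive': m.group('hive'), 'key': m.group('key'),
            'name': m.group('name'), 'command': cmd, 'exe': exe}


def constructed_file_exists(path: str) -> bool:
    """Case-insensitive lookup in the constructed file set (Windows paths are case-insensitive)."""
    return path.lower() in {p.lower() for p in EXISTING_FILES}


def find_orphaned_autoruns(lines: List[str], file_exists: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Return the O4 entries whose executable cannot be found; these are the ones worth removing."""
    return [e for e in map(parse_o4, lines) if e is not None and not file_exists(e['exe'])]


if __name__ == '__main__':
    for entry in find_orphaned_autoruns(SAMPLE_O4_LINES, constructed_file_exists):
        print(f"orphaned: {entry['hive']}\\..\\{entry['key']} [{entry['name']}] -> {entry['exe']}")
```

On a live machine, pass `os.path.isfile` as `file_exists` instead of the constructed lookup.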
     
  5. ndnprincesss

    ndnprincesss Private E-2

    I uninstalled CounterSpy, no folders were left behind to be deleted.

    HJT log - I had an older version of java, but I uninstalled it and installed the newer as per instructions in your read me before running online scans, maybe something from the older one was left behind? I ran HJT and this line was not there:
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

    Completed step 8. I've never heard of this before. Are you saying the malware/virus was probably gone and the second time I scanned with bitdefender it just showed me 'old' stuff kept by system restore? Oh...and I tried to upload the bdscan log - html and in word - I read and re-read the instructions for creating the log and didn't see where I did anything wrong. The file was just too big. That's why I split it.

    I ran BlackLight and nothing was found. Log is attached.

    Was there a keylogger on my pc or was that just a name given to malware or something? If it was on here do I need to change pw's etc. now? Lord...I pay all my bills on here! lol

    I haven't seen error messages today so far. Thanks so much for your help. I haven't had to come here for a very long time, and I do so appreciate your time.

    ~Jena
     
    Last edited: May 14, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes!

    If you follow the directions exactly as written you would be saving a file that contains HTML code but you would be renaming the file to have a .txt extension instead of .html. It would be much smaller than a WORD document and would be uploadable. HTML files are not uploadable and that is why we have you save it with a different extension name.
    Based on your CounterSpy log someone downloaded the file on to your PC but may never have installed it. This was something that you or someone else downloaded. It was saved in the below path which seems to be a folder someone uses.

    D:\My Documents D\Progs\Stealth Recorder\stealthkeylogger.exe
     
