1. helpless female

    helpless female Private E-2

    Is there a way I can check if my computer is being hacked into? Is it possible a keylogger could be installed on it and being viewed from another computer? How can I check and then get rid of it? Murder is an option I have considered but think there may be an easier way.
     
  2. InYearsToCome

    InYearsToCome MajorGeek

    Install an anti-virus and let it scan your whole hard drive. Norton AntiVirus is a very popular one that you can usually find for cheap, or if you want a free one, you can grab AVG Personal antivirus from the downloads section of Majorgeeks.

    If that doesn't make you feel safe enough, install a software firewall, such as Kerio or ZoneAlarm. This will monitor all the open ports on your computer so you know what's going on, but you will have to "allow" programs to access the internet, which can be annoying for a while to some people. I would recommend Kerio Personal Firewall.

    good luck, let us know how things turn out, and Welcome to MajorGeeks :D
     
  3. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Weeeyell, ma'am, we don't usually recommend murder (or anything else illegal, immoral, or fattening) around these parts, SO...

    Download, install and run Hijack This HERE, from Major Geeks and press the Scan button. When it runs, click Save Log, then when the log comes up in the text editor, use Ctrl+a to select the whole thing, then Copy it, and Paste it into a message here.

    Don't take any reckless action. Most of what it finds is harmless or even necessary.

    We'll find that spy fer ya, ma'am.

    "Team MG: Making the world safer for helpless females and children"

    EDIT: InYears: Didn't see you in on this one. She wants to catch a keylogger, so I thot mebbe somebody had installed a logger on the machine, watching. Mebbe you're right and it's just spyware she's after.
     
    Last edited: Jan 29, 2004
  4. SilverD

    SilverD Private E-2

    Edited. Try others advice.

    SilverD
     
    Last edited: Jan 30, 2004
  5. Wisewiz

    Wisewiz Apprentice's Sorcerer

    helpless,
    My impression was that you thought your computer had been bugged by someone who knows you and who is high on your list of UNtrusted acquaintances. We would need to see what's happening on your machine in order to help you discover such an intruder. Thus, my suggestion of a Hijack This log. It tells us what's going on, on your machine.

    But these two other smart fellers thought mebbe you were just interested in locking out spyware programs, viruses, and malicious hackers, while you are on the Internet.

    Ya pays yer money and ya takes yer chances. What you do depends on which of our guesses is right.

    If you're interested in continuing protection from the Nasties on the Net, a Search here for "spyware" "anti-virus" and "firewall" will bag you a lot of threads on those things, and everything worth having in that line of protection is available at our main software site, The Major Geeks Front Page.

    Keep in touch. We don't want you to think you're a "helpless female".
     
  6. helpless female

    helpless female Private E-2

    Hmm, think it should be hopeless not helpless female. You're right, it is not general spyware that I am after, it is a specific 'person'....still think murder may be an option - lol

    Logfile of HijackThis v1.97.7
    Scan saved at 13:57:50, on 30/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system32\enhance32.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\SYSTEM32\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    c:\program files\internet explorer\iexplore.exe
    C:\PROGRAM FILES\QUICKZIP\Quickzip.exe
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\QZTEMP\3929560\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=135343
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=135343
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.co.uk/
    R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    F1 - win.ini: run=c:\windows\system32\enhance32.exe
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-c2.freeserve.com/Java/cfs31235.cab
    O16 - DPF: Win32 Classes -
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_mainstream.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.5092013889
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://juicyland.com/cab/loader.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://38.144.58.45/Loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{816D53D1-BB4B-4949-A401-5F2866C1288E}: NameServer = 194.168.4.100 194.168.8.100
     
  7. Kodo

    Kodo SNATCHSQUATCH

  8. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Yo, hopeless not helpless!
    You're definitely not either.

    I have a plan based on the evidence you've supplied, but first we need to use the tools the other guys were thinking about. Your machine is definitely infected, so let's shoot as many bugs as possible and then clean up afterward.

    Download, install, and run (default settings are fine) Ad-Aware and Spybot. Do NOT install these to your Temp folder. You already put Hijack in your Temp folder, and one of your problems is hiding in there as well, so install these new programs somewhere OTHER THAN in Temp.

    Program Files is fine, or another folder.

    Get the programs here:
    http://www.majorgeeks.com/download506.html
    http://www.majorgeeks.com/download2471.html

    Before you run these programs, shut down all your OTHER programs. Don't have your browser running and other things running. Your Anti-virus is fine, though.

    Use the recommendations of both programs. They make backups for you, so if anything goes wrong, you can reverse what they do.

    Reboot.

    Run another Hijack This scan and send me another report. We'll go from there.
     
    Last edited: Jan 30, 2004
  9. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Kodo and xflat:

    The HJT log doesn't look as though there's any keylogger running there. But she's buried in browser hijackers, spyware, and adware. I've got a workable strategy for her, but let's see how much of the mess Spybot and Ad-Aware take care of first, eh?
     
  10. Kodo

    Kodo SNATCHSQUATCH

    key loggers usually run as hidden services and programs like HJT may not pick them up.
     
  11. Wisewiz

    Wisewiz Apprentice's Sorcerer

    AHA! I didn't know that!

    (('Scuse us while we have a conference here, helpless. This is what the whole TEAM idea is, BTW.)

    OK, so you think we shd go with an antikeylogger BEFORE she does the anti-spyware stuff (she's got a boatload of it!), or just see whether the spyware cleanup solves the probs?

    (Note: she hasn't told us exactly what she's seeing or why she thinks a keylogger might be watching. She suspects somebody of SOMEthing. More than that we don't know. Whatcha think?)
     
  12. Kodo

    Kodo SNATCHSQUATCH

    getting rid of the spyware is a bonus. I don't think it really matters in what order she does it. Though running the anti-key logger is a must to make sure there isn't anything running as a hidden process.
    I might even suggest using THE CLEANER to make sure there are no trojans there as well.. bloody sub-7's are popular..

    and then a good firewall is in order.
     
  13. Maxwell

    Maxwell Folgers

    Last edited: Jan 30, 2004
  14. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Thanks for the input, Maxwell.

    There is indeed some valuable advice there, but I'm thinking that someone who lists herself as "hopeless" and "helpless" probably isn't high enough up on the geek scale to be able to separate out the valuable from the trash in an archived thread, so if she comes back with a response to the last requests I made, I think we should just guide her through obtaining and using an Anti-keylogger, Ad-Aware, and Spybot, then we'll make sure we get the bodies buried (clean up the residue), and make sure she installs a firewall.

    I've studied the HJT log, and listed the visible baddies in my records so that I can check a follow-up scan to see whether she's killed 'em all.

    That sound like a plan to you?
     
  15. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Why, shucks, ma'am. It's jus' folks helpin' folks.

    But thanks fer the kind words.

    (And let's see whether we actually get the problem fixed before we take AbbySue's kind words to heart, guys!)
     
  16. helpless female

    helpless female Private E-2

    I think I have to agree with AbbeySue's comments about u lot! But, OH MY GAWD, not sure where to start. Not sure I like being described as covered in nasties and boogers either! lol. Wisewiz, please give me a simple list of instructions, I am not completely hopeless or helpless but definitely struggle against all you technical lot. Please bear with me....trying to be geek, honest.
     
  17. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Right, well, I know Wisewiz is about. I expect he's busy, so I'll just get you started with the wizard's suggestions: go here and download these two programs

    http://www.majorgeeks.com/download506.html

    http://www.majorgeeks.com/download2471.html


    Install them and run a scan with each of them, and delete any nasties found. I'm assuming from your post you're not totally helpless, so you should be able to do this by just following the on-screen prompts etc. If, however, there's anything you're not sure of, just ask.

    After this, run HijackThis again and post your new log up.

    Someone else will have to help you with keylogging, as I've no experience there.


    Hopefully I ain't tripping over the wizard's feet again :D
     
  18. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Ok, HF, let's get started!

    First, the spyware, then the keylogger, and then the sweep for trojans Kodo suggests. Finally, we'll get you to some choices on a firewall -- without one of which you should not be, as Churchill might have said.

    First, go back up to my post that starts with
    Yo, hopeless not helpless!
    You're definitely not either.

    Get the programs from the links, get off the Net, install them (accept the default installations is fine), then log back on and run Ad-Aware and use the Check for Updates Now control (click the words) on the main panel, accept the updates, and then run the program and do what it says, THEN run Spybot, use the Search for Updates button, and then use the Search for Problems button in the main panel, and FIX what it says needs fixing.

    Get off the Net, reboot, look around to see whether anything's changed (you haven't yet told us what you saw that sent you here for help, and your next post would be a GOOD time to let us in on what we're trying to squelch), then log on, come back, and tell us what's happ'nin'.

    Oh, and have fun. And ask questions if you have 'em.
     
  19. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Heehee! Well done, General!

    Sort of an echo in here, huh?
     
  20. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Yeah, sorry Wise, I missed the bit in the middle where you linked the apps. So many posts; I must remember to read every single bit of info.
    So thought I'd point her in the right direction till you got here :(
     
  21. Maxwell

    Maxwell Folgers

    Last edited: Jan 30, 2004
  22. Wisewiz

    Wisewiz Apprentice's Sorcerer

    OK, thanks for that update, Maxwell. Appreciate your doing that search-work for us.

    I've followed up on that and also scoured the Google results for this, and looked at Pest Patrol Anti-Keylogger, Advanced Anti-KeyLogger, AntiKeylogger, and Detect KeyLogger. All are either money-up-front, or describe very complex operation not suitable for a non-geek, and look to be designed for a corporate environment.

    I found what looks like a winner at the Major Geeks link Kodo posted way up there on the first page of this thread (Thanks, Mr. K!). I'll give HF some help with getting it and using it when the subject comes up again. For now, I guess we'll just wait for a report on the work of A-A and Spybot.

    Tomorrow, friends.
     
  23. helpless female

    helpless female Private E-2

    Reason for my paranoia: Once upon a time there was a young girl, she was bright and intelligent and married her Prince Charming. Unfortunately he later turned into an alcoholic frog intent on stalking her (in a hoppy kind of way) and generally making life miserable until her brain turned to mush and she kicked him to another pond. Unless frog is psychic he is hacking in somehow as he knows every password change, every e-mail, every site visited....u sure murder is illegal ....tis only a frog ;)

    Does this look any better guys?

    Logfile of HijackThis v1.97.7
    Scan saved at 18:25:30, on 31/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system32\enhance32.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\SYSTEM32\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    c:\program files\internet explorer\iexplore.exe
    C:\PROGRAM FILES\QUICKZIP\Quickzip.exe
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\QZTEMP\2994315\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.co.uk/
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=c:\windows\system32\enhance32.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-c2.freeserve.com/Java/cfs31235.cab
    O16 - DPF: Win32 Classes -
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.5092013889
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://juicyland.com/cab/loader.cab
    O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://38.144.58.45/Loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{816D53D1-BB4B-4949-A401-5F2866C1288E}: NameServer = 194.168.4.100 194.168.8.100
     
  24. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Well, I can personally see a few nasties in there, so you really need to do an online trojan scan before you do anything else. Go here and run
    http://www.trojanscan.com/

    Clean up what you can, then you need to repost a new log and someone here will help you fix anything that's left.

    Wisewiz will then help you out with the keylogging.
     
  25. bern

    bern Sergeant

    Guys, I have been following this thread. I am learning a lot, but please can you point out the nasties from helpless's list so that I can see them for myself, as I have no idea looking at the list.

    Thanks, it's great to see all the help.
     
  26. helpless female

    helpless female Private E-2

    Did as you suggested, General, but the scan revealed nothing.
     
  27. helpless female

    helpless female Private E-2

    Found loads....was covered in stuff
     
  28. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Hi, HF! Sorry. Had a little life to handle. Now back to the forums. <G>

    GENERAL: Would you pls look this over and see whether I've missed something you see, or included on the hit list sthg you think shd be saved?

    I like the General's suggestion very much, so if you haven't done it yet, go for it.

    When you finish (and do what it sez), run another HJT, and IF these are still there, check them and click the Fix checked button (remember my instructions above: close everything first, so HJT is the only running application):

    C:\windows\system32\enhance32.exe
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    F1
    O4 ... bundle.exe
    O4 ... enhance32.exe
    O4 ... enhance32.exe
    O16 ... FileSharingCtrl Class ...
    O16 ... juicyland.com ...

    Don't check the O16 FileSharing thingie this time around IF your computer is networked with another computer in your home. We'll see later. If not hooked to another, check it.

    Now, we may have to go back in in SAFE MODE to kill bundle.exe and enhance32.exe. Do you know how to use Safe Mode?
    And do you understand the full path to bundle.exe, even tho HJT has used DOS names for the folders?
     
    Last edited: Jan 31, 2004
  29. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Hold on for a min and let the General have a peek here before you run the HJT again.
     
  30. Wisewiz

    Wisewiz Apprentice's Sorcerer

    For those following this thread, the enhance32 find is HERE. Look under Installation ...
     
  31. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Wizard, looks like you saw what I saw, except this one, which is a xxx dialler:
    O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://38.144.58.45/Loader.cab

    Agreed as well, you're probably going to have to use Safe Mode to completely clear the folders you posted.
     
  32. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Muchas Grasses, General!

    OK, HF, Let's go with that, then.
    Add a check for the line
    O16 ...MyWebOperator Class ...
    to all the other stuff I said, and then HIT that Fix checked button.
    (Remember to see my instrs in the early post.)

    Come back with the answers to my other Q's (Safe Mode and full path) and we'll go from there.

    I'm in and out now, cuz I'm cooking dinner for a buncha guests, but "You're in Good Hands" (as Allstate sez) with the General watching you. He can handle it any time you need any Q's answered.
     
  33. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Just a quick question for you, helpless female.
    I notice your homepage etc. is Freeserve, so I'm assuming that's your ISP.

    Yet this is a listing for NTL:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{816D53D1-BB4B-4949-A401-5F2866C1288E}: NameServer = 194.168.4.100 194.168.8.100

    See here:
    http://www.kempston.net/solaris/isplist.html

    So just wondering what your internet provider is.
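    The checks Wisewiz applied to the logs by eye (binaries launched from a Temp folder, the win.ini run= line, the same autostart registered under both HKLM and HKCU) together with the General's two points (an O16 download fetched from a bare IP address, O17 name servers that don't match the user's ISP), written up as a small Python triage script. This is an added example, not code from the thread or from HijackThis itself; the sample lines are copied from the logs posted above, the expected name-server list is an assumption the caller supplies, and 192.0.2.53 is a placeholder from the documentation address range, not a real resolver.

```python
"""Triage HijackThis-style log lines for the patterns discussed in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe

F1 - win.ini: run=c:\windows\system32\enhance32.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://38.144.58.45/Loader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{816D53D1-BB4B-4949-A401-5F2866C1288E}: NameServer = 194.168.4.100 194.168.8.100
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                # a bare "Running processes" path line
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)     # anything living under a Temp folder
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
EXE_RE = re.compile(r'"?([^"]+?\.exe)"?', re.IGNORECASE)
F1_RE = re.compile(r"^F1 - win\.ini: run=(.+)$", re.IGNORECASE)
DPF_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
NS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def executable_of(target: str) -> str:
    """Reduce a Run-key value to the .exe it launches (quotes and arguments dropped, lower-cased)."""
    m = EXE_RE.search(target)
    return (m.group(1) if m else target).strip().lower()


def triage(log_text: str, expected_nameservers=None):
    """Return (reason, evidence) tuples for the log lines worth a second look.

    expected_nameservers: the resolvers the user's ISP is known to hand out; any
    O17 server outside that set is reported. None skips the O17 check entirely.
    """
    findings = []
    run_owners = {}  # executable -> set of hives (HKLM/HKCU) whose Run key starts it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line) and TEMP_RE.search(line):
            findings.append(("process running from Temp", line))
        elif m := F1_RE.match(line):
            findings.append(("win.ini run= autostart (legacy hook)", m.group(1)))
        elif m := RUN_RE.match(line):
            hive, target = m.groups()
            if TEMP_RE.search(target):
                findings.append(("autostart from Temp", line))
            run_owners.setdefault(executable_of(target), set()).add(hive)
        elif m := DPF_RE.match(line):
            host = urlparse(m.group(1)).hostname or ""
            if BARE_IP_RE.match(host):
                findings.append(("ActiveX download from bare IP", m.group(1)))
        elif (m := NS_RE.match(line)) and expected_nameservers is not None:
            for ns in m.group(1).split():
                if ns not in expected_nameservers:
                    findings.append(("unexpected name server", ns))
    # The same binary registered in both hives is a classic "make sure I survive" trick.
    for exe, hives in run_owners.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("same autostart in HKLM and HKCU", exe))
    return findings


if __name__ == "__main__":
    # 192.0.2.53 is a constructed placeholder; substitute the ISP's real resolvers.
    for reason, evidence in triage(SAMPLE_LOG, expected_nameservers={"192.0.2.53"}):
        print(f"{reason:38s} {evidence}")
```

    A clean run of this script is a short list of things to look at, not a clean bill of health: as Kodo notes above, a keylogger running as a hidden service may not appear in a HijackThis log at all, so the absence of findings here says nothing about that case.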
     
  34. helpless female

    helpless female Private E-2

    Homepage is freeserve, server is Virgin
     
  35. helpless female

    helpless female Private E-2

    Is this looking any better? In answer to your questions re: safe mode etc. - no and no

    Logfile of HijackThis v1.97.7
    Scan saved at 16:25:24, on 01/02/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\SYSTEM32\qttask.exe
    C:\windows\system32\netdllex.exe
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\QZTEMP\144567\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.co.uk/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Netdllex] c:\windows\system32\netdllex.exe
    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Netdllex] c:\windows\system32\netdllex.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-c2.freeserve.com/Java/cfs31235.cab
    O16 - DPF: Win32 Classes -
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.5092013889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{816D53D1-BB4B-4949-A401-5F2866C1288E}: NameServer = 194.168.4.100 194.168.8.100
     
  36. Adrynalyne

    Adrynalyne Guest

  37. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    to helpless female ok about the isp thing virgin uses ntl

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

    as for this she must have picked it up today as it wasn't on her last log, we'll really have to teach HF to use her ad-aware etc every day
    obviously does plenty of surfing ;)

    wizewiz can you guide her through the safe mode? but if he doesn't have time I'll look back in later
     
  38. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Nice catch, Adrynalyne! I actually HAD that on the (paper) list of the ones I checked with Google, and I knew it was a nasty, but it slipped out of the lists somewhere. Thanks for stopping by, man.

    General, (I see you're here) I think we need to remove the BHO bi.dll with HJT, and then start in Safe Mode and remove that danged bundle.exe (which is still running and probably re-creating its stuff that HJT is wiping) and check to see that bi.dll is gone, too, and I think we'll be done and the final log of HJT will be clean. Whatcha think?

    Patience, HF, we're getting there! You're almost home free.
     
  39. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    agreed wizewiz yeah i just checked back through and that bi dll is on the first log but not the last one

    have to guide her through the safe mode for bundle exe and also make sure this one has gone
    c:\windows\system32\enhance32.exe

    almost there :D
     
  40. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Thanks, GLS.

    OK, HF, gotta do sthg else right now, but we'll be back in 15 or so to get rid of the two/three remaining possible sources of probs.

    Come back or stick by if you can.
     
  41. Wisewiz

    Wisewiz Apprentice's Sorcerer

    HF, here are the instructions for using Safe Mode. You're going to use this in the steps BELOW:

    1. If the computer is running, shut it down and turn it off. Wait 30 secs or so.
    2. Restart the computer.

    (The computer begins processing a set of instructions. You know from past experience about how long it will take before the Windows XP screen with the little moving bar on it will appear. We want to start tapping F8 about once every two seconds, beginning a little bit BEFORE the Windows screen shows. If the Windows screen shows, let the machine finish booting, then shut down and try this all again. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. A couple of tries will let you get the "hang" of it: not too soon; not too late. See step 3.)

    3. About five-ten secs after you press the Power Button to start the machine, begin tapping the F8 key on your keyboard. Continue to do so until the white Windows Advanced Options menu appears against a black background. Now the computer is waiting for your selection from the menu on your screen.
    4. Using the arrow keys on the keyboard, move the cursor to and select the Safe Mode menu item, and then press Enter.
    ***********
    Here are the steps that remain:

    We want you to run HJT once more, check these, and click Fix checked:

    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe

    Then we want you to turn off the machine and use the instructions above to restart in Safe Mode, and once you're in Windows in Safe Mode (looks funny and is awkward, but hang in there), open Explorer (My Computer, C: is okay). We need you to set your Explorer display to SHOW EVERYTHING, so go into Tools (menu bar), Folder Options, View tab, check Display contents, check Show hidden, check Remember each, UNcheck anything that says Hide. Then click the Apply button and OK.

    Now navigate to each of these. If it's there, delete it. If it's not there, go to the next one in this list. Once you've finished the list, Empty the Recycle Bin.

    c:\WINDOWS\system32\enhance32.exe
    C:\WINDOWS\bi.dll
    C:\WINDOWS\jeired.dll
    C:\DOCUMENTS AND SETTINGS\JOHNNY(whatever, I can't tell)\LOCAL SETTINGS\Temp\bundle.exe

    Now reboot the computer the normal way and come back and tell us about whether you did all that or had problems. If no probs, we'll go to the final step. If probs, we'll try to help solve them.
     
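    The log excerpt quoted earlier and the cleanup list in this post both come down to the same triage: pick out the HJT entries that look like droppers (unnamed BHOs, DLLs sitting directly in C:\WINDOWS, Run entries launching from a Temp folder, DPF downloads from hosts nobody recognises) and turn them into a list of files to check in Safe Mode. As an added example (not from this thread and not part of HijackThis itself), here is a small Python script that parses the O2/O4/O16/O17 entry types shown in these logs and applies those heuristics mechanically. The sample log is a constructed subset of lines copied from this thread, and the trusted-host allowlist and rule names are assumptions I chose for the example.

```python
"""Triage a HijackThis log: flag the entry classes this thread removed by hand."""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HJT lines quoted in this thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{816D53D1-BB4B-4949-A401-5F2866C1288E}: NameServer = 194.168.4.100 194.168.8.100
"""

# One regex per HJT section we care about (field layout as seen in the logs above).
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
RE_DPF = re.compile(r"^O16 - DPF: (?P<desc>.+?) -\s*(?P<url>\S+)?$")
RE_NS = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# Leading optional quote, then the shortest prefix ending in an executable extension.
RE_EXE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|scr|com|bat))', re.I)

# Assumed allowlist for ActiveX (DPF) download hosts; anything else is "review".
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "apple.com", "macromedia.com")


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    path: str   # file path, URL or server list the finding is about
    raw: str    # the original log line


def exe_path(cmd: str) -> str:
    """Strip quotes and arguments from a Run command, leaving the executable path."""
    m = RE_EXE.match(cmd)
    return m["path"] if m else cmd.strip('"').split()[0]


def trusted_host(url: str) -> bool:
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_BHO.match(line):
            if m["name"] == "(no name)":            # legitimate BHOs almost always carry a name
                findings.append(Finding("bho-unnamed", m["path"], line))
            if ntpath.dirname(m["path"]).lower() == r"c:\windows":   # heuristic: DLL dropped in the Windows root
                findings.append(Finding("dll-in-windows-root", m["path"], line))
        elif m := (RE_RUN.match(line) or RE_STARTUP.match(line)):
            path = exe_path(m["cmd"])
            if re.search(r"\\temp\\", path, re.I):  # autostart from a Temp folder, like bundle.exe
                findings.append(Finding("run-from-temp", path, line))
        elif m := RE_DPF.match(line):
            if m["url"] and not trusted_host(m["url"]):
                findings.append(Finding("dpf-untrusted-host", m["url"], line))
        elif m := RE_NS.match(line):
            # Not a verdict: the DNS servers should simply be checked against the ISP's.
            findings.append(Finding("nameserver-review", m["servers"], line))
    return findings


def files_to_check(findings: list[Finding]) -> list[str]:
    """The on-disk paths to look for (and delete if present) in Safe Mode."""
    file_rules = {"bho-unnamed", "dll-in-windows-root", "run-from-temp"}
    return sorted({f.path for f in findings if f.rule in file_rules})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:22} {f.path}")
    print("\nFiles to check in Safe Mode:")
    for p in files_to_check(found):
        print("  " + p)
```

    Run against the sample it lists bi.dll and bundle.exe as files to check, flags the popmonster.com DPF entry for review, and echoes the NameServer entry so it can be compared with the ISP's servers (which is exactly the question raised about NTL/Virgin above). The rules are deliberately coarse: they reproduce what the helpers did by eye in this thread, and a hit means "look at it", not "delete it".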
  42. helpless female

    helpless female Private E-2

    Thanks for all the advice, I really do appreciate the trouble you are going to for me. gonna give it a try tomorrow. General...yes, plenty of surfing...3 teenagers in house...it's a miracle I ever get on here!
     
  43. bern

    bern Sergeant

    helpless i know how you feel i got 2 +wife and we have a rota to take turns on the puter. lol
     
  44. Wisewiz

    Wisewiz Apprentice's Sorcerer

    We'll see you then, HF.
     
  45. Adrynalyne

    Adrynalyne Guest


    Wow...I can only handle 1 wife :D
     
  46. helpless female

    helpless female Private E-2

    OK, done all that with no probs.
     
  47. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    congratulations you should be spy free at the moment just make sure you scan with ad-aware and spybot on a regular basis and don't forget to keep them updated :)

    if you still think you are being tracked then as per earlier suggestion you need to download this program install it and run a scan to see if there's any keylogging going on
    http://www.majorgeeks.com/download2125.html
    it seems straight forward enuff to use but if there's anything you're not sure of just ask
    unfortunately it's shareware so you can only scan with it but if it finds a nasty it won't fix it unless you pay but we'll cross that bridge when we come to it

    i know wizewiz has some thoughts on this and he can explain these things a lot better ;)

    @wizewiz good job man I've enjoyed this thread :cool:
     
  48. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Me, too, General. Thanks for all the work. And our (GLS & Ww) thanks to the rest of you who popped by and advised us.
    ********
    HF: M'dear, you can delete Hijack This from the same Temp folder you deleted bundle.exe from. Or if you want to save it, move the HJT exe file to some other folder where there are tools, cuz you oughta check that Temp folder you had HJT in, and CLEAR it from time to time. Things that can BITE you hide in there.

    You're done. I don't think the "evildoer" will have any spying ability anymore.

    Oh, we want to strongly recommend that you go to http://www.majorgeeks.com/download.php?det=388 and download from either Author or BTN (look toward the lower right) this firewall and install it. It'll pretty much take care of itself, but you should read the Help file and perhaps do a Google search for Using Zone Alarm for some help with it.

    Questions are welcome here, but it's pretty easy to figure out.

    You should, however (since your teens waltz around the Web a lot getting into dark corners where nasties hide), for sure RUN SPYBOT AND AD-AWARE FREQUENTLY, and always check for updates before you start the scans, as the General said.

    Keep your trash emptied, your Temps clear, and your viruses and spyware under control. Scan and defrag periodically. Maintain that machine. It's a lot more like a baby than a toaster, and it needs loving care.

    Good Luck, NO-LONGER-HELPLESS Female! Thanks for hanging in there for the long haul.

    (If you contact the Mods here, they'll let you change your Member Name to Highly Competent Spyslayer if you wish.) :p

    ...Wisewiz
     
  49. Tater

    Tater Tot

    LMAO wisewiz :D
     
  50. helpless female

    helpless female Private E-2

    Well peeps, I have to say I think you r truly wonderful!! Not only have u helped me immeasurably with my original prob but you have also helped me regain my faith in human nature and remember that there are nice people out there who don't turn into frogs! :)
     