Keylogger problems (I think)

I usualy run a variety of virus scans online randomly about every month my main AV protection everynight, I went to pestpatrol for a scan about 5 minutes ago, The only scanner that found something and of course it was a nasty keylogger and a BHO?

I can't find the BHO objects is told me to look for...I ran about every spyware scan to virus scanner I know and pest patrol is the only one that found this stuff...

I downloaded SpySweeper and ran that, Nothing. I tried Ewido Security Suite in Safe mode nothing...I don't know... Should I delete the Keylogger entries found?

Here's the log.

 

Please download Blacklight to its own folder...

F-Secure Blacklight

After download is complete, double click to run the program. Click "Accept" to procede. Then click SCAN to begin scanning your system.

Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post.

 

Hmm...Nothing...I put it in Program Files in a folder called F-Secure, That would be acceptable no?

 

Yeah, that's fine! That log looks ok, let's look at one more log.

Please follow the below steps...

1. Please download and unzip Rootkit Revealer to your desktop.
   
   
2. Please leave the defaults set as they are to:
   • Hide NTFS Metadata Files: this option is on by default
   • Scan Registry: this option is on by default.
   
   
3. Launch rootkit revealer on the system and press the Scan button.
   
   
4. RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
   
   
5. The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
   
   
6. Please attach the the log here in this thread to your next post.

 

Grrr.

 

That look's ok, please see the below thread on how to run WinPfind and attach the log.

• Running WinPfind by OldTimer

 

Hmmm.

 

I'm kind of curious about these three files below, what I want you to do is manually locate them with the viewing of hidden files and folders enabled. Also be sure you have "hide extentions for known file types" unchecked.

C:\WINDOWS\SYSTEM32\ThriXXX010104Z.dll
C:\WINDOWS\SYSTEM32\ThriXXX010205PNG.dll
C:\WINDOWS\SYSTEM32\ThriXXX015003JP2.dll

rename them to the following...

C:\WINDOWS\SYSTEM32\ThriXXX010104Z.old
C:\WINDOWS\SYSTEM32\ThriXXX010205PNG.old
C:\WINDOWS\SYSTEM32\ThriXXX015003JP2.old

After you complete the above, reboot and attach a fresh HJT log.

 

Ok done and here's the log.

umm just curious...Even with those entries in my Registry it can't really do anything can it?

I mean there's no Executeable to transfer that info to and from you don't think my info could be stolen like that do you?

I could be badly mistaken but when I think about keyloggers I think about total destruction of my life cause basically part of my life is on this PC from bank accounts to a Paypal account sites that hold personal info...And sadly enough my backup PC seems to be comprimised by the same issues.

Should I start changing all my Passwords for every account I have online (Well even If I should I can't cause I have no other PC...)?

I mean the whole deal with this has me scared to death. Just really considering just backing up what I can and reformatting for the sake of I won't have to worry about it.

 

The initial detections from Pest Patrol are false positives for WinPCap. If you do not use this then look in Add/Remove Programs and uninstall WinPCap if you see it. It's not required that you change any passwords, if you are still concerned you can change them if you want.

If you do NOT see WinPCap in Add/Remove then procede with the below instructions....

Click Start > Run > type in cmd and press enter!

In the command box, type in the below pressing enter after each one...

sc delete npf

sc delete rpcapd


After you have completed the above, procede with the below instructions...

Please download HOSTER and then follow the below steps.

• Unzip HOSTER to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.

• Click the X to exit the program.

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

O1 - Hosts: 64.235.252.234 www.hitwgang.com

O16 - DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} (ActiveXPortal Control) - http://72.29.80.113/OCX/gwnet.cab

Again, make sure ALL browser windows are closed when you click FIX.

After you have completed this post, reboot and let me know how things are running.

 

Oh don't worry about the www.hitwgang.com entry that is actually a trusted site, They're site gets server changes once in a while and it requires access Via Hosts.

Working on those fixes.

 

If your familiar with it then it's ok to leave it, I just like things to be default.

 

Ok done.

Which entries were false positives. Unfortunately I think I know why the BHO is there (was my dumb mistake), And I'm still having a problem locating those files.

The Keylogger detections were From WinPCap? I remember using that program actually.

 

The detections from Pest Patrol about WinPCap were the false positives.

All of your logs look good, are you having any current problems?

 

Well I know they were from WinPCap but which Entry The PC.Sentinal or the Bridge Detection?

Well no current problems but it would put my mind at ease if I could get those blooming files off of here...Or atleast stop pest patrol from detecting it if they don't really exsist...

 

I made it clear before posting! This is a keylogger, sometimes they are not in Add/Remove due to it's stealth that's why I added both removal steps.

 

The keylogger detections, these are the false positives. Ignore them, if you have this installed and do not want it, uninstall it. If you can't uninstall follow the steps I previously gave to you.

 

Oh sorry, Just wanted to make sure I heard it clear...No I don't have that software on my system I DID, It's gone though. Thanks for the help, Sorry I didn't comment I left town for a few days.

But I rescanned with pestpatrol to make sure everything was gone when I left I disconnected everything...And it comes up with some more crap...

Key Logger "Advanced KEYLOGGER" found in:
Key "hkey_local_machine \software\licenses" value "{k7c0db872a3f777c0}"

Is this actually a keylogger this time or pestpatrol really a piece of garbage that I should ignore from now on?

 

Could be the licensing part of the keylogger, let's go ahead and remove it.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

After you complete the above, reboot and let me know if any problems remain.

 

Ok done...And rescanned with pest patrol...nothing came back up.

(Regedit4 was supposed to be included at the top right? If it was then good cause I did so if not...Then oops.)

But...IF it is part of the other entry than it must be false positive, The only thing I installed after having those previous issues was AIM from CNET.com.

 

Yeah, it was supposed to be in there.

Are you having any current problems?

 

Nope no problems...Just a bit paranoid and sick of computers right now lol...If it's not 1 thing it's another or 2 more ^_^.

I usualy do scans every other day to make sure I'm clean but it always ends up finding something weird. I think maybe I should stay away from pestpatrol.

Every other scanner was clean...Thanks for the help.

 

For anti-spy protection I strongly recommend Spy Sweeper. It's what I use and IMO is the best for removal and protection.

You should see this article on How to Protect yourself from malware!

 

Hmm sounds good, Thanks for the tip. Soon as my check deposits on monday I'll be sure to purchase it.

The trial still protects meanwhile doesn't it? =P

 

It will protect but will not update until purchased.