Keystoke logger/spam

Hi everyone
I was hoping someone might help me out. I'd be really grateful as I've tried and failed to sort this. I'm stuck now.
I'm very worried as I think I've got either a keystroke logger downloading screen snapshots and emailing them to a hacker so my passwords are compromised or someone is using my computer to forward on spam emails I receive from them

What happens is
When I log on first the Norton Symantec box comes up highlighting the letter symbol showing me an email/message is being sent out (I think)
Then roughly every 1 or 2 minutes ever after (seems random) Symantec tells me its scanning another outgoing message. I've no idea what they are (I think it must be emails though as I always get that scanning message when I send an email). Some messages do seem to be bigger than others.

I've got Norton firewall & antivirus set up as standard.
I've also tried running Spybot, Spyware Doctor, NoAdware, Pestpatrol & Rubotted with no luck
I think maybe whatever I've got is hidden well within one of my normal programmes in the registry and can't be detected easily

As well as these messages (emails?) the Norton antivirus keeps on saying it has detected and removed this virus
http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
even though I have successfully removed it already using the SAFE mode. It seems to be continually trying to reinstall I think.
Whether the two problems are linked I 'm not sure but they both started around the same time.

I've attached a HIJACKTHIS log of my programmes
I've also attached a screenshot of a programme called ActivePorts as well. It shows what ports are open. It might help hopefully to try and see anything unusual

Many thanks for any help anyone can give



Logfile of HijackThis v1.99.1
Scan saved at 18:09:08, on 11/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.



PROCESS PID LOCAL IP LOCAL PORT REMOTE IP REMOTE PORT STATE PROTOCOL PATH
Unknown 0 127.0.0.1 1054 127.0.0.1 1027 TIME_WAIT TCP
Unknown 0 127.0.0.1 1100 127.0.0.1 1032 TIME_WAIT TCP
Unknown 0 127.0.0.1 1098 127.0.0.1 1032 TIME_WAIT TCP
Unknown 0 127.0.0.1 1096 127.0.0.1 1027 TIME_WAIT TCP
Unknown 0 127.0.0.1 1032 127.0.0.1 1104 TIME_WAIT TCP
Unknown 0 77.99.214.25 1101 216.32.90.186 80 TIME_WAIT TCP
Unknown 0 77.99.214.25 1089 62.25.101.100 80 TIME_WAIT TCP
Unknown 0 77.99.214.25 1087 62.25.101.100 80 TIME_WAIT TCP
Unknown 0 77.99.214.25 1068 203.23.213.115 80 TIME_WAIT TCP
Unknown 0 77.99.214.25 1061 83.231.138.8 80 TIME_WAIT TCP
Unknown 0 77.99.214.25 1060 83.231.138.8 80 TIME_WAIT TCP
System 4 77.99.214.25 138 LISTEN UDP
System 4 77.99.214.25 137 LISTEN UDP
System 4 0.0.0.0 445 LISTEN UDP
System 4 77.99.214.25 139 LISTEN TCP
System 4 0.0.0.0 1047 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
lsass.exe 620 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
svchost.exe 776 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
svchost.exe 828 127.0.0.1 123 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 828 0.0.0.0 1025 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 904 0.0.0.0 1063 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 904 0.0.0.0 1028 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 960 127.0.0.1 1900 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 960 0.0.0.0 5000 LISTEN TCP C:\WINDOWS\System32\svchost.exe
ccApp.exe 1892 127.0.0.1 1027 LISTEN TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
svchost.exe 2148 0.0.0.0 1030 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 2732 0.0.0.0 1041 LISTEN UDP C:\WINDOWS\System32\svchost.exe

 

Hi, thanks for replying

Just got in and started working through your post
I'm trying to download the cccleaner but I get this error message

C:Windows\system32\msvbvm60.dll
An error occurred while trying to replace the existing file
Deletefile failed code 5
Access is denied

Should I press the ignore option and skip this file or is it important

Thanks

 

Hi,

1) I've now managed to download & install & run Ccleaner to clean hard drive & check registry
2) Have defragmented hard drive using Smart Defrag
3) Nothing is quaranteened under Norton Antivirus
4) I've downloaded Superantisypware but couldn't get it to install to run it
Kept getting message ''the windows installer could not be accessed. Could be running in safe mode or the windows installer is not correctly installed''
I don't think I'm in safe mode as the safeboot box under msconfig/system configuration utility/boot.ini is unchecked
Under the general tab it is normal set up - load all device drivers and set ups. Is this wrong maybe?
In fact I'm getting a lot of windows installer messages when I first switch on now which I never used to get
5) Ran spybot - only a NoAdware programme showed which I deleted
6) Ran Malwarebytes - one entry I've deleted, log is underneath
Interestingly after I deleted that the Downloader virus I mentioned above flashed up as well with Norton saying it has deleted it
7) I was going to delete all the various Java's I've got that are on your list but not sure about these other two
Is it safe to delete these - ''Java webstart'' & ''Jfreechart 0.9.21 demo''
Sorry for being a bit dense but which is the right Java option to download to replace them from
java.sun.com/javase/downloads/index.jsp
Is it Java SE 6 Update 10?
8) Looked at Combofix and downloaded the file ''winxpsp1'' but got stuck after that.
I tried dragging it over the combofix symbol and the red bars going accross seemed to show it had worked but then nothing seemed to happen after that
I thought maybe I had to install the winxpsp1 first maybe but it asked for a floppy drive to copy images to, so I wasn't sure
I am doing it right?

Printer problem
For some reason I now seem to have two printers installed
HP PSC 2170 and a HP PSC 2170 (copy 1). I have to manually click on the copy 1 before I can print anything off now

Many thanks

 

Hi,
All the logs ran nice and smoothly.

1) I've attached the Mgtools log
I've got XP 2002 Home edition SP1 but I've no idea whether its 32 or 62 bit. Just tell me where to check if you need it
2) Attached the Combofix log as well
3) Managed to run Superantispyware but only once I'd run these first two logs, changed it to SAS.exe as well
Attached the log, nothing on it

Good news is that the outgoing email I was sending when I first booted up seems to have stopped, or at least I don't see it now.
The flow of apparent emails that Norton was scanning every few minutes has also stopped.
If I blocked internet access, the Pc after a while would restart itself, and that's stopped as well

I sometimes still get an incoming UDP message that I don't recall seeing before that Norton asks me if I wish to permit it
'remote system attempting to access C\windows\sysyem32\lsass.exe.
Is that OK?

I'd be grateful if you'd check there isn't anything else nasty to worry about in the logs, for peace of mind

I tried to remove these old Java's but couldn't. I keep getting that error installer message I mentioned above.
Would you prefer me to raise that on the software forum?

Will I need to do a toggle system restore now?

Many thanks

 

Hi,

1) Deleted all the files you listed, they all looked superfluous
2) Windows Messenger removal seemed to work OK, but I had to press OK to ignore this message that came up ''error registering the OCX16422''
Is that important?
3) Got rid off all the old Java's Ok and successfully installed the new one
4) Ran the Mgtools\analyse.exe.
Got the message saying fixme was added to the registry
5) Ran malwarebytes and then the Ccleaner
7) I've attached all the logs again

The Pc is definitely running much quicker and smoother now and these emails seem to have stopped. Hopefully the logs back that up.
Thanks a bunch for that, there's no way I would have managed all that on my own

About that incoming lsass.exe message trying to connect inwards to me - it was just occasionally, but at random times, it seems to have stopped now.
I don't think I have any P2P or torrent programs. Only thing I can think of is a financial website I use that provides constantly updating prices
but I think that uses Java.

Can you reassure me that all these things below are safe and I needn't worry about them
When I log on first Norton Firewall tells me all these programmes under system 32 are accessing the internet in this order
C\windows/system32/lsass.exe - just at start up, don't see it again after that
This is a first though - /alg.exe - never seen it before until start up today
Then 2 at same time of /svchost - again just at start up
Then /hkcmd connects up
Shortly after I am asked if I wish to permit /hkcmd to send an outgoing message
Should I allow it?

Many thanks again

 

I just noticed the 1st part you asked
Do you have your Windows XP SP1 bootable CD? You may need it during this next step.

I bought the Pc preinstalled from HP store about 3 years ago but there was no disc. I remember running off 7 CD's then for some reason. I think it was to copy all the settings on the computer. Is that any use?

Thanks

 

Back again,
Bit disorganised today. Just ran that scan. The blue bar gradually went right along to the end. I was expecting a finished message but one never came up. Does that just mean the scan found no problems?

Hopefully me doing this bit out of order won't matter ?

Thanks

 

Hi,
Sorry, I thought I'd attached that ComboFix log
I've tried a few times and it won't attach although its only seems to be 14.3kb & a txt file. Is there a way round this?

I closed Pestpatrol, SAS & Spware Doctor and disabled Norton antivirus before I clicked on Getlogs.bats
Hopefully this new Mglog zip file has updated OK now

Spyware Doctor 4.0 is in the add/remove bit of the C drive but Pest Patrol isn't
Both are paid versions I've had for 2 or 3 years now and renew each year

Thanks

 

Hi,
You were right, that log was still dated 13/9
Hopefully the attached log is OK now, its got todays date on it at least!!

Will I wait till after I'm fixed to remove Pestpatrol and get an updated version of Spyware Doctor. No idea why I'm still on 4 as its on auto daily updates.
Or do you think SAS might be the best one to keep?

Pestpatrol is definitely not in Add/remove but I assume I can just use the uninstaller tool you gave me to do it.
Its on the

Thanks

 

I have noticed something strange about Outlook though
As I said above all these messages every few minutes saying Symantec is scanning something going out have stopped.

But now when I send an email, even if just a test with nothing in it it takes a good 30 seconds to go. It goes to the outbox and then the scanning message comes up for a good 15 seconds. Is it possible something is still attaching itself to any emails I send out?
It was always much much quicker before.

Thanks

 

Hi,

Dragged that .txt file onto the .exe file
But the file won't upload
Ran the .bat file again, attached log
I think your going to have to guide me through exactly what I need to do
I'm not that good on computers and I'm getting a bit confused

Thanks

 

Hi again,

I've ran and attached these 2 logs
Fingers crossed I've done it right this time

Re how the Pc is working now -
Those dodgy outgoing email scan messages I was getting are still gone which is great.
Any time I send an email though it now takes forever to exit system as I mentioned above and every time I log on I still get loads of installers messages, makes logging on really slow. Both these issues never used to happen before I started the fixes.
Could it be something I've done unintentionally to cause them?

Thanks

 

Hi,
Sorry, my poor use of English. I'm not refering to either shutting down the Pc or closing down Outlook.
I really meant that every time I send an email now Outlook says 'sending' in bottom right of computer for about 20 seconds and the email sits in the outbox, then Symantec scans it for about a further 20 seconds.

I think to keep things simpler for me since we've just about finished cleaning the malware off I'd prefer not to reinstate the old restore points if we don't know it will definitely sort the installer problem.
I've not heard of event viewer before. If you can you give me a link to it I'll run it prior to posting this installer problem on the Software Forum once
I've done this final clean up.
Since I'm going to remove PestPatrol anyway would it be best if I did it now before we do this final clean up, if it might fix the installer problem?

Thanks

 

Hi,
For whatever reason, without doing anything, sending emails are bank to normal speed today. Very strange, so I'll see what happens over the next few days.

On the desktop I can right click on the Pestpatrol icon, it brings up that new uninstaller (you gave me) option.
Its giving me the option to delete file PestPatrol.exe on path C\program files\Pest Patrol
Once I saw that I went into the program files folder and all the files are there. There is a Pest Patrol uninstall option called UnPP.exe.
Worry is under the quarantine file its got three zipped files 1) Hacker Eliminator zip file, 2) two files called wer5d.temp.dir00, and another called 5e,
3) Some kind of registry entry file I think
Will these quaranteened files reinfect the computer if I uninstall it?
So as I seem to have got two possible ways to uninstall which would be the best/safest one to try first?

I'll get a software query opened next up and come back to you once they've had a look at it.

Looking at the event manager security log every day when I log on there is an entry ''event 540'', ''anonymous logon''.
Other details when I go into it are NT authority/anonymous logon, category logon/logoff, logon ID 0x0, 0X3B18D, logon type 3,
logon process NtLmSsp, authentication package NTLM
Clicking on the option to send to Microsoft - file name MsAuditE.dll, type success audit
It’s the anonymous got me wondering. Is there anything to worry about?

Thanks

 

Hi,

I removed Pest Patrol with its own uninstaller

I was looking at the security log history of the last few days in time order. The anonymous one is still there today. It appeared after I switched on the Pc first today, I later used Turn of computer - restart to reboot and it appeared again.

Its a home PC, personally owned, I don't logon to any domain that I'm aware of.

Thanks

 

Hi Chasling
Hope you had a good holiday.

I had major problems when I tried to download SP2 as part of my fix on the sofware forum. The PC crashed just as it was installing the SP2 information.
Message was ''Missing or corrupt Ntfs.sys'' when I tried rebooting. I had to use the F10 option for system recovery to reinstate the original factory settings.
It cleared up the uninstaller problem though so I hoped SP2 would work now and it did thankfully.
I also got the new Java installed no problem and its working well.
I defragged it all again and the PC overall is much faster which is a big help.
So I think we should be able to go ahead now.

I had been thinking of getting rid of my Norton & Spyware Doctor for a while now. They were nearly expired so I've uninstalled them and replaced them
with the 2009 Kaspersky Firewall/Antinvirus/Malware package.

Will the rollback to factory setting have undone a lot of what we had already done?
Some of the programs like Spybot/SAS/Malwarebytes/Avenger seem to have disappeared. I think combo fix is still there.
Is that QOOBOX in C\programe related to Malwarebytes?, I've noticed there seems to be virus files in the quarantine folder.
I did the windows messenger removal again and re-ran Ccleaner.
I haven't done the sfc /scannow as yet.

I ran the full Scan for Kaspersky. Hopefully these details might help.
It found 2 copies of a high risk one called Trojan.Downloader.Win32.Delf.gcy which are now deleted.
Its stopped 4 inbound attempts so far by a worm called Intrusion.Win.MSSQL.worm.Helkern to get into port 1434.
It says my system is clear. Is it likely though?

Will we need to do anything again just to make sure everything is OK before the final clean up?

Thanks

 

Hi,

I think all the malwares gone now, can't see any problems at all now.
Before I do the final instructions can I just check something first.
Will uninstalling Combo fix automatically delete the viruses in the quarantine folder at the same time?
If not, can I safely delete them manually?

Thanks

 

Hi Chaslang.
Been away a few days. I've just done all the final tidying up and the Pc is behaving itself once again, its much much quicker as well.

So thanks again for all the time & help you've given me