
Keylogger Detection/Removal - as well as real-time protection?

Status
Not open for further replies.

jimp56

IS-IT--Management
Oct 4, 2004
545
US
Hello-
I have encountered a computer with various trojans and a keylogger component (watchdll.dll, reportedly part of cybervizion) -- and no scanners I have yet found have detected it or its other components.

What do you recommend as a:
1) good keylogger detection utility (when scanning the drive as a secondary drive, i.e. Windows not running)

-and-

2) Good realtime protection/detection of same when windows is running for future prevention?

Need quick help as this is an exec's computer.

Thank You!
 
This keylogger is probably using a rootkit to hide it.


Run a scan with that and post the file on here.

Also I'd run a scan with this as well.


Then download hijackthis from the link below. Open it up, choose "do a system scan and save a logfile" and post the logfile on here. Do not attempt to fix anything in this program unless you are sure of what you are doing, as not everything it shows is bad.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Oh, also if you're looking for a good antivirus, I recommend antivir. However, if this computer currently has Norton or McAfee, remove them before installing antivir. They do not get along lol.


This is how I recommend setting up antivir.

This is to setup antivir after it has been installed.

Right click on the logo in the taskbar (a red square with a white umbrella), then left click configure. Towards the top left, you will see a box beside expert mode. Check this box. Now click the + beside scanner, and now the + beside scan. This will expand them.

Now click on scan itself to where it is highlighted. Now to the right under files, select the circle beside all files. Now click on action for concerning files. To the right, click the circle beside automatic. Now to the right of that, set primary action to repair and secondary action to delete. DO NOT check the box that says "copy file to quarantine before action".

Now click on archives to where it is highlighted. Make sure all boxes on this page are checked; if not, check them. Now click on heuristic. To the right under win32 file heuristic, check the box beside "win32 file heuristic", then click the circle beside medium detection level.

Now click the + beside guard and the + beside scan to expand them. Now click on scan to where it is highlighted. To the right under scan mode, check "scan when reading and writing". To the right of that under files, click the circle beside "all files".

Now click on heuristic to where it is highlighted. Check the box beside win32 file heuristic, and then click the circle beside medium detection level. Now click ok and antivir is now set up for scanning. I highly recommend doing a scan now.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Thanks! Will report back soon...have a conference call now :-(

Also note, I currently have the infected drive as a slave on a clean system. Will the rootkit detector still work (I should think so)?
 
No, because the rootkit detector searches the registry. Also, on this drive be sure to empty all temp locations.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
That's my next step.

Already ran ewido; it did not detect watchdll.dll (as a slave), but it was in a temp folder so I will manually clean those, then boot the system and run the revealer.

Thanks.
 
If you're going to boot the system, make life easier with this.

ccleaner (temp emptier for all locations)



There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
OK, I ran the RKR and HJT, they both appear clean to me:

rootkit log:
HKLM\SECURITY\Policy\Secrets\SAC*:
Description: Key name contains embedded nulls (*)
Date: 10/26/2005 10:40 AM
Size: 0 bytes
HKLM\SECURITY\Policy\Secrets\SAI*:
Description: Key name contains embedded nulls (*)
Date: 10/26/2005 10:40 AM
Size: 0 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\Siebel Application\EventMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\Siebel Application\CategoryMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\Siebel Application\EventMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\Siebel Application\CategoryMessageFile:
Description: Data mismatch between Windows API and raw hive data.
Date: 04/19/2006 11:32 AM
Size: 33 bytes

NOTE: Siebel is a known app we use.



HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:56:57 AM, on 08/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\IFXSPMGT.exe
C:\program files\marimba\tuner\Tuner.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\SysAdmin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = company domain name).com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = company domain name).com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BC67D045-6DBD-4510-A327-DFA9ACF2B219} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\asdf\asdf.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Sametime Meeting Room Client ST31 -
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) -
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) -
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) -
O16 - DPF: {C3448049-D8C1-47AF-82DE-74FE5F64C6D5} (Siebel Option Pack for IE 7.5.2) -
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) -
O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = (our company domain name).net
O17 - HKLM\Software\..\Telephony: DomainName = (our company domain name).net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B016DE-5E65-4DC7-BA92-D79735447AE0}: NameServer = 204.99.62.71,204.99.62.73,10.101.1.53,10.102.1.53,10.24.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = (our company domain name).net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = internal.pcshs.com,psd.(our company domain name).int,cts.(our company domain name).int,(our company domain name).int,(our company domain name).com,rx-r-us.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = (our company domain name).net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = internal.pcshs.com,psd.(our company domain name).int,cts.(our company domain name).int,(our company domain name).int,(our company domain name).com,rx-r-us.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.pcshs.com,psd.(our company domain name).int,cts.(our company domain name).int,(our company domain name).int,(our company domain name).com,rx-r-us.com
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O20 - Winlogon Notify: system2 - C:\DOCUME~1\rc867a\LOCALS~1\Temp\system2.dll (file missing)
O23 - Service: AppnNode - IBM Corporation - C:\WINNT\System32\Drivers\appnnode.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: MarimbaEndPoint - Marimba, Inc. - C:\program files\marimba\tuner\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

I did see some problems with the HJT log, but will wait for your reply. Note the (our company domain name) entries are intentional.
 
O2 - BHO: (no name) - {BC67D045-6DBD-4510-A327-DFA9ACF2B219} - (no file)

O20 - Winlogon Notify: system2 - C:\DOCUME~1\rc867a\LOCALS~1\Temp\system2.dll (file missing)


Check those and click "Fix checked".

I do not believe this spyware/keylogger is on there anymore, as I cannot find any traces of it.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
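As an added example (not part of this thread, and not HijackThis's own logic), here is a small Python triage that applies the same reasoning used above to HJT log lines: it flags entries whose target file is missing, modules registered from a Temp directory (where the keylogger DLL in this thread was found), and Winlogon Notify entries that match either condition. The sample lines are a constructed subset in the shape of the posted log.

```python
import re

# Constructed sample: a handful of lines in HijackThis v1.99 log format,
# modelled on the log posted in this thread (illustrative, not a real scan).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {BC67D045-6DBD-4510-A327-DFA9ACF2B219} - (no file)
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\system32\\hkcmd.exe
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: system2 - C:\\DOCUME~1\\rc867a\\LOCALS~1\\Temp\\system2.dll (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\\Program Files\\Executive Software\\Diskeeper\\DkService.exe
"""

# HJT entries start with a section tag (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
# A path component named "Temp" anywhere in the target path.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage_hjt(log_text):
    """Return (section, reason, line) tuples for entries worth a closer look.

    Heuristics (this example's own, not HijackThis's):
      * '(no file)' / '(file missing)' means an orphaned registration that
        does nothing useful and is safe to remove;
      * a module registered from a Temp directory is unusual for legitimate
        software and matches the temp-folder DLL discussed in the thread;
      * an O20 (Winlogon Notify) entry is called out explicitly, since such
        DLLs are loaded by winlogon.exe at every logon.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("target file missing (orphaned entry)")
        if TEMP_RE.search(body):
            reasons.append("module registered from a Temp directory")
        if section == "O20" and reasons:
            reasons.append("Winlogon Notify DLL: loads at every logon")
        if reasons:
            findings.append((section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running it on the sample reports the two entries the reply above told the poster to fix, plus the orphaned atmgrtok Winlogon Notify entry from the same log.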
 
Thank you so very much for your immediate, helpful, and courteous advice!

also, thanks for the antivir program tip!
 
n/p, I love helping people, which is why this forum exists lol. Everyone on here loves to help, so we all help when we can.

Also just to be sure everything is gone, load the computer in safe mode and run every antivirus, antispyware and ccleaner.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 