keyloggers

Status
Not open for further replies.

DN01

IS-IT--Management
Oct 25, 2004
7
GB
Recently someone hacked into my account on And I've heard that it's possible because of some keyloggers (I'm not sure what they are). I have Norton Antivirus 2005 and Spybot and it hasn't detected anything. Can anyone give me more information please about these keyloggers? Thanks
 
Hi there,

KEYLOGGERS are programs that LOG the keys pressed, for instance when you access the Internet or type a Word DOC, and by opened Internet access, transfer the pressed keys to a recipient, who can then analyze the flood of information for USERLOGONs/NAMEs and the corresponding PASSWORDs, etc...

they are considered to be TROJANs, besides using AV software, or SPYBOT alone, you should also install AD-AWARE, SPYWAREBLASTER, a FIREWALL and a TROJAN SCAN SOFTWARE (ANTI-TROJAN or THE CLEANER, for instance), this will give you close to 99% protection against SH*T like this...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
I have a firewall that came with my Windows XP Professional, I'll try installing Ad-Aware and see if it detects anything. Thanks
Nick
 
I just realised that Spyware Doctor detected 12 problems. The log can be found here: Can anyone tell me why that Zango Search Assistant is there if I haven't visited any porn sites? And how to remove it?
 
the log:

C-Dilla (HKLM\SOFTWARE\C07ft5Y) Registry *
Zango Search Assistant (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\i-lookup.com) Registry *
Zango Search Assistant (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\teensguru.com) Registry *
Zango Search Assistant (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com) Registry *
Tracking Cookie (administrator@adtech[2].txt) cookie file *
Tracking Cookie (administrator@everyone[2].txt) cookie file *
Tracking Cookie (administrator@ads.x10[2].txt) cookie file *
Tracking Cookie (administrator@www.dgm2[1].txt) cookie file *
Tracking Cookie (administrator@pop.mircx[1].txt) cookie file *
Tracking Cookie (administrator@xmts[2].txt) cookie file *
Tracking Cookie (administrator@network[1].txt) cookie file *
IBIS Toolbar (C:\PROGRAM FILES\Microsoft Games\Rise of Nations\data\cursors.xml) file *

 
Hi there,

first, ditch the XP Firewall (deactivate it) and install a third party Firewall such as ZoneAlarm or Steganos Personal or Tiny Firewall, they are much better and easier to configure...

then like I said install a Trojan Hunter program...

Download SpyBot Search and Destroy as well as SpywareBlaster, install them along with Ad-Aware (using both will net you close to 100% of finding culprits after they have been installed), nice thing about SpyBot (SpywareBlaster as well) is that you can immunize your PC, also another feature about the prog is the TeaTimer, it runs in the background and monitors your Registry preventing progies from installing in the first place...

deactivate ActiveX and JavaScript (if you don't know how to do this, I would suggest a progy named XP-Antispy)...

best also would be to ditch IE altogether and use another browser like Mozilla, Firefox, or Opera... these aren't as prone to being hit...

download HiJackThis!, run its log feature, and you can paste it here for analysis...

PS - HiJackThis, SpyBot, and SpywareBlaster are Freeware progies, like Mozilla or Firefox as well...




Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
The HijackThis log is:
Logfile of HijackThis v1.98.2
Scan saved at 16:50:13, on 25/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\calc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B875750-BC46-4A05-AD08-C58F2A73DB2E}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B875750-BC46-4A05-AD08-C58F2A73DB2E}: NameServer = 194.168.4.100 194.168.8.100
 
Hi there, the following, although not Spyware, should still be under suspicion: they are from INTEL, and the names could be used by third party Spyware progies to lure unsuspecting Users into thinking nothing is amiss:

C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

if you don't use HotKeys then delete them, the same goes for igfxtray, this is the Intel Display Wizard, which can also be safely removed...



the following should be removed, and considered a threat:

O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B875750-BC46-4A05-AD08-C58F2A73DB2E}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B875750-BC46-4A05-AD08-C58F2A73DB2E}: NameServer = 194.168.4.100 194.168.8.100

besides this I haven't found anything else suspicious... after deletion of the above, go back to and change your passwords, etc. and do not save them in IE or Firefox (Autocompletion/Password Storage), but rather write them down...

I hope I was of some help to you...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
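The triage Ben does by hand above can be scripted. As an added example (not from this thread, and not part of HijackThis itself), the Python below parses HijackThis-format entry lines and flags the categories discussed in the analysis: O17 NameServer values outside an operator-supplied list of expected resolvers, O4 autostart images living under the Windows directory whose publisher should be confirmed, O14 overrides of IE's reset defaults, and orphaned "(no file)" entries. The sample log, the expected-resolver list and the `{GUID}` placeholder are constructed for the example; which resolvers are legitimate must be checked with the actual ISP.

```python
import re

# Constructed sample in the HijackThis v1.98 log format, modelled on the
# entry types posted in this thread (values are illustrative, not live data).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\system32\\hkcmd.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID}: NameServer = 194.168.4.100 194.168.8.100
"""

ENTRY_RE = re.compile(r"^(?P<sect>[RFNO]\d+) - (?P<body>.*)$")
RUN_IMAGE_RE = re.compile(r'\]\s+"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")

def parse_hjt(text):
    """Return (section, body) pairs for entry lines (R0, O2, O4, O17 ...).
    The header and the 'Running processes' list do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sect"], m["body"]))
    return entries

def review(text, expected_dns):
    """Return (section, reason) findings for a defender to verify by hand.
    expected_dns: resolvers the ISP/admin actually issued (constructed here);
    anything else in an O17 entry is a DNS-hijack candidate."""
    findings = []
    for sect, body in parse_hjt(text):
        if sect == "O17":
            servers = set(NAMESERVER_RE.search(body)["servers"].split())
            unexpected = sorted(servers - set(expected_dns))
            if unexpected:
                findings.append((sect, "unexpected resolver(s): " + ", ".join(unexpected)))
        elif sect == "O4":
            m = RUN_IMAGE_RE.search(body)
            if m and m["path"].lower().startswith("c:\\windows\\"):
                # Autostart image in the Windows tree: malware borrows vendor-like
                # names here, so confirm the file's publisher signature before trusting it.
                findings.append((sect, "verify publisher of " + m["path"]))
        elif sect == "O14":
            findings.append((sect, "IE reset defaults overridden: " + body))
        elif body.endswith("(no file)"):
            findings.append((sect, "orphaned entry, safe to remove: " + body))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, expected_dns=("194.168.4.100",)):
        print(*finding)
```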
 
Hi there, sorry but the storage thingy wasn't my idea, the link got somehow into the thread... I guess it's supposed to be a feature of TekTips...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Thanks Ben. I hope all will be alright from now on :D
 
Glad to hear this...

... got probs, come to Tek-Tips, and someone will be able to help...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Hi

If you are running W2K etc., make sure you log on as a user. Apparently there is a vulnerability in NAV2005 if you are logged on as Administrator.

I use Wingate firewall and NAV2005 to protect my network/VPN, which are very secure. NAV2005 also detects and blocks incoming worms etc., to good effect. You can also test your firewall security on GRC.com. My recent install of NAV2005 appears to have made my Adaware installs almost redundant.

PS - NAV2005 is blocking 5-10 viruses per day at my firewall/proxy, it also seems to be CPU resource hungry so you need a reasonably fast PC (PIII 1GHz +).

Good luck
 