SweetTreat
Trooper
Joined: Apr 11, 2004
Posts: 20
Location: USA
Posted: Tue Apr 13, 2004 5:18 pm Post subject: I may have a Keystroke logger
I have reason to suspect that the guy who built my new PC may have installed a keylogger, probably as a prank.
What kind of tools is best to check this out? I have tried Adaware, Spybot, Bullet Proof software, Keylogger Detector and Spy Sweeper, which reported it found E-Surveillor, but they then admitted it was a false positive. Any other suggestions?
FWIW, I run Iomega Zip and Jaz drives, Norton System Works, NAV, Acronis true Image, Cookie Pal, cookie patrol, and a remote control for my sound card front panel.
My HJT Log is below:
Logfile of HijackThis v1.97.7
Scan saved at 10:15:34 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\CPal\CPal.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Downloads-2004\HiJack_This\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\Downloads-2004\NAV-2003-DCC-zip\nav2003\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Startup: Cookie Pal.lnk = C:\Program Files\CPal\CPal.exe
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: Shortcut to Internet Explorer.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
Prince_Serendip
AVPE Host
Premium Member
Joined: Sep 07, 2002
Posts: 1026
Location: Canada
Posted: Tue Apr 13, 2004 6:04 pm Post subject:
You might try Ewido Security Suite? It's a freeware antitrojan and antikeylogger.
TrojanHunter is one of the very best but it's payware, though they have a 30-day trial version.
If you are computer savvy try TDS-3: Trojan Defense Suite. It's extremely good too and also has a trial version.
Best regards and welcome to Computer Cops!
_________________
ASAP Expert | Please donate to Computer Cops!
8goldfish
Trooper
Joined: Apr 13, 2004
Posts: 12
Location: Australia
Posted: Wed Apr 14, 2004 4:08 am Post subject: Re: I may have a Keystroke logger
SweetTreat wrote:
I have reason to suspect that the guy who built my new PC may have installed a keylogger, probably as a prank.
First! Wow! You have a whole suite of anti-virus software. Are you sure you need all these?
If there is a keylogger, then the data must be captured to a file so that it may send the data to a host somewhere. I cannot tell from the list if there is a keylogger so I think the best thing is to first confirm that there is definitely some suspicious IP activities and some file logging activities.
For detecting suspicious network activities, you can easily confirm by using IpTicker http://www.soft-trek.com.au/prjIpTicker.asp. Once you have confirmed the suspicious IP activities, you can locate the application using netstat -a -o to get the PID.
For the latter part, I would recommend PC Logger if and only if the spyware (if any) is logging to your windows or windows directory; as PC Logger can detect those activities easily. See http://www.soft-trek.com.au/prjPCLogger.asp.
Good luck.
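The "netstat -a -o, then find the PID" step above is the part people most often get stuck on, so here is an added example (not from the post or any tool it mentions) that does the correlation in code. It parses constructed samples of Windows `netstat -a -o` and `tasklist` output, attaches the owning image name to each non-listening connection, and flags connections to remote ports outside the web/mail ports the thread treats as normal. The sample rows, PIDs and image names are made up for the demonstration; the `svhost.exe` row is a constructed look-alike name, included to show why the process name next to the PID matters.

```python
"""Correlate netstat -a -o connections with the process that owns them.
Added example; all sample output below is constructed, not captured."""

# Constructed sample of `netstat -a -o` (Windows): Proto, Local, Foreign, State, PID
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:1087      66.77.165.161:80       ESTABLISHED     1644
  TCP    192.168.1.10:1092      172.16.0.163:443       SYN_SENT        2204
  TCP    192.168.1.10:1101      198.51.100.45:6667     ESTABLISHED     3120
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample of `tasklist` output, used to map PID -> image name
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  876 Console                 0      4,212 K
iexplore.exe                1644 Console                 0     18,004 K
msn6.exe                    2204 Console                 0      6,120 K
svhost.exe                  3120 Console                 0      1,904 K
System                         4 Console                 0        236 K
"""

# Remote ports the thread regards as ordinary web/mail traffic (assumption)
EXPECTED_PORTS = {80, 110, 443}


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from netstat -a -o text.
    UDP rows have no State column, so they are one field shorter."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["TCP"] and len(parts) >= 5:
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif parts[:1] == ["UDP"] and len(parts) >= 4:
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from tasklist text; header/separator rows
    have no numeric second column and are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def connections_with_owner(netstat_text, tasklist_text):
    """Join the two listings on PID. Listening sockets and wildcard rows are
    dropped because they are not traffic leaving the machine."""
    procs = parse_tasklist(tasklist_text)
    result = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        host, _, port = foreign.rpartition(":")
        if state == "LISTENING" or host in ("*", "0.0.0.0", ""):
            continue
        result.append({
            "proto": proto,
            "local": local,
            "remote": foreign,
            "state": state,
            "pid": pid,
            "process": procs.get(pid, "<unknown>"),
            "unexpected_port": int(port) not in EXPECTED_PORTS,
        })
    return result


def suspicious_connections(netstat_text, tasklist_text):
    """Connections worth a closer look: remote port outside the expected set.
    The PID->name join is what tells you *which* binary to inspect next."""
    return [c for c in connections_with_owner(netstat_text, tasklist_text)
            if c["unexpected_port"]]


if __name__ == "__main__":
    for c in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {c['pid']} ({c['process']}) -> {c['remote']} [{c['state']}]")
```

On a real machine you would feed the function the output of the two commands rather than the constructed strings; the port allowlist is deliberately small so that anything unusual surfaces, and the image name beside the PID is what lets you compare against the known system process names.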
Prince_Serendip
AVPE Host
Premium Member
Joined: Sep 07, 2002
Posts: 1026
Location: Canada
Posted: Wed Apr 14, 2004 6:42 am Post subject:
Thanks for the input 8goldfish. It's appreciated.
Check this article at Spycop: What About Hardware Keyloggers?
_________________
ASAP Expert | Please donate to Computer Cops!
SweetTreat
Guest
Posted: Wed Apr 14, 2004 5:53 pm Post subject:
Thank you, Prince and 8goldfish. Sounds like some great suggestions. I will try the eval versions and let you know how it turns out.
SweetTreat
Guest
Posted: Thu Apr 15, 2004 6:10 pm Post subject:
Just an update. Often Zonealarm asks me if I want to allow msn to access the internet. It says the Destination is 172.16.0.163. Application: msn6.exe.
That's a valid address, but you need a uname and password to access it. A couple days ago, I denied permission for msn and my Outlook Express email would not receive. I had to reboot and then tell ZA to allow permission for msn and then the OE email came through.
I have never turned on msn. Could that be a keylogger masquerading as msn when it phones home?
8goldfish
Trooper
Joined: Apr 13, 2004
Posts: 12
Location: Australia
Posted: Sun Apr 18, 2004 4:20 am Post subject:
SweetTreat wrote:
Just an update. Often Zonealarm asks me if I want to allow msn to access the internet. It says the Destination is 172.16.0.163. Application: msn6.exe.
I have never turned on msn. Could that be a keylogger masquerading as msn when it phones home?
I have checked out 172.16.0.163 and it belongs to IANA (Internet Assigned Numbers Authority). It is supposed to be reserved. Hmmm... "If I were the trojan, I would test with a safe address. You would think that hey, it is a false positive and proceed to set Zonealarm to let me through. Voila! an easy way to cheat Zonealarm." Just kidding... I think msn is trying to check for auto update. Try setting the auto update to off (see http://support.microsoft.com/default.as...us;309418)
Just to be sure - how many copies of msn6.exe do you have? You are supposed to have just one (located at say C:\Program Files\MSN\MSNCoreFiles\ and the size is 94,208). If there are more than one, then you probably have malware.
Good Luck.
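The "how many copies of msn6.exe do you have" check above is worth doing in a way that also records size and a hash, so that a second copy with different contents stands out from a plain duplicate. The following is an added example, not code from the post; it builds a constructed directory tree in a temporary folder (one copy in the expected MSNCoreFiles location at the 94,208-byte size the post quotes, one stray copy elsewhere, both with made-up contents), then walks the tree and reports every file with that name, flagging copies outside the expected directory or whose hash differs from the expected copy.

```python
"""Find every on-disk copy of a named executable and compare them.
Added example; the file tree and contents are constructed, not real."""
import hashlib
import os
import tempfile

TARGET_NAME = "msn6.exe"
EXPECTED_SIZE = 94208  # size the post quotes for the legitimate copy


def build_sample_tree(root):
    """Constructed layout: the expected copy plus a stray copy in a
    system directory. Returns the expected install directory."""
    legit = os.path.join(root, "Program Files", "MSN", "MSNCoreFiles")
    stray = os.path.join(root, "WINDOWS", "System32", "drivers")
    os.makedirs(legit)
    os.makedirs(stray)
    with open(os.path.join(legit, "msn6.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * (EXPECTED_SIZE - 2))   # constructed bytes
    with open(os.path.join(stray, "MSN6.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 2046)                  # constructed, 2048 bytes
    return legit


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name, expected_dir):
    """Walk root and return one record per file named `name`
    (case-insensitive, since NTFS is case-insensitive)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                path = os.path.join(dirpath, fn)
                hits.append({
                    "path": path,
                    "size": os.path.getsize(path),
                    "sha256": sha256_of(path),
                    "in_expected_dir": os.path.normcase(dirpath) == os.path.normcase(expected_dir),
                })
    return hits


def audit_copies(root, name, expected_dir):
    """Summarise: total copies, copies outside the expected directory, and
    copies whose hash differs from the expected copy (if one exists)."""
    hits = find_copies(root, name, expected_dir)
    expected = [h for h in hits if h["in_expected_dir"]]
    reference = expected[0]["sha256"] if expected else None
    return {
        "copies": len(hits),
        "unexpected_location": [h["path"] for h in hits if not h["in_expected_dir"]],
        "differs_from_expected": [h["path"] for h in hits
                                  if reference and h["sha256"] != reference],
        "sizes": sorted(h["size"] for h in hits),
    }


def run_demo():
    """Build the constructed tree, audit it, and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        legit = build_sample_tree(root)
        return audit_copies(root, TARGET_NAME, legit)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real drive you would call `find_copies` with the drive root and the real install directory; a single copy in the expected place with the expected size is the normal result, and any extra copy is the one to examine.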
SweetTreat
Guest
Posted: Sun Apr 18, 2004 8:42 am Post subject:
Thanks again. I only found one copy of msn6.exe and it's in MSNCoreFiles as expected - 92 KB.
This is a new PC with XP Pro and Microsoft may have had MSN set by default to look for updates, as you suggested. I clicked on MSN and went through the setup wizard. On the last page, I clicked NO to the question "Use MSN for Internet Access". That seems to have turned off the connection attempts.
SweetTreat
Trooper
Joined: Apr 11, 2004
Posts: 20
Location: USA
Posted: Wed Apr 21, 2004 9:31 pm Post subject:
OK, I have tried several of your suggested programs.
Ewido Security Suite is only available in the German language on their website, apparently.
Trojan Hunter (eval version) found nothing.
I bought IPTicker since it was only $10. It finds all kinds of traffic into my PC and some traffic out. Netstat gave me similar info, but how the heck do you know what all those numerical addresses are? Whois gave little info.
I installed a trial version of Smart Whois, which supposedly searches a broad database. They gave me some results, but many numerical IP numbers are only listed in a broad range of IP numbers that major corps have reserved, such as Akamai technologies, Level3.net and many come up as unknown.
I will list a few of the “out” reports:
66.77.165.161 get out to Akamai Technologies.
66.77.165.201 get in from same
66.77.165.160 get in from same all use port 80.
An email address was listed and I sent one asking why I'm getting their traffic. No response.
A phone number was listed for their IT guy. I left a voicemail. No response.
172.16.0.255 gets out most frequently... numerous times per day. It's listed as an ambiguous Internet assigned address in a huge block of numbers.
Many of the incoming traffic reports also have ambiguous IP addresses. Most are listed as TCP and use port 80 or 110. Some are listed as UDP. One was listed in another protocol, but I did not write that down.
With all the processes running on a modern XP computer and “phoning home”, it may be impossible to ID a suspicious internet connection that may be related to key logging.
I will next try KeyLogger software.
brenny
Cadet
Joined: Apr 22, 2004
Posts: 3
Location: UK
Posted: Thu Apr 22, 2004 11:58 am Post subject: Key Loggers
Hi SweetTreat.. I'm very new here and finding my way through the myriad of info on the boards.
I see your concern with Key Loggers and can certainly suggest the following site, which will allow one to scan their drive/s for free and alert one of the nasties ingrained on it; at least you will know what's there, and can take action to erase it. It's on offer at an extremely neat price at the moment I believe, and by purchasing also clears the lot effectively.
Check out: www.pestpatrol.com
shamash
Corporal
Joined: Mar 21, 2004
Posts: 70
Location: USA
Posted: Thu Apr 29, 2004 1:19 am Post subject:
Hi Brenny
If you're talking about www.pestscan.com it's really not that great. Especially for detecting keyloggers. Neither is their product Pest Patrol. Spycop is better for keylogger detection IMO.
aDex
Cadet
Joined: May 20, 2004
Posts: 2
Location: Australia
Posted: Thu May 20, 2004 2:16 am Post subject: Keylogger
Hi Brenny
Does this guy have physical access to your computer? If he doesn't then a hardware keylogger will not be a problem for you.
You can see a few different form factors (types) of keyloggers on this page.
http://www.keyghost.com/
These keyloggers cannot be detected by the software programs that everyone is talking about, but he will require physical access to your pc (for at least 5 seconds) to get the keylogger back (so he can get the keystrokes off the keylogger).
resonator65
Cadet
Joined: May 28, 2004
Posts: 1
Location: USA
Posted: Fri May 28, 2004 2:26 am Post subject: Keylogger..and other thingys.....
Just a couple of things here:
One-
From the Akamai Web site:
"Akamai Streaming delivers consistent, reliable, high-quality streams for on demand and live events via the world's largest globally distributed computing platform."
Can someone say "streaming"?? I would not be surprised if you had viewed some sort of streaming content recently, music, video clips etc. Since most Windows compatible media players support streaming functions.....ring a bell? Whatcha wanna bet that every time you access a Web-based streaming service, there is a licensed piece of that software on your machine that says, "Hey, gotta check in with Akamai...unless you tell me different..."
Windows Media Player, for instance: Go to Tools, Options, and select the Privacy Tab....need I say more?
Two-
The address 172.16.0.163 is a valid address....on a private network only! This address is NOT routable on the Internet.
Look here for an explanation:
http://www.geocities.com/technofundo/te...cofip.html
Look under the section "Private Networks"...you will see your IP address included in the ranges listed.
So why are you getting a uname and password prompt? You have not revealed much about your network setup, so I will make a couple of guesses:
You are on an internal private network at home or work, with access to the Internet.
Your ISP is a small provider, and they are using NAT (private IP) to give you shared Internet access on their public address pool. Cheap for them, better security for you..... In any case, there appears to be a device in your local network (which might include your ISP, eh?) that requires a uname and password to access...might want to call them.
Three-
172.16.0.255 is not a valid IP address (also private) for a device (in most cases) but it IS a valid address for a group of addresses, a subnet if you will. In short, there is an application that is BROADCASTING to that group of addresses, looking for a response from one. Why? It's now yelling for anyone that can hear it....local subnet, anyway.
Okay, One More-
About the whole keylogger thing:
I think you have covered your bases, as far as what steps you have taken to respond to the "threat" that this guy might pose to your privacy...why did you have him build you a system, if you can't trust him?
In any case, if you can't resolve your feelings (paranoia?), then do two things:
Buy a new keyboard (Your old one could be one of those keystroke logger ones)
Boot from the WinXP disk....and wipe that sucker clean, rebuild it yourself from scratch....and sleep better at night.
_________________
It's jes ones and zeroes....get over it.
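The address analysis in the post above (private ranges, and 172.16.0.255 being a subnet broadcast rather than a host) and 8goldfish's earlier observation that 172.16.0.163 is reserved space can both be reproduced with the standard library. The following is an added example, not from either post; it classifies the addresses quoted in the thread. The /24 subnet mask is an assumption (the poster never states one), and the example shows why it matters: under a /12 mask the same .255 address would be an ordinary host address, not a broadcast.

```python
"""Classify IPv4 addresses the way the thread does by hand:
RFC 1918 private space, subnet broadcast, or public.
Added example; the /24 mask is an assumption."""
import ipaddress

ASSUMED_PREFIX = 24  # assumption: a typical home /24; the thread gives no mask

# The RFC 1918 blocks that are not routable on the public Internet
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Addresses quoted in the thread (destinations reported by the firewall / IPTicker)
THREAD_ADDRESSES = ["172.16.0.163", "172.16.0.255", "66.77.165.161", "66.77.165.201"]


def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is not private."""
    for block in RFC1918_BLOCKS:
        if addr in block:
            return block
    return None


def classify(addr_text, prefix=ASSUMED_PREFIX):
    """Label one address. Broadcast is checked first because the all-ones
    host part of a local subnet is reached by every host on it, which is
    the 'yelling at the whole subnet' case from the post."""
    addr = ipaddress.ip_address(addr_text)
    net = ipaddress.ip_network(f"{addr_text}/{prefix}", strict=False)
    if prefix < 31 and addr == net.broadcast_address:
        return f"broadcast ({net})"
    block = rfc1918_block(addr)
    if block is not None:
        return f"private ({block})"
    return "public"


def classify_all(addresses=THREAD_ADDRESSES, prefix=ASSUMED_PREFIX):
    """Classify a list of addresses and return {address: label}."""
    return {a: classify(a, prefix) for a in addresses}


if __name__ == "__main__":
    for a, label in classify_all().items():
        print(f"{a:16} {label}")
    # Same .255 address under a /12 mask is just a host inside 172.16.0.0/12
    print("172.16.0.255 with /12:", classify("172.16.0.255", prefix=12))
```

The practical reading for the thread: a firewall prompt for a private destination means the traffic cannot be leaving for the Internet directly, so the question becomes which device on the local network (router, ISP NAT gateway, another PC) it is addressed to; a public destination is the one to look up with whois.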
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops