Keylogger Trojan
I keep suffering re-occurrence of the keylogger Trojan, implying that I’ve not removed it successfully from my system.
I’ve tried following the Norton guidelines Set-up is Windows 2000, Service pack 4 with Norton AntiVirus 2003 version, with all latest updates and patches / virus signatures I’ve turned off hiding files and think that I’ve removed all references to the lol.dll, along with checking the registry for offending references. First reboot after cleaning the system no appearance, but reboot again and it’s back Any suggestions, it’s proving hard to beat! BTW – Using another machine at the moment when connected to the internet Thks (sorry for posting in another tread 1st time round) |
colossus,
First follow the guide in that thread you posted in: Guide for Eliminating Spyware, Adware, and Random Popups Once you are done with that guide I want you to download Hijack This! and post the log file here. Do NOT make any repairs. (Hijack This! pulls up everything, including programs that are supposed to be in your computer.) Take Care, Richard |
Hi Richard,
Thks very much for the guidance, issue appears to be getting worse, Keylogger is now appearing at every boot. Have followed posting as requested Upgrade to IE 6 to version 6.1 refused to work, hence log report v6 Running Ad-Aware is very enlightening but scary by the same token !! Machine running like a dog Log From Hijackthis as requested, using Lexmark printer so suspect that Lexbces and lexpps are innocent prosesses Logfile of HijackThis v1.98.2 Scan saved at 21:36:50, on 25/08/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.EXE C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\inetsrv\inetinfo.exe C:\WINNT\Explorer.EXE C:\WINNT\SOUNDMAN.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINNT\System32\LXSUPMON.EXE C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE F:\Flight Sim project\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\system32\syshost.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/259cc4da...p/RdxIE601.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB Many Thanks Best Rgds Colossus |
Hi Colossus,
Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button… O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\system32\syshost.exe Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK. Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\WINNT\Temp folder, but not the folder itself. Next please find and delete the following bolded file... C:\WINNT\system32\syshost.exe Then please boot back into normal mode and download AdAware 6 181 from here. Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts. Now to set it up for optimum performance... Make sure the following settings are configured. Remember that ON=GREEN. From main window click Start | Activate in-depth scan. Then click Use custom scanning options | Customize and have these options switched ON... Scan within archives Scan active processes Scan registryDeep scan registry Scan my IE Favourites for banned URLs Scan my host-files Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check.. Unload recognised processes during scanning. Cleaning engine. Let windows remove files in use at next reboot. and uncheck.. Automatically try to unregister objects prior to deletion. Then click Proceed, to save your settings. Now click the Scan button. When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them. Next, reboot again and download Spybot - Search & Destroy 1.3 from here: if you haven't already got the program. Click on Updates | Download Updates, and follow the prompts. Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED. Next reboot and go here, and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over. Cheers Liam |
All times are GMT. The time now is 11:57. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.