Author Topic: What is this?  (Read 5491 times)

0 Members and 1 Guest are viewing this topic.

kandyk

  • Guest
What is this?
« on: January 10, 2006, 12:08:36 AM »
there are some files that the spyware program I have has identified as keyloggers.  these files were installed when i downloaded avast home edition (i guess).  can anyone help?

Offline chocholo

  • Poster
  • *
  • Posts: 645
  • BSC, GSC, MCP
    • Avast
Re: What is this?
« Reply #1 on: January 10, 2006, 12:27:45 AM »
I am certainly sure, that original avast!'s installation package doesn't contain any malware.

There are three possibilities:
- your anti-spyware is detecting false positive
- your installation package was not downloaded from our download server
- found keyloggers are not connected with download of avast! in any way

Please can you post names of detected files?
« Last Edit: January 10, 2006, 01:30:38 AM by chocholo »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: What is this?
« Reply #2 on: January 10, 2006, 01:39:20 AM »
Also what was the name of the spyware program?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CharleyO

  • Guest
Re: What is this?
« Reply #3 on: January 12, 2006, 08:52:09 PM »
***

Welcome to the forums, kandyk!    :)

You should come back and let us know more so that someone can help with your problem ... or let us know how you solved your problem if you have.    :)


***

kandyk

  • Guest
Re: What is this?
« Reply #4 on: February 13, 2006, 12:16:00 PM »
The name of the program is Trend Micro Anti Spyware, and....although I did not delete the files that were tagged as keylogggers, they are no longer appearing after I scan.  I can't remember the names, I only know that the spy slueth option of the program told me these files had been installed when I downloaded  Avast.  A friend of mine suggested I download hijack this.  The results of this scan makes no sense to me, and I was hoping one of you could help!  I would really appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 4:12:51 AM, on 2/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\amy\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7105863D-E8CE-40B3-99E8-D05E7608E6A9}: NameServer = 66.232.72.6 66.232.80.6
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: What is this?
« Reply #5 on: February 13, 2006, 12:56:01 PM »
Hi kandyk Welcome
the first and obvious problem  is this Windows XP SP1 (WinNT 5.01.2600)
you should keep your operating system up-to date XP is now SP2 plus many
updates after SP2 You would need to do this asap
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: What is this?
« Reply #6 on: February 13, 2006, 03:41:59 PM »
After the windows update, it is important to have a firewall, XP SP2 has one but that only provides inbount protection so a full firewall is advisable.

Next your JAVA is out of date an it too has been updated to correct vulnerabilities.
Ensure you have the latest version of JRE because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove.
Then get the latest update from here http://www.java.com/en/download/index.jsp


For an on-line analysis of your log check this http://hijackthis.de/logfiles/8911644ef3f528b6ad7ee1204e20da30.html.
I suggest you start by checking all the nasty, possibly nasty and unknown entries. You can use the paperclip icon to upload suspect files to be scanned or use google to search for info on the file names.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CharleyO

  • Guest
Re: What is this?
« Reply #7 on: February 13, 2006, 04:11:32 PM »
***

Welcome back, kandy.    :)

I am surely not an expert on HJT logs so please follow David's advice above to analyze your HJT log. The below is just for information only.    :)

The following are HJT entries that are adware/spyware and are most likely what you were originally warned about by that anti-spyware program.    :(

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)

O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

O8 - Extra context menu item: &Search - http://kl(dot)bar(dot)need2find(dot)com/KL/menusearch(dot)html?p=KL
The above (dot) is my insert for "." so as to deactivate the link.


***

kandyk

  • Guest
Re: What is this?
« Reply #8 on: February 13, 2006, 04:42:50 PM »
I am in the process of updating right now.  But the keylogger find happened prior to my boyfriend preforming a complete system recovery (thats right, recovery!?!) So...  I guess that would have given me a clean slate?  Anyhow, I certainly appreciate the advice.  Thanks again

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: What is this?
« Reply #9 on: February 14, 2006, 08:14:17 AM »
Not if you mean by system recovery (system restore) as this will just reinstall all of the previous problems
If you mean XP System Restore You should turn off System Restore/reboot/clean your system/reboot/turn on system restore h-t-h's
« Last Edit: February 15, 2006, 08:39:34 AM by tednelly »
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

Spiritsongs

  • Guest
Re: What is this?
« Reply #10 on: February 15, 2006, 05:52:47 AM »
 :)  Hi Kandyk :

     TrendMicro antiSPYWARE is NOT on the list of "Trustworthy"
     Anti-Spyware Products by AntiSpyware Expert Eric Howes;
     TrendMicro should stick to antiVIRUS detection. Therefore,
     I recommend you download Ad-Aware SE from :
     www.majorgeeks.com/download506.html . I would not rely
     on anything TrendMicro Antispyware allegedly "detects" .