My System May Have An Unknown Keylogger.

stechkov (Novice; Posts: 22; Loc: philippines)

Post 3+ Months Ago

I have a keylogger (Stealth Keylogger), and I tried to install another keylogger named Elite Keylogger. When I was in the middle of the setup, it said that "I have an older version of Elite Keylogger and I have to remove it", but my computer is freshly reformatted, and it's my first time installing Elite Keylogger. Please help.
Someone is getting inside my system (I thought).

By the way, this is my HijackThis log:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 8:00:57 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Elite Antikeylogger] C:\Program Files\Widestep Software\Elite Antikeylogger\wseakadm.exe
O4 - HKLM\..\Run: [SysMon] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\All Users\Application Data\SysMon\SysMon.dll" rdl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Elite Antikeylogger monitoring service - Widestep Security Software - C:\Program Files\Widestep Software\Elite Antikeylogger\wseaksrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


grinch2171 (Moderator, Genius; Posts: 6809; Loc: Martinsburg, WV)

Post 3+ Months Ago

The only thing I see is this
Quote:
O4 - HKLM\..\Run: [SysMon] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\All Users\Application Data\SysMon\SysMon.dll" rdl
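The entry grinch2171 singled out is an HKLM Run key that starts rundll32.exe with a DLL living under All Users\Application Data, a directory any local user can write to. The script below is an added example, not code from anyone in this thread: it parses O4 Run entries in the HijackThis format shown above and flags the same pattern automatically (an autostart binary, or a DLL handed to rundll32, sitting in a user-writable directory). The sample log lines are constructed to match the format of the poster's log, and the function names and the USER_WRITABLE list are my own choices.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of a HijackThis v1.99.1 log. The O4 lines are
# modelled on the ones in this thread; this is a hand-written excerpt, not the full log.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SysMon] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\All Users\Application Data\SysMon\SysMon.dll" rdl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# One autostart line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)

# Directory fragments (lower-cased) that any local user can write to. A module that an
# HKLM Run key loads from one of these deserves a second look; the list is my own choice.
USER_WRITABLE = (
    '\\application data\\',
    '\\local settings\\',
    '\\programdata\\',
    '\\users\\',
    '\\temp\\',
)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def split_command(command: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths intact.
    posix=False leaves backslashes alone; the surrounding quotes are stripped here."""
    return [tok.strip('"') for tok in shlex.split(command, posix=False)]


def loaded_dll(command: str) -> Optional[str]:
    """If the command runs rundll32, return the module it loads, else None."""
    tokens = split_command(command)
    if not tokens:
        return None
    exe = tokens[0].lower().rsplit('\\', 1)[-1]
    if exe not in ('rundll32', 'rundll32.exe') or len(tokens) < 2:
        return None
    # rundll32 takes "<module>,<entrypoint>" or "<module>" <args>; keep just the module.
    return tokens[1].split(',', 1)[0]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage_o4(log_text: str) -> List[RunEntry]:
    """Parse every O4 Run entry and attach reasons for a human to look closer."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = RunEntry(m['hive'], m['name'], m['cmd'])
        tokens = split_command(entry.command)
        if tokens and in_user_writable(tokens[0]):
            entry.reasons.append('autostart binary lives in a user-writable directory')
        dll = loaded_dll(entry.command)
        if dll is not None and in_user_writable(dll):
            entry.reasons.append(f'rundll32 loads {dll} from a user-writable directory')
        entries.append(entry)
    return entries


def flagged_names(log_text: str) -> List[str]:
    """Names of the Run entries that picked up at least one reason."""
    return [e.name for e in triage_o4(log_text) if e.reasons]


if __name__ == '__main__':
    for e in triage_o4(SAMPLE_HJT):
        status = 'CHECK' if e.reasons else 'ok   '
        print(f'{status} {e.hive}\\Run [{e.name}] {"; ".join(e.reasons)}')
```

The check is deliberately a triage hint rather than a verdict: a Run entry in a data directory is unusual for commercial software but not proof of anything, which is why the script reports a reason string and leaves the decision to the person reading the log.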

Don2007 (Web Master; Posts: 4924; Loc: NY)

Post 3+ Months Ago

O4 - HKLM\..\Run: [Elite Antikeylogger] C:\Program Files\Widestep Software\Elite Antikeylogger\wseakadm.exe

I don't understand what you're saying. You installed a keylogger and now you need help deleting it? By the way, you're not the first. People test them on their web servers and leave the results where I can find them.

http://www.tibaco.com/proxy/log/2006-06 ... rokes.html

HAHA

stechkov (Novice; Posts: 22; Loc: philippines)

Post 3+ Months Ago

Yes, I installed a keylogger, for monitoring other users of this PC. But I didn't install 2 keyloggers, I only installed 1. And when I tried to install the second keylogger, I encountered an error: the setup said that I have another or older version of that keylogger. But I don't have it. I didn't have that keylogger before; I only downloaded it and tried to install it.

Don2007 (Web Master; Posts: 4924; Loc: NY)

Post 3+ Months Ago

Maybe the other user installed a keylogger first to monitor you or someone else. Now that you know that no one trusts anyone, what are you going to do?

stechkov (Novice; Posts: 22; Loc: philippines)

Post 3+ Months Ago

Don2007 wrote:
Maybe the other user installed a keylogger first to monitor you or someone else. Now that you know that no one trusts anyone, what are you going to do?


No, no. Yeah, I have 2 users, but the other one is not an administrator, so that user cannot install any keylogger.

Don2007 (Web Master; Posts: 4924; Loc: NY)

Post 3+ Months Ago

If you are sure of that, which I'm not, then boot the PC and don't open any windows. Open a command prompt and run:
netstat -ano
Post the output here unless you know how to determine any unwanted connections.

stechkov (Novice; Posts: 22; Loc: philippines)

Post 3+ Months Ago

grinch2171 wrote:
The only thing I see is this
Quote:
O4 - HKLM\..\Run: [SysMon] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\All Users\Application Data\SysMon\SysMon.dll" rdl


It's the keylogger I installed.
I fixed it, and then

tried to install Elite Keylogger, but the prompt is the same:
that I installed an old Elite Keylogger on my PC.

But the keylogger I installed is Stealth Keylogger.

Don2007 (Web Master; Posts: 4924; Loc: NY)

Post 3+ Months Ago

Are you going to check the netstat -ano output as I suggested?
If a keylogger was installed from a remote PC then it would be sending the results somewhere. Wouldn't you like to see if that's happening or not?

stechkov (Novice; Posts: 22; Loc: philippines)

Post 3+ Months Ago

Don2007 wrote:
Are you going to check the netstat -ano output as I suggested?
If a keylogger was installed from a remote PC then it would be sending the results somewhere. Wouldn't you like to see if that's happening or not?


Yeah, I tried it. Sorry for the late reply.
I'm safe now. Thanks, bro. :lol: :lol: :lol: :lol:

Don2007 (Web Master; Posts: 4924; Loc: NY)

Post 3+ Months Ago

ok

stechkov (Novice; Posts: 22; Loc: philippines)

Post 3+ Months Ago

Oh, sorry, here's a screenshot of
the commands:
netstat -ano
netstat -a
and
netstat -n
netstat -o
-o and -n are OK, no connections, but in -a...

Just take a look.

(screenshot image not preserved)
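Don2007's reasoning was that a keylogger planted from elsewhere has to send its captures somewhere, so the connections a machine holds open are the thing to inspect; the last post shows the common confusion about what `netstat -a` adds, which is the LISTENING rows, local ports waiting for connections rather than data leaving the machine. The script below is an added example, not part of the thread, that parses `netstat -ano` output in the column layout Windows XP prints, keeps only ESTABLISHED connections to addresses outside loopback, RFC 1918 and link-local space, and correlates each PID with an image name so the owning process can be named. The netstat text, the PID-to-image table and the process names are constructed sample data (the remote addresses come from the RFC 5737 documentation ranges); the rundll32.exe connection in the sample is invented to show what a hit looks like and says nothing about the poster's machine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed "netstat -ano" output in the Windows XP layout. 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges standing in for real remote hosts.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1836
  TCP    192.168.1.5:1054       198.51.100.23:5050     ESTABLISHED     1712
  TCP    192.168.1.5:1060       203.0.113.9:8080       ESTABLISHED     1400
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1052
"""

# Constructed PID -> image name table, the kind of mapping "tasklist" prints.
SAMPLE_PIDS: Dict[int, str] = {
    4: 'System', 948: 'svchost.exe', 1052: 'svchost.exe', 1836: 'alg.exe',
    1712: 'YahooMessenger.exe', 1400: 'rundll32.exe',
}

# Ranges that never leave the LAN: loopback, RFC 1918, link-local, unspecified.
# Listed explicitly rather than via is_private so documentation addresses count as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '169.254.0.0/16', '0.0.0.0/8',
)]


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str      # '' for UDP, which netstat prints without a state column
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse the table netstat -ano prints; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ('TCP', 'UDP'):
            continue
        if parts[0] == 'TCP' and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == 'UDP' and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ''
        else:
            continue        # malformed row; do not guess at its columns
        sockets.append(Socket(proto, local, foreign, state, int(pid)))
    return sockets


def is_external(addr_port: str) -> bool:
    """True if the host part of 'ip:port' lies outside loopback/private/link-local space."""
    host = addr_port.rsplit(':', 1)[0]
    if host in ('*', ''):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def outbound_established(sockets: List[Socket]) -> List[Socket]:
    """Connections actually carrying traffic to a remote host. LISTENING rows
    (what netstat -a adds) are open local ports, not data leaving the machine."""
    return [s for s in sockets if s.state == 'ESTABLISHED' and is_external(s.foreign)]


def unexplained(text: str, pids: Dict[int, str], expected: Set[str]) -> List[Tuple[int, str, str]]:
    """(pid, image, foreign) for established external connections whose owning
    process is not one the user already expects to be online."""
    known = {e.lower() for e in expected}
    out = []
    for s in outbound_established(parse_netstat(text)):
        image = pids.get(s.pid, '<unknown>')
        if image.lower() not in known:
            out.append((s.pid, image, s.foreign))
    return out


if __name__ == '__main__':
    # The Yahoo Messenger client from the HijackThis log is expected to be online.
    for pid, image, foreign in unexplained(SAMPLE_NETSTAT, SAMPLE_PIDS, {'YahooMessenger.exe'}):
        print(f'review: PID {pid} ({image}) connected to {foreign}')
```

On a real machine the PID table comes from `tasklist` run at the same moment as `netstat -ano`, since PIDs are reused; and a capture taken right after boot with nothing opened, as Don2007 suggested, keeps the expected set short enough that anything left over is worth explaining.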

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.