
Topic: Keyloggers


Safety_First

  • Guest
Keyloggers
« on: September 21, 2007, 06:17:59 PM »
I was just wondering: is there any way to find out if there is a keylogger on my system? I despise buying things online.

[I run Avast 4 home edition, Ad-aware, XP SP2, Windows Firewall]

Would the above programs/settings classify my computer as safe? Also would Avast notify me if there was a keylogger on my computer?

Thanks in advance.

unlovedwarrior
    Re: Keyloggers
    « Reply #1 on: September 21, 2007, 07:27:47 PM »
    http://www.saviour-pc.com/forums/view.php?pg=malware_guide

    Look there, and you can post a HijackThis log for us to look at.

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #2 on: September 22, 2007, 05:23:46 AM »
    I checked out that link you gave me; all I really needed to do was update my Java.
    I think my system looks safe, although I'm unsure; however, Avast should warn me if a keylogger is detected, right?  :-\

    This is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:19:04, on 22/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\pchbutton.exe
    C:\program files\steam\steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Josh\LOCALS~1\Temp\Rar$EX00.110\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tesco.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\pchbutton.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: LG SyncManager.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B74E73AA-2A37-448A-AC93-D65BDCCB8508}: NameServer = 212.139.132.58 212.139.132.59
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe


    CBMatt
    Re: Keyloggers
    « Reply #3 on: September 22, 2007, 05:42:42 AM »
    I don't really see any issues with your log.  You should get a firewall, though.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

    Unfortunately, anti-virus software can't catch any infection.  However, a good firewall (Comodo is what I use) can really help out a lot.
    Quote
    An undefined problem has an infinite number of solutions.
    —Robert A. Humphrey
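    Reading a HijackThis log "by eye", as CBMatt did above, comes down to a handful of mechanical checks: entries whose target file no longer exists, things starting from a temp directory, autostart commands that are bare filenames resolved via PATH, services with no identifiable vendor, and Winlogon Notify DLLs (a classic keylogger and rootkit persistence point) that are not on a known-good list. The script below is an added example written for this page; it is not code from the thread, from HijackThis, or from any vendor. SAMPLE_LOG is constructed from lines of the log posted above, and KNOWN_WINLOGON_NOTIFY is an assumed allowlist for XP SP2 that you would extend for your own machine.

```python
"""Triage of a HijackThis-style log (added example, not from the thread or
from HijackThis). Applies the checks a log reviewer does by eye."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\Rar$EX00.110\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code (O2, O4, ...) or "PROC" for a running process
    reason: str
    line: str


# "O4 - HKLM\..\Run: [name] command" style entries, and R0/R1 browser settings.
ENTRY_RE = re.compile(r"^(?P<section>O\d{1,2}|R\d) - (?P<body>.*)$")
# Lines under "Running processes:" are bare full paths to an .exe.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# Common XP temp locations, in long and 8.3 form.
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\Temp)\\", re.IGNORECASE)
O4_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - ")

# Assumed allowlist of Winlogon Notify packages normally present on XP SP2
# (plus the Intel graphics and WGA entries seen in this thread's log).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "igfxcui", "scecli", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon",
}


def parse_entries(text):
    """Yield (section, body, original_line) for every log line that is an entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            yield "PROC", line, line
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(text):
    """Return the list of Findings a reviewer would want to look at."""
    findings = []
    for section, body, line in parse_entries(text):
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(section, "dead entry: referenced file does not exist", line))
        if TEMP_DIR_RE.search(body):
            findings.append(Finding(section, "runs from a temp directory", line))
        if section == "O4":
            m = O4_RE.search(body)
            # A command that is not a quoted or absolute path is resolved via PATH.
            if m and not re.match(r'"?[A-Za-z]:\\|%', m.group("cmd")):
                findings.append(Finding(section, "autostart command is a bare filename resolved via PATH", line))
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service without a recognised vendor", line))
        if section == "O20":
            m = O20_RE.match(body)
            if m and m.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, "unrecognised Winlogon Notify DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    On the sample this flags the two dead BHO entries, the Adobe service with no vendor, the bare "nwiz.exe" autostart, and HijackThis itself running from a WinRAR temp folder; that last one is exactly the kind of hit a reviewer recognises as benign (the poster ran HijackThis straight out of the archive) but would want explained rather than ignored. The two Winlogon Notify entries pass because they are on the allowlist.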

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #4 on: September 22, 2007, 06:22:21 AM »
    Thanks Matt / Unloved. I take it that Windows Firewall is no good then; however, I thought about downloading a different firewall, but Avast comes with an "on access scanner" which includes a web shield, P2P shield, standard shield, etc. Does this count as a firewall?

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #5 on: September 22, 2007, 06:47:34 AM »
    I think you should just do what Chris (CBMatt) suggested and download one of them:
    ZoneAlarm, Kerio Personal Firewall, or Comodo.

    Later you could also go to http://www.grisoft.com and download AVG Anti-Rootkit, only if Chris or unloved think you need to.

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #6 on: September 22, 2007, 06:51:03 AM »
    Thank you, Ivy. I believe a rootkit is a virus that is undetectable to a normal antivirus, correct? I'll check it out :)

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #7 on: September 22, 2007, 06:56:21 AM »
    You're welcome, and keyloggers are also included in rootkits.
    This http://free.grisoft.com/doc/5390/us/frt/0?prd=arw could help, but wait until some experts read this first (don't run it yet).

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #8 on: September 22, 2007, 07:10:07 AM »
    Okay, thanks for the advice. :D

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #9 on: September 22, 2007, 07:15:31 AM »
    Quote: Okay, thanks for the advice. :D
    You have already run it, have you? What were the results?

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #10 on: September 22, 2007, 07:18:09 AM »
    No, I have not run it yet; you told me not to :P. Just thanking you for your invaluable wisdom. :)

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #11 on: September 22, 2007, 07:23:27 AM »
    Quote: No, I have not run it yet; you told me not to :P. Just thanking you for your invaluable wisdom. :)
    Very funny!! ::) We are not allowed to show humour on these threads; you are most welcome to join the off-topic family, but stick to your problem here. :)

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #12 on: September 22, 2007, 07:41:55 AM »
    Ah right, the current status of the pending problem is:
    • Waiting for a response on whether Avast's on-access scanner is indeed a firewall.
    • Waiting for a response on whether I should download and run the aforementioned anti-rootkit scanner.
    Thanks for all your replies :)


    Ivy

    • Guest
    Re: Keyloggers
    « Reply #13 on: September 22, 2007, 08:09:41 AM »
    Okay, Saviour will look into your problem; best of luck :).
    Hope your problem is solved soon.

    The Saviour

    • Guest
    Re: Keyloggers
    « Reply #14 on: September 22, 2007, 08:20:52 AM »
    Avast's online scanner is not a firewall program...

    Download and install the firewall of your choice as recommended by CBMatt...

    Also download, install and run the free AVG Anti-Rootkit program from Grisoft.

    If CBMatt says your HiJackThis log is clean...then there is no need to post another.

    Also...FYI...
    If your computer is connected to a router...then there really is no need for a firewall program, since the router has its own built in hardware firewall.  Remember...a router and a modem are two separate pieces of hardware.

    However, if you want to have a software firewall just to cover yourself and provide yourself with additional protection...the Windows Firewall and those recommended to you will do just fine.  The only difference between the Windows Firewall and the other free ones is that Windows does not monitor outgoing traffic.

    Keep us posted...


    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #15 on: September 22, 2007, 08:57:37 AM »
    Just installed Comodo. It seems very sensitive to me; it asks me before it allows anything (Steam gaming platform, etc.). I'm not sure if it's slowed my internet - it could just be after the reboot (my computer is slow when it boots). Does anyone have Comodo (CBMatt)? If so, how would you rate it? Does it slow your internet? Additionally, I'm about to install the rootkit detector.

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #16 on: September 22, 2007, 09:08:42 AM »
    I'm using Comodo.
    Here are the words of a wise man.

    Comodo will continually learn from your Internet habits.
    The best thing to do is allow it to learn and always make sure you tell it to remember your answers.
    In addition...stay on top of the processes that run on your computer...knowing which of them should be allowed...and which shouldn't.


    P.S. You should be sure about what you are going to ask Comodo to remember; if you are not sure, don't ask it to remember your answer.

    The Saviour

    • Guest
    Re: Keyloggers
    « Reply #17 on: September 22, 2007, 09:10:34 AM »
    Lots of users here will swear by it...
    Personally...I've used it and subsequently uninstalled it...the learning process drove me nuts...and when idle, would disconnect me from the Internet...so I uninstalled it.

    Having a router hardware firewall...I really didn't need a software firewall...but use Windows Firewall for additional security.

    You never answered the question...are you connected to a router?  If so...read my previous post, again.

    On a scale of 1-10...I'd give Comodo a 9...the alerts and idle disconnects keep me from giving it a full 10.  However...it does have to learn...it's the nature of the beast.

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #18 on: September 22, 2007, 09:18:16 AM »
    If you are going to continue using Comodo then you might like to be sure about which processes to allow and which to deny; this will guide you through it.
    http://www.saviour-pc.com/forums/view.php?pg=malware_guide
    http://www.saviour-pc.com/forums/view.php?pg=win_guide

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #19 on: September 22, 2007, 09:20:32 AM »
    Sorry, in response to your question: no, I am using a SpeedTouch modem. So far Comodo has thrown fits over steam.exe (gaming platform) and svchost.exe, which I'm going to assume are safe; however, I didn't tell it to remember to allow permission for svchost.exe. I don't like the sound of the idle disconnect; going to see if I can disable that.
    Additionally, the rootkit scan shows all clear.
    Thanks to all involved Unloved, CBMatt, Ivy, Saviour.

    I think my PC has gained 10 + security points :)

    I will also check out those links (Ivy)

    Ivy

    • Guest
    Re: Keyloggers
    « Reply #20 on: September 22, 2007, 09:24:21 AM »
    You're welcome, Safety_First.
    You might want to consult the links given above in future whenever you are unsure.
    I'm glad your comp is all clear.

    The Saviour

    • Guest
    Re: Keyloggers
    « Reply #21 on: September 22, 2007, 09:30:40 AM »
    Another useful link:  Process Library

    In case you're ever wondering whether to allow or disallow a certain process...

    I thought this additional link would help as well:  Process Scanner

    Safety_First

    • Guest
    Re: Keyloggers
    « Reply #22 on: September 22, 2007, 09:33:02 AM »
    One final thanks to everyone your wisdom has been invaluable. (as mentioned earlier :) )

    unlovedwarrior
      Re: Keyloggers
      « Reply #23 on: September 22, 2007, 09:56:58 AM »
      I use Comodo and have Steam; mine's fine. If you need any help with Comodo I might be able to help.

      CBMatt
      Re: Keyloggers
      « Reply #24 on: September 23, 2007, 04:11:58 AM »
      If you know you can trust a program (such as C:\WINDOWS\system32\svchost.exe), then you should tell Comodo to remember your choice.  It's far more convenient that way.  I would only worry about programs that either (A) you're unfamiliar with or (B) you know you don't want to allow.  I don't use Steam on a regular basis, but I do still use it and I have had no conflicts with Comodo.  So far, the only thing it's given me trouble with is Battlefield 2142.  It takes a day or two to really get used to Comodo, but once you do, you won't want to be without it.
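      The point CBMatt makes about svchost.exe is worth making precise: a personal-firewall prompt shows a file name, but what you are trusting is a path. C:\WINDOWS\system32\svchost.exe is the real thing; a file with the same name in a Temp folder is a masquerade and should be denied, not remembered as allowed. The script below is an added example for this page, not code from the thread or from Comodo. TRUSTED is an assumed allowlist built from paths that appear in the log posted earlier, and the comparison uses Python's ntpath module so that quoting, case, and ".." segments cannot fool it.

```python
"""Deciding a firewall prompt by full path rather than by file name
(added example; not the thread's or Comodo's code)."""
import ntpath

# Assumed allowlist: lowercase basename -> the full path(s) that name may run from.
# Paths taken from the HijackThis log posted in this thread.
TRUSTED = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "steam.exe": {r"c:\program files\steam\steam.exe"},
    "ashdisp.exe": {r"c:\program files\alwil software\avast4\ashdisp.exe"},
}


def normalize(path):
    """Canonicalise a Windows path: strip surrounding quotes, collapse '.' and
    '..' segments, unify slashes, and lower-case it.  Short (8.3) names such
    as PROGRA~1 cannot be expanded offline; a real checker would resolve them
    with GetLongPathName before comparing."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def decide(path):
    """Return (verdict, reason).

    'allow' - a trusted name running from its expected location
    'deny'  - a trusted name running from somewhere else (masquerade)
    'ask'   - a name not on the allowlist; look it up before answering
    """
    full = normalize(path)
    name = ntpath.basename(full)
    if name not in TRUSTED:
        return "ask", f"{name} is not on the allowlist; look it up before answering"
    if full in TRUSTED[name]:
        return "allow", f"{name} is running from its expected location"
    return "deny", f"{name} is running from {ntpath.dirname(full)}, not its expected location"


if __name__ == "__main__":
    # Constructed prompts: the real svchost, the same path written oddly,
    # a look-alike in a temp folder, and a program not on the allowlist.
    for p in (
        r"C:\WINDOWS\system32\svchost.exe",
        r'"c:\Windows\System32\..\System32\SVCHOST.EXE"',
        r"C:\DOCUME~1\Josh\LOCALS~1\Temp\svchost.exe",
        r"C:\Program Files\Ventrilo\Ventrilo.exe",
    ):
        verdict, reason = decide(p)
        print(f"{verdict:5} {p}  ({reason})")
```

      The "remember my answer" box is only safe on an "allow" verdict; an "ask" result means go and look the process up (as The Saviour's Process Library link suggests) before deciding, and a "deny" means the name is right but the location is wrong, which is the case that matters for a keylogger hiding behind a system file name.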

      wefr0

      • Guest
      Re: Keyloggers
      « Reply #25 on: September 26, 2007, 06:02:04 PM »
      Quote: I checked out that link you gave me; all I really needed to do was update my Java.
      I think my system looks safe, although I'm unsure; however, Avast should warn me if a keylogger is detected, right?  :-\

      Not exactly; some things can sneak past firewalls and other protection programs.