Page 1 of 2 12 LastLast
Results 1 to 10 of 15
  1. #1
    Member
    Join Date
    Mar 2006
    Posts
    28
    Points
    0

    Default How can I be sure a monitoring software is gone?

    Someone had installed a remote stealth monitoring program on my computer I only became aware of it because they contacted me via yahoo messenger and recited exactly what I had done on my computer that day. Since then I have done everything in your Spyware detection and removal paper, and my system is running great! However my question is since it was running stealth in the first place how can i be sure it's gone?

  2. #2
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Why not post a HJT log ? Maybe this will tell us something

    BG

  3. #3
    Member
    Join Date
    Mar 2006
    Posts
    28
    Points
    0

    Default Here is my HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:20:18 AM, on 3/22/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINNT\system32\LVCOMSX.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\WINNT\system32\HPZipm12.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINNT\system32\WISPTIS.EXE
    C:\PROGRA~1\mcafee.com\agent\McDash.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://search6.smartsearchonline.com/infopros/Tx.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

  4. #4
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    There is one unusual entry.

    O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://search6.smartsearchonline.com/infopros/Tx.cab

    Here is what it is :

    " SmartSearch Online provides the technology framework for your Internet recruiting strategy -- it’s the smart technology for sourcing, tracking and hiring the people you need. "

    Reference:

    http://www.smartsearchonline.com/index.asp

    Do you use this program ?

    Let us know.

    BG

  5. #5
    Member
    Join Date
    Mar 2006
    Posts
    28
    Points
    0

    Default

    Yes actually that is a program I use for work, it's a database for potential employees.

  6. #6
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Did the programs you run, assuming you are talking about Spyot and Adware, did they find anything they could not fix ?

    I would change every password that you use on everything, sign in names too, just incase.

    Lets try an Ewido scan:

    Download ewido security suite install, update and run it.

    Please set up as :-

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on update in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful")

    5. You may need to manually update the definitions which you can get HERE

    6. Exit Ewido. DO NOT scan yet.

    Reboot the PC in the Safe Mode

    SAFE MODE:

    safe mode<<< Click Here for instructions
    and scan with Ewido

    7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

    Important - You need to click "Save report" and Save it to your desktop, or you wont have a log

    10. Post the Ewido log

    BG

  7. #7
    Member
    Join Date
    Mar 2006
    Posts
    28
    Points
    0

    Default

    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 8:26:54 PM, 3/22/2006
    + Report-Checksum: C4655432

    + Scan result:

    C:\Documents and Settings\Administrator\Cookies\kirwin@image.masterstats[1].txt -> TrackingCookie.Masterstats : Ignored
    C:\Documents and Settings\Administrator\Cookies\kirwin@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored
    C:\Documents and Settings\Administrator\Cookies\kirwin@questionmarket[1].txt -> TrackingCookie.Questionmarket : Ignored
    C:\Documents and Settings\Administrator\Cookies\kirwin@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Ignored
    C:\Documents and Settings\Administrator\Cookies\kirwin@zedo[2].txt -> TrackingCookie.Zedo : Ignored
    C:\WINNT\Temp\ASHeuristic\rb_exe.vir -> Heuristic.Win32.Backdoor.IrcBot : Ignored
    C:\WINNT\Temp\ASHeuristic\rb_exe.vir0 -> Heuristic.Win32.Backdoor.IrcBot : Ignored


    ::Report End

  8. #8
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Run the ewido program again, the same way and this time fix everything it finds. Post another ewido log please.

    BG

  9. #9
    Member
    Join Date
    Mar 2006
    Posts
    28
    Points
    0

    Default

    I did some research last night and ended up doint just that. Here is the last ewido log.

    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 12:58:42 AM, 3/23/2006
    + Report-Checksum: 2FFC96B

    + Scan result:

    C:\Documents and Settings\Administrator\Cookies\kirwin@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Administrator\Cookies\kirwin@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Administrator\Cookies\kirwin@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Administrator\Cookies\kirwin@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Administrator\Cookies\kirwin@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
    C:\Documents and Settings\Administrator\Cookies\kirwin@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\WINNT\Temp\ASHeuristic\rb_exe.vir -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
    C:\WINNT\Temp\ASHeuristic\rb_exe.vir0 -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup


    ::Report End

  10. #10
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    I really think you should be OK, but again I would change all log in names and passwords.

    BG

Page 1 of 2 12 LastLast