Someone is spying on me

Discussion in 'adware, spyware & hijack cleaning' started by Shelley Morris, Dec 14, 2003.

  1. Below please find my hijackthis log. I followed the instructions using ad-aware first. I am going to try to relay all of the problems I have had recently but I may not remember them all, or explain them well. I am new to the computer age. I haven't learned all of the terminology yet. I believe at this point that I have some kind of key logger software on my computer. I have narrowed down its source to two people, both of whom are computer engineers. So if anybody would know how to use it and keep it well hidden, it would be these two. First up is my boyfriend. He bought me this computer and installed much of its software. The second choice is a college computer teacher of mine. This is the one I am putting my money on. He seems to know things about me and my life that can only be found out by reading my emails and chats. This teacher has been hitting on me to say the least. At first, I thought I had a virus or a worm. But I have purchased and run (separately) both McAfee and Norton. They have found nothing. My computer is slow. My mouse doesn't always respond and then I have to wait for it to catch up. Windows will not close when I 'x' them or they do not disappear completely. I am constantly sending in error reports. My PowerPoint and Word programs will not work. Some of my ppt and doc files aren't where they are supposed to be. My Internet Explorer browser no longer works. I had to sign up for MSN Explorer so I could get back on the web. Sometimes when I want to disconnect my computer, I am told other people are using it. Most importantly, I just don't feel like I am "alone". At the very least, I think someone is using a screen capture program. Most of the time I just don't feel like I am in control. Like I said before, this does sound like a bug problem but my anti-virus software is not finding anything. And again, my teacher, who should only have access to my school file, knows way too much about my personal life. Can you please help?
I have spoken to my boyfriend about this and he seems to think I have a trojan. Yes, I could just restore my computer but I am wary of doing this. I see it as only a temporary solution. Whoever is on my computer got on here once, and could do so again. Thanks for your help. I logged on to the internet just before running this. Hope that helps.


    Logfile of HijackThis v1.97.7
    Scan saved at 4:51:48 PM, on 12/14/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\slrundll.exe
    C:\Downloads\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webct.tjc.edu/webct/public/home.pl?action=print_home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37860.8082291667
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.18/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4307/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AE601E82-9BAC-4695-97F4-E14A5DDFE631}: NameServer = 209.244.0.3 209.244.0.4
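The log above is in HijackThis 1.97 format. As an added example (not HijackThis code and not code from any poster), this script parses the entry types that appear in the posted log (R0/R1, O2/O3, O4, O16, O17) into records and cross-checks each O4 autostart against the "Running processes" section by file name, so a reviewer can see which autostarts give only a bare file name and which running process, if any, corresponds to each. The sample lines are copied from the log above.

```python
"""Parse HijackThis 1.97-style log lines and cross-check O4 autostarts against
the 'Running processes' list. Added example for this thread; not HijackThis
code. Only the entry types present in the posted log are parsed in detail."""
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LINES = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\mHotkey.exe",
    r"C:\WINDOWS\System32\S3tray2.exe",
    r"C:\Program Files\QuickTime\qttask.exe",
    "",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O4 - HKLM\..\Run: [CHotkey] mHotkey.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe",
    r"O4 - Startup: PowerReg Scheduler.exe",
    r"O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.18/ttinst.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{AE601E82-9BAC-4695-97F4-E14A5DDFE631}: NameServer = 209.244.0.3 209.244.0.4",
]

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Program part of a command line: everything up to the first .exe/.com/... token.
PROGRAM_RE = re.compile(r"(.*?\.(?:exe|com|scr|dll|lnk|bat))(?:\s|$)", re.IGNORECASE)


def parse_entry(line):
    """Return a dict for one 'Xn - ...' entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    rec = {"code": code, "raw": line.strip()}
    if code in ("R0", "R1"):                      # "hive\key,name = value"
        key, _, value = body.partition(" = ")
        rec.update(key=key, value=value)
    elif code in ("O2", "O3"):                    # "BHO: name - {CLSID} - path"
        kind, _, rest = body.partition(": ")
        parts = rest.split(" - ")
        rec.update(kind=kind, name=parts[0], clsid=parts[1] if len(parts) > 1 else "",
                   path=parts[-1] if len(parts) > 2 else "")
    elif code == "O4":                            # "location: [label] command"
        location, _, rest = body.partition(": ")
        lm = re.match(r"\[(?P<label>[^\]]*)\] (?P<command>.*)", rest)
        if lm:
            rec.update(location=location, label=lm["label"], command=lm["command"])
        else:                                     # "Startup: file" or "name = target"
            name, _, target = rest.partition(" = ")
            rec.update(location=location, label=name, command=target or name)
    elif code == "O16":                           # "DPF: {CLSID} (name) - url"
        dm = re.match(r"DPF: (?P<clsid>\{[^}]*\}) \((?P<name>[^)]*)\) - (?P<url>\S+)", body)
        if dm:
            rec.update(dm.groupdict())
    elif code == "O17":                           # "key: NameServer = ip ip"
        key, _, value = body.partition(": ")
        setting, _, servers = value.partition(" = ")
        rec.update(key=key, setting=setting, servers=servers.split())
    return rec


def parse_log(lines):
    """Split a log into (running process paths, parsed entries)."""
    processes, entries, in_processes = [], [], False
    for line in lines:
        s = line.strip()
        if s == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not s:                             # blank line ends the process list
                in_processes = False
                continue
            processes.append(s)
            continue
        rec = parse_entry(s)
        if rec:
            entries.append(rec)
    return processes, entries


def program_of(command):
    """Program path from an O4 command, with quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    pm = PROGRAM_RE.match(command)
    return pm.group(1) if pm else command.split(" ")[0]


def autostart_report(processes, entries):
    """For each O4 autostart: its program, whether the log gives only a bare file
    name (no directory), and which running process shares that file name."""
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    report = []
    for e in entries:
        if e["code"] != "O4":
            continue
        program = program_of(e["command"])
        base = program.rsplit("\\", 1)[-1].lower()
        report.append({"label": e["label"], "location": e["location"], "program": program,
                       "bare_name": "\\" not in program and "/" not in program,
                       "running_as": running.get(base)})
    return report


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LINES)
    for row in autostart_report(procs, ents):
        flag = "bare name" if row["bare_name"] else "full path"
        print(f'{row["label"]:22} {flag:9} -> running as {row["running_as"]}')
```

Feed the full log to parse_log to get the same report for every O4 line; a bare-name autostart with no matching running process is the kind of entry worth locating on disk before deciding it is harmless.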
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Shelley!

    I'm sorry about your problems! As best I can see, your hijackthis looks fine (wait for a second opinion however) but if you do in fact have a keylogger it will likely not be seen in the output of HijackThis. I would strongly recommend that you download and install TDS from

    http://tds.diamondcs.com.au/index.php?page=download

    Once you have it installed and before you start it, manually download the latest database from the same page as above and save it to the same folder where you installed TDS (and overwrite the older database that is there). Once you do this, open up TDS and set all of the sensitivity settings to their maximum and scan your entire system.

    If it does not show anything you might download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Hope this helps

    Dan
     
  3. Thank you, Dan. I'll try your suggestions now.
     
  4. This is the results from the asviewer. I hope I did it right. Thanks for all of your help. Shelley Morris


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Shelley Daniels@SHELLEY-BU5V6M7, 12-15-2003
    c:\autoexec.bat
    Path C:\Academic\orawin95\Bin;%Path%
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\plusmcry.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\plusmcry.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CHotkey
    C:\WINDOWS\mHotkey.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan
    C:\WINDOWS\SOUNDMAN.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lexmark X74-X75
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\S3TRAY2
    C:\WINDOWS\system32\S3tray2.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Shelley Daniels\Start Menu\Programs\Startup\
    C:\Documents and Settings\Shelley Daniels\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccSetMgr\
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\HidServ\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LexBceS\
    C:\WINDOWS\system32\LEXBCES.EXE
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVScan\
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SLService\
    C:\WINDOWS\system32\slserv.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Symantec Core LC\
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    HKLM\System\CurrentControlSet\Services\symlcbrd\
    \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  6. Ironically, I have already used both of these. The key-logger only found a norton antivirus file. The Who's Watching me was a different story. It kept getting stuck initially in the same place. I had to delete a font file before it would go any further. Then it did the same thing somewhere else. I can't remember what file it was that time. So I can't tell you how I fixed it. I don't know if I deleted another file, moved it, or renamed it. I only have the trial versions of these programs. Would buying a license or two help? Shelley
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Shelly

    I use a very good anti-keylogger app. called Spycop.

    It has caught 2 keyloggers on my comp in the past.


    This is the website if u would like to try it

    http://www.spycop.com/


    Limitations on the trial version are when scanning it does skip some files.

    Just on a whim have u checked the back of your computer for any suspicious hardware?
    I only ask because a friend of mine found some device that his ex wife had attached to the back of his computer to log his keystrokes. :eek:


    Hope this helps.



    snowbound
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Shelley,

    I'm afraid I don't see anything standing out in your ASViewer output. To be extra certain, can you please email me (in a zip file, sending to the email address shown in my profile) these two files

    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\slrundll.exe

    These are almost certainly pertaining to your modem but it would be good to be sure.

    Were you able to download and run TDS?

    Another thing that would be worthwhile is to download the trial of DCS's Port Explorer from

    http://www.diamondcs.com.au/portexplorer/downloads/pedemosetup.exe

    What this program will do is show all processes that are running that are listening on or using the network. The tab to pay the closest attention to is "Remote" which will show any process that is communicating with the outside world. If you see something listed here that you cannot associate with something legitimate such as your web browser or email program, etc then this will be where we want to focus our attention. Bear in mind that this list will change as your activity changes so you will want to revisit it periodically. Also, you will want to note any of the process shown in red as these are processes that are "hidden" though they are usually legitimate applications that, for instance, reside in the Systray rather than in a regular window.
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re:Someone is spying on me

    Yup, snowbound - I do, too. I didn't recommend it because to get the full benefit from it, you have to purchase it ($49.95, even with the "discount").

    The trial version is severely limited - from this page: http://spycop.com/spycop-free-product.htm - "First, it will skip random files while scanning. To be completely sure that there is not a spy program on your system, you must purchase the full version. Additionally, none of the configuration options can be changed."

    Those kinds of limitations are bad enough if you don't think you have a problem - it's much worse when you're sure that you do.

    IOW, if she's going to try SpyCop, she needs to just go ahead and buy it outright.

    Your idea about checking for a hardware keylogger was good - but only if one of the two individuals mentioned still has physical access to the domicile in which the computer resides.

    Shelly - see this link: http://spycop.com/keyloggerremoval.htm for what a hardware keylogger may look like.

    I like both of Dan's ideas (getting the trial versions of TDS and PortExplorer) with the exception of the fact that both programs can be rather intimidating to learn under pressure - not to mention the fact that any GOOD keylogger isn't going to transmit ALL the time (and hence won't show up in PE unless you just happen to be looking at it when the transmission takes place).

    Of course, you could spend a lot of time perusing the log files...

    But at least TDS would help rule out a trojan infection - as long as she set it up properly and updated it before scanning.

    Pete
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re:Someone is spying on me

    You're absolutely right spy1. In this case the trial version of Spycop would be virtually useless.

    As for looking for hidden keylogger devices, Shelly mentioned her boyfriend so i figured he probably at some time had access to her computer.

    I like Dan's ideas too. If there is anything going on, i'm sure they would be found out by TDS or Port Explorer.


    Hope u get this figured out Shelly




    snowbound
     
  11. Doc Watson

    Doc Watson Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    3
    Location:
    New Jersey, USA
    Hi Shelly,

    I'm curious how this teacher accesses your "school file". Does he have remote access ?? If so, perhaps you could cut off his access and manually deliver copies of the file to him. Also, I have neither seen nor heard any mention of a firewall on your system. A firewall log file would go a long way in determining what is going in and out of your computer. And if your boyfriend is a computer engineer, why hasn't he gotten involved to remove this "suspected" Trojan that appears to have the capabilities to do whatever it wants on your system o_O

    Install a firewall and stop ALL in and out activity on your computer. Then SELECTIVELY allow access in and out to only those programs you recognize. When one tries to get in or out that you don't recognise, investigate its origin and purpose. Process of elimination should find the troublemaker. Personally, given all the problems and poor performance you have mentioned, I'd consider a reformat and reinstall of the OS and programs. Carefully monitoring activity on the computer after that.
     
  12. My boyfriend did have physical access to my computer. In fact, he ordered it, and set it up for me. He has since sent me software to install or had me download things from his server. So yeah, it would seem more likely that he is messing with my computer than my teacher. Except for this: Because I knew he would have the ability to hack into my computer I have given him all of my email passwords from the beginning. I have even given him remote access at times. I have nothing to hide from him. But I didn't know about the ability for anyone to capture every keystroke until my computer teacher covered it in class. By this time I am already wondering why he seems to guess so many things about me correctly. In this particular lecture, he mentioned his web site that he had us visit the first day of class. And how if he had wanted to, he could get our IP addresses and get access to our computers. A light bulb went off for me and I think he saw the look on my face. I didn't start having real problems until after that day. I asked my boyfriend (he lives 1000 miles away) how to find out if someone was snooping. Now as I said before, if anyone knows how to hide spying software and keep it hidden it is one of these two. But they also both now knew I was on to one or both of them. I have wondered if my problems started when they tried to get it off my computer. I am behind a firewall now. But I have only recently really been so. I have only had a computer for a year. I am a computer virgin. But I am learning fast and I want to beat them at their own game. My money is still on my teacher. He used to work for the CIA. I was running spybot one time. And I saw a file name that struck me as odd: carnivore. That word was in my computer book this semester. It said it was some kind of surveillance thing the government used to use. When I tried to search out this file on my own, I couldn't find it. I am going to take all of your suggestions and try them today.
I think I am going to have a look at the back of my modem also. I was placed in an awkward situation all semester with my computer teacher. I didn't want to thwart his advances for fear of it affecting my grade. But I also didn't want to encourage him. And that just isn't right or fair. Thanks all, Shelley Morris
     
  13. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Shelley,

    A couple more suggestions for you;

    Can you please download ProcessView from

    http://www.xmlsp.com/pview/PrcView.zip

    and extract the pv.exe file into your Windows directory. Open up your Command Prompt and type

    pv -m explorer.exe > modules.txt

    and hit "Enter". Then type

    modules.txt

    and hit "Enter" and copy the contents from Notepad and paste here so we can review the modules loaded.

    Also, if you have another PC or know someone that can help you, you might take your HD out of the suspect system and put it in another and boot on that system's regular hard drive and run scans from that system on your suspect drive. This way we can bypass the normal means for hiding running malware processes/files. You might even hire out a reputable local consulting company to analyze the system for you in this fashion. I suggest, though, that if any trojan or keylogger is found, the files should be saved safely and the location and names of the various components should be fully documented, as well as the respective file modify/creation dates. It is usually the case that once a backdoor is found, if you search for files created or modified at the same time you will find more evidence, frequently pointing to the origin of the hackers as well as their means of entry or redundant backdoor access.

    Another thing you might try is to call your nearest FBI Branch Office. Each office has their own Computer Crime Squad and though they may be unwilling to offer material assistance (it might be that they will feel the indications of wrongdoing are too sketchy) they may be able to offer good suggestions.

    :)
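Dan's suggestion to document each found component (name, location, dates) and then search for files created or modified at the same time, as an added example that is not code from the thread or from any tool named in it. The inventory and the placeholder_* file names are constructed; scan_directory builds the same inventory from a real tree, which is what you would run against the suspect drive once it is mounted as a second disk in a clean machine as described above.

```python
"""Timestamp pivot: document a suspect component and list the files created or
modified around the same time. Added example for this thread; not code from any
poster or tool named here. SAMPLE_INVENTORY is constructed, and the
'placeholder_*' names stand in for whatever a scan would actually find."""
import hashlib
import os
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

SAMPLE_INVENTORY = [
    # (path, created, modified) -- constructed values, not from the thread
    (r"C:\WINDOWS\System32\notepad.exe", "2002-08-29 12:00:00", "2002-08-29 12:00:00"),
    (r"C:\WINDOWS\System32\svchost.exe", "2002-08-29 12:00:00", "2002-08-29 12:00:00"),
    (r"C:\WINDOWS\System32\placeholder_suspect.exe", "2003-12-10 22:14:05", "2003-12-10 22:14:05"),
    (r"C:\WINDOWS\System32\placeholder_helper.dll", "2003-12-10 22:14:09", "2003-12-10 22:14:09"),
    (r"C:\WINDOWS\win.ini", "2002-08-29 12:00:00", "2003-12-10 22:14:12"),
    (r"C:\Documents and Settings\user\My Documents\essay.doc", "2003-12-10 20:00:00", "2003-12-10 20:05:00"),
]


def parse_inventory(rows):
    """Turn (path, created, modified) rows into entries with datetime fields."""
    return [{"path": p, "created": datetime.strptime(c, TS), "modified": datetime.strptime(m, TS)}
            for p, c, m in rows]


def scan_directory(root):
    """Build the same kind of inventory from a real tree (e.g. the suspect drive
    mounted as a second disk). st_ctime is creation time on Windows but
    inode-change time on Unix, so st_birthtime is preferred where it exists."""
    inventory = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            created = getattr(st, "st_birthtime", st.st_ctime)
            inventory.append({"path": full, "created": datetime.fromtimestamp(created),
                              "modified": datetime.fromtimestamp(st.st_mtime)})
    return inventory


def pivot(inventory, anchor_path, window_seconds=60):
    """Files whose creation or modification time lies within window_seconds of
    the anchor's creation or modification time, nearest first."""
    window = timedelta(seconds=window_seconds)
    anchor = next(e for e in inventory if e["path"].lower() == anchor_path.lower())
    hits = []
    for e in inventory:
        if e is anchor:
            continue
        best = None                                # (smallest delta, which field)
        for a_field in ("created", "modified"):
            for e_field in ("created", "modified"):
                delta = abs(e[e_field] - anchor[a_field])
                if delta <= window and (best is None or delta < best[0]):
                    best = (delta, e_field)
        if best is not None:
            hits.append({"path": e["path"], "field": best[1],
                         "offset_seconds": int(best[0].total_seconds())})
    hits.sort(key=lambda h: h["offset_seconds"])
    return hits


def sha256_file(path):
    """Hash a file so the preserved copy can later be matched to the original."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evidence_record(entry, sha256=None):
    """The note to keep per component: name, location, dates and hash
    (pass sha256_file(path) when the file itself is reachable)."""
    return {"name": entry["path"].replace("\\", "/").rsplit("/", 1)[-1],
            "path": entry["path"],
            "created": entry["created"].strftime(TS),
            "modified": entry["modified"].strftime(TS),
            "sha256": sha256}


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    suspect = r"C:\WINDOWS\System32\placeholder_suspect.exe"
    print(evidence_record(next(e for e in inv if e["path"] == suspect)))
    for hit in pivot(inv, suspect):
        print(f'{hit["offset_seconds"]:>4}s  {hit["field"]:8}  {hit["path"]}')
```

Widen window_seconds once the first batch of hits is documented; files touched within a few seconds of the suspect are the strongest candidates, and those minutes away may still belong to the same session.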
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    All I want is the link for your professor's website.

    Email it to me at spy1@comporium.net if you don't want to post it publicly - although you should.

    I'm quite sure a few of us would like to "sign" his guestbook. Pete
     
  15. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    "post it publicly - although you should.

    I'm quite sure a few of us would like to "sign" his guestbook"


    Yes POST his web site.

    Sorry for all your troubles. I also have had the feeling of "not alone" and that's why I study here @ "Wilders" (not that I'm getting very good, but I do have less of those feelings).

    Happy Holidays Anyway.

    ff
     
  16. GoonMan

    GoonMan Registered Member

    Joined:
    Sep 20, 2003
    Posts:
    125
    Location:
    Louisiana, USA
    I agree, post his web site here; I would like to check it out also.

    Randy

    Shelley, if you live in a large city, sometimes the local police department will have a Computer Crimes Unit that may check out your computer and/or this gentleman who knows too much about you.

    I know LSU has busted a few employees for improper use of their computers, including a professor or two.
     
  17. The funniest thing happened the other night. I don't remember what I was using, one of your suggestions. I "caught" someone "listening". Not only that but I had my msn messenger showing me as "appearing to be offline." And someone was trying to sign in as me somewhere else. They tried several times and each time I was prompted to keep myself signed in and stay signed in on my computer. I wiped out my computer the next day. I restored it. I have been busy trying to get all of my windows updates and driver updates reinstalled. Yeah, I need to look up my teacher's email address. Someone told me it may be possible to see if he has any spy software hidden on it somewhere. Hopefully, my restoration got rid of my spy. But time will tell. One thing is for sure, there is nothing on here of importance to look at anymore. Thank you for all of your suggestions, and interest. I have learned a lot from this experience. Shelley Morris
     
  18. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi Shelley!

    You are in good hands with these people. They know what to do with spyware. I can perhaps help with some of the other things you mentioned. I am a paralegal in the business of realtime security and rescue.

    In both the Commonwealth countries and the USA sexual harassment is illegal. Universities take a dim view of it too, especially from staff. You do not have to give in to it, nor walk a tightrope of doubt about your grades. Find a female counselor (psych or legal) that you trust and respect and tell her everything about your harasser and his advances, with the view of filing a formal complaint. You suspect that your harasser is or has been spying on you. This is called stalking. Both stalking and sexual harassment can lead to criminal charges. Laws may vary in different states but find out what you can do.

    I know it's tough to share this sort of thing with other people, but you need their help to fight back against these forms of violation. You started contacting others by coming here for help. Keep doing that.


    Best regards from Larry
     
  19. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    :cool:
    Glad to hear you "wiped" your system.
    Change all the names you used to use.
    Get a couple of extra "free on-line" email eddresses! (myownemail.com is a great place to get many, and/or hotmail.)
    Use them as you see fit but keep a log (on paper, not in the system!)
    as to who you gave them to, and always keep at least one clean and clear. If the school makes you keep theirs, then only use it from their systems and not yours.
    And please post his "web page" not his eddress.
    Is the class he is teaching called "stalking 101" by any chance??


    Happy Holidays to you!!

    ff
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Shelley - I don't want his email address - I want a link to his website that you mentioned. Pete
     
  21. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Yes, they need the URL, the web address of his site so they can check if it is "dirty." Then they can help you some more.

    Here is a little freeware application to store all those passwords where they will be available only to you on your system.

    Any Password


    Best regards
     