Soneone is spying on me

Discussion in 'adware, spyware & hijack cleaning' started by Shelley Morris, Dec 14, 2003.

Thread Status:
Not open for further replies.
  1. Below please find my hijackthis log. I followed the instructions using ad-aware first. I am going to try to relay all of the problems I have had recently but I may not remember them all; or explain them well. I am new to the computer age. I haven't learned all of the terminology yet. I believe at this point that I have some kind of key logger software on my computer. I have narrowed down its source to two people, both of whom are computer engineers. So if anybody would know how to use it and keep it well hidden, it would be these two. First up, is my boyfriend. He bought me this computer and installed much of its software. The second choice is a college computer teacher of mine. This is the one I am putting my money on. He seems to know things about me and my life that can only be found out by reading my emails and chats. This teacher has been hitting on me to say the least. At first, I thought I had a virus or a worm. But I have purchased and ran (separately) both McAfee and Norton. They have found nothing. My computer is slow. My mouse doesn't always respond and then I have to wait for it to catch up. Windows will not close when I 'x' them or they do not disappear completely. I am constantly sending in error reports. My powerpoint and Word programs will not work. Some of my ppt and doc files aren't were they are suppose to be. My internet Exporer browser no longer works. I had to sign up for MSN Explorer so I could get back on the web. Sometimes when I want to disconnect my computer, I am told other people are using it. Most importantly, I just don't feel like I am "alone". At the very least, I think someone is using a screen capture program. Most of the time I just don't feel like I am in control. Like I said before, this does sound like a bug problem but my anti-virus softwares are not finding anything. And again, my teacher, who should only have access to my school file, knows way to much about my personal life. Can you please help? I have spoken to my boyfriend about this and he seems to think I have a tojan. Yes, I could just restore my computer but I am wary to do this. I see it as only a temporary solution. Whoever is on my computer got on here once, and could do so again. Thanks for you help. I logged on to the internet just before running this. Hope that helps.


    Logfile of HijackThis v1.97.7
    Scan saved at 4:51:48 PM, on 12/14/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\slrundll.exe
    C:\Downloads\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webct.tjc.edu/webct/public/home.pl?action=print_home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37860.8082291667
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.18/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4307/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AE601E82-9BAC-4695-97F4-E14A5DDFE631}: NameServer = 209.244.0.3 209.244.0.4
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Shelley!

    I'm sorry about your problems! As best I can see, your hijackthis looks fine (wait for a second opinion however) but if you do in fact have a keylogger it will likely not be seen in the output of HijackThis. I would strongly recommend that you download and install TDS from

    http://tds.diamondcs.com.au/index.php?page=download

    Once you have it installed and before you start it, manually download the latest database from the same page as above and save it to the same folder where you installed TDS (and overwrite the older database that is there). Once you so this, open up TDS and set all of the sensitivity settings to their maximum and scan your entire system.

    If it does not show anything you might download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Hope this helps

    Dan
     
  3. Thank you, Dan. I'll try your suggestions now.
     
  4. This is the results from the asviewer. I hope I did it right. Thanks for all of your help. Shelley Morris


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Shelley Daniels@SHELLEY-BU5V6M7, 12-15-2003
    c:\autoexec.bat
    Path C:\Academic\orawin95\Bin;%Path%
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\plusmcry.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\plusmcry.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CHotkey
    C:\WINDOWS\mHotkey.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan
    C:\WINDOWS\SOUNDMAN.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lexmark X74-X75
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\S3TRAY2
    C:\WINDOWS\system32\S3tray2.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Shelley Daniels\Start Menu\Programs\Startup\
    C:\Documents and Settings\Shelley Daniels\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccSetMgr\
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\HidServ\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LexBceS\
    C:\WINDOWS\system32\LEXBCES.EXE
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVScan\
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SLService\
    C:\WINDOWS\system32\slserv.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Symantec Core LC\
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    HKLM\System\CurrentControlSet\Services\symlcbrd\
    \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  6. Ironically, I have already used both of these. The key-logger only found a norton antivirus file. The Who's Watching me was a different story. It kept getting stuck initially in the same place. I had to delete a font file before it would go any further. Then it did the same thing somewhere else. I can't remember what file it was that time. So I can't tell you how I fixed it. I don't know if I deleted another file, moved it, or renamed it. I only have the trial versions of these programs. Would buying a license or two help? Shelley
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Shelly

    I use a very good anti-keylogger app. called Spycop.

    It has caught 2 keyloggers on my comp in the past.


    This is the website if u would like to try it

    http://www.spycop.com/


    Limitations on the trial version are when scanning it does skip some files.

    Just on a whim have u checked the back of your computer for any suspicious hardware?
    I only ask because a friend of mine found some device that his ex wife had attached to the back of his computer to log his keystrokes. :eek:


    Hope this helps.



    snowbound
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Shelley,

    I'm afraid I don't see anything standing out in your ASViewer output. To be extra certain, can you please email me (in a zip file, sending to the email address shown in my profile) these two files

    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\slrundll.exe

    These are almost certainly pertaining to your modem but it would be good to be sure.

    Were you able to download and run TDS?

    Another thing that would be worthwhile is to download the trial of DCS's Port Explorer from

    http://www.diamondcs.com.au/portexplorer/downloads/pedemosetup.exe

    What this program will do is show all processes that are running that are listening on or using the network. The tab to pay the closest attention to is "Remote" which will show any process that is communicating with the outside world. If you see something listed here that you cannot associate with something legitimate such as your web browser or email program, etc then this will be where we want to focus our attention. Bear in mind that this list will change as your activity changes so you will want to revisit it periodically. Also, you will want to note any of the process shown in red as these are processes that are "hidden" though they are usually legitimate applications that, for instance, reside in the Systray rather than in a regular window.
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re:Someone is spying on me

    Yup, snowbound - I do, too. I didn't recommend it because to get the full benefit from it, you have to purchase it ($49.95, even with the "discount").

    The trial version is severely limited - from this page: http://spycop.com/spycop-free-product.htm - "First, it will skip random files while scanning. To be completely sure that there is not a spy program on your system, you must purchase the full version. Additionally, none of the configuration options can be changed."

    Those kinds of limitations are bad enough if you don't think you have a problem - it's much worse when you're sure that you do.

    IOW, if she's going to try SpyCop, she needs to just go ahead and buy it outright.

    Your idea about checking for a hardware keylogger was good - but only if one of the two individuals mentioned still has physical access to the domicile in which the computer resides.

    Shelly - see this link: http://spycop.com/keyloggerremoval.htm for what a hardware keylogger may look like.

    I like both of Dan's ideas (getting the trial versions of TDS and PortExplorer) with the exception of the fact that both programs can be rather intimidating to learn under pressure - not to mention the fact that any GOOD keylogger isn't going to transmit ALL the time (and hence won't show up in PE unless you just happen to be looking at it when the transmission takes place).

    Of course, you could spend a lot of time perusing the log files...).

    But at least TDS would help rule out a trojan infection - as long as she set it up properly and updated it before scanning.

    Pete
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re:Someone is spying on me

    You're absolutely right spy1. In this case the trial version of Spycop would be virtually useless.

    As for looking for hidden keylogger devices, Shelly mentioned her boyfriend so i figured he probably at some time had access to her computer.

    I like Dan's ideas too. If there is anything going on, i'm sure they would be found out by TDS or Port Explorer.


    Hope u get this figured out Shelly




    snowbound
     
  11. Doc Watson

    Doc Watson Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    3
    Location:
    New Jersey, USA
    Hi Shelly,

    I'm curious how this teacher accesses your "school file". Does he have remote access ?? If so, perhaps you could cut off his access and manually deliver copies of the file to him. Also, I have neither seen nor heard any mention of a firewall on your system. A firewall log file would go a long way in determining what is going in and out of your computer. And if your boyfriend is a computer engineer, why hasn't he gotten involved to remove this "suspected" Trojan that appears to have the capabilities to do whatever it wants on your system o_O

    Install a firewall and stop ALL in and out activity on your computer. Then SELECTIVELY allow access in and out to only those programs you recognize. When one tries to get in or out that you don't recognise, investigate its origin and purpose. Process of elimination should find the troublemaker. Personally, given all the problems and poor performance you have mentioned, I'd consider a reformat and reinstall of the OS and programs. Carefully monitoring activity on the computer after that.
     
  12. My boyfriend did have physical access to my computer. In fact, he ordered it, and set it up for me. He has since sent me software to install or had me download things from his server. So yeah, it would seem more likely that he is messing with my computer than my teacher. Except for this: Because I knew he would have the ability to hack into my computer I have given him all of my email passwords from the beginning. I have even given him remote access at times. I have nothing to hide from him. But I didn't know about the ability for anyone to capture every keystoke until my computer teacher covered it in class. By this time I am already wondering why he seems to guess so many things about me correctly. In this particular lecture, he mentioned his web site that he had us visit the first day of class. And how if he had wanted to, he could get our IP adresses and get access to our computers. A light bulb went off for me and I think he saw the look on my face. I didn't start having real problems until after that day. I asked my boyfriend (he lives 1000 miles away) how to find out if someone was snooping. Now as I said before, if anyone knows how to hide spying software and keep it hidden it is one of these two. But they also both now knew I was on to one or both of them. I have wondered if my problems started when they tried to get it off my computer. I am behind a firewall now. But I have only recently really been so. I have only had a computer for a year. I am a computer virgin. But I am learning fast and I want to beat them at their own game. My money is still on my teacher. He use to work for the CIA. I was running spybot one time. And I saw a file name that struck me as odd: carnivore. That word was in my computer book this semester. It said it was some kind of surveillance thing the government used to use. When I tried to search out this file on my own, I couldn't find it. I am going to take all of your suggestions and try them today. I think I am going to have a look at the back of my modem also. I was placed in an awkard situation all semester with my computer teacher. I didn't want to thwart his advances for fear of it affecting my grade. But I also didn't want to encourage him. And that just isn't right or fair. Thanks all, Shelley Morris
     
  13. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Shelley,

    A couple more suggestions for you;

    Can you please download ProcessView from

    http://www.xmlsp.com/pview/PrcView.zip

    and extract the pv.exe file into your Windows directory. Open up your Command Prompt and type

    pv -m explorer.exe > modules.txt

    and hit "Enter". Then type

    modules.txt

    and hit "Enter" and copy the contents from Notepad and paste here so we can review the modules loaded.

    Also, if you have another PC or know someone that can help you, you might take your HD out of the suspect system and put it another and boot on that systems regular hard drive and run scans from that system on your suspect drive. This way we can bypass the normal means for hiding running malware processes/files. You might even hire out a reputable local consulting company to analyze the system for you in this fashion. I suggest, though, that if any trojan or keylogger is found that the files should be saved safely and that the location and names of the various components should be fully documented, as well as the respective file modify creation dates. It is usually the case that once a backdoor is found if you search for files created or modified at the same time you will find more evidence, frequently pointing to the origin of the hackers as well as their means of entry or redundant backdoor access.

    Another thing you might try is to call your nearest FBI Branch Office. Each office has their own Computer Crime Squad and though they may be unwilling to offer material assistance (it might be that they will feel the indications of wrongdoing are too sketchy) they may be able to offer good suggestions.

    :)
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    All I want is the link for your professor's website.

    Email it to me at spy1@comporium.net if you don't want to post it publicly - although you should.

    I'm quite sure a few of us would like to "sign" his guestbook. Pete
     
  15. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    "post it publicly - although you should.

    I'm quite sure a few of us would like to "sign" his guestbook"


    Yes POST his web site.

    Sorry for all your troubles, I also have had the feeling "not alone" and thats why I study here @ "Wilders" ( Not that I'm getting very good but do have less of those feelings)

    Happy Holidays Anyway.

    ff
     
  16. GoonMan

    GoonMan Registered Member

    Joined:
    Sep 20, 2003
    Posts:
    125
    Location:
    Louisiana, USA
    I agree post his web site here I would like to check it out also.

    Randy

    Shelly if you live in a large city some times the local police Department will have a Computer Crimes Unit. That may check out your computer and or this gentleman who knows too much about you.

    I know LSU has bust a few Employees for improper use of their computers including a Professor or 2.
     
  17. The funniest thing happened the other night. I don't remember what I was using, one of your suggestions. I "caught" someone "listening". Not only that but I had my msn messenger showing me as "appearing to be offline." And someone was trying to sign in as me somewhere else. They tried several times and each time I was prompted to keep myself signed in and stay signed in on my computer. I wiped out my computer the next day. I restored it. I have been busy trying to get all of my windows updates and driver updates reinstalled. Yeah, I need to look up my teacher's email address. Someone told me it may be possible to see if he has any spy software hidden on it somewhere. Hopefully, my restoration got rid of my spy. But time will tell. One thing is for sure, there is nothing on here of importance to look at anymore. Thank you for all of your suggestions, and interest. I have learned a lot from this experience. Shelley Morris
     
  18. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi Shelley!

    You are in good hands with these people. They know what to do with spywares. I can perhaps help with some of the other things you mentioned. I am a paralegal in the business of realtime security and rescue.

    In both the Commonwealth countries and the USA sexual harassment is illegal. Universities take a dim view of it too, especially from staff. You do not have to give in to it, nor walk a tightrope of doubt about your grades. Find a female counselor (psych or legal) that you trust and respect and tell her everything about your harasser and his advances, with the view of filing a formal complaint. You suspect that your harasser is or has been spying on you. This is called stalking. Both stalking and sexual harassment can lead to criminal charges. Laws may vary in different states but find out what you can do.

    I know it's tough to share this sort of thing with other people, but you need their help to fight back against these forms of violation. You started contacting others by coming here for help. Keep doing that.


    Best regards from Larry
     
  19. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    :cool:
    Glad to hear you "wiped" your system.
    Change all the names you used to use.
    Get a couple extra "free on-line" Email Eddresses! (myownemail.com)a great place to get many and/or (hotmail)
    Use them as you see fit but keep a log, (on paper not in sys)!
    as to who you gave them to and always keep at least one clean and clear. If the school makes you keep their's then only us it from their systems and not yours.
    And please post his "web page" not his eddress.
    Is the class he is teaching called "stalking 101" by any chance??


    Happy Holidays to you.!!

    ff
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Shelly - I don't want his email address - I want a link to his website that you mentioned. Pete
     
  21. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Yes, they need the URL, the web address of his site so they can check if it is "dirty." Then they can help you some more.

    Here is a little freeware application to store all those passwords where they will be available only to you on your system.

    Any Password


    Best regards
     
Thread Status:
Not open for further replies.