System monitor removal

Discussion in 'adware, spyware & hijack cleaning' started by nerv2010, Jan 7, 2004.

Thread Status:
Not open for further replies.
  1. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    Alright.
    I've been using spybot/adaware/NAV for quite some time now. I was referred to another company website: www.webroot.com to try out their spyware scanner. According to their scan, two of the systems I work with have "WinWhatWhere" but after contacting the producer of WinWhatWhere, we determined their program was not on the systems but there is some sort of system monitor. Is there any programs out there that would help with a removal of a system monitor? I've even tried to download webroot's own program which hasn't detected a system monitor. Any suggestions, insight would be greatly appreciated!
    Also, the company I work for has not installed any system monitoring programs on any consoles.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi nerv2010 :)

    Welcome to Wilders.


    If u follow the instructions here,

    http://www.wilderssecurity.com/showthread.php?t=15913

    Then post a HighJackThis log, one of our experts can tell u if any type of system monitor or any other suspicious
    things are running on your computers.


    Hope this helps



    snowbound


    EDIT- Could u tell us what kind of system monitor u think this could be?
     
  3. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    Alright. Here's the laptop log. I've been able to locate the key in question:

    Software\CLASSES\dwshk36.KeyList

    Best guess would be a keylogger system but it may belong to something else.

    Thank you in advance!

    Logfile of HijackThis v1.97.7
    Scan saved at 8:17:59 AM, on 1/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\DELL\AccessDirect\DadTray.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kyle\Desktop\hijackthis\HijackThis.exe

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37812.385787037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
     
  4. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    Here's the desktop log. I found the same key on the desktop.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:39:32 AM, on 1/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\MSMGT.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lora\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - http://www.stamps.com/download/us/registration/2_0_0_745/sdcregie.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi nerv 2010,

    Can you check the registry for these two keys:

    HKEY_LOCAL_MACHINE\Software\WinWhatWhere Corporation\WinWhatWhere Investigator

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Uninstall\WinWhatWhere Investigator

    Supporting files to look for (but be careful in deleting these files as they may be required for other applications - it will not hurt to leave on the system!):
    \WINDOWS\SYSTEM\_zmStat.dat (probably a program stat file?)
    \WINDOWS\SYSTEM\Dwspydll.dll (Win process "hook" file)
    \WINDOWS\SYSTEM\dwspy36.dll (Win process "hook" file)
    \WINDOWS\SYSTEM\_ISource2.dll (image processing)
    \WINDOWS\SYSTEM\Dwshk36.ocx (Win process "hook" file) \WINDOWS\SYSTEM\dwspyvb6.dll (Win process "hook" file)
    \WINDOWS\SYSTEM\ExEMail.dll (suspect used for emailing log)

    And I would advise you to get rid of the MyWebSearch software.

    Regards,

    Pieter
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    For this computer:
    Go offline first, go to Add/remove programs and uninstall:
    'MS T Media Display' then delete C:\WINDOWS\MSMGT.EXE

    Check the items I quoted above in HijackThis.
    Close all windows except HijackThis and click Fix checked.

    Then reboot.

    Regards,

    Pieter
     
  7. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    Thanks Pieter!
    I had already checked for the WinWhatWhere software and confirmed with the company it wasn't on the system. But I will check on the other keys. As for the MyWebSearch, I was thinking of the same thing. :D
     
  8. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    For this computer:
    Go offline first, go to Add/remove programs and uninstall:
    'MS T Media Display' then delete C:\WINDOWS\MSMGT.EXE

    Check the items I quoted above in HijackThis.
    Close all windows except HijackThis and click Fix checked.

    Then reboot.

    Regards,

    Pieter
    Thanks, I already removed MS T Display but I will remove the other keys. What do you suggest about the dwshk36.KeyList key?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi nerv2010,

    I found that key mentioned on a few sites, that I would rather not link to.

    And where it probably originated:
    http://www.desaware.com/WindowsHooksL3.htm#dwSpyVB Hooks

    What I would do is backup the registry (or, since you are running XP, make a Restore Point) and remove that key.

    Regards,

    Pieter
     
  10. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    I found both the dwspy36.dll and dwshk36.ocx on the desktop. Nothing else though. I have not deleted these keys.
     
  11. nerv2010

    nerv2010 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    7
    The spyworks program is the only one that I ran across also that used the key. I'm considering doing what you've suggested as a precaution.

    Thank you for the wonderful help!
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure. :)

    Pieter
     
Thread Status:
Not open for further replies.