Can't get rid of this keylogger!

[SoGuyWhoKnowsNothing]

I have this "game" I enjoy to play, well the other day a person who i thought i could trust sent me a file to download containing a picture. Now just the next day, I got hacked, well I searched for information about finding keyloggers and stuff, well, I found one. Ive deleted it over and over again, downloaded that Ad-Aware, and others, but after i restart my computer there it is agian in my Task Manager Processes thing. The name of this Keylogger is under this name " Zikdaman.exe " please help me get rid of this problem!

 

[scriptghost]

try this little program: hijackthis

link: www.merijn.org/files/hijackthis.zip

i got rid of many keyloggers such as stelleremperor and [fixed my corrupted svchost.exe]

 

[SoGuyWhoKnowsNothing]

Thank you so much! Finally something that works.

 

[psd99]

glad its sorted

no longer do i open any files on my pc that are sent over the net

i must say before opening a file, so run a virs scan and look out for .exe's
if the bloke told u he is sending u a picture and the filname is an .exe
DO NOT OPEN IT!

THERE IS NO PICTURE FORMAT THAT WILL BE AN .EXE!
this is most likely something malicious!

 

[SoGuyWhoKnowsNothing]

Thanks for the tip, Ill be sure to watch out for that. =)

 

[Lost]

help me

My brother got mad and i suspect he placed a key logger on my laptop. I have three suspicious files. They are svchost which is an application... svchost.exe-2d5fbd18.pf and svchost which is an application...
Is my Pc bugged?????

 

[Adywebb]

svchost is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs.
As far as I'm aware its OK.......

 

[tjm4fun]

svchost is an integral part of the windows nt based os's. you can see many instances of it running in task manager, each with differrent threads, depending on what called it and whatit is doing.
It will also be run by malware, so you need to ascertain what particular process is suing svchost to see if it is a real baddy.

Most keyloggers are easily found with the various spyware programs as spybot s&d, adaware, and some
better antivirus programs. (and norton is not in that list)

 

[gabriella]

Hi

Hijackthis is very useful but is best used by expert users - in the wrong hands it can cause problems on your PC.

For very troublesome infections there's a very good site called Malware (link provided below) and the people who run the site will analyse your Hijackthis log and provide step by step support to remove the problem. They won't give up till you re sorted and it's a free service which is highly rated.

http://www.malwareremoval.com/

This may be of some help to someone.

Gabs x

 

[michael555]

I have this "game" I enjoy to play, well the other day a person who i thought i could trust sent me a file to download containing a picture. Now just the next day, I got hacked, well I searched for information about finding keyloggers and stuff, well, I found one. Ive deleted it over and over again, downloaded that Ad-Aware, and others, but after i restart my computer there it is agian in my Task Manager Processes thing. The name of this Keylogger is under this name " Zikdaman.exe " please help me get rid of this problem!

Never download any files from people you don,t really know.

Try a firewall and block the program.

picture files are not exe.
So what is going wrong with your pc now.

Download a free spyware remover , and a virus checker (update one).

goto : http://www.spywareinfo.com/~merijn/downloads.html for hijack this.

 

[tjm4fun]

While picture files are not exe's, they CAN be infected in such a way that it will exploit a weakness in windows picture viewers and install malicious code. Most of these were fixed in various service packs, but there could be new undetected ones now.

Most likely it was an infection from surfing with poor protection.
Use spywareblaster along with a good anti virus to keep 99% of that crap off your pc.

there are also numerous writeups on how to set the browser up for safe surfing,
and if you do have bad things enabled, spyware blaster will tell you and give you some info on what to do.

 

[shearm]

I have this keylogger on my computer named "EgySpy", but I can't get rid of it. I know the name of it because my Symantec Antivirus catches the e-mail trying to be sent, but now I have to put up with this pop-up from my anti-virus because it doesn't get it in an actual scan. When I google the keylogger all the websites are in arabic and for some reason the keylogger changes my regional and language settings to arabic. Can anyone help me?

 

[muckshifter]

... ALL of these

http://www.spywarepoint.com/downloads/Ad-Aware_SE_Personal_Edition/

http://www.spywarepoint.com/downloads/Microsoft_Windows_Defender/

http://www.spywarepoint.com/downloads/SpywareBlaster/

http://www.spywarepoint.com/downloads/HijackThis/

http://www.spywarepoint.com/downloads/Spybot_-_Search_and_Destroy/

http://www.kaspersky.co.uk/uk/trials


Get rid of Norton crap.

 

[michael 118]

http://www.kaspersky.co.uk/uk/trials


Get rid of Norton crap.

I second that, Norton brings misery

 

[shearm]

Can't get rid of it, my school requires it to get on their network, and I HAVE all those programs, and they didn't get rid of them. Norton is the only thing that has helped me.

 

[tjm4fun]

Norton is absolute crap. we run it on our work machines, and I have often had to do the following:
Go to free-av.com and download anti-vir, but donot install it yet.

start spybot search and destroy. go to advanced mode, then tools and startup.
uncheck all the norton startup stuff. don;t delete it as you need to have it.
Next, go to control panel.
Computer management
services.
find the norton/symantec entries and disable them. (right click, properties ther is a pulldown box, it is likely set to auto, set to disable) You may want to note which ones, so you can re-enable them when done.
after that, reboot.
nortotn should not be running.
install anti-vir.
Carefully note the full name of the directory it is in.
let it do it's update. and run the scan.
let it remove everything it finds.
in the options setting, there are options for removing win32 malicious software, turn that on to medium setting, and rescan.
you didn;t mention the os version, but on any xp, reboot and hit f8 and go into safe mode command prompt.
cd to the directory you installed anti-vir to.
run avcenter.exe, it will open the control center , and rerun the scan.
remove anything it finds.
if it needs rebooting to remove anything, do it.
when it is clean, boot normally and use add/remove programs to uninstall antivir.
re-enable the startup stuff with spybot, go back to services and re-enable norton/symantec services.

if it's still there, you are likely root kitted. format cL and start over. it will be faster.

 

[RomanGonche]

Logfile of HijackThis v1.99.1
Scan saved at 3:32:02 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
C:\Program Files\Common Files\AOL\1153291672\ee\AOLSoftware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\DOCUME~1\DUTCHN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1153291672\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJ
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe



do i have a keylogger?

 

[Adywebb]

No - but you do have a shed load of serious spyware/malware on there!!

1. You are infected by New.Net/NewDotNet Hijacker - you need to use LSP-Fix - follow the instructions HERE

2. You have MyWebSearch Spyware - remove using the instructions HERE

Once completed please re-post a new HijackThis log

 

[RomanGonche]

omg good thing im not infected with that stuff thx alot for the help

 

[tjm4fun]

After running those cleanup tools, download and run spybot search and destroy. run it and clean up the rest of the crap that it will find. it may require a few reboots to get it all.

Then run hijackthis and post the log.

you may want to consider getting spywareblaster, it;s free and it keeps alot of the crap off the machine. it is the infections of the simple common malware that creates an easier opportunity for really bad infections to embed themselves.
their links get compromised and you won;t notice yet another popup, and then you can get really clobbered.

it is good practice to scan with spybot after an update weekly and keep the machine as clean as possible. there are so many spyware type programs that can infect the machine and not be removed by these cleanup programs, care should always be taken.