Logging software - invisible


cmdrdata

A couple of months ago I installed a piece of software and have since
forgotten all about it. Now I am getting emails of websites visited,
but I haven't got a clue how to get rid of it. I checked via the task
manager, msconfig, autoruns, and hijackthis. None of them shows this
application. I also did a search for my email addy in the regedit
window hoping that it will point to the application doing it, but still
no dice. I think it was a freeware mentioned here a while back.
How can I find out what this software is, and how can I remove it? TIA
for your help.
 
You haven't given much detail about what kind of software it is, so
it's real hard to help you.

What about system restore?

tf76
http://www.topfreeware.net
Best Freeware Downloads and tips to optimize your system
Member of The Freeware Revolution
 
tf76 said:
You haven't given much detail about what kind of software it is, so
it's real hard to help you.

What about system restore?

That's the point. I don't know (or remember) what software it was that
I installed. All I know is that I started getting email daily about the
websites that were visited. The sender was me and the mail is also to
me. The subject title says Logs, and here's a partial list of the first
few lines:

--------Outgoing-------
DateTime From Acess URL Action
[2006-03-14 19:57:38] | [192.168.1.101] | [www.weatherunderground.com] | [Forward]
[2006-03-14 19:57:39] | [192.168.1.101] | [icons.wunderground.com] | [Forward]
[2006-03-14 19:57:40] | [192.168.1.101] | [an.tacoda.net] | [Forward]
[2006-03-14 19:57:40] | [192.168.1.101] | [anrtx.tacoda.net] | [Forward]
[2006-03-14 19:57:42] | [192.168.1.101] | [browser.cdn.aol.com] | [Forward]
[2006-03-14 19:57:42] | [192.168.1.101] | [www.wunderground.com] | [Forward]
[2006-03-14 19:57:42] | [192.168.1.101] | [banners.wunderground.com] | [Forward]
[2006-03-14 19:57:42] | [192.168.1.101] | [ads.wunderground.com] | [Forward]
[2006-03-14 19:57:43] | [192.168.1.101] | [adq.nextag.com] | [Forward]
[2006-03-14 19:57:43] | [192.168.1.101] | [content.ipro.com] | [Forward]
[2006-03-14 19:57:43] | [192.168.1.101] | [c5.zedo.com] | [Forward]
[2006-03-14 19:57:49] | [192.168.1.101] | [stationdata.weatherunderground.com] | [Forward]
 
It sounds like you've installed a keylogger. It will be difficult to
find and remove, because it's NOT supposed to be easy to find and
remove. Your best bet to get rid of it is to first get some
keylogger-finding software, like some spyware removing programs do
(i.e. Spybot, Adaware, Spywareblaster, to name a few).

If they don't work and an antivirus check doesn't give results then you
should just start over from scratch and reformat your hard drive.
Unless it doesn't bother you that much and you can live with it. Well,
I hope this helps you.

Cheers,

Justin Bailey
 
Check this registry key and see if it begins with startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 

Who are you talking to? What did they say?

This is a usenet discussion group, not a message board on a website.

Please follow the generally-accepted usenet convention of quoting at
least part of whatever message you're replying to.

Newsgroup propagation being what it is, some folks will see your
response before they see the post on which you're commenting.
Others, in fact, may NEVER see the original post or didn't bother
reading it.

Another problem is that given the way threads drift, a subject line
may have little or nothing to do with what the current discussion
involves.

When you fail to cite a bit of the original message, your own
comments just hang out in the air, connected to nothing and making
little or no sense.

If you are posting through google-groups, you can quote properly by
using the "options" selection and NOT the "reply" button, as shown here:
http://www.safalra.com/special/googlegroupsreply/

For a comprehensive, net-wide FAQ, check this site:
http://www.netmeister.org/news/learn2quote.html
 
John said:
Check this registry key and see if it begins with startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I did. No Run entry. The only folder in CurrentVersion is SharedDLLs
and it looked harmless.
BTW, my OS is XP SP2.
 
More info: I just "sent" myself another email with this heading:
"Secirity Alert" [55:48:A6]
and the content of this email is:

"2006-03-16 06:28:50 - Ip Spoofing - Source:172.130.34.229,0,LAN - Destination:205.188.78.204,0,WAN"

So evidently this piece of hidden software is monitoring net access
too. Hopefully this will give y'all an additional clue to help me. Thanks.
 
cmdrdata said:
A couple of months ago I installed a piece of software and have since
forgotten all about it. Now I am getting emails of websites visited,
but I haven't got a clue how to get rid of it. I checked via the task
manager, msconfig, autoruns, and hijackthis. None of them shows this
application. I also did a search for my email addy in the regedit
window hoping that it will point to the application doing it, but still
no dice. I think it was a freeware mentioned here a while back.
How can I find out what this software is, and how can I remove it? TIA
for your help.

Such programs must make at least a temporary file to list the web
sites visited. Find that file and it will probably give you a good
idea what file is referencing it. In any case it will probably be in
the keylogger directory.

Here is a way to find that file.

(1) Start your system and ONLY open your browser.

(2) Make sure that you have no "hidden" files set in explorer.

(3) Do nothing at all for an hour and ten minutes.

(4) Start browsing, and do nothing else, for the next half hour.

(5) List all files accessed in the last hour.

Anything that isn't browser related is probably keylogger related. You
may have hundreds of files to check BUT if you sort them by directory
then you should be able to find the right directory reasonably
quickly.

Regards, John.

--
****************************************************
,-._|\ (A.C.F FAQ) http://clients.net2000.com.au/~johnf/faq.html
/ Oz \ John Fitzsimons - Melbourne, Australia.
\_,--.x/ http://www.vicnet.net.au/~johnf/welcome.htm
v http://clients.net2000.com.au/~johnf/
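
Step (5) of the procedure above, as an added example that is not part of the original post: a script that lists files modified or accessed within the last hour and groups them by directory, busiest directory first. The function name `recent_files_by_dir` and its parameters are made up for this illustration; access times are only useful where the volume still records them (NTFS stops updating them by default from Windows Vista onward), so the script also looks at modification times.

```python
import os
import time
from collections import defaultdict


def recent_files_by_dir(root, window_seconds=3600, now=None, skip_dirs=()):
    """Return [(directory, [file names])] for files under `root` whose
    modification or access time falls inside the window, busiest first."""
    now = time.time() if now is None else now
    cutoff = now - window_seconds
    skip = {os.path.normcase(os.path.abspath(d)) for d in skip_dirs}
    hits = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories that are already explained, e.g. the browser profile.
        dirnames[:] = [
            d for d in dirnames
            if os.path.normcase(os.path.abspath(os.path.join(dirpath, d))) not in skip
        ]
        for name in filenames:
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:
                continue  # locked, unreadable or deleted mid-scan
            # Access-time updates may be disabled on the volume, so a write
            # (mtime) is the more reliable signal; take whichever is newer.
            if max(st.st_mtime, st.st_atime) >= cutoff:
                hits[dirpath].append(name)
    return sorted(((d, sorted(n)) for d, n in hits.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    import sys
    # Usage: python recent_files.py <root> [directory to skip ...]
    for directory, names in recent_files_by_dir(sys.argv[1], skip_dirs=sys.argv[2:]):
        print(f"{len(names):4d}  {directory}")
        for name in names[:5]:
            print(f"        {name}")
```

Passing the browser's cache and profile directories as directories to skip leaves only the activity the browser does not account for.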
 
cmdrdata said:
More info: I just "sent" myself another email with this heading:
"Secirity Alert" [55:48:A6]
and the content of this email is:

"2006-03-16 06:28:50 - Ip Spoofing - Source:172.130.34.229,0,LAN - Destination:205.188.78.204,0,WAN"

So evidently this piece of hidden software is monitoring net access
too. Hopefully this will give y'all an additional clue to help me. Thanks.

Sounds like a firewall is generating the email.
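
Added example, not part of any post in the thread: a parser for the two message formats quoted above (the "Logs" access list and the alert line), which tolerates the line breaks the mailer inserted and reports which LAN address made the requests and whether the alert's addresses are in private address space. The field names, and reading the trailing `LAN`/`WAN` tokens as interface zones, are assumptions made for this illustration.

```python
import ipaddress
import re

# Copied from the posts above, including the line breaks added by the mailer.
ACCESS_SAMPLE = """\
[2006-03-14 19:57:38] | [192.168.1.101] | [www.weatherunderground.com]
|
[Forward]
[2006-03-14 19:57:40] | [192.168.1.101] | [an.tacoda.net] | [Forward]
[2006-03-14 19:57:49] | [192.168.1.101] |
[stationdata.weatherunderground.com] |
[Forward]
"""
ALERT_SAMPLE = """2006-03-16 06:28:50 - Ip Spoofing - Source:172.130.34.229
,0,LAN - Destination:205.188.78.204,0,WAN"""

# \s* around each separator lets one record span several wrapped lines.
ACCESS_RE = re.compile(
    r"\[(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\s*\|\s*\[(?P<source>[^\]]+)\]"
    r"\s*\|\s*\[(?P<host>[^\]]+)\]\s*\|\s*\[(?P<action>[^\]]+)\]")
ALERT_RE = re.compile(
    r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (?P<kind>.+?) - "
    r"Source:(?P<source>[\d.]+)\s*,\d+,(?P<source_zone>\w+) - "
    r"Destination:(?P<dest>[\d.]+)\s*,\d+,(?P<dest_zone>\w+)")


def parse_access(text):
    """Return one dict per access record, rejoining wrapped records."""
    return [m.groupdict() for m in ACCESS_RE.finditer(text)]


def parse_alert(text):
    """Parse an alert line and note whether each address is private/reserved."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    alert = m.groupdict()
    for side in ("source", "dest"):
        alert[side + "_private"] = ipaddress.ip_address(alert[side]).is_private
    return alert


if __name__ == "__main__":
    records = parse_access(ACCESS_SAMPLE)
    print(len(records), "records from", sorted({r["source"] for r in records}))
    print(parse_alert(ALERT_SAMPLE))
```

On the quoted samples every access record comes from the single private address 192.168.1.101, while the alert's source is tagged `LAN` but is not a private address.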
 