Tech Support Forum banner
Status
Not open for further replies.

tracking tracker

817 views 3 replies 2 participants last post by  MicroBell 
#1 ·
I feel that someone is monitoring me. I have a couple of emails address that I can not log into from yahoo. I was wondering if there is some type of software that can track someone monitioring my computer. For example, win-spy is a monitoring spyware that allows the remote user into your computer, when you are online. It has keylogging, snapshots, email tracking and other things for a person to track you
For now, I have keylogg hunter, and spy cop installed on my computer. But win-spy states it can stop anti-spyware. What can I do ? I am just average user

HIJACJTHIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 4:19:04 AM, on 2/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Common Files\AOL\1139369800\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Keylogger Hunter\KeyloggerHunter.exe
C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139369800\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Keylogger Hunter.lnk = C:\Program Files\Keylogger Hunter\KeyloggerHunter.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {434A2E00-1F9C-4DD6-ADE5-49923398FAB7} (ctlProductChecker.ProductChecker) - http://bcontractors.safeguardproperties.com:8080/property/ProductChecker.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
 
See less See more
#2 ·
Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
 
#3 ·
tracking the tracker

OK, I believe I follwed your instruction to the tee. The first log is from WinPFind. Before you go any further: there should be know image files except those from a camera. If you tell the diffrence. Only one maybe two email files from outlook express, I do have a accounting software but not located on the c drive it is on a external drive, which was on.There are also some other software. I really experience a slow down of my computer when I go to yahoo and try and open those email accounts. And after I have tried to open those accounts my computer runs slow. If needed I will do this process again after visiting yahoo.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/3/2004 5:07:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 5:07:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 5:07:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/3/2004 5:07:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/12/2006 5:20:16 PM S 2048 C:\WINDOWS\bootstat.dat
2/6/2006 6:52:10 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
2/6/2006 6:52:18 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
2/6/2006 6:53:10 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
2/6/2006 7:02:28 PM H 0 C:\WINDOWS\inf\oem0.inf
2/6/2006 6:52:18 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
2/6/2006 6:52:38 PM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
2/6/2006 6:52:38 PM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
2/6/2006 6:52:38 PM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
2/6/2006 6:53:48 PM H 229376 C:\WINDOWS\repair\ntuser.dat
2/6/2006 6:52:10 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
2/6/2006 6:52:16 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
2/6/2006 6:52:10 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
2/6/2006 6:52:10 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
2/6/2006 6:52:10 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
2/6/2006 6:52:16 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
2/6/2006 6:52:10 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
1/2/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
2/12/2006 5:20:06 PM H 8192 C:\WINDOWS\system32\config\default.LOG
2/12/2006 5:20:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
2/12/2006 5:20:18 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
2/12/2006 5:20:36 PM H 61440 C:\WINDOWS\system32\config\software.LOG
2/12/2006 5:20:22 PM H 708608 C:\WINDOWS\system32\config\system.LOG
2/6/2006 10:40:28 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
2/6/2006 10:40:30 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
2/6/2006 9:13:30 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2/6/2006 10:42:00 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
2/6/2006 7:02:44 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
2/6/2006 7:02:44 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
2/7/2006 7:04:04 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
2/6/2006 7:02:44 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
2/6/2006 7:02:44 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
2/7/2006 7:04:04 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
2/6/2006 10:42:00 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
2/6/2006 7:00:08 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
2/6/2006 7:00:08 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
2/6/2006 7:00:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
2/6/2006 7:00:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
2/6/2006 7:00:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CMYYHO93\desktop.ini
2/6/2006 7:00:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG466V6H\desktop.ini
2/6/2006 7:00:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KSNEZKCJ\desktop.ini
2/6/2006 7:00:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\V8RR588J\desktop.ini
2/6/2006 6:52:20 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
2/6/2006 10:42:00 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
2/6/2006 6:53:48 PM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
2/6/2006 6:53:46 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
2/6/2006 6:53:46 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2/6/2006 6:53:48 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2/6/2006 6:53:46 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
2/6/2006 7:00:12 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7fba3cf3-a7ae-4fa3-a604-7396e06f7d02
2/6/2006 7:00:12 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2/12/2006 5:18:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/3/2004 5:07:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2/8/2006 6:41:34 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 8/3/2004 5:07:00 PM 162304 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/10/2006 12:06:22 PM 1832 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
2/6/2006 6:53:46 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/6/2006 9:47:40 PM 1604 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lexmark X125 Settings Utility.lnk
2/8/2006 10:26:06 PM 1733 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/6/2006 10:42:00 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2/6/2006 6:53:46 PM HS 84 C:\Documents and Settings\David\Start Menu\Programs\Startup\desktop.ini
2/8/2006 5:58:30 AM 725 C:\Documents and Settings\David\Start Menu\Programs\Startup\Keylogger Hunter.lnk

Checking files in %USERPROFILE%\Application Data folder...
2/6/2006 10:42:00 AM HS 62 C:\Documents and Settings\David\Application Data\desktop.ini
1/18/2002 7:52:12 AM 3932 C:\Documents and Settings\David\Application Data\LMLayout.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
BluetoothAuthenticationAgent rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
CaISSDT "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
CaAvTray "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
CAVRID "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
LMPDPSRV C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
HostManager C:\Program Files\Common Files\AOL\1139369800\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/12/2006 5:27:27 PM


This is log file from Trackqoo.vbs

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"LMPDPSRV"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LMPDPSRV.EXE"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1139369800\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll

Subkey --- CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431}
C:\WINDOWS\avshlext.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Acrobat Assistant.lnk
desktop.ini
Lexmark X125 Settings Utility.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\David\Start Menu\Programs\Startup

Acrobat Assistant.lnk
desktop.ini
Lexmark X125 Settings Utility.lnk
Microsoft Office.lnk
desktop.ini
Keylogger Hunter.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top