Please help me remove this keylogger and cracking tool found by PestScan

I apologize for the length.

Some general information to start:

I’m running Windows XP SP2, and browsing with IE 6.0 (no drive-bys please; I use Firefox sometimes, and may consider it more heavily in the future). I regularly update and run Spybot S&D, SpywareBlaster, Ad-Aware 6, Norton Anti-Virus, and the ZoneAlarm firewall. I also make an occasional visit to Trend Micro, Trojanscan.com, and Pestscan.com, the latter of which is where I begin my tale.

I was running Pestscan last night after finding some junk on my system a few months ago. Since then, I have coupled occasional visits to Pestscan.com along with my usual anti-scumware battery as mentioned. I have been clean for a while (as well as running my anti-scumware programs to the hilt, scanning for virii nightly, etc.), which is why I was slightly surprised to find “System Spy - Key Logger” and “Fake CD .99 - Cracking Tool” as found within the status window.

Instead of buying the program they sell to detect and remove all of this stuff, they give you instructions on how to manually remove it by identifying the offending registry key or listing the location of the offending file, features which I have used in the past with good success.

However, my other programs do not find any trace of this whatsoever. Upon manually looking for the registry key, it lists:

hkey_local_machine\software\microsoft\internet explorer\main

I have managed to delete this key, and a subsequent scan reveals nothing. However, a scan after that reveals that the stinkin’ thing came back and I’m back to square one.

I have looked at all of the possible registry keys, locations, running processes, etc. to check (as listed at the diagnostic links [eTrust Pest Patrol Encyclopedia] provided at Pestscan), and I found nothing that matched. I attempted to unregister a DLL, but the file wasn’t found—which I presume to mean “I don’t have it”?

I have tried deleting the offending registry entry in Safe Mode. That didn’t work.

Also, I ran a trojan portscan (and a couple others) at Sygate for good measure; every one was “blocked”, which apparently is ideal.

I have downloaded Task Manager 16, a program that promises to look deep into running processes. Every running process came listed as “harmless” or “seems to be harmless”, with nothing apparently suspicious.

I’d love to try MooSoft’s Cleaner, but I have already used the trial version in the past.

I do remember seeing that System Spy doesn’t run on XP—could this be taken to mean that it wouldn’t work as a key logger on my machine as well?

Basically, my question is how to remove these obviously regenerating files. I’m considering the purchase of Pest Patrol as offered at Pestscan.com, but since money is something of an object these days, I would like to exhaust all avenues in the case that this isn’t a large problem (due to possible incompatibility) as may be suspected.

Again, all other programs (my anti-virus, anti-scumware programs) do not detect these issues.

Many thanks for any help or advice that is provided.

Run HijackThis and post the log here.

From what you describe it does seem likely that the Pestscan result is a false positive.

I had forgotten about HiJack This, which I have. Here is the logfile:

Thanks!

I don’t recognize the following items. Remove them if they aren’t something you intentionally installed.

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

Otherwise it looks clean.

You are running a very old version of HijackThis. Download the current version 1.98.2 and repost the log.

Thanks for the tip. New log:


Logfile of HijackThis v1.98.2
Scan saved at 5:17:12 PM, on 11/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Time is not an herb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://us.i1.yimg.com/us.yimg.com/i/chat/webcam/v110/yvwrctl.cab
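As an added example (not code from this thread, and not a feature of HijackThis), here is a small Python parser for a HijackThis log like the one posted above. It keeps the tagged entries (R0, R1, O2, O4, O9, O16, ...) and extracts the fields that the replies in this thread look at: the CLSID and download source of each O16 Downloaded Program Files control, the command behind each O4 autostart entry, the data of each R0/R1 browser setting, and any item whose target file is marked "(no file)". SAMPLE_LOG is a subset of lines copied from the logs posted in this thread; the function names and the triage rules are this example's own assumptions. The one fact it relies on beyond the page is that hcp:// is the Windows XP Help and Support Center protocol handler.

```python
"""Parse a HijackThis log and pull out what a reviewer checks first.

Added example for this thread, not part of HijackThis. SAMPLE_LOG is a subset
of lines copied from the logs posted in the thread; the triage rules below are
this example's own assumptions about what deserves a second look.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
"""

ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d{1,2}) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<head>.*?) - ?(?P<url>\S*)$")   # url may be empty
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
PAREN_RE = re.compile(r"\(([^)]*)\)")
RUN_RE = re.compile(r"^(?P<where>.*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) ?= ?(?P<data>.*)$")


@dataclass
class Entry:
    tag: str                                   # section tag, e.g. "O16"
    body: str                                  # everything after "O16 - "
    fields: dict = field(default_factory=dict)  # section-specific parse


def parse_dpf(body):
    """O16: '{CLSID} (Name) - URL', 'Name - URL' or '{CLSID} - URL'."""
    m = DPF_RE.match(body)
    if not m:
        return {}
    head, url = m["head"], m["url"]
    clsid, paren = CLSID_RE.search(head), PAREN_RE.search(head)
    name = paren.group(1) if paren else (None if clsid else head)
    return {"clsid": clsid.group(1).upper() if clsid else None, "name": name,
            "url": url, "scheme": url.split("://", 1)[0].lower() if "://" in url else ""}


def parse_run(body):
    """O4 Run-key lines: 'HKLM\\..\\Run: [value name] command'."""
    m = RUN_RE.match(body)
    if not m:
        return {}                # Startup-folder .lnk lines have another shape
    cmd = m["cmd"].strip()
    exe = cmd.split('"')[1] if cmd.startswith('"') and cmd.count('"') >= 2 else cmd.split(" ")[0]
    return {"where": m["where"], "name": m["name"], "cmd": cmd, "exe": exe,
            "has_dir": "\\" in exe}


def parse_reg(body):
    """R0/R1 lines: 'HIVE\\key,Value name = data' (data may be empty)."""
    m = REG_RE.match(body)
    return m.groupdict() if m else {}


PARSERS = {"O16": parse_dpf, "O4": parse_run, "R0": parse_reg, "R1": parse_reg}


def parse_log(text):
    """Return the tagged entries of a HijackThis log, in log order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.rstrip())
        if not m:
            continue             # header lines and running-process paths
        e = Entry(m["tag"], m["body"])
        e.fields = PARSERS.get(e.tag, lambda b: {})(e.body)
        entries.append(e)
    return entries


def triage(entries):
    """Review notes as (tag, reason, detail) tuples; the rules are this example's."""
    notes = []
    for e in entries:
        f = e.fields
        if "(no file)" in e.body:
            notes.append((e.tag, "orphaned: target file missing", e.body))
        if e.tag == "O16" and f:
            if f["scheme"] == "hcp":   # hcp:// is the XP Help and Support Center protocol
                notes.append((e.tag, "Help and Support Center control (hcp://)", f["url"]))
            elif f["url"]:
                notes.append((e.tag, "downloaded control; confirm you used this site", f["url"]))
            else:
                notes.append((e.tag, "no download source recorded", f["name"] or f["clsid"]))
        if e.tag == "O4" and f and not f["has_dir"]:
            notes.append((e.tag, "bare file name, resolved through the search path", f["cmd"]))
        if e.tag in ("R0", "R1") and f and f["data"]:
            notes.append((e.tag, "browser setting to confirm", f"{f['value']} = {f['data']}"))
    return notes


if __name__ == "__main__":
    for tag, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{tag:<4}{reason}: {detail}")
```

Run it on a saved log by replacing SAMPLE_LOG with the file's contents. The parser deliberately does not decide what is malicious: it surfaces the CLSID, the source URL and the autostart command so that each can be matched against what you actually installed, which is the same check the replies above ask for.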

I think you are misinterpreting the Pestscan results. The first thing to notice is that the registry key “hkey_local_machine\software\microsoft\internet explorer\main” is not actually listed as one of the keys that needs to be removed.

Another relevant piece of the puzzle is that this particular subkey is listed in the Microsoft Knowledge Base as a legitimate key. I found it listed in five Knowledge Base articles and none of them give any indication that it is anything other than a necessary and legitimate part of Internet Explorer.

If you’re basing your worry solely on the simple fact that you have this registry key, then I think your worry is unfounded.

In my experience, Pestscan gives false positives. I’ve never found any of the processes, reg keys, files, etc. actually residing on my machine that it says I need to remove to eliminate the “pests” it has found. I’m not saying that you shouldn’t use it, I’m just saying that my experience is that it gives false positives. As always, YMMV.

I had the exact same thing happen to me last night. Since the only evidence of these programs is the registry stuff, which is not even mentioned under the removal instructions, I decided to ignore it.

So, basically, what you all are saying is that if I didn’t find the relevant keys, locations, etc. as listed in the Knowledge Base articles, I don’t have the listed pests?

If so, boy, is that ever a relief.

In any case, I did delete earlier the processes Number didn’t recognize, as I didn’t recognize them either.

I will, based on the experiences related here, keep a critical eye upon PestScan.

Everyone here has helped greatly. Thanks so much!

Hi Joe K
Just thought I’d also add that Pestscan is used as a marketing tool for users to purchase Pest Patrol.
Also ran across this:

From Here.

I remember having that thought last night. I must have, I don’t know, thought that this practice was beneath them. :)

Thanks very much.

You’re most welcome. :)

You’ve been given absolutely solid advice so far, so I’ve very little to add, except to ask if you have the latest versions? Spybot 1.3 and Ad-Aware SE Personal Edition 1.05?

I remember something about the System Restore feature being able to bring back from the dead files that Windows thinks were deleted in error. When I was trying to get rid of the Cool Web Search bug I had to disable SR, otherwise the deleted registry keys came right back as soon as I rebooted.

Another good app is Bazooka. It won’t remove anything automatically, but it will link you to very detailed instructions on how to remove them manually.

I was able to remove a dozen or so things that neither AdAware nor SpyBot could even detect.