Thread: Please help; I think I have a keylogger or backdoor program.

  1. #1
    virginian Guest

    Please help; I think I have a keylogger or backdoor program.

    Hi there,
    I am getting messages from Zone Alarm that AOL is trying to monitor my activity by saving keystrokes, etc.
    It first told me that waol.exe is trying to do this, and now it is saying that AOL Dialer is trying to do it.

    These show up in the OSFirewall as "Execution" "Global Windows Hook"


    I also got a barrage of messages that AOL was trying to communicate with virtually every running program (e.g., lsass.exe, winlogon.exe, etc....).

    I also got a barrage of similar messages warning that Ad-watch
    was trying to communicate with every program.
    At the same time, I can no longer download updates to the Ad-watch definitions file.
    I uninstalled Ad-Aware SE and redownloaded the program, but again got the error message when trying to update definitions.
    I tried a second time and was successful with the update.
    However, I then tried to check again for updates (out of curiosity) and have
    gotten the error message again every time I have tried.

    I tried to use system restore to take the computer back to
    an earlier time.
    The restore box comes up and appears to start restoring, but then the bar goes across too quickly, the computer restarts, and I am told that it is impossible to restore to that day.
    I have tried several different days, and it will not restore to any time.
    After I tried to use system restore, Zone Alarm started up but all my settings were gone and it was back to defaults.

    I tried to uninstall AOL, since whatever is going on seems to be trying to use AOL.
    When the add/remove programs list comes up, I click on AOL, and it gives me only one version to remove, and the date on it says I haven't used it since mid-October, even though I use AOL every day.
    I don't think it is letting me delete later versions.

    (I have not tried to delete that version yet...the date bothered me.).

    I ran Ad-Aware, Spybot, and ZA Antivirus and got clean scans.
    However, something is clearly happening here.
    Can you help?
    In case it helps, here is my Hijack This log from tonight.
    You will notice that there are 2 versions of Ad-watch noted.
    When I opened Ad-watch after downloading the new version (and before trying to update definitions on the new version), two identical Ad-watch boxes popped up, along with an alert box with a message in German I could not read.
    One of the boxes said there were 29 running processes, and the other said there were 58.
    When I checked the 58 processes it was reporting, I was able to see that it was registering two copies of each program.
    Also the first entries in the list had question marks next to them (I never noticed if that is normal or not before).



    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\COMMON~1\AOL\116042~1\EE\AOLHOS~1.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\PROGRA~1\COMMON~1\AOL\116042~1\EE\AOLServiceHost.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /waitstart
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160428305\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1159558892341
    O17 - HKLM\System\CCS\Services\Tcpip\..\{97D7AD60-B0E5-4386-BB4C-70E9C3BBB575}: NameServer = 205.188.146.145
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thank you in advance for any help you can offer.
    I am always so grateful this forum is here.
    Virginian





    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Antivirus
    Software Version:6.5
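To triage a HijackThis log of the kind posted above, here is an added Python example (not from the forum, HijackThis or Zone Labs) that splits the log into the running-process list and the "Onn - ..." entries, flags image paths that appear twice (as the poster saw for Ad-Watch.exe), lists the O4 Run-key autoruns and pulls out the O17 name server. The embedded excerpt is constructed from lines of that log; no other input is assumed.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the posted HijackThis log: running
# process paths first, then "Onn - ..." entries, copied from that log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{97D7AD60-B0E5-4386-BB4C-70E9C3BBB575}: NameServer = 205.188.146.145
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
# O4 body: hive, [value name], then a quoted path (args ignored) or a bare path.
RUN_RE = re.compile(r'^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (?:"([^"]+)".*|(.+))$')
DNS_RE = re.compile(r"NameServer = ([\d.,]+)$")


def parse_hjt(text):
    """Return (process image paths, [(section, body), ...]) from a log."""
    processes, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        else:
            processes.append(line)  # lines before the Onn entries are processes
    return processes, entries


def duplicate_processes(processes):
    """Image paths listed more than once (case-insensitive, as NTFS is)."""
    counts = Counter(p.lower() for p in processes)
    return {p: n for p, n in counts.items() if n > 1}


def autoruns(entries):
    """(hive, value name, image path) for every O4 Run-key entry."""
    out = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            out.append((m.group(1), m.group(2), m.group(3) or m.group(4)))
    return out


def name_servers(entries):
    """DNS servers from O17 entries; compare these against your ISP's."""
    found = [DNS_RE.search(body) for section, body in entries if section == "O17"]
    return [m.group(1) for m in found if m]
```

Run the four functions over SAMPLE_LOG to see the duplicate Ad-Watch.exe entry, the two Run-key autoruns and the single name server reported.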

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Please help; I think I have a keylogger or backdoor program.

    Hi

    It is very late for me.

    The HJT looks okay.
    I had a quick look.

    I have had two Ad-Aware SE free discovered once as well. I uninstalled one and there was one still working. Same thing for Firefox. Manual cleanup was the answer. Ad-Aware comes from Germany and has language packs included which explains why there is a German version. Uninstall it and clean up the second one and reinstall it once again.

    The global window hooks are accurate but take these ones lightly. These ones are safe. To explain this better- my Toshiba laptop keyboard is a hook and the touch pad is a hook. Both are safe. The AOL components are connected to give better access to AOL (makes AOL look real good) and it is really not a keylogger. Just a soft for easy access and connection.

    AOL is a tough one to remove. It is everywhere in the OS, both in files everywhere and in the registry. The AOL tool bar probably has to be uninstalled separately as well as the AOL connection application. Try both the Add/Remove and the IE Tools and do a complete file Search in the PC and a complete Find in the registry.

    AOL cleanup tool...

    http://www.majorgeeks.com/MR_Tech_AO...ner_d4535.html.

    Also after using this and before re-installing the Ad-Aware use

    http://www.majorgeeks.com/CCleaner_S...ish_d4191.html

    and reboot and defrag the drive.

    Good night or Good morning.

    Oldsod

    Message Edited by Oldsod on 11-09-2006 01:53 AM
    Best regards.
    oldsod

  3. #3
    virginian Guest

    Re: Please help; I think I have a keylogger or backdoor program.

    Thank you so much, OldSod.
    You have calmed me down, and I appreciate it more than I can express.

    I had someone threaten to hack me a while back, so I do tend to get paranoid about these things.


    Just a couple of things I am still wondering, if/when you get a chance:
    1. Do you know why the global Windows hook messages would occur only now, when I have had AOL and the ZA antivirus/firewall for some time?
    It was these messages out of the blue, along with the barrage of "communication" messages I had never seen before, that scared me and made me think something was wrong or had changed.
    Is there a reason that AOL and Ad-watch would both be trying to "communicate" with every file on my computer now?
    Do you think they are excited about the election and just want to chat????

    (j/k)

    Also, why would AOL be trying to replace or modify a driver?

    2. I will try uninstalling the Ad-aware duplicates and re-installing.

    If that doesn't work, can you think of any other reason that it gives me an error when I try to update?


    3. Since you are saying that AOL is not spying on me, I probably don't actually need to uninstall it, right?
    Is there anything I should be cleaning up if I do keep it?
    It is my main browser now.

    4. I did a search on System Restore and found several sites that advise turning it off, rebooting, and turning it back on.
    I was scared to try that before, because I thought I was hijacked and doing so would erase any restore points that might still be operative.
    But it sounds like you don't think I actually have any malicious programs running.
    So that should work, right?

    I realize I really need to do some of these things to see if they work before asking the questions.
    I just wanted to get my questions down here in case it doesn't work and I forget them.

    Thank you so much.
    I really, really appreciate your taking the time to write me back before you went to bed.


    Sleep well.

    Virginian






  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Please help; I think I have a keylogger or backdoor program.

    Hi

    Nah, neither Lavasoft nor AOL softs can vote, so elections hold little interest.

    1. Was there an update recently of the AOL? Any possible chance that it updated without your knowledge?

    2. Uninstall all of the Ad-Aware plugin, addons, skins and tools, etc first before uninstalling the actual Ad-Aware. Comes out a little cleaner.

    3. If there is a AOL toolbar in the IE, I would uninstall that definitely. It is unrequired and not needed if you have the AOL browser.

    4. Turning off the System Restore and restarting it is good for: cleaning the old files and it is also done to remove any malware that is sitting in the Restore files. If you do turn it off, then use the extra options in the Disk Clean utility to clean them and after enabling the System Restore, keep creating new restore points for a speedy replacement.


    To be sure there is no malware, then use the IE and try a few online scans and/or suggested utilities from spywarewarrior.com or

    http://spywarewarrior.com/sww-help.htm

    Oldsod
    Best regards.
    oldsod

  5. #5
    virginian Guest

    Re: Please help; I think I have a keylogger or backdoor program.

    Sorry it took so long to answer.
    There is a lot going on here, and I haven't had time to try these additional steps yet.
    Thank you so much for all your help.
    I'll write again if I come across any questions.

    Thanks for being here.
    Virginian

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Please help; I think I have a keylogger or backdoor program.

    No problem and please do.

    Oldsod
    Best regards.
    oldsod
