Jump to content

Build Theme!
  • Infected?


Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92137 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Active Keylogger-by Winsoul

  • Please log in to reply
4 replies to this topic

#1 patches


    New Member

  • New Member
  • Pip
  • 5 posts

Posted 25 June 2005 - 03:30 AM

Spysweeper found "Active Keylogger" (also known as "System Monitor") made by Winsoul, on my computer. This had to be installed by a remote computer as I am the only person with physical access to my computer. There has been evidence indicating that someone was remotely accessing my computer for along time, but no other spy detection programs found this program until I got Spysweeper. Is there anyway to findout when this program was put on my computer and who did it. Are there any identification numbers or other tracking methods? There are no boyfriends and no husband who would be interested in the contents of my computer. It is important that I find out when, and if possible who did this. Help would be appreciated. Patches :(


Register to Remove

#2 Micah_6:8


    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 25 June 2005 - 07:48 AM

Welcome to TomCoyote.org, Patches :)

Click on the link below to read about Active Keylogger by Winsoul:

Active Keylkogger by Winsoul

Is it possible the sofware was already on your machine when you received it?

Furthermore, it is possible that is is present but not "active".

Do you have a firewall on your PC to protect it while online? If not, it is possible the software was deposited on your machine remotely.

If that program is on your machine, look for this folder:

C:\program files\active key logger <--- FOLDER

If you <right-click> on it, and choose Properties, you can find the date/time of it's creation. I'm afraid finding out the "Who" part of your request may be much harder.

Please do this:

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Download HijackThis into this folder.

If required a tutorial is here = Hijackthis Folder Tutorial

Links to Hijack This! v 1.99.1:


Run it from that folder.

Click "Scan".


Click "Save log".

Reply to this thread, and "copy/paste" the ENTIRE CONTENTS of the log file into this thread.

I will examine the log for evidence of remote hacking programs.

Edited by Micah_6:8, 25 June 2005 - 07:50 AM.

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 patches


    New Member

  • New Member
  • Pip
  • 5 posts

Posted 05 July 2005 - 06:02 AM

Dear Micah:

Thank you for the welcome and the help! :) I appologize for the delay in getting this information to you. I appreciate all the help you can give. If I should have restored the programs that are in quarantine, let me know and I will do that before you spend time on this. I have tried to include information that may be of help.

The active keylogger could not have been on the computter when I got it. My son had it built to order by Compaq and this was not among the programs on the invoice.

The page in etrust's encyclopedia indicates that this keylogger origninated in 2003. I got the computer in 2000. I have also found "Webmailspy". (I believe that was the name). It is a commercial email spy. Both word documents and emails have often just disappeared while I was working on them, probably due to these programs. There would be just a click and they would be gone. Often I wasn't even near the computer when it happened.

I believe that neither "Active Keylogger" nor the email spy would appear in the registry because they have been quarantined by Spysweeper and by another spyware detector. I have had no indications for alittle over a year that spyware was being used, but I still need to know when and who put it on my computer.

Should I have restored these before running the HJT scan? If so, I could restore them and run the scan again. I have had to transfer Zone Alarm alerts and logs to a cd because my c drive was full. Should I have restored them before the scan?

I believe that "At Hoc" and "Backweb" r Backweb lite" were originally used when the problems began in 2001. I knew nothing about computers when this started and did not have a firewall or spy detectors. I only had Mc Afee virus scanners.

One reson that I believe that Backweb was being used is that after I got a firewall and the intrudersd apparently get into my computer, I got an email with the subject line saying "stop storytelling" or something similiar. Backweb has a story program. Thy apparently could not get into my computer then and used my stepfather's name, that they had to have gotten from my computer, to get by my email block. The header showed a different path from that that an email from him would have been transmitted.

Other evidence that someone has had access to my computer include, but are not limited to: a statement made in aol instant messenger appeared the next day in a word document; a person familiar with computers asked me in an email, whether the intruder had obtained my user name. I said "no" but the next day a folder with my user name appeared on my desktop. Prior to that time, my user name had been altered in the pwl file, making it impossible for me to get online for about 3 weeks. I have been unable to access public websites that I needed for a project that I was working on. Now I know thwt this could have been done through my "hosts" file. Files and documents have been altered and deleted. There have been a couple of times when sentences have been flashed across the screen. My computer has become inoperable at crucial times and after the time for doing things had expired, it would start working again for no apparent reason. etc, etc....

I have transferred files. that might have helped in identification, from my computer to floppies and cds both because my C drive was full and because some of the files might have been dangerous. I have emails that were very large, (in excess of 300 bytes , but had no message or other thing to account for the size. When I tried to send them to a floppy or other email account, they had been reduced in size to just a few bytes, indicating that files had been deposited in my computer, even though no attachments were shown. I did find one file that was deposited, but did not open it. I believe it was entitled "ewolken".

My "Event System " (ES log" shows the following messages repeatedly beginning in 7/2000, which could have been when my computer was first accessed, to 6-12-05. I believe that the entries from 2000 through 2004 were from intruders. More recent one are probably because my ISP has been changed without my permission , from MSN to "UUnet" and everything goes through DNS.
Many of the earlier messages Iin the ES log were entered on a daily or almost daily basis. Rhe following messages were repeqted many, many times until 2004.

"4099 The COM+ Event System could not determine the name of the current user. A call to GetUserName returned error code 1245: "The operation being requested was not performed because the user has not logged on to the network. The specified service does not exist. "

4097 The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80080005 from line 39 of D:\n3\private\es\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. "

I did not find this log until after product support ended for my computer and cannot find out what the error codes mean.

I did not have a firewall for along time, but then used "Tiny Personal Firewall" and now use Zonealarm, AV, and Spysweeper, and Spybot". Different programs seem to pick up different spys. All but Spysweeper have been corrupted, possibly by something connected with the 198 address listed above.

The keylogger and email spy and "AtHoic" have never been listed in any program files or in the "Add/remove" program, so I cannot find them per your instructions. I have all files showing (none hidden) and they do not appear anywhere except in places in the registry where the spy programs found them. Yes, I believe that they were installed remotely and probably by something placed in the computer prior to my knowing about firewalls, etc. At hoc was put in my computer on 3/27/01. I can't find where the keyloger and email spy has been stored in quarantine so I cannot tell when they were put on the computer and don't know if it would show a correct date since it might have changed when quarantined.

Some zonealarm alerts appear to show that some thing is transmitting from my computer. Some results look like the computer accessing my computer and my computer have the same IP address. WBEM runs in several programs, including office. I don't know what this program is, but it seems to collect information.

I think I have answered most of all your questions and I hope the above helps. The following is the log from HJT.

Thank you very, very much for your help. As you can tell, I need all the help I can get!!!! :(


Logfile of HijackThis v1.99.1
Scan saved at 4:12:28 AM, on 7/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...=search&LC=0409
F1 - win.ini: run=lxdboxcp.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANT MESSENGER\AIM.EXE
O9 - Extra button: Girafa - {78A7D3B4-23E3-11D4-A682-0050DA502650} - C:\PROGRAM FILES\GIRAFA\GIRAFABAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by23fd.bay23....ex/HMAtchmt.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...432/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

#4 Micah_6:8


    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 06 July 2005 - 07:26 PM

Sorry I took so long to reply... My Wife and Daughter have been playing a new game the past few days, so my PC time has been limited. :oops:

The log file you posted is free of amy signs of any "malware" or anything bad. I was going to suggest the online virus scans from Trend-Micro and Panda, but it looks like you've already been there.

About WBEM:


Something you can live without, but I don't see it in the log.

I would think that unless someone is sneaking thru your firewall, that you're looking "good to go" - nothing bad is showing up in the log file.

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#5 patches


    New Member

  • New Member
  • Pip
  • 5 posts

Posted 06 July 2005 - 08:18 PM

Micah Thank you!! Patches

Related Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users