Well, if you guys read my post earlier in the week, I caught a bad bug. Now I just did another scan with AVG and it found a keylogger in my System Restore. Problem is, I can't turn off System Restore. Is there any other way for me to turn it off so I can get rid of all the viruses? Here is the AVG report and another HijackThis file:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:53:09 AM 11/3/2006

+ Scan result:

F:\Downloaded Programs\registry clean up and tune up tools\RegDoctor v1.63\RegDoctor_keygen.exe -> Logger.Perfloger.o : No action taken.
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP342\A0041579.exe -> Logger.Perfloger.o : No action taken.
:mozilla.28:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.29:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.30:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.33:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.94:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.95:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.96:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.97:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.98:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 7:56:15 AM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1147911720\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
F:\Games\Warcraft III\Warcraft III\Warcraft III.exe
F:\Games\Warcraft III\Warcraft III\Warcraft III.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147911720\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://usa.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - F:\Tune Up Utilitys\WinStylerThemeSvc.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Hope this helps.
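
A triage pass over the AVG Anti-Spyware report in the post above, added here as an example and not part of the original thread: it parses the "path -> detection : action" lines and separates detections on live files from copies held in a System Restore point and from tracking cookies. The function and bucket names are assumptions made for this example; the sample lines are copied from the report.

```python
import re

# Sample lines copied from the AVG Anti-Spyware report posted above.
REPORT = r"""
+ Scan result:
F:\Downloaded Programs\registry clean up and tune up tools\RegDoctor v1.63\RegDoctor_keygen.exe -> Logger.Perfloger.o : No action taken.
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP342\A0041579.exe -> Logger.Perfloger.o : No action taken.
:mozilla.28:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.94:C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3dozvrpu.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
::Report end
"""

# "[:store:]path -> Detection.Name : action." (the ":store:" prefix marks a cookie entry)
ENTRY = re.compile(
    r"^(?::(?P<store>[\w.]+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$")
# Files under _restore{GUID}\RPnnn\ are backup copies kept by System Restore.
RESTORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.I)


def parse_report(text):
    """Return one dict per detection line; headers and separators are skipped."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rp = RESTORE.search(m["path"])
        findings.append({
            "path": m["path"], "name": m["name"], "action": m["action"],
            "family": m["name"].split(".")[0],
            "cookie_store": m["store"],
            "restore_point": rp["rp"] if rp else None,
        })
    return findings


def triage(findings):
    """Bucket detections by the follow-up each one needs."""
    buckets = {"live_file": [], "restore_point_copy": [], "tracking_cookie": []}
    for f in findings:
        if f["family"] == "TrackingCookie":
            buckets["tracking_cookie"].append(f)
        elif f["restore_point"]:
            buckets["restore_point_copy"].append(f)
        else:
            buckets["live_file"].append(f)
    return buckets


def unresolved(findings):
    """Detections the scanner reported but did not act on."""
    return [f for f in findings if f["action"].lower().startswith("no action")]


if __name__ == "__main__":
    for bucket, items in triage(parse_report(REPORT)).items():
        for f in items:
            print(f"{bucket:18} {f['name']:24} {f['path']}")
```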
Run AVG AntiSpyware, update it for the latest signatures, click on [bold]Scanner[/bold], click on the [bold]Settings[/bold] tab, and under "How to act?" choose [bold]Delete[/bold]. Then click the [bold]Scan[/bold] tab and choose [bold]Complete System Scan[/bold]... After that, post logs from HijackThis and from AVG AntiSpyware...
Did Windows prompt you to find this folder? If yes, then... did you enter [bold]%Windir%\ServicePackFiles[/bold] in the Start->Run entry exactly? I tried and it works... Anyways, it should be located on the hard drive that Windows is installed on: find the folder [bold]Windows[/bold], find the folder [bold]ServicePackFiles[/bold], then there's another folder to go through...
Everything you stated worked, but once I was prompted to find the files I copied and pasted what you wrote on the line and it stated something like "no file found". I can't even type that in the Run inside the Start menu. I can't find any file name of that sort; the ServicePackFiles folder does not exist on my PC. I thought it might be under another name.
A few questions:
1 - Did you ever install SP1a or SP2? I'm not sure, but I think sr.inf came in a service pack. Good reason you can't find a ServicePackFiles folder.
2 - Did you make all your files visible? It could be hiding. It should be in the c:\windows\inf folder. If not, it's going to be in a .cab file somewhere, and that is a pain.
I just looked at the contents of the file and it looks like it makes calls to other files. While small and easy to send to you, I don't think that file by itself will do the trick. I think your best hope is to install one of the service packs if you can't find that file.
I never installed anything. My Dell came with Win XP Professional Media Center Service Pack 2 already installed.
Then it has to be somewhere on the disc that came with the Dell if it's no longer on your computer. I don't know much about Dell recovery discs, but I would think the disc would have an i386 folder. That's where it would be.
Bkf, thank you so much for helping me, but I got another curve ball for you: my Dell didn't come with a disk. "That's what System Restore is for" is what Dell tells me. So now, no disk and no System Restore. Wanna talk about being stuck between a rock and the hardest place on earth? I'm here.
Sounds like the way Dell works. But for another $90 they would be glad to send you a disc. That company should be shot. Guess you're going to have to fight it out with them. Sorry. PS: As if restore does not mess up all by itself. Microsoft even admits it. I have seen my restore points vanish before and I did not have any bugs. It's a known flaw. How can anybody sell a computer without some sort of disc? Start calling them every hour if necessary. Tell them you got a bug and you want them to give you the files you lost. Be professional but also be firm.
PM me with an email address and I'll send you the sr.inf file as a zipped file named sr.zip, 141k in size. Just extract it on your desktop, then right-click on it and click Install. Maybe it will work, maybe it won't, but at this point what have you got to lose? I can't guarantee anything. I wish people would stop buying computers unless there is a recovery disc included, and they should make sure it's in the box.
I have a friend in Ireland who has a Packard Hell, and it sounds similar. The OS has been preinstalled and there is a partition with a system recovery/restore. No install/recovery disc. Pretty strange setup. Maybe the answer to that is to acquire a copy of the particular OS and use your original key. Blend the OS with nLite (with all your drivers and suchlike) and bang, there you have a customised OS for your system. Surely if you have a key from the OEM this would be OK morally.
Chop, sent file; reply when you get it. @joe777, those types of machines are a pain in the butt. So I build my own systems and bought the retail XP disc. That way, even if I lose a hard drive I can reload without all the bull. If I have to reload and the drive is OK, I just blow away the first 64 bytes? (the master boot record) and the hard drive is clean; then I still do a full format before reloading. Weeds out bad sectors, if any.
OK guys, check this out. I called tech support (which was cool, the Indian girl sounded like a hotty). Anyways, we went through some things and come to find out that the System Restore files don't even exist on my computer anymore; it just disappeared, "wonder how that happened". Anyways, then she states that she will send me all the CDs (guess I sound sexy too). I didn't even ask for them, but then I find out that they didn't send them with their systems for a while; now they go out with every new system. Guess they figured they screwed up. So needless to say, by Thursday I should have my CDs, and she is going to send the case # to my email so that when I get the CDs I reply to it and, get this, she will be calling me back (guess I do sound sexy, lol) and finish with fixing the problem. So there you have it: you were all right, but it doesn't help if I don't have the file, lol. So once again I thank you all that participated in my problem, and I'll let you all in on the details when I'm finished.