
ZoneAlarm notes programs asking to log keystrokes

Discussion in 'Security and Privacy' started by dumarest, 2006/02/02.

  1. 2006/02/02
    dumarest

    dumarest Inactive Thread Starter

    Joined:
    2005/02/15
    Messages:
    5
    Likes Received:
    0
    :confused:
    I am on WIN-XP and have ZoneAlarm, latest version. Frequently, sometime after I log on, I get an alert that Windows Messenger is requesting permission to log keyboard and mouse action. I deny it, but what is Messenger doing to make such a request, and should I accept the request? I use Netscape as browser.
     
  2. 2006/02/02
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    dumarest

    You should DENY the request - there is a possibility that you have an unwelcome keylogger on your system.

    I suggest you run HijackThis and post the log here....

    Download HijackThis through Quicklinks in my signature, save it to a folder on your hard drive, not to the desktop or a temporary location. Run it and post the log here.
     


  4. 2006/02/07
    dumarest

    dumarest Inactive Thread Starter

    Joined:
    2005/02/15
    Messages:
    5
    Likes Received:
    0
    The HiJack file

    Downloaded, turned off many of the startup programs [ZoneAlarm, AdSubtract, et cetera] and ran it. Here is the file - well, maybe - no attachments allowed - can I put it in a place where a link will work?
     
  5. 2006/02/07
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    dumarest--Did you follow the procedure suggested here
    http://www.windowsbbs.com/showthread.php?t=37074 ?
    In any event you can just Copy and Paste the HJT file in a post. No need to "attach".
    It also is not clear why you uninstalled all those other programs. You certainly do not want to be using the Internet without a firewall, for example.
     
    Last edited: 2006/02/07
  6. 2006/02/07
    dumarest

    dumarest Inactive Thread Starter

    Joined:
    2005/02/15
    Messages:
    5
    Likes Received:
    0
    HiJack This

    HiJack This was of course downloaded - then I got off the internet for the test. I did not uninstall the programs, just turned them off for the test.

    The log.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:25:26 PM, on 2/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Intel\BootStrap Agent\Bsa.exe
    E:\Program Files\Intel\LDCM\bin\IIDS.exe
    P:\Program\Norton\NSW2005\Norton AntiVirus\navapsvc.exe
    P:\Program\Stomp\STOMP7\NMSAccess.exe
    P:\Program\Norton\NSW2005\Norton AntiVirus\IWP\NPFMntor.exe
    P:\Program\Norton\NSW2005\NORTON~1\NPROTECT.EXE
    P:\Program\Stomp\STOMP7\NSENGINE.exe
    E:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    P:\Program\Norton\NSW2005\NORTON~1\SPEEDD~1\NOPDB.EXE
    E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Intel\DMI\BIN\WIN32SL.EXE
    E:\Program Files\Raxco\PerfectDisk\PDSched.exe
    E:\Program Files\Intel\LDCM\bin\ssm.exe
    E:\Program Files\Intel\LDCM\ci\cimgr\CiMgrLdr.exe
    E:\PROGRA~1\Intel\LDCM\CI\CIMGR\CIMGR.EXE
    E:\Program Files\ahead\InCD\InCD.exe
    E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\Program Files\Messenger\msmsgs.exe
    P:\Adobe\Acrobat\Distillr\acrotray.exe
    P:\Program\WinZip\WZQKPICK.EXE
    P:\PROGRAM\WINZIP\winzip32.exe
    E:\WINDOWS\system32\NOTEPAD.EXE
    P:\Program\HiJack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - P:\Program\Norton\NSW2005\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - P:\Program\Norton\NSW2005\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [InCD] E:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] E:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "E:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "P:\Program\Stomp\STOMP7\NbkCtrl.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] P:\Program\ZoneAlarm\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [xReminder Pro] "P:\Program\xReminder\xRemind.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] P:\Program\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: AdSubtract.lnk = P:\Program\AdSubtractPro\AdSubtract\adsub.exe
    O4 - Global Startup: Acrobat Assistant.lnk = P:\Adobe\Acrobat\Distillr\acrotray.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = ?
    O4 - Global Startup: Desktop Application Director 10.lnk = P:\Program\COREL\Programs\DAD10.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = P:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - E:\Program Files\Net2Phone\Net2fone.exe
    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - E:\Program Files\Net2Phone\Net2fone.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel Bootstrap Agent - Intel Corporation - E:\Program Files\Intel\BootStrap Agent\Bsa.exe
    O23 - Service: Intel CI Manager - Intel(R) Corporation - E:\Program Files\Intel\LDCM\ci\cimgr\CiMgrLdr.exe
    O23 - Service: Intel IIDS - Intel(R) Corporation - E:\Program Files\Intel\LDCM\bin\IIDS.exe
    O23 - Service: Intel SSM - Intel(R) Corporation - E:\Program Files\Intel\LDCM\bin\ssm.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - P:\Program\Norton\NSW2005\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - E:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMSAccess - Unknown owner - P:\Program\Stomp\STOMP7\NMSAccess.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - P:\Program\Norton\NSW2005\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - P:\Program\Norton\NSW2005\NORTON~1\NPROTECT.EXE
    O23 - Service: NsEngine - Unknown owner - P:\Program\Stomp\STOMP7\NSENGINE.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDSched.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - E:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - P:\Program\Norton\NSW2005\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - P:\Program\Norton\NSW2005\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: win32sl - Smart Technology Enablers - E:\Program Files\Intel\DMI\BIN\WIN32SL.EXE
     
  7. 2006/02/10
    dumarest

    dumarest Inactive Thread Starter

    Joined:
    2005/02/15
    Messages:
    5
    Likes Received:
    0
    Log of analysis

    Fine, the entire log posted, and no one has looked at it [or at least, if looked, no comment or advice].:mad:
     
  8. 2006/02/10
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    dumarest

    I am sorry to hear that you have had no response to your HJT log - fact is there are very few members on the Board at the moment who can analyse these logs. However, my inexperienced (HJT) eye does not see any immediate problem.

    A spot of Googling has brought up the fact that ZA is inclined to accuse any program of keylogging - see these URLs ....


    http://blogs.pcworld.com/staffblog/archives/001116.html

    http://www.dslreports.com/shownews/66137

    I suspect that the warnings you see are false.

    I suggest you uninstall ZA and give Sunbelt Kerio Personal Firewall a spin - I have used this for years (as Kerio - now Sunbelt Kerio) on my main desktop with no problems. The download is the full version which reverts to a reduced, but highly effective, free version after 30 days.
     
  9. 2006/02/10
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    Hi Pete

    I know that ZA Pro has this sort of "problem" but I've never experienced this with their free version.

    As for Kerio... don't you find it more difficult to configure than ZA free? I looked at it, given the fact that I'm a CounterSpy user (Sunbelt) but found it to be confusing. When I asked for assistance, I received the message to look at their Help Files .... a very long and somewhat complicated manual. Finally, I just gave up, uninstalled it and returned to ZA free which has served me well for five years. After all... why mess with success? ;)
     
  10. 2006/02/10
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Hi James

    I can't say that I've had any problems configuring Kerio to my needs - I always use the learning mode and respond as appropriate to the popups. Last time I checked on Shields Up the computer was fully stealthed.
     
  11. 2006/02/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    HJT log analysers are very thin on the ground at the moment. To my inexperienced eye your HJT log is clean. I suspect you are seeing false positives and suggest you follow my suggestion in post #7.
     
  12. 2006/02/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I have been out of the malware loop for awhile, I do see this for removal. It appears to be an orphan, but was put there as a result of a previous infection of Coolwebsearch.

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
     
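As an added example (not a tool from the thread, from Zone Labs or from the HijackThis project), here is a small Python triage script that applies the checks an analyst makes first on an HJT v1.99 log of the kind dumarest posted, and that also surfaces the orphaned O8 context-menu entry markp62 points out. It flags O2 BHOs whose DLL is missing, an R1 proxy setting that routes the browser through a local port, O23 services with no company name, and any O8 item calling out to a host not on an allowlist. The sample lines are copied from the log above (plus one clean O4 line); the allowlist of acceptable O8 hosts is an assumption and is left empty, so every internet-bound O8 entry is reported.

```python
"""Minimal triage of a HijackThis (HJT) v1.99 log.

Added example for the thread above; not HJT's own analysis logic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in the thread, plus one
# ordinary O4 line, so the script runs offline without a real HJT scan.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O23 - Service: NMSAccess - Unknown owner - P:\Program\Stomp\STOMP7\NMSAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
LOCAL_PROXY_RE = re.compile(r"(?:localhost|127\.0\.0\.1):(?P<port>\d{1,5})", re.I)
URL_RE = re.compile(r"https?://\S+")

# Assumption: hosts an O8 context-menu item may legitimately point at.
# Empty here, so every internet-bound O8 entry is surfaced for review.
ALLOWED_O8_HOSTS = frozenset()


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section tag, e.g. "O2"
    line: str    # the raw log line
    reason: str  # why an analyst should look at it


def parse_entries(text):
    """Yield (kind, body, raw_line) for every HJT entry line; skip headers/blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def check_entry(kind, body):
    """Return a reason string if the entry deserves a look, else None."""
    if kind == "O2" and body.endswith(" - (no file)"):
        return "orphaned BHO: CLSID is still registered but the DLL is gone"
    if kind == "R1" and ",ProxyServer = " in body:
        m = LOCAL_PROXY_RE.search(body)
        if m:
            return (f"browser traffic goes through a local proxy on port "
                    f"{m.group('port')}; confirm which process listens there")
        return "explicit proxy server configured; confirm it is expected"
    if kind == "O23" and " - Unknown owner - " in body:
        return "service binary carries no company name; verify its origin"
    if kind == "O8":
        m = URL_RE.search(body)
        host = urlparse(m.group(0)).hostname if m else None
        if host and host not in ALLOWED_O8_HOSTS:
            return (f"context-menu item calls out to {host}; remove it if the "
                    f"toolbar that installed it is no longer present")
    return None


def triage(text):
    """Run every check over the log and return the list of findings."""
    findings = []
    for kind, body, line in parse_entries(text):
        reason = check_entry(kind, body)
        if reason:
            findings.append(Finding(kind, line, reason))
    return findings


def findings_by_kind(findings):
    """Count findings per HJT section tag (handy for a quick summary)."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

None of these flags is a verdict on its own. The local-proxy hit in particular is exactly what an ad-filtering proxy such as the AdSubtract the poster runs looks like in an HJT log; on the machine itself, `netstat -ano` shows which PID owns port 1035 and settles it. Orphaned "(no file)" BHOs and a context-menu item whose toolbar is gone do nothing, but they are the residue markp62 describes and are safe to remove.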
