griff_2

hello to everyone,

i have a red dot in my task bar which when moused over says ''your activity is recorded'' i have had this around about two weeks.
i have been in contact with another forum to try and rectify this problem, but unfortunately they were not able to get rid of the dot.
i have run dackards system scanner and posted my log, also hjt log and have run the latest version of spy ware doctor but nothing was discovered.
i also tried to run combofix but the program keeps hanging on the scan screen, so i can't produce a log.

i have goggled the problem and gather it's some kind of parental control also the tech from the other forum told me as much, i haven't knowingly downloaded any parental control software and have looked in all the usual places to uninstall programs but can't see anything like that.

if anyone can help remove this pest i would be very grateful.

thanks Griff.

Strider

I have seen all the posts you mentioned after a quick Google search. So let's start from the beginning again.

1. First of all, go to add/remove programs and remove all the unwanted programs.

2. Now go to Start > Run and Type in msconfig.

a. Click on the Services tab and check the checkbox Hide all Microsoft Services. This will hide all windows related services and you'll get a list of third party services. Uncheck all of them.

b. Now go to the Startup tab and uncheck all the startup.

c. Click OK and restart your PC once prompted.

2. After reboot, just like the other forum guys asked, run hijackthis and post the log.

http://download.bleepingcomputer.com...HJTInstall.exe

2. Then post a screenshot of your desktop so that we can also see the red dot.

Regards..

__________________




Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

griff_2

thank's strider,
here's the log.


Logfile of HijackThis v1.99.1
Scan saved at 17:20, on 2007-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\internet downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

iv'e tried uploading the screen shots but the upload keeps failing, i have tried bmp,rar, word doc.
please advise.

Strider

I can't find anything suspicious in the log. It should be a keylogger with stealth protection if you are seeing it after uninstalling all unwanted programs. But it's showing a notification about the monitoring means it's not a malware but an established security software.

Are you the Administrator of the computer? Is there any other Admin users using your PC, like your parents or friends?

You may upload the screenshot in sites like http://imageshack.us or http://www.tinypic.com

__________________




Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

stuartbe

It sounds like a rootkit may be installed. I would recomend you install this - http://free.grisoft.com/doc/download...otkit/us/frt/0

Then scan the computer and follow it up with a full AV and spyware scan in safe mode.

__________________
There are only 10 types of people in the world, those who understand binary and those who dont !

griff_2

i'll try that guys thanks
griff.

griff_2

here are the screen shots, the first is when moused over, and the second when clicked.

i am an administrator, but all the accounts on the pc are.
there are four accounts including myself my wife and two children. it is possible that my daughter who is the youngest could have done something.
she is only six and usually goes on cbeebies website ect....
my son is older and knows not to download anything without asking first and my wife rarley uses the pc.

I'll try the download that stuartbe suggested and see what happens.
thanks again Griff.

stuartbe

Hmmm..... It looks more like form of parental control software has been installed.

I would allso recomend a diferent antivirus program as personaly I dont think much of Norton AV

When the above box is open if you go into task manager what does it identify itself as ?

NB I dont like the look of the running task "services" does the dot disapear if you end that task ?

__________________
There are only 10 types of people in the world, those who understand binary and those who dont !

griff_2

i tried to end the ''services exe'' in task manager but it won't let me it says it is a critical system process.

i have taken two screenshots of task manager one with the box open and one without, ''i don't realy understand task manager'' see if you can spot anything different.





what i have noticed recently is i have an iexplorer shortcut in my quick launch on the left of the taskbar as you can see in my screenshot but i never had one on my desktop until recently, even though i delete it and have done several times, it keeps reappearing. do you think this could be conected?.

stuartbe

ok. services.exe can be a system proccess but it can allso be a virus, It depends on where exactly the file is running from.

You have a few bits of junk running but nothing to bad. I would sugest at this point you run blacklight on the system and see if it can find anything. - http://support.f-secure.com/enu/home/ols.shtml

This is looking more like either a rootkit or some form of parental control software.

Run the above scanner and see if that finds anything.

__________________
There are only 10 types of people in the world, those who understand binary and those who dont !