Is This Website A Keylogger?


  • Please log in to reply
7 replies to this topic

#1 skajt

Posted 05 September 2007 - 11:02 PM

Is there any way to check if this particular website is a keylogger without risking infection/actually going on the website?

www.gamerains.com <-- don't click on this if you don't know what you're doing

Someone posted a link to a file download (like gamerains.com/downloads/movies/movies.zip) which was a keylogger, so I went on the actual gamerains.com site out of curiosity, which I know is extremely stupid. I came up with a blank page with a little dot in the top left corner, and I checked the source code and it had a javascript thing or something as the only thing on the page.

So I'm guessing I'm infected now? I'm running AVG atm, but can anyone check if the actual main site, gamerains.com, is even a keylogger without actually clicking on it or something? Since the poster didn't actually link to it, but rather to a file on the site.


#2 annabackwards

Posted 05 September 2007 - 11:24 PM

I have no idea if that site has a keylogger, but I would suggest that you take some preventive measures just in case.

Please download the program KL-Detector from here.

Run the program and follow the prompt's instructions. Then post all the results the program finds here (if any), so that an expert will be able to advise you on what to do.

#3 skajt (Topic Starter)

Posted 06 September 2007 - 12:24 AM

This is a reaaally reaaally long results page, should I post it all?

well here's the report, I won't post the full report I guess

KL-Detector has found some suspicious files:
C:\Windows\System32\config\SOFTWARE
C:\Users\Simon Pan\AppData\Roaming\Mozilla\Firefox\Profiles\4cl2jloc.default\sessionstore-1.js
C:\Users\Simon Pan\AppData\Local\VirtualStore\Program Files\mIRC\mirc.ini
C:\Users\Simon Pan\AppData\Local\Mozilla\Firefox\Profiles\4cl2jloc.default\Cache\3C081DA7d01
C:\Users\Simon Pan\AppData\Roaming\Mozilla\Firefox\Profiles\4cl2jloc.default\cookies-1.txt

Please check; someone might have installed a keylogger on your computer!


You MAY want to take a look at:
C:\Users\Simon Pan\AppData\Local\Microsoft\Windows\
C:\Windows\System32\config\
C:\Users\Simon Pan\
C:\Windows\Prefetch\
C:\Users\Simon Pan\AppData\Local\Mozilla\Firefox\Profiles\4cl2jloc.default\Cache\
C:\Users\Simon Pan\AppData\Roaming\Mozilla\Firefox\Profiles\4cl2jloc.default\
C:\Users\Simon Pan\AppData\Roaming\Mozilla\Firefox\Profiles\
C:\Users\Simon Pan\AppData\Local\VirtualStore\Program Files\mIRC\
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\
C:\World of Warcraft\Cache\WDB\enUS\
C:\Users\Simon Pan\AppData\Local\Mozilla\Firefox\Profiles\4cl2jloc.default\

Edited by skajt, 06 September 2007 - 12:28 AM.


#4 tg1911

Posted 06 September 2007 - 12:57 AM

Linkscanner didn't find any exploits, at www.gamerains.com.

#5 skajt (Topic Starter)

Posted 06 September 2007 - 01:12 AM

Hmm, that's a relief. Do you know how accurate it is?

#6 tg1911

Posted 06 September 2007 - 01:38 AM

I use Linkscanner all the time, and it hasn't steered me wrong, yet.
But, nothing is 100%. :thumbsup:

#7 annabackwards

Posted 06 September 2007 - 02:02 AM

I think your comp is fine, isn't that a relief?

Have a great day:)

#8 HIPPO1023

Posted 06 September 2007 - 04:09 AM

Result of investigation: gamerains.com

General Information
[Title]
The information is not valid.

[Actual URL]
gamerains.com/Index.htm

[IP address]
74.86.68.129

[Reversed IP Address]
nuo.cn

[Screenshot(Click to enlarge)]
Information cannot be acquired.

Detailed information

[Web server]
Country : United States
City : Dallas

Domain information of gamerains.com

[Registrant]
lcd
1459 norfolk ct
Ponder, Texas 75002
United States

[Domain Name]
GAMERAINS.COM

[Administrative Contact]
Blackwell, Carin
lcd
1459 norfolk ct
Ponder, Texas 75002
United States
9725424465 Fax --

[Technical Contact]
Blackwell, Carin
lcd
1459 norfolk ct
Ponder, Texas 75002
United States
9725424465 Fax --

[DNS Servers]
NS35.DOMAINCONTROL.COM
NS36.DOMAINCONTROL.COM

[Created]
03-Aug-07

[Expires]
03-Aug-08

[Record last updated]
03-Aug-07

Contact information of 74.86.68.129

[Organization]
Address : guangzhou
City : guangzhou

[Record last updated]
20070722

Other information

[Blacklist Decision Results gamerains.com]

mailpolice(Blacklist of Phishing sites provided by Nebularis(private company))==== safe
Mail Security(Blacklist of Phishing sites provided by MailSecurity(private company))==== safe
mailpolice(Blacklist of the adult sites and Spammers provided by Nebularis(private company))==== safe
The spamhaus project(Spammer Blacklist generated by Spamhaus(Non-profit organization))==== safe
SpamCop.net(Blacklist generated by SpamCop volunteer-community)==== safe
Bill Stearns' web site(Blacklist of Spammers provided by Bill Stearns and WIlliam Stearns)==== safe
Abuse Butler(Blacklist of Spammers provided by Andy Warner)==== safe
Joe Wein's Homepage(Blacklist of Spammers provided by Joe Wein, Dijkxhoorn)==== safe
RBL.JP(Blacklist of Spammers provided by Hart Corp. and volunteers)==== safe
Google API(Result by Google Safe Browsing API)==== safe
SCO/Spamip(Blacklist of Spammers provided by Source Checker Online)==== safe
SCO/OneClick(Blacklist of Phishing sites provided by Source Checker Online)==== safe
SCO/KikenUrl(Blacklist of websites containing Malware/Script provided by Source Checker Online)==== safe

***********************************************************************

I think this site is basically fine.

Edited by HIPPO1023, 06 September 2007 - 04:12 AM.
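One way to read a report like the one above, as an added example that is not part of this thread: a small Python triage that parses the bracketed sections, works out how old the domain was on the day of the check, and collects the blacklist verdicts, so a row of "safe" results is weighed against the domain being only a few weeks old and the IP contact sitting somewhere other than the registrant. The report text is a constructed, compacted excerpt with the personal contact details left out, and the 90-day "young domain" threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed excerpt of the report quoted in post #8, compacted to the fields read here.
REPORT = """\
[Domain Name]
GAMERAINS.COM
[Created]
03-Aug-07
[Registrant]
United States
[Organization]
City : guangzhou
[Blacklist Decision Results gamerains.com]

Google API(Result by Google Safe Browsing API)==== safe
SCO/KikenUrl(Blacklist of websites containing Malware/Script provided by Source Checker Online)==== safe
The spamhaus project(Spammer Blacklist generated by Spamhaus(Non-profit organization))==== safe
"""

HEADER = re.compile(r"^\[(.+)\]$")                   # "[Created]" style section headers
VERDICT = re.compile(r"^(.*?)\(.*\)====\s*(\w+)$")   # "list name(description)==== safe"


def parse_sections(report):
    # Group the report into {header: [non-blank body lines]}; blank lines are skipped.
    sections, current = {}, None
    for line in map(str.strip, report.splitlines()):
        m = HEADER.match(line)
        if m:
            current, sections[m.group(1)] = m.group(1), []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def triage(report, checked_on, young_days=90):
    """Summarise what the report actually tells a responder, beyond a row of 'safe'."""
    s = parse_sections(report)
    day = lambda txt: datetime.strptime(txt, "%d-%b-%y").date()   # the report's date format
    age = (day(checked_on) - day(s["Created"][0])).days
    bl_key = next(k for k in s if k.startswith("Blacklist Decision Results"))
    verdicts = {m.group(1).strip(): m.group(2).lower()
                for m in map(VERDICT.match, s[bl_key]) if m}
    registrant, host = s["Registrant"][-1], s["Organization"][-1].split(":")[-1].strip()
    notes = [f"domain registered only {age} days before the check"] if age < young_days else []
    if host.lower() not in registrant.lower():   # crude; a real check would geolocate both sides
        notes.append(f"IP contact location ({host}) differs from registrant ({registrant})")
    return {"domain": s["Domain Name"][0].lower(), "domain_age_days": age,
            "blacklists_checked": len(verdicts), "notes": notes,
            "blacklist_hits": [n for n, v in verdicts.items() if v != "safe"]}
```

Run against the excerpt with `triage(REPORT, "06-Sep-07")` (the date of the thread) and the result is zero blacklist hits but a 34-day-old domain and a registrant/host location mismatch, which is why "no blacklist lists it yet" is weak evidence on its own.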
