Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Kelogger


  • This topic is locked This topic is locked
4 replies to this topic

#1 lonely_salvation

lonely_salvation

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2005 - 03:39 PM

Hi, I have been playing an online game for a few months now, and have had my account hacked 3 times :-( I have good reason to believe this is the result of a keylogger installed on my system, as I change my password all the time, but I have been unable to find a keylogger :-( I'd be very grateful if someone could help me find and eliminate this problem, as it's driving me crazy! :-( Here is a copy of my Hijackthis log

Logfile of HijackThis v1.99.0
Scan saved at 20:34:07, on 28/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\isass.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Fiona.HOME\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Internet Security Pack] C:\windows\system32\isass.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\System32\iexplorer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:39 AM

Posted 28 February 2005 - 10:28 PM

Hello lonely_salvation and welcome to BleepingComputer.

I don't see any keyloggers, but C:\windows\system32\isass.exe is most likely Backdoor.Futro.


Your log shows that you are seriously behind on windows updates. It is essential that you update your operating system as otherwise any infections we remove could reoccur. Go to Windows Update and if it asks to install software, allow it to do so. Install the offered Critical and Security updates, reboot as requested and return until you have installed all available Critical and Security updates.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [Internet Security Pack] C:\windows\system32\isass.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll,DllInstall

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders if found:

C:\windows\system32\isass.exe <--File
C:\DOCUME~1\FIONA~1.HOM\LOCALS~1\Temp\se.dll <--File

If any of these resist being deleted, boot into Safe Mode and try from there. Then reboot back into normal mode.


Please download DLLCompare.exe to your desktop.
http://www.bleepingcomputer.com/files/dllcompare.php.

Double click on DLLCompare.exe to run the program. When it is open, click on the Run Locate.com button. When that has completed, click on the compare button and then finally on the make log button. Post the contents of the resulting log as a reply to this topic.


You are using a slightly outdated version of Hijackthis. Please download and install the newest version, v1.99.1, from this HijackThis download site.


Post the DLLCompare log file along with a new HJT log.

Edit: Also please navigate to C:\WINDOWS\System32\iexplorer.exe, right click on the file and select Properties. Post the file size and any pertinant information under the Version tab.

Edited by ddeerrff, 28 February 2005 - 11:48 PM.

Derfram
~~~~~~

#3 lonely_salvation

lonely_salvation
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 01 March 2005 - 06:28 AM

Hi, thanks for all your help, here's my updated logs, and this may sound stupid, lol, but I can't find the iexplorer.exe file, it doesnt appear in system32, and I've done a search of my C: drive for it. I have "Show Hidden Files" checked, and file extensions not hidden. So I've no idea what that means, but I guess it's not good!


* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\iexplo~1.dll Wed 28 Jul 2004 15:17:10 A.SH. 65,024 63.50 K
________________________________________________

1,161 items found: 1,161 files (1 H/S), 0 directories.
Total of file sizes: 229,433,470 bytes 218.80 M

Administrator Account = True

--------------------End log---------------------



Logfile of HijackThis v1.99.1
Scan saved at 11:23:16, on 01/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fiona.HOME\Desktop\DllCompare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Fiona.HOME\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\System32\iexplorer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109670530717
O20 - Winlogon Notify: iexplorer - C:\WINDOWS\SYSTEM32\iexplorer.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:39 AM

Posted 01 March 2005 - 05:55 PM

1. Download Registrar Lite from here, and install it.

- Once it is installed, double click on the icon that should now be on your desktop. If an icon is not there, then check under the programs section of your Start Menu.

- Copy and paste the below line, into the address field of Registrar Lite:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and press the enter key on your keyboard.

- You will now be presented with new information in the bottom right and left sections and on the right section the key called AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs key and write down the text found in the value field. It is possible that there is no file name in the AppInit_DLLs listed in the key when you double-click on it. Please continue with these steps anyways.

- Exit Registrar Lite.


2. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows


3. Create a new folder on your hard drive called c:\regbackup.


4. Run Registrar Lite again.

- Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple.

- With the Windows key highlighted click on the File menu, and then click on export.

- Enter winkey.reg in the name field and change the Save as Type to Regedit4 standard .reg files (*.reg)

- Change the Save in: dropdown menu to c:\regbackup, then press the Save button.

- With the Windows key highlighted again click on the File menu, and then click on export.

- Enter Winkey.hiv in the name field and change the Save as Type to Regedt32/WinApi hive files (*.hiv,*.dat, *.*)

- Change the Save in: dropdown menu to c:\regbackup, and then press the Save button.

- When both backups are successfully saved, right-click on the highlighted Windows key and click on the rename option. Rename the Windows key to Windows1.

- With Windows1 highlighted, look in the right section and double-click on AppInit_DLLs and clear the text in the Value field. That is the dll you have seen previously in Step 4. If a file name does not exist there, then just press the OK button.

- Rename Windows1 back to Windows and exit the Registrar Lite.


5. Reboot your computer.


6. When you are back at your desktop, navigate to the c:\regback folder. Double-click on the winkey.reg file. When it prompt if you would like to import/merge the data press the Yes button


7. Run Registrar Lite again

- Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple.

- While the Windows key is selected (highlighted purple/blue) in the left window, click on File and them Import.

- Browse to c:\regback and select the winkey.hiv file that we created earlier and press the Open button. Then press the OK button.

- Now double-click on the AppInit_DLLs key in the right section of the windows and clear the text in the Value field. If their is no DLL listed there, then just press OK.

- Exit Registrar Lite


8. Now download Cwshredder from here.

- After you download the program, unzip it into the directory c:\cwshredder. Make sure all browser windows are closed and double-click on the cwshredder.exe to start the program.

- Next click on the FIX button, not the Scan Only button, let it scan your computer. When it is done, exit the program.


9. Next, using Internet Explorer, run both of these two online virus scans:

http://housecall.antivirus.com/

http://www.pandasoftware.com/activescan/


10. Please download and install the latest version of Ad-Aware SE from here.

- When you run the program make sure you update it and then run a full scan and allow it to fix any problems it finds.

- Exit Ad-Aware SE.


11. Finally, check to see if the file found in Step 4 still exists on your computer. If it does, delete it.


Reboot and post a new HJT log.

Edited by ddeerrff, 02 March 2005 - 12:45 AM.

Derfram
~~~~~~

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:39 AM

Posted 17 March 2005 - 02:25 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users