
Keylogger


7 replies to this topic

#1 Dishmo

Dishmo

  • Members
  • 4 posts

Posted 30 April 2008 - 11:45 AM

Hey, I'm quite inexperienced with malware and such but I hope someone can help me out.

Problem:
A couple of weeks ago I was browsing some forums and I think I clicked on a keylogger link.
I downloaded Spybot - search & destroy and it checked for malware and such. It found some malware which it removed, but I'm not sure how effective it is.

I'm clueless what to do next.

I'm running on windows XP.

Any help is appreciated.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 April 2008 - 12:41 PM

Hello, please run SuperAntiSpyware from safe mode after install and update. Perform a complete scan and post back the log for review if you wish.
Follow with ...
Download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.

Let us know.
EDIT: Forgot to say Welcome to BC !!!

Edited by boopme, 30 April 2008 - 12:42 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Dishmo


Posted 30 April 2008 - 04:45 PM

Hello again.
Okay, so I used the SuperAntiSpyware program to scan the computer.

SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2008 at 10:41 PM

Application Version : 4.0.1154

Core Rules Database Version : 3450
Trace Rules Database Version: 1442

Scan type : Complete Scan
Total Scan Time : 00:30:46

Memory items scanned : 142
Memory threats detected : 0
Registry items scanned : 5422
Registry threats detected : 0
File items scanned : 21445
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\ERIK\Cookies\erik@cgi-bin[2].txt
C:\Documents and Settings\ERIK\Cookies\erik@atdmt[1].txt

Adware.WhenU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{619781AC-CF96-4B2F-8E58-2353903809FC}\RP400\A0395149.EXE



Then I ran the AVG anti-rootkit and "Searched for rootkits"
It found one thing called:

C:\WINDOWS\System32\Drivers\xxx.SYS

The last part I wrote as xxx because I can't remember exactly (is there someplace you can see it?).
Anyway, when I had removed it and rebooted the computer I scanned it again with "search for rootkits" just to be sure, and it found the following:

C:\WINDOWS\System32\Drivers\xxx.SYS

The xxx part was not exactly the same, but some seemingly (to me) random letters.
It was exactly the same with the "perform in-depth search" part.

Thanks for replying :thumbsup:

#4 boopme


Posted 30 April 2008 - 07:41 PM

Spybot is a good tool. Also, I failed to mention that it has a function called TeaTimer. Without explaining it, it prevents a lot of hijacks. But it also sometimes interferes with other malware products. So I want you to temporarily disable it while you run these 2 scans and, if you want, the SAS again. Also I just found that the AVG rootkit scanner is no longer available, hence I could not find out where the log is. So I have another logger detector to run.

KL-Detector

next run MALWARE BYTES

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#5 Dishmo


Posted 01 May 2008 - 07:19 AM

Alright, this is the log from MBAM:

Malwarebytes' Anti-Malware 1.11
Database version: 704

Scan type: Quick Scan
Objects scanned: 37998
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\ERIK\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\ERIK\Lokala inställningar\Temp\blr7bj65.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
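The MBAM log above has a fixed shape (a summary block of "Section Infected: N" counts, then one "Section Infected:" heading per category with "item (Family) -> action." lines under it), which makes it easy to parse when triaging logs pasted into a thread. This is an added example, not part of the original post or of Malwarebytes' own tooling; the sample input is the log posted above, trimmed, and the mismatch check flags a summary count that the detail lines do not back up (for instance, a paste cut off before the end).

```python
import re
from collections import Counter

# Constructed sample: the MBAM 1.11 log posted above, trimmed to the sections that reported detections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.11
Scan type: Quick Scan
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\ERIK\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\ERIK\Lokala inställningar\Temp\blr7bj65.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 2" summary lines and "item (Family) -> action." detail lines.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts)."""
    counts, detections, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
        elif line.endswith(" Infected:"):      # start of a detail section
            section = line[:-1]
        elif section and (m := DETAIL_RE.match(line)):
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
    return counts, detections

def count_mismatches(counts, detections):
    """Sections whose summary count disagrees with the detail lines (e.g. a truncated paste)."""
    seen = Counter(d["section"] for d in detections)
    return {s: (n, seen[s]) for s, n in counts.items() if n != seen[s]}
```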

#6 boopme


Posted 01 May 2008 - 10:01 AM

It appears you had picked up a rogue spyware program and it was removed. Did you try the detector? How is the PC now?

#7 Dishmo


Posted 01 May 2008 - 10:42 AM

I haven't noticed any change on the PC, but there was no real "problems" ( in lack of a better word ) to begin with. I just suspected I had some malware.
Anyway this is the log from Keylogger-detector:

KL-Detector has found some suspicious files:
C:\Documents and Settings\ERIK\Application Data\Mozilla\Firefox\Profiles\1selue72.default\sessionstore-1.js
C:\Documents and Settings\ERIK\Application Data\Mozilla\Firefox\Profiles\1selue72.default\cookies-1.txt
C:\Documents and Settings\ERIK\Application Data\Mozilla\Firefox\Profiles\1selue72.default\history.dat

Please check; someone might have installed a keylogger on your computer!


You MAY want to take a look at:
C:\Documents and Settings\ERIK\
C:\WINDOWS\system32\config\
C:\Documents and Settings\ERIK\Mina dokument\Mina bilder\Paint\
C:\Documents and Settings\ERIK\Application Data\Mozilla\Firefox\Profiles\1selue72.default\
C:\Documents and Settings\ERIK\Application Data\Mozilla\Firefox\Profiles\
C:\Documents and Settings\ERIK\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\1selue72.default\Cache\
C:\Documents and Settings\ERIK\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\1selue72.default\
C:\WINDOWS\Prefetch\

#8 boopme


Posted 01 May 2008 - 10:37 PM

Hello, please run this tool next.
Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
