Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Certain and intentional infection by Spyware (keylogger?)


  • This topic is locked This topic is locked
4 replies to this topic

#1 fpelicar

fpelicar

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 26 January 2009 - 02:47 PM

Hi everyone,

In a few words: the problem is with a computer that was infected by a person who had physical access to it with some sort of program that allows him to monitor everything done (inlcuding passwords etc). This is 100% certain. No actual symptoms are visible.

Background:
I am helping my friend whos computer is infected since she is not tehnically skilled. Please take this into account when offering solutions, as I can only advise her over the telephone, I dont live in the same city as she does.

Her ex-boyfriend, the over jealous and obviously technical type installed something that allows him full monitoring (maybe access?) to her computer. This is certain as he confessed some information like her recent emails etc. despite her changing passwords frequenetly and several times after last seeing him.

Please help, as this is obviously very important and stresful. Thank you.


DDS (Ver_09-01-19.01) - NTFSx86
Run by pc at 20:34:24.23 on 26/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.734.388 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 090126-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\KGB\Mpk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Documents and Settings\pc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [TPSMain] TPSMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [nMTaskBarService] nMtsk.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mExplorerRun: [Mpk.exe] c:\windows\kgb\Mpk.exe
StartupFolder: c:\docume~1\pc\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://0-site.ebrary.com.libunix.ku.edu.tr/lib/kocuniv/support/plugins/ebraryRdr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-3 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-3-21 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-3-21 352920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-2-13 225792]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-3-21 155160]
R4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
S3 netModUSBlfService;netMod USB Lower Filter Service;c:\windows\system32\drivers\nMUSBlf.sys [2008-3-22 20896]
S3 netModUSBService;Service for netMod USB CAPI Driver;c:\windows\system32\drivers\nMUSB.sys [2008-3-22 45768]

=============== Created Last 30 ================

2009-01-11 12:16 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-09 14:28 <DIR> --d----- c:\program files\AskTBar
2009-01-09 14:26 4,767 a------- c:\windows\Irremote.ini
2009-01-09 13:56 <DIR> --d----- c:\program files\Nero
2009-01-09 13:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-12-31 13:22 3,462 a------- c:\windows\MDVDP.Ini

==================== Find3M ====================

2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-08-09 01:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080920080810\index.dat

============= FINISH: 20:35:04.23 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:03 PM

Posted 27 January 2009 - 05:10 AM

Hi,

Background:
I am helping my friend whos computer is infected since she is not tehnically skilled. Please take this into account when offering solutions, as I can only advise her over the telephone, I dont live in the same city as she does.

Her ex-boyfriend, the over jealous and obviously technical type installed something that allows him full monitoring (maybe access?) to her computer. This is certain as he confessed some information like her recent emails etc. despite her changing passwords frequenetly and several times after last seeing him.

There's indeed a keylogger present. (KGB Keylogger)
As long as this boyfriend still has access to the computer, even though if we remove the keylogger, he would just install it again.
So imho, it would be only a waste of time though. That's why, the best solution in such cases is to talk with eachother - or even go to the police, because the exe boyfriend may not do this.

Anyway, I'll post instructions to get rid of it, which you can use afterwards again in case he reinstalls it.

But first, I need to see an extra log..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fpelicar

fpelicar
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 27 January 2009 - 04:36 PM

He no longer has acces to the computer, this was "left behind" in a sense. The guy is an "ex" in every sense (and for good reasons it seems)

Thank you for the suggested solution, however my friend is quite computer illiterate and as I said, I live elsewhere and can not at this time come personaly to help. The ComboFix part seems rather complicated. I will explains the alternative steps that we took, with my limited knowledge of security issues and my friends limited knowledge whatsoever, hopefully you can advise further.

Having identified the program, I googled it and found several manual removal instructions along with paid removal programs.

This is what we managed to do over the phone:

1. find the KGB folder (it was in C:/windows/kgb/)
2. delete all files inside except 3 of them (access denied, that would mean in use at the moment, right?)
3. "fix" the entry of KGB with Hijack This
4. reboot into safe mode
5. successfully delete the remaining 3 files in the folder
6. remove all past restore points (disable restore, reenable)

following these steps, a new Hijack This log reveled no similar "KGB" entry

I am aware that the program is not completely removed, specifically the DLL libraries that they were talking about in the manual removal instructions and the registry entries. The first I have no experience with and the second I was reluctant/unable to guide my friend through over the phone, aware of the sensitivty of the registry.

The situation is as follows: my friend will be coming back home next week, and at that point will be able to give the computer to an expert, who (I assume) should be able to clean the situation up and double check everything, especially since she will instruct him on the name of the program used that you provided.

My question is:
are the steps we took sufficient to "disable" the threat at this point, even if not completely cleaned? Long enough at least for the expert to work on it properly?

I am sorry that we could not follow your instructions, your expertise and willingness to assist is both welcome and respected, but please understand it is difficult to do with people not familiar with computers.

Thank you.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:03 PM

Posted 27 January 2009 - 05:10 PM

Hi,

The c:\windows\KGB folder contains the files to perform the "keylogging" - so if you removed that folder, then you should be OK.
And since you already deleted the references with HijackThis as well, then you already did a great job and actually removed it - except for some small registry leftovers which wont / can't do anything.
Normally most Antispywarescanners detect this keylogger as well though, so it may be a good idea to perform a scan with an up to date Antispywarescanner (Spybot s&d or Adaware) to get rid of the leftovers if still present.

Extra note... I see the Ask Toolbar installed here - This one is not recommended, so ask your friend to uninstall it. It's not urgent though. :thumbup2:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:03 PM

Posted 05 February 2009 - 06:54 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users