Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible Keylogger

  • Please log in to reply
No replies to this topic

#1 Bluejean


  • Members
  • 1 posts
  • Local time:02:47 PM

Posted 02 May 2010 - 04:47 AM

I deleted what could have been a keylogger, but I'm not sure if the problem is completely dealt with, or if there even was one and this was simply a case of a false positive. Either way I'm abstaining from logging into World of Warcraft and my email on this computer for now. I checked both on another computer and the passwords haven't been changed and show no signs of unusual activity, which is a good sign.

When I clicked on a link on a WoWwiki page I got redirected to a minimized site and a message to the effect of "You may have malware on your computer, click OK to scan" with only an OK button. Sounding like the prelude to a typical rogue antivirus infection I just closed Firefox down with the task manager. Nothing happened, but I was concerned that there may have been a keylogger put on my computer since it's usually keyloggers that plague malicious sites related to World of Warcraft.

I updated and ran both Spybot and Malwarebytes which picked up nothing. Next I downloaded AGV Free Edition and ran that which found nothing. Then I updated and ran SUPERAntiSpyware, which I forgot was still even on my computer - it picked up a lot of Adware tracking cookies and a Hiloti.V trojan in a htm file in my Temporary Internet Files (which, upon picking it up in the scan, caused AVG's Resident Shield to alert me to it). I looked it up in a search and read posts from people with it reporting problems such as being redirected to completely different sites upon entering URLs and unable to open certain applications, but I wasn't having any of that so it's possible that the infection picked up was a harmless remnant of one of my past 3 rogue antivirus infections (even after removing a number of infected files and seeing no more problems, occasionally after an update on Spybot or Malwarebytes or using a different scanner I picked up a file that sounded related to the others removed previously) although I often Clear Recent History in Firefox at least once a month, which I assume cleans out the Temporary Internet Files folder, and my last rogue antivirus infection was about 5 months ago.

I decided to try my luck running scans in Safe Mode. Spybot and Malwarebytes found nothing, but AVG's scan (which, in Safe Mode, is just a command line scanner) apparently "locked" about 7 files saying something to the effect of "not tested", then found another trojan infection and automatically added it to AVG's Virus Vault: PSW.Agent.XYB in the file "HookAPINT.dll". A Google search on this trojan only came back with one thread about AVG detecting it in the same exact file when setting up drivers, which was met with a reply from a moderator saying it was probably a false positive, and a separate post on another site saying that an AVG scan was reporting a different PSW trojan that he can't find any information on. It could simply have been a false positive, but I became worried when I found out that PSW.Agent trojans are specifically keyloggers. Upon the scan's completion (I assume, anyway - it did run for about the same time as the other scans) it just closed without warning. After running SUPERAntiSpyware and coming up with nothing I restarted in Normal mode.

The first thing I did was check AVG's "Virus Vault" to see what my options were. I was surprised to see the Hiloti.V trojan in there along with the XYB though - I had thought that SUPERAntiSpyware quarantined it, but it's possible that it didn't and it just ended up getting snatched by AVG immediately upon detection. The Virus Vault only gave the options of restoring or deleting the infected files, so after making sure "HookAPINT.dll" wasn't anything important I deleted that. I did some more reading on it and found that the file was usually in the same folder as "AMTSetup.exe", another undesirable linked with trojan infections; so I did Start > Run > cmd, had it display the contents of the folder the trojan was in, found it listed, and, after making sure that this file wasn't necessary either, manually deleted it.

One strange thing I noticed while doing the initial scanning was that it wouldn't let me delete my Browsing & Download History - I had no problems deleting all the other stuff under Clear Recent History (Cookies, Cache, Active Logins, Form & Search History), but every time I tried to remove that Firefox would hang and I'd have to close it with the task manager and restart it. I assumed it may have had something to do with the spyware/malware/virus scans going on, but I forgot to confirm it before going into Safe Mode to scan there. While in Safe Mode I had no trouble clearing my history and no longer have a problem doing so in Normal mode.

Another thing that may warrant mentioning is my confusion involving this "stub.exe". I recall seeing it listed under Processes in the task manager while installing AVG, and information online tells me that there's a good one associated with AVG and a bad one associated with trojans like Assassin.20.b. However, I noticed that the trojan ones were also associated with prefetch files and when I did a search on my hard drive while in Safe Mode I found a stub.exe as a .pf file, except it had additional numbers and letters at the end. It said it was last modified at the time around when I was installing and updating AVG. The file, however, doesn't seem to come up in a search while in Normal mode.

Assuming the XYB is a real trojan and not just a false alarm it is likely that I got it only from this specific site I went to; I usually only visited the same few sites every day that I knew were safe until I got involved in World of Warcraft again and began checking out a few gaming sites recently, and this was the only one I had a problem with. If necessary I can give the link which led me to that site, although it should probably be through private message so other people here don't go into it. It may not even be the site itself though - could be I was redirected or there was a virus in one of the ads on the page or something.

Would appreciate any help; I'm at a loss here.

Edited by Bluejean, 02 May 2010 - 04:48 AM.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users