Am I being key-logged?


10 replies to this topic

#1 NevilleBartos

Posted 27 September 2010 - 12:51 AM

First of all I would like to say I am very grateful that I discovered this forum.

I would hate to create a thread about my PC issues straight away, but there is a pressing matter that I have to resolve first. Hope you can understand.

Well, here goes.

Four days ago I reformatted my computer for the first time. Everything went smoothly and no issues arose. The programs that I installed were Limewire, MSN, Firefox, Windows Media Player and that was pretty much it.

However, I started talking on Windows Live Messenger with one of my so-called "mates". He sent me this YouTube link and I, trusting him that it was safe, opened it up. It seemed like the legit YouTube site; however, I noticed that my CPU shot up to like 80-90 and did not drop even with no websites or programs running. So I assume that the link had something to do with it. I downloaded 'Malwarebytes', did a scan and found two things, one of which was a Trojan. After the scan the CPU dropped down to 5-10 as it was prior to opening the link. I deleted him off MSN as well.

But now I can't help but feel paranoid that the link contained a key logger or something that enabled him to see what I'm doing. Should I be concerned?

Thanks for hearing me out guys.

Edited by Budapest, 27 September 2010 - 01:02 AM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP




#2 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 27 September 2010 - 08:31 AM

There is nothing wrong with being concerned after encountering some types of malware. How concerned would depend on what was actually found and removed. For example, rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Keyloggers are dangerous because they sit stealthily on your system, monitor all the keys you press and can steal sensitive information, including your logins, passwords and private (financial) data.

The specific file name associated with the malware threat(s) detected and where it was located (full file path) on your system can sometimes be more useful when investigating. This is because each security vendor uses their own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved. See Understanding virus names.

Get a second opinion by performing an Online Virus Scan like ESET or Kaspersky.

"Four days ago I reformatted my computer for the first time. Everything went smooth and no issues arose. The programs that I installed were Limewire"

Using any peer-to-peer (P2P) or file sharing program (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BearShare, Azureus/Vuze) is a security risk which can make your system susceptible to a smorgasbord of malware infections, remote attacks, and exposure of personal information.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications. Using such programs is almost a guaranteed way to get yourself infected!!

Edited by quietman7, 27 September 2010 - 08:38 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image].

#3 straightupwv

Posted 27 September 2010 - 10:53 AM

Excuse me for interjecting here, but I have found a safer way to use Limewire. When searching for a title, use keywords instead of the entire title. Let me explain. The bad guys see what you're searching for and return results with the same words you used, making you think it's a real hit. For example, let's say you're searching for "The Beatles - I Wanna Hold Your Hand". You might receive 50 hits and it's impossible to tell which ones are legit and which ones are malicious. Instead of searching for it using these exact words, search for "Beatles Hand". The legitimate results will be displayed as "The Beatles - I Wanna Hold Your Hand" with your keywords in bold. The bad results will be displayed as "Beatles Hand" or sometimes "Hand Beatles". Block all of the bad results and use this approach every time you search. In time, the bad results will occur less and less often. I don't claim this to be the perfect fix, but using this method and a bit of diligence, you can successfully use P2P programs more safely.

Edited by straightupwv, 27 September 2010 - 11:00 AM.

Life is too short to have anything but delusional notions about yourself.


#4 NevilleBartos (Topic Starter)

Posted 27 September 2010 - 09:01 PM

Thanks for the reply and advice on Limewire :thumbsup:

With that said, are there any scans or logs that I can post so that someone can read them for me and just make sure there are no key-loggers on my system and end my paranoia once and for all? Would be much appreciated.

#5 chromebuster

Posted 27 September 2010 - 11:01 PM

Yes indeed there are. Do me a favor and retrieve the Malwarebytes log by going to the logs tab, and then clicking view log on the one that corresponds to the date on which you scanned your system. Post that in your next reply. And by the way, you said that you got the link that started your computer thrashing from a friend on MSN? Are you sure you were talking to a real person? I know this because it has happened to me before. Did the person you were supposedly talking to seem like they talked in your friend's dialect, or did they seem more scripted? If the latter, then you were probably conversing with a bot whose only mission is to send that probably, in fact, most likely, infected link. When I got one, I decided not to click on it. My poor friend on the other hand? He got screwed by it. He got infected with Win32/Cryptor. Another way to tell who you were talking to is if you have MSN save your conversations into the XML log format that it uses. If the link is stripped off the log, then it means that it wasn't legit. Keep this in mind.

Hope this helps,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#6 NevilleBartos (Topic Starter)

Posted 27 September 2010 - 11:24 PM

Hi chromebuster, thanks for the reply.

I'm pretty sure I was talking to a real person; we were talking about topics that we talked about earlier in the link, so I doubt it was a bot. The actual log of the scan I did after my CPU went high is long gone unfortunately :thumbsup: , I'll post the scan log I did earlier today with Malwarebytes.

In regards to "Win32/Cryptor", I did have a few pop-ups this morning from "ClamAV for Windows" that a threat by the name of "W32.Crypt" was detected and another "f_0008d4" was quarantined on my computer. Malwarebytes however came back clean. I also have "Avast Anti-Virus" and "SUPERAntiSpyware".

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4707

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

28/09/2010 12:39:03 PM
mbam-log-2010-09-28 (12-39-03).txt

Scan type: Full scan (A:\|C:\|D:\|)
Objects scanned: 200093
Time elapsed: 35 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also have "HijackThis", so if you need that log as well, I'll post it ASAP.


Thanks again

#7 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 28 September 2010 - 06:34 AM

HijackThis logs are not permitted in this forum. Further, HijackThis only scans certain areas of a computer's system/registry to help diagnose the presence of undetected malware in known hiding places. Therefore, it is limited in its ability to detect infection and generate a report outside these known hiding places and its log may not always reveal all the malware on a computer. As such, HijackThis has been replaced by other preferred tools like DDS, OTL and RSIT that provide comprehensive logs with specific details about more areas of a computer's system, files, folders and registry keys which may have been modified by malware infection.

The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the Virus, Trojan, Spyware, and Malware Removal Logs forum if we cannot assist you here and we need to use more powerful tools or you don't mind waiting.


Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#8 chromebuster

Posted 28 September 2010 - 12:03 PM

Oops. Sorry guys. Maybe I was out of line with the whole MSN thing. I'm just speaking from experience. Sorry for the confusion.

Chromebuster



#9 NevilleBartos (Topic Starter)

Posted 28 September 2010 - 10:10 PM

Hi quietman7, Thanks for the reply. Here is my log from the scan.


C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\30\1f5af39e-25df4339 multiple threats deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\41\312015a9-695c465b a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\5\7e502985-6448f25b multiple threats deleted - quarantined
C:\Documents and Settings\User\My Documents\Downloads\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
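As an added example (not code from the thread, from Malwarebytes or from ESET), here is a small Python triage script that reads the two log layouts posted in this thread: the Malwarebytes' Anti-Malware 1.46 summary from post #6 and the ESET Online Scanner result lines from post #9. It assumes exactly those layouts; the Malwarebytes sample is constructed here to match, the ESET sample reuses the four lines above, and the keyword list used to flag credential-stealing families is an assumption, since, as quietman7 notes, every vendor has its own naming conventions.

```python
import re
from dataclasses import dataclass

# ---- Malwarebytes' Anti-Malware 1.46 text log --------------------------------
# The summary block is a run of "<category> Infected: <count>" lines. The detail
# sections repeat the category as a header with no count, so they do not match.
MBAM_SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Infected:\s*(?P<count>\d+)\s*$")


def parse_mbam_summary(log_text):
    """Return {category: count} for every '<category> Infected: N' line."""
    counts = {}
    for line in log_text.splitlines():
        m = MBAM_SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return counts


def mbam_is_clean(counts):
    """Clean only if a summary was actually found and every count is zero."""
    return bool(counts) and all(n == 0 for n in counts.values())


# ---- ESET Online Scanner result lines ----------------------------------------
# One detection per line: "<full path> <detection> <action>". Paths contain
# spaces, so the path is matched non-greedily and the action is anchored to the
# end of the line. The detection/action wording is what the thread shows plus a
# few common ESET phrasings (assumption).
ESET_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>multiple threats|"
    r"(?:probably )?(?:a variant of )?\S+(?: trojan| application| worm| virus| adware)?)\s+"
    r"(?P<action>(?:cleaned by deleting|deleted|cleaned|unable to clean)(?: - quarantined)?)$"
)


@dataclass
class Detection:
    path: str
    detection: str
    action: str

    @property
    def quarantined(self):
        return self.action.endswith("quarantined")

    @property
    def location(self):
        """Coarse bucket for where the file lived; this drives the reading."""
        p = self.path.lower()
        if "\\sun\\java\\deployment\\cache\\" in p:
            return "java-cache"   # content the Java plug-in cached while a page loaded it
        if "\\downloads\\" in p:
            return "downloads"    # something the user fetched on purpose
        return "other"


def parse_eset_log(log_text):
    """Parse ESET result lines; lines that do not fit the layout are ignored."""
    found = []
    for line in log_text.splitlines():
        m = ESET_LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m.group("path"), m.group("detection"), m.group("action")))
    return found


# Family-name fragments that usually mean credential capture (assumed list).
CREDENTIAL_THEFT_HINTS = ("keylog", "spy", "backdoor", "stealer", "psw")


def triage(mbam_text, eset_text):
    """Combine both logs into the few facts a responder reads first."""
    counts = parse_mbam_summary(mbam_text)
    dets = parse_eset_log(eset_text)
    return {
        "mbam_clean": mbam_is_clean(counts),
        "eset_detections": len(dets),
        "all_quarantined": all(d.quarantined for d in dets),
        "locations": sorted({d.location for d in dets}),
        "credential_theft_hints": [d.detection for d in dets
                                   if any(h in d.detection.lower() for h in CREDENTIAL_THEFT_HINTS)],
    }


# Constructed sample in the layout of the Malwarebytes log quoted in post #6.
MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.46
Database version: 4707
Scan type: Full scan (A:\\|C:\\|D:\\|)
Objects scanned: 200093
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

# The four ESET result lines from post #9.
ESET_LOG = r"""
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\30\1f5af39e-25df4339 multiple threats deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\41\312015a9-695c465b a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\5\7e502985-6448f25b multiple threats deleted - quarantined
C:\Documents and Settings\User\My Documents\Downloads\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    print(triage(MBAM_LOG, ESET_LOG))
```

Run stand-alone it prints one dictionary. For the logs in this thread it reports a clean Malwarebytes summary, four ESET detections that were all quarantined, hits only under the Java deployment cache (content the browser's Java plug-in had cached, which fits the CPU spike after opening the link) and under Downloads, and no family name hinting at credential capture, which is the same reading quietman7 gives in the next reply.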

#10 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 29 September 2010 - 06:19 AM

There is no evidence to suggest a keylogger.

#11 chromebuster

Posted 03 October 2010 - 12:13 AM

Nopers. But it sure looks like you were having too much fun extending Windows Live LOL.
