
Steam .scr file hidden keylogger on pc?


4 replies to this topic

#1 flyingbananacar

flyingbananacar

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:45 PM

Posted 23 May 2015 - 04:37 PM

My first question is: if the keylogger is somehow hidden on this drive, and I buy a new hard drive and want to move some pictures/videos/data from that drive to the new drive with a hard drive to USB adapter, is there a possibility that the keylogger can get onto the new hard drive?

 

I'm not sure how it is, or if it's even here anymore. I use new emails besides my original Steam account, and nothing has changed after 2 months.

 

But besides all that, this is what my original post was going to be:

I got this message from a "friend" who added me, saying he wanted to trade. He sent me some link and, out of my ignorant stupidity, I clicked it and it downloaded. I opened it thinking it was some screenshot, since it had the whole .scr thing at the end, and it basically exited me out of Steam and brought up the login screen (the Steam login screen looked slightly different). By this time I figured it was some kind of keylogger, so I immediately uninstalled Steam, logged on to my other PC and changed my passwords for everything... About a minute after, I think my internet went off for 30 seconds, and I wondered why my antivirus or anti-malware hadn't picked it up, till Avast finally said it blocked a threat.

 

[screenshot: 2iv1jy9.png]

As soon as it was quarantined I just deleted it... But I'm still not sure if some kind of keylogger is hidden on this PC. I've run Malwarebytes, Avast, Spybot and SUPERAntiSpyware; none of them detected anything related.

 

I've followed discussions on this and tried using Google on what the file name was. Not sure if it's the same thing, though it seems so:
https://malwr.com/analysis/NmEzZmYzZDI4NTIwNDU5ZTg4ZDRl...
http://www.reddit.com/r/pcmasterrace/comments/2m90a8/st..

 

I've read some comments saying it isn't a keylogger, saying it directly controls your steam.exe program as it's running and trades the items from your account in an instant. I just reinstalled Steam on the same PC and risked using the account again; no items were traded, and no, it hasn't logged me out of Steam while I leave it on 24/7. I don't want to have to reinstall Windows and everything all over again, but if it's the only way to be sure, I will. What do you guys think?

 





#2 ransomwolf

ransomwolf

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Location:Europe
  • Local time:04:45 AM

Posted 23 May 2015 - 07:17 PM

If you buy a new drive and want to move pictures/videos/data from the old one to the new one, I suppose it's possible malware could spread to the new one, though it's a bit unlikely, I'd say.

 

Here's a way I believe is safe to do what you want:

 

1. Copy all the photos and stuff you want to a flash drive.

 

2. Type "folder options" in your Start menu, select the "View" tab, select the "Show hidden files, folders and drives" option, then press "Apply", just like this picture shows you:

[screenshot: apps-1.jpg]

 

3. Search the flash drive for extensions like .dll, .exe and .scr. If you find something and don't know what it is, delete it! Keep in mind that if you're transferring apps, there may be a lot of .dll and .exe files, so maybe keep applications in separate folders from videos, pictures, etc.

 

------------

 

On the other topic, you don't have to reinstall Windows. You said Malwarebytes didn't detect anything, so please try Hitman Pro:

 

1. Download Hitman Pro 32-bit if your OS is 32-bit, or Hitman Pro 64-bit if your OS is 64-bit.

2. Run it. You should see this screen. Press next:

[screenshot: l0a2dmL.png]

 

3. Select "no, I want to perform a one time scan to check this computer" and press "next":

[screenshot: 4xy072A.png]

 

4. After the scan completes (could take a while, since some suspicious files in your PC can get uploaded to the cloud for scanning), DON'T REMOVE ANYTHING YET! In the bottom left of the screen, click "Save log":

[screenshot: OZbZSZn.png]

 

5. Close HitmanPro and please copy the log and post it here.


Edited by ransomwolf, 23 May 2015 - 08:17 PM.
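Editor's note: the three-step check in the post above (show hidden files, then look through the data you are about to copy for .exe/.dll/.scr) is easy to automate, and a script does not depend on Explorer's hidden-file setting at all. The script below is an added example, not code from the thread or from any tool named in it. It walks a folder, flags every file whose final extension Windows would execute on double-click, and separately calls out the "photo.jpg.scr" double-extension trick that caught the original poster (a .scr screen saver is just a renamed .exe). The folder it scans by default is a constructed sample created in a temporary directory, so nothing here depends on the poster's machine; pass a real folder path as the first argument to scan that instead.

```python
"""Flag executable-type files in a folder that is about to be copied to a new
drive, automating the manual "show hidden files, then look for .exe/.dll/.scr"
check. Added example, not code from the thread; the sample tree is constructed.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions Windows executes on double-click. A .scr file is a screen saver,
# i.e. a renamed .exe, which is why "screenshot.scr" runs instead of opening.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".jar", ".msi", ".lnk",
}
# Extensions put in front of the real one to make a file look like data.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt",
                    ".doc", ".docx", ".mp4", ".avi"}


def is_hidden(path: Path) -> bool:
    """True if default Explorer settings would not show this file."""
    if sys.platform == "win32":
        attrs = path.stat().st_file_attributes
        return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
    return path.name.startswith(".")  # Unix convention, used off-Windows


def classify(path) -> Optional[str]:
    """Return why the file is executable-type, or None if it is plain data."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        return "executable disguised by a double extension " + "".join(suffixes[-2:])
    return "executable extension " + suffixes[-1]


def find_executables(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; return sorted (relative path, reason, hidden) for each hit.

    os.walk lists hidden files whether or not Explorer would show them, so the
    hidden flag is reported for information rather than used to filter.
    """
    base = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            p = Path(dirpath) / name
            reason = classify(p)
            if reason is not None:
                hits.append((p.relative_to(base).as_posix(), reason, is_hidden(p)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: photos and videos with a few executables mixed in."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for rel in ("Pictures/holiday.jpg", "Pictures/.helper.exe",
                "Pictures/screenshot.jpg.scr", "Videos/clip.mp4",
                "Apps/tool/tool.exe", "Apps/tool/lib.dll", "notes.txt"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")  # contents do not matter for this check
    return root


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, reason, hidden in find_executables(folder):
        print(f"{'HIDDEN ' if hidden else '       '}{rel}: {reason}")
```

The extension-based check is a quick first pass, not proof of safety: it says nothing about what a flagged file does, and a program that has already run can leave traces outside the folders you copy. It does, however, catch exactly the case from the first post, where the only visible clue was the trailing .scr.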


#3 flyingbananacar

flyingbananacar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:45 PM

Posted 23 May 2015 - 11:29 PM

OK, it's scanning now.



#4 flyingbananacar

flyingbananacar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:45 PM

Posted 23 May 2015 - 11:41 PM

HitmanPro 3.7.9.241
www.hitmanpro.com
 
   Computer name . . . . : PRAYER
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : Prayer\†
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2015-05-23 23:29:02
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 6m 9s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 27
 
   Objects scanned . . . : 1,890,509
   Files scanned . . . . : 165,418
   Remnants scanned  . . : 702,515 files / 1,022,576 keys
 
Suspicious files ____________________________________________________________
 
   C:\Users\†\AppData\Local\PunkBuster\APB\pb\dll\wc002327.dll
      Size . . . . . . . : 968,536 bytes
      Age  . . . . . . . : 269.4 days (2014-08-27 13:03:43)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 5B7AAFE720F6D7E618784C9AC16A6FD2329B7B0170E24B642D0059971B6C5B7A
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\APB\pb\dll\wc002345.dll
      Size . . . . . . . : 1,018,416 bytes
      Age  . . . . . . . : 221.3 days (2014-10-14 16:25:45)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : BE5E9B9749DA372459DF60E1E836D74873048B041E3E740137EBAD32C3F98D2B
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\APB\pb\pbcl.dll
      Size . . . . . . . : 1,018,416 bytes
      Age  . . . . . . . : 205.8 days (2014-10-30 04:20:21)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : BE5E9B9749DA372459DF60E1E836D74873048B041E3E740137EBAD32C3F98D2B
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\APB\pb\pbclold.dll
      Size . . . . . . . : 1,018,416 bytes
      Age  . . . . . . . : 269.4 days (2014-08-27 12:57:40)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : BE5E9B9749DA372459DF60E1E836D74873048B041E3E740137EBAD32C3F98D2B
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\APB\pb\PnkBstrK.sys
      Size . . . . . . . : 139,904 bytes
      Age  . . . . . . . : 269.4 days (2014-08-27 12:57:53)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 5FFC3A37106249E619700B233D73AC3024B5902A76A6FCEA687B7123DD8D68AD
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\BF3\pb\dll\wc002344.dll
      Size . . . . . . . : 1,014,616 bytes
      Age  . . . . . . . : 142.5 days (2015-01-01 11:28:55)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
      Size . . . . . . . : 1,014,616 bytes
      Age  . . . . . . . : 139.1 days (2015-01-04 20:55:49)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
      Size . . . . . . . : 1,014,616 bytes
      Age  . . . . . . . : 142.6 days (2015-01-01 10:05:11)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
      Size . . . . . . . : 139,944 bytes
      Age  . . . . . . . : 142.6 days (2015-01-01 10:05:24)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : E0AB414DBD7AA5888B861AE64B0F9674CED054C755502DDE124A91D6CD6CE97A
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\†\Documents\Ubisoft\FarCry 3\bin\FC3.dll
      Size . . . . . . . : 29,926,480 bytes
      Age  . . . . . . . : 62.6 days (2015-03-22 09:57:20)
      Entropy  . . . . . : 7.1
      SHA-256  . . . . . : 7DBDCD44B3EF002A7FA87F2BF5EFF1597EDE7C87575E3C679503855165DBCF5F
      Product  . . . . . : Far Cry 3
      Publisher  . . . . : Ubisoft Entertainment
      Description  . . . : Dunia Engine/Far Cry 2 Dynamic Link Library
      Version  . . . . . : 0.1.0.1
      RSA Key Size . . . : 2048
      LanguageID . . . . : 9
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
 
   C:\Users\†\Documents\Ubisoft\FarCry 3\bin\FC3_d3d11.dll
      Size . . . . . . . : 29,989,456 bytes
      Age  . . . . . . . : 62.6 days (2015-03-22 09:57:22)
      Entropy  . . . . . : 7.1
      SHA-256  . . . . . : 5B1CBD5F1D9DAC77C028158DD843A0CD5FCBEB360359FB8B2BDAD007B4BBF852
      Product  . . . . . : Far Cry 3
      Publisher  . . . . : Ubisoft Entertainment
      Description  . . . : Dunia Engine/Far Cry 2 Dynamic Link Library
      Version  . . . . . : 0.1.0.1
      RSA Key Size . . . : 2048
      LanguageID . . . . : 9
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
 
   C:\Users\†\Documents\Ubisoft\FarCry 3\bin\pb\dll\wc002312.dll
      Size . . . . . . . : 953,886 bytes
      Age  . . . . . . . : 62.6 days (2015-03-22 09:57:27)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
 
   C:\Users\†\Documents\Ubisoft\FarCry 3\bin\pb\pbcl.dll
      Size . . . . . . . : 953,886 bytes
      Age  . . . . . . . : 62.6 days (2015-03-22 09:57:27)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
 
   C:\Users\†\Documents\Ubisoft\FarCry 3\bin\pb\pbcls.dll
      Size . . . . . . . : 953,886 bytes
      Age  . . . . . . . : 62.6 days (2015-03-22 09:57:27)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
 
 
Potential Unwanted Programs _________________________________________________
 
   ask.com
   C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Web Data
 
 
Cookies _____________________________________________________________________
 
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\1LCRJ4TV.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\3R46G6HW.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\B53UN33V.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\DWC7WYG9.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\JXK0SS0J.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\MJZSM4HF.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\P6ZK6MGM.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\Q9UZQ3ZY.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\SFR7UGG9.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\UGL9U57Y.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\WIS7BY25.txt
   C:\Users\†\AppData\Roaming\Microsoft\Windows\Cookies\Z3XC7G9D.txt
 
 
 
From what I've seen, none of those are really threats. pb is PunkBuster, a program used on games to block cheaters and stuff; the rest are cookies, I believe.


#5 ransomwolf

ransomwolf

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Location:Europe
  • Local time:04:45 AM

Posted 24 May 2015 - 03:45 AM

From what I've seen, none of those are really threats. pb is PunkBuster, a program used on games to block cheaters and stuff; the rest are cookies, I believe.

 

You're correct. Aside from this entry:

Potential Unwanted Programs _________________________________________________
 
   ask.com
   C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Web Data

Your log is clean. And ask.com is a toolbar, not a keylogger, and isn't really malicious anyway.

 

So... your PC is safe! :D

 

If, however, you're still paranoid that something is wrong with your PC, even if several malware scanners didn't find anything, you could read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help thread and create a thread in Virus, Trojan, Spyware, and Malware Removal Logs.

 

Are there any other issues you need help with?


Edited by ransomwolf, 24 May 2015 - 03:48 AM.




