eeep keylogger!



#1 h2c4life

Posted 08 December 2004 - 10:57 PM

I'm not sure if this is the right place to ask questions about key loggers... hehe. :thumbsup:

But I have a key logger on my comp and I was wondering what I could do to get rid of it. I tried HijackThis, Ad-Aware, Trend Micro, Spybot Search & Destroy, and LSPFix... but no luck.
The key logger isn't detected by any of the things above, and if it is detected, I can't delete it, because it says I can't delete, or it comes back. The only scanner that worked was www.pestscan.com.
It isn't doing anything to my comp's performance, but I don't like it being there...

Can someone help me?

#2 h2c4life

Posted 09 December 2004 - 08:23 PM

bump
please help

#3 JEservices

Posted 09 December 2004 - 11:05 PM

I think that it is ok that you posted it here. I will talk with another moderator and if it needs to be moved, we will take care of it.

The reason why the other software will not find this is that it is designed to be undetected.

I can think of a few ways to get this off your computer.

Let's start with the easiest one: Restart your computer in Safe Mode. Tap F8 as it is starting up. In Safe Mode, click Start -> search abss*.* By the way, this stands for AB System Spy. Mass move all the files to another folder. Restart the computer in normal mode, and run your test again. If it does not come back, and everything is working ok, then restart the computer in Safe Mode again, and find the entry in Add/Remove Programs to remove the application. Restart your computer once again in normal mode to ensure that it is working properly. If everything is ok, then you can delete the moved files, and empty the recycle bin.

Another way that you can do it is to re-install the application. Now you might be thinking, why would I do that? The reason is that there is a free 30-day trial for the product, and it includes an uninstaller that may delete the version that is on the computer now. http://www.systemspy.org/
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#4 raw

Posted 09 December 2004 - 11:36 PM

Go ahead and post a HijackThis log so at least we are on topic and maybe HJT will pick up the registry hook.

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#5 h2c4life

Posted 11 December 2004 - 12:03 AM

Ohhhh, I will restart my comp and do the things that you told me to do :flowers::trumpet:
And about the System Spy... I don't think I installed the software on my comp... or is that the program the person who key logged me used??


I will also do the HijackThis again :thumbsup::inlove:

edit:
Posted Image
Here's a pic of the result

Posted Image
these are the running processes

Edited by h2c4life, 11 December 2004 - 12:10 AM.


#6 h2c4life

Posted 11 December 2004 - 12:12 AM

Logfile of HijackThis v1.98.2
Scan saved at 9:12:09 PM, on 12/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\James Song\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\James Song\Application Data\Mozilla\Profiles\default\u8bdcra5.slt\prefs.js)
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
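
An added example, not part of any post in this thread: a small Python parser for the HijackThis log format shown above that checks running processes and entries for the `abss` file-name prefix JEservices mentions and collapses repeated lines such as the O10 entries. The function names are hypothetical, and the embedded sample is an excerpt of the posted log.

```python
import ntpath  # Windows path rules on any OS
import re
from collections import Counter

# Excerpt of the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
TOKEN_SPLIT = re.compile(r"[\\/\s\[\]()=,:]+")   # path, registry and bracket separators

def parse_hjt(text):
    """Return (running_processes, [(section_code, body), ...]) from a log."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return procs, entries

def find_prefix(text, prefix="abss"):
    """List processes and entries naming a file or value that starts with prefix."""
    procs, entries = parse_hjt(text)
    hits = [("process", p) for p in procs
            if ntpath.basename(p).lower().startswith(prefix)]
    hits += [(code, body) for code, body in entries
             if any(t.lower().startswith(prefix) for t in TOKEN_SPLIT.split(body))]
    return hits

def entry_counts(text):
    """Collapse repeated entries, such as the duplicated O10 lines, into counts."""
    return Counter(parse_hjt(text)[1])

if __name__ == "__main__":
    print(find_prefix(SAMPLE_LOG), entry_counts(SAMPLE_LOG).most_common(1))
```

On the posted excerpt `find_prefix` returns an empty list, which shows only that nothing with that prefix appears in the log, not that nothing is installed.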

#7 raw

Posted 11 December 2004 - 01:15 AM

Not much to go on

This thing is indeed hard to detect. If it is indeed running.

Press Right Ctrl+F9 to see if the window comes up.

If not, it may be uninstalled or (worse) the hotkey has been changed.

You can go to Start -> Run and type regedit
Press Ctrl+F and type - spy
And the reg keys containing AB SystemSpy will turn up
I'm not an expert on registry editing, so you better back up the registry and make a restore point before editing anything.
