Keylogger

Discussion in 'System Security & Infection Support' started by sh4d0w1ink92, Jun 22, 2005.

  1. sh4d0w1ink92

    Joined:
    Jun 30, 2004
    Messages:
    79
    Likes Received:
    0
    Location:
    Jersey
    Well, my so-called 'friend' told me to get on AIM to look at some picture and, not thinking twice, I accepted it without looking at the file type... it was an exe. So I open it and it gives me some error, so I just tell him to forget about it, that it won't open up. Next day people are messaging me saying they hate me for scamming them (people on my friends list from Runescape), even though I hadn't been on in about a week... I go to login and it says invalid username or password (yes, I know I had the username and password right). Basically, I wanna know if there is any way to know FOR SURE that the keylogger has been removed from my computer so I can attempt to get my password from the game and change it (my mother's credit card PIN number is required, that's why I'm so hesitant). If anyone can help it'd be greatly appreciated.
     
    sh4d0w1ink92, Jun 22, 2005
    #1

  2. James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Keyloggers can be hard to detect at times. Post your HijackThis log here and we should be able to pick it up.
     
    James, Jun 22, 2005
    #2

  3. sh4d0w1ink92

    Joined:
    Jun 30, 2004
    Messages:
    79
    Likes Received:
    0
    Location:
    Jersey
    Here you are Sir :p

    Logfile of HijackThis v1.99.1
    Scan saved at 6:19:29 PM, on 6/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\AlienGUIse\wbload.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\syssys\svchost.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Conquer 1.0\Conquer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\FlashGet\flashget.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.219\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114272780671
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    sh4d0w1ink92, Jun 22, 2005
    #3
  4. spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    Do you remember what the file name was?
     
    spike228, Jun 23, 2005
    #4
  5. sh4d0w1ink92

    Joined:
    Jun 30, 2004
    Messages:
    79
    Likes Received:
    0
    Location:
    Jersey
    Umm, no I don't, sorry. It might have been something to the effect of bankpic or something... not sure though. Didn't get a good look at it...
     
    sh4d0w1ink92, Jun 23, 2005
    #5
  6. spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    I'm not too familiar with keyloggers, but here's something that looks suspicious.

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

    Not sure what it is, so scan it or something.
     
    spike228, Jun 23, 2005
    #6
  7. James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    C:\Program Files\Conquer 1.0\Conquer.exe

    That's the only thing that does not sound right to me. Are you sure that you didn't just have a simple password?
     
    James, Jun 23, 2005
    #7
  8. spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    I went ahead and looked that up. It's a game. But I find it a little odd that he has a game and a download manager running while scanning for these things.
     
    spike228, Jun 23, 2005
    #8
  9. Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    Zeus, Jun 23, 2005
    #9
  10. Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    You might want to consider getting rid of this resource hog as well:
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    This is not malicious, but eats up processor. It is used with Microsoft Office, and starts during boot-up. It claims it helps open the Office suite faster, but it doesn't help enough to make a difference, and it does slow down your boot-up enough to :)

    Here is also a quick write up of it:

    http://www.auditmypc.com/process/osa9.asp
     
    Zeus, Jun 23, 2005
    #10
  11. Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    This could also be a problem:
    C:\WINDOWS\syssys\svchost.exe

    This is not running from the system32 file like it should be. I couldn't find anything on this path name through Google though.
     
    Zeus, Jun 23, 2005
    #11
  12. Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    :shock This could be a problem:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080

    If 168.94.74.68 is not your IP address, then this entry is telling your computer that this IP address is the one connected to the internet, and all traffic should be routed to this IP. If this is not your IP, make sure it is not your ISP's gateway. If it is not, then this is most likely your problem.
     
    Zeus, Jun 23, 2005
    #12
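As an added illustration of the two checks Zeus applies in posts #11 and #12 (a core system binary running from a directory other than the one it belongs in, and an R1 ProxyServer entry pointing at a non-local address), here is a small Python script that applies both checks to HijackThis log text automatically. It is my own example, not something posted in this thread and not part of HijackThis; the expected-directory table assumes a default Windows XP install on C:, as the log's Platform line suggests, and the sample log embedded in it is constructed from a few lines of the log posted above.

```python
import ipaddress
import re

# Constructed sample: a few lines in HijackThis v1.99 format, copied from the
# log posted earlier in this thread (the real log has many more entries).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\syssys\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
"""

# Assumption: default Windows XP install on C:. These core binaries live in
# these directories; the same file name anywhere else deserves a second look.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

PROXY_RE = re.compile(r"^R1 - .*ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")  # any HJT entry line (R1, O4, O23 ...)
LOCAL_NAMES = {"localhost"}


def running_processes(log_text):
    """Return the paths listed under 'Running processes:'."""
    paths, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block and (not line or ENTRY_RE.match(line)):
            in_block = False          # first HJT entry ends the process list
        elif in_block:
            paths.append(line)
    return paths


def misplaced_system_processes(log_text):
    """Core system binaries running from a directory other than the expected one."""
    findings = []
    for path in running_processes(log_text):
        parent, _, name = path.lower().rpartition("\\")
        expected = EXPECTED_DIR.get(name)
        if expected and parent != expected:
            findings.append(path)
    return findings


def suspicious_proxies(log_text, trusted=()):
    """ProxyServer targets from R1 entries that are neither trusted nor local.

    The value is either 'host:port' or per-protocol 'http=host:port;https=...'.
    Hostnames are always reported, since their locality cannot be judged offline.
    """
    trusted = {t.lower() for t in trusted}
    findings = []
    for raw in log_text.splitlines():
        m = PROXY_RE.match(raw.strip())
        if not m:
            continue
        for part in m.group(1).split(";"):
            hostport = part.split("=", 1)[-1]
            host = hostport.rpartition(":")[0] or hostport
            if host.lower() in trusted or host.lower() in LOCAL_NAMES:
                continue
            try:
                addr = ipaddress.ip_address(host)
                local = addr.is_private or addr.is_loopback
            except ValueError:
                local = False             # not an IP literal: report it
            if not local:
                findings.append(hostport)
    return findings


def analyze(log_text, trusted_proxies=()):
    """Run both checks and return the findings keyed by check name."""
    return {
        "misplaced_system_processes": misplaced_system_processes(log_text),
        "suspicious_proxies": suspicious_proxies(log_text, trusted_proxies),
    }


if __name__ == "__main__":
    for check, items in analyze(SAMPLE_LOG).items():
        print(check + ":")
        for item in items:
            print("    " + item)
```

On the sample above the script reports exactly the two entries the thread settled on: the svchost.exe under C:\WINDOWS\syssys and the 168.94.74.68:8080 proxy. If your ISP or network really does use a proxy, pass its address in `trusted` so it is not flagged; the table of expected directories is deliberately short, so extend it for other Windows versions or a non-default install drive.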
  13. James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Ah... Good catch there.

    168.94.74.68 is registered to Best Buy. :|
     
    James, Jun 23, 2005
    #13
  14. Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    :thumbs I should've done a DNS lookup before posting.
     
    Zeus, Jun 23, 2005
    #14
  15. spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    Wow Zeus, you're good at this. I'll know who to turn to now if I have questions on HJT logs :)
     
    spike228, Jun 24, 2005
    #15
  16. Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    Thanks. :) You have to get good at looking through logs if you want to be in security.
     
    Zeus, Jun 24, 2005
    #16
  17. nameless VIP Member

    Joined:
    Dec 27, 2004
    Messages:
    183
    Likes Received:
    2
    Location:
    usa
    I agree with this, this path, 'cause the svchost should be running from sys32. Good keyloggers are masked as real processes and depend on not being noticed.
     
    nameless, Jul 12, 2005
    #17
