PDA

View Full Version : Infected by Keylogger


Maxou
2008-03-27, 18:35
I am a MMORPG player, and 10 days ago, my account on a famous Multiplayer Game was stolen : I was at work and a friend of mine saw me connected in the game, back at home, I tried to connect, but my pass was invalid. I advised the company owner of the game and they closed temporarly my account. Now after 10 days of inquiry they sent me an e-mail with details of reasons why my account was stolen, and its specified "key logger". So they advised me to change all my passes of everything I have (mailbox pass, Internet provider pass etc), and make a scan of my PC with Spybot and few online scanner (like Avast or symantec or kapersky).

In fact the next day my account was stolen, I did a full scan with Spybot, a scan with my avast anti-virus, and a scan with symantec online scan, and nothing was detected... After that, I re-formated the HD of my pc, but before that, I made a back up of the folder where the game was installed (I mean all patches necessary to make the game work, if you don't back up that, there's 8 hours of download after a fresh install of the game), and I re-installed win XP etc... As I am paranoiac now, after that I re-scanned this folder where the game was with Avast/spybot/etc and no problem.

I am afraid with the fact that this keylogger is still on my pc, and I have no idea how to detect it. Here are my kapersky log and Hijack log, many thanks in adavance for helpîng me :

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 27, 2008 5:34:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/03/2008
Kaspersky Anti-Virus database records: 667041
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 32702
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:39:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Historique\History.IE5\MSHist012008032720080328\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Protection résidente.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8EFC81DA-32A9-4F89-AC79-F3FF538FEA01}\RP41\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\XPSP2-E2B38EBB2.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{98CBE7FD-DD34-4978-965D-39B007482AE8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_714.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT00bed.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00bf1.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:27, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.fr/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.fr/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE RÉSEAU')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205612293562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205623743671
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4580 bytes
ken545
2008-03-28, 01:30
Hello Maxou

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


From what I can see your HJT log is fine. If you had a keylogger before the damage is already done, what you need to do is use a known good clean computer and change all your passwords and log on names.

Kaspersky picked up one entry but I believe its ok, do a couple of things for me please

You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

C:\WINDOWS\system32\cmdow.exe Browse to this file and right click on it and go to Properties and let me know the file size.



Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
C:\WINDOWS\system32\cmdow.exe

Let me know about the file size, if it says 31kb then its nothing to worry about.

Post the VirusTotal report please
Maxou
2008-03-28, 01:58
many thanks for the help.

the cmdow.exe file is :
size : 30.5 ko
size on disk : 32,0 ko
-------------------------------------------------------
Virus total analize :

File cmdow.exe received on 03.26.2008 07:39:31 (CET)
Current status: finished

Result: 19/31 (61.29%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.26 -
AntiVir 7.6.0.75 2008.03.25 SPR/HideWindows.I
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.25 -
AVG 7.5.0.516 2008.03.25 Potentially harmful program HideExec.BD
BitDefender 7.2 2008.03.26 -
CAT-QuickHeal 9.50 2008.03.26 RiskTool.HideWindows (Not a Virus)
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5644 2008.03.26 -
Ewido 4.0 2008.03.25 Downloader.Delf.ain
FileAdvisor 1 2008.03.26 High threat detected
Fortinet 3.14.0.0 2008.03.26 HackerTool/HideWindow
F-Prot 4.4.2.54 2008.03.25 W32/HackToolX.DY
F-Secure 6.70.13260.0 2008.03.26 -
Ikarus T3.1.1.20 2008.03.26 not-a-virus:RiskTool.Win32.HideWindows
Kaspersky 7.0.0.125 2008.03.26 not-a-virus:RiskTool.Win32.HideWindows
McAfee 5259 2008.03.25 potentially unwanted program Tool-HideWindow
Microsoft 1.3301 2008.03.26 Tool:Win32/Cmdow
NOD32v2 2973 2008.03.26 Win32/CMDOW.143
Norman 5.80.02 2008.03.25 -
Panda 9.0.0.4 2008.03.25 Application/HideWindow.S
Prevx1 V2 2008.03.26 HideWindow
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.26 HideWindow
Sunbelt 3.0.978.0 2008.03.18 Trojan.HideWindow
TheHacker 6.2.92.255 2008.03.26 Aplicacion/HideWindows
VBA32 3.12.6.3 2008.03.25 Trojan-Downloader.Win32.Delf.ain
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.26 Riskware.HideWindows.I
Additional information
File size: 31232 bytes
MD5: 48a78bf8ef453d9ca4d6c0587ae2de94
SHA1: fdcc71edb09d13165abb106dec95b5376cc05527
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=48a78bf8ef453d9ca4d6c0587ae2de94
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=82F98BE2004950627A2C007548EB95008D52F174
--------------------------------------------------------------------------------------------------------------------




Just one thing, what do you mean by
"If you had a keylogger before the damage is already done, what you need to do is use a known good clean computer and change all your passwords and log on names."

I have to re-format my pc again with a fresh install of windows and reset all my passes ?
ken545
2008-03-28, 02:22
Maxou,

That file is safe and nothing to worry about.


Now after 10 days of inquiry they sent me an e-mail with details of reasons why my account was stolen, and its specified "key logger". So they advised me to change all my passes of everything I have (mailbox pass, InternetYou posted this. I am only going by what you said. If I could have looked at your HJT log from before you reformatted I could tell if you had a keylogger but its to late now. I see no keylogger on your current system



I have to re-format my pc again with a fresh install of windows and reset all my passes ? NO, you do not have to reformat, but you should change all your passwords to be on the safe side


You system seems safe right now, your HJT log is clean, but if things were stolen from you in the past you will have to deal with that as they show up.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



I will leave this thread open for you for a few weeks in case something pops up in the future. If you do have issues again I would tend to be Leary about the game folder you saved and reinstalled, but time will tell.


Ken:)