PDA

View Full Version : Possible Keylogger



Oldaad
2008-10-22, 07:57
My son downloaded and ran "flashplayer.exe" from a link on the World of Warcraft forums. The forums there said it was a keylogger. The exe file disappeared after he ran it.

The log from Norton Internet Security says that "flashplayer.exe" made two modifications to the computer:

c:windows\system32\lka732_690.dll (which I deleted in safe mode before HiJT scan)

Registry\machine\software\microsoft\windows NT\current version\svc host\netsvcs

Spybot (run in safemode) only picked up a tracking cookie (excite).

Here is the HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:02 AM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The Eldest\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218850860343
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222445668626&h=49a4db7f0aad54a1c2b9f54cc21a5f28/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7123 bytes


Any help would be appreciated. Thank you.

Ted Blaszczyk

shelf life
2008-10-23, 00:33
i dont see anything in the log. about all you can do is try a different malware scanner and/or a online scan to see if it can dig up anything. there are ways you can monitor your own computer, keyloggers have to send info out, hence netstat to monitor and fport to find the exe. if any.

i suggest superanitspyware:
http://www.superantispyware.com/

online scan:
http://www.eset.com/onlinescan/



uses Internet Explorer only

check "YES" to accept terms

click start button

allow the ActiveX component to install

click the start button. the Scanner will update.

check both "Remove found threats" and "Scan unwanted applications"

click scan

when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt

please copy/paste that log in next reply.

Oldaad
2008-10-23, 05:35
shelf life,

Thanks for the reply.

Superantispyware turned up some tracking cookies.

Here is the eset log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3547 (20081022)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=4e001982d447fa4c9ba653142b8299e2
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-23 02:12:19
# local_time=2008-10-22 10:12:19 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=172760
# found=0
# scan_time=2470

Here is the recent history from Norton Internet Security (edited a bit):

10/21/2008 10:23 PM,Low,"flashplayer.exe made 2 modifications to your computer., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\the eldest\my documents\utilities\flashplayer.exe,"Tuesday, October 21, 2008 10:23 PM",System Configuration,"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs, c:\windows\system32\lka732_690.dll",

Category: Norton Product Tamper Protection
Date & Time,Risk Level,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction
10/22/2008 8:56 PM,Medium,Unauthorized access logged (Open Process),Logged,No Action Required,"Wednesday, October 22, 2008 8:56 PM",c:\program files\superantispyware\superantispyware.exe,2728,C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe,684,Open Process,Unauthorized access logged
10/22/2008 8:18 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Wednesday, October 22, 2008 8:18 PM",c:\windows\system32\svchost.exe,1448,"C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp6d5a.tmp\cur.scr",0,Open File,Unauthorized access blocked
10/21/2008 9:14 PM,Medium,Unauthorized access logged (Open Process),Logged,No Action Required,"Tuesday, October 21, 2008 9:14 PM",c:\documents and settings\the eldest\local settings\temp\aim_6.8.12.4\ocpinst.exe,212,C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe,356,Open Process,Unauthorized access logged
10/21/2008 9:14 PM,Medium,Unauthorized access logged (Open Process),Logged,No Action Required,"Tuesday, October 21, 2008 9:14 PM",c:\documents and settings\the eldest\local settings\temp\aim_6.8.12.4\setup.exe,2284,C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe,356,Open Process,Unauthorized access logged

Do I need to do anything with "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs"?

Any reccommended links for netstart or fport?

Thanks for the help...Ted Blaszzczyk

shelf life
2008-10-24, 04:22
hi,

you dont have to do anything with:\CurrentVersion\SvcHost\netsvcs
scvhost is a legit os file, many legit processes can use it, runs out of the system32 dir only.

from your norton log it looks like every "event" logged has a legit reason.
the online scan looks ok as well as the SAS log.

on second thought i would only recommend netstat and fport if you are familiar with them. hunting the process may also require additional tools. they really are only investigating tools to help weed it out, the process isnt so cut and dried.
i know of two apps that will help to tell you if you might have a keyboard logging app, i have never used either of them. check out both the links and read thru the documentation first. its hard to tell if these are being kept updated from the websites. one is open source. both are free. as far as i can tell both function on XP. the open source one looks like it has good online documentation, the other looks like it just blocks the malware.hard to tell. in any case iam not that saying you have a keylogger on your computer.

open source;
http://psmantikeyloger.sourceforge.net/prod01.htm

other:
http://www.snoopfree.com/default.htm

Oldaad
2008-10-24, 06:37
shelf life,

Thanks again for the help.

The open source PSMAntikeyloger didn't install correctly (BSD and restart on XP). I had to manually uninstall in safe mode.

Snoopfree installed and only detected an ATI hook and two Logitech hooks for keyboard hotkeys.

I don't know if the file my son downloaded was a joke or if the system32 file I deleted disabled it. I won't be buying anything online on this computer for a while anyway!

I appreciate the time you took to help me out. You guys do a great job on this site.

Ted Blaszczyk

shelf life
2008-10-25, 01:12
hi,

glad to help. maybe that dll you deleted did the trick. not suggesting that anyone click on links but you can get files (before installing them) checked out here:
http://www.virustotal.com/

if all is good i leave you with:

My Top Ten List
The Short Version:

1)Keep your OS, (Windows) browser (IE, FireFox) and other software up to date.
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons.
3) Install and keep them all updated: one antivirus and two or three anti-malware applications.
4) Refrain from clicking on links or installing files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message may seem.
5) Don't click on ads/pop ups or offers from websites requesting that you install software to your computer.
6) Don't click on offers to "scan" your computer.
7) Set up and use limited accounts for everyday use, rather than administrator accounts.
8) Install and understand the limitations of a third party software firewall.
9) Consider using an alternate browser and E-mail client.
10) If your habits include visiting or downloading/installing files from: warez, crack sites or p2p (file sharing) networks: then you are much more likely to encounter malicious code. Do you trust the source?

longer version in link below

happy safe surfing out there