Key-logger

Discussion in 'Malware Help (A Specialist Will Reply)' started by geniegirl, Sep 9, 2009.

  1. geniegirl

    geniegirl Private E-2

    I think I have picked up a key logger. Within minutes of my logging into my web hosting account, a hacker logged in and started rearranging stuff.

    I have run all of the tools listed in

    http://forums.majorgeeks.com/showthread.php?t=35407

    All I found was a rogue installer, which was fixed, and some stuff locked to the Windows API (RootRepeal), which I did not know how to handle.

    Can y'all provide me with some help?
     

    Attached Files:

  2. geniegirl

    geniegirl Private E-2

    Last log file added to posting.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I suggest you first use a different computer and change your password on your account.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now, please double-click the RootRepeal.exe previously downloaded.

    * Select File then Scan
    * On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    * When the scan is complete, highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file:

    • C:\WINDOWS\Temp\ib1.tmp
    • C:\WINDOWS\Temp\ib2.tmp
    • C:\WINDOWS\Temp\ib3.tmp
    • C:\WINDOWS\Temp\ib4.tmp
    • C:\WINDOWS\Temp\ib5.tmp

    * After Wiping all files, immediately reboot your pc!

    Now use windows explorer to find and delete:
    c:\windows\isRS-000.tmp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  4. geniegirl

    geniegirl Private E-2

    This file, c:\windows\isRS-000.tmp, was not found on my computer. I used Windows search and only searched on isRS as a part of the file name.

     

    Attached Files:

  5. geniegirl

    geniegirl Private E-2

    Running Trend Micro's HouseCall triggers a message that I have downloader.obfuskated.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I forgot to ask you for the log after running RootRepeal. Please attach that to your next reply.

    In the meantime, Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::

    File::
    C:\WINDOWS\Temp\ib1.tmp
    C:\WINDOWS\Temp\ib2.tmp
    C:\WINDOWS\Temp\ib3.tmp
    C:\WINDOWS\Temp\ib4.tmp
    C:\WINDOWS\Temp\ib5.tmp
    C:\WINDOWS\Temp\ib6.tmp
    C:\WINDOWS\Temp\ib7.tmp
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1AD.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1AE.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1AF.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1B0.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO32.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\MSOHTML
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\MSOHTML1
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~1
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~2
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~3
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~4
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\UNTITL~1

    Folder::
    C:\WINDOWS\Temp\ib1.tmp
    C:\WINDOWS\Temp\ib2.tmp
    C:\WINDOWS\Temp\ib3.tmp
    C:\WINDOWS\Temp\ib4.tmp
    C:\WINDOWS\Temp\ib5.tmp
    C:\WINDOWS\Temp\ib6.tmp
    C:\WINDOWS\Temp\ib7.tmp
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1AD.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1AE.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1AF.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO1B0.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\7ZO32.TMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\MSOHTML
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\MSOHTML1
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTMP
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~1
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~2
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~3
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\PLUGTM~4
    C:\Documents and Settings\Joy Fisher\Local Settings\temp\UNTITL~1

    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * RootRepeal log
    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. geniegirl

    geniegirl Private E-2

    I have isolated the infected computer by disconnecting it from my network and modem. I forgot to get a fresh copy of combofix [sigh]

    As soon as combofix rebooted the ib_.tmp files came back and the files in Qoobox were updated.

    I found a suspicious file in my root directory:

    CSR00027842-1238695128.exe

    From properties:
    This file came from another computer and might be blocked to help protect this computer.

    Identified as:
    SuperSystemAdministrator
    superadblocker.com

    And..

    As soon as I turn on the computer, I get the following in windows/tmp:

    dw.log which (in addition to a date stamp) says:

    ship dw20.exe 11.0.8160.0
    Manifest mode

    DW20 is supposedly a part of Microsoft Office's Error Reporting service, but I have not used Office in the last month.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay... ISP problems.

    Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\TEMP\TMP0000003104ECFE7A9AE89F6B
    E:\LaunchU3.exe
    
    DirLook::
    c:\3d2c43d65753e7aae1796cddbb30
    
    FCopy::
    C:\MGtools\temp\beep.sysmg | C:\WINDOWS\system32\dllcache\beep.sys
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0be99a57-bcb8-11dd-b39d-00038a000015}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef2946e7-39bb-11de-a2f0-00038a000015}]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
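    The thread's cleanup rounds keep coming back to the same question: did the ib*.tmp files, the isRS-000.tmp file and the two MountPoints2 keys return after the reboot? The following PowerShell script is an added example, not part of the thread or of the MajorGeeks tools; it re-checks exactly the paths and registry keys quoted in the posts above and records creation time, size and SHA-256 so that two runs (before and after a reboot) can be compared. It assumes Windows PowerShell 4 or later for Get-FileHash, so it would be run from a newer Windows host than the XP machine in the thread, and the MountPoints2 GUIDs are machine-specific values taken from the CFScript above.

```powershell
# Added example (not from the thread): recurrence check for the artifacts
# named in the posts above. Run it once after cleanup, again after a reboot,
# and compare the two outputs.
# Assumption: Windows PowerShell 4+ (needed for Get-FileHash).

# Temp files quoted in the thread (C:\WINDOWS\Temp\ib1.tmp .. ib7.tmp, isRS-000.tmp).
$tempFiles = 1..7 | ForEach-Object { "C:\WINDOWS\Temp\ib$_.tmp" }
$tempFiles += 'C:\WINDOWS\isRS-000.tmp'

# MountPoints2 keys quoted in the CFScript above; these GUIDs are specific to
# the machine in the thread and serve only as sample values here.
$mountPointKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0be99a57-bcb8-11dd-b39d-00038a000015}',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef2946e7-39bb-11de-a2f0-00038a000015}'
)

function Test-Recurrence {
    # Returns one record per artifact that is present again.
    $findings = @()

    foreach ($f in $tempFiles) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            # A file the system will not let us read is itself worth reporting:
            # the thread describes these files as "locked to the Windows API".
            $hash = try {
                (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            } catch {
                'UNREADABLE (locked?)'
            }
            $findings += [pscustomobject]@{
                Type    = 'File'
                Path    = $f
                Created = $item.CreationTime
                Size    = $item.Length
                SHA256  = $hash
            }
        }
    }

    foreach ($k in $mountPointKeys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{
                Type    = 'RegKey'
                Path    = $k
                Created = $null
                Size    = $null
                SHA256  = $null
            }
        }
    }

    return $findings
}

$result = Test-Recurrence
if (-not $result) {
    'None of the listed artifacts are present.'
} else {
    $result | Format-Table -AutoSize
}
```

    Comparing the SHA-256 column across two runs tells you whether a dropper rewrote the files with new content or the same bytes came back, which is the distinction TimW is chasing by re-running ComboFix after each reboot; an empty result on both runs is the "did not reappear" outcome geniegirl reports in the next post.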
     
  9. geniegirl

    geniegirl Private E-2

    For the first time, the ib_.tmp files did not reappear in the windows/temp directory when combofix rebooted.

    Logs attached

    Is there any way I can delete the left over WIN update directory:
    c:\3d2c43d65753e7aae1796cddbb30
     

    Attached Files:

    Last edited by a moderator: Oct 3, 2009
  10. geniegirl

    geniegirl Private E-2

    Today, the ib1.tmp through ib5.tmp files reappeared, but they are no longer locked to the WIN API.

    Also, in my local settings/temp/ directory, there are the following files

    etilqs_mQy4lhGhIsLkaGhiQsNr

    V5EOUKa00976 - identified as Downloader.Obfuskated by HouseCall (housecall.trendmicro).
    HouseCall cannot quarantine or remove the file, but I can delete it.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no need to delete that directory. Your previous MGLog was not showing anything in your temp folders. The etilqs_mQy4lhGhIsLkaGhiQsNr files are not malware.

    What issues are you having?
     
