Keylogging in MSN, Outlook Express, and CuteFTP

Discussion in 'Malware Help (A Specialist Will Reply)' started by jadiknight, Jan 25, 2007.

  1. jadiknight

    jadiknight Private E-2

    I have many layers of defence on my computer, including a 0-day attack app called CyberHawk. Everything was going fine, until the other day, CyberHawk started alerting me that Outlook Express was logging keystrokes. I chose to deny it, and it was shut down immediately, and then once or twice more, and now it does occasionally, but not often.

    Then CH alerted me that MSN was logging keystrokes. After denying it, now MSN continues to shut down during conversations, and it is very frustrating. Then CuteFTP it turns out was logging strokes but due to the necessity of transferring large files I have chosen to allow it.

    I have tried all kinds of rootkit and malware detectors and at worst they found a couple of low risk Ad tracking cookies, but the problem persists.

    Is the keylogging normal in these apps?? What should I do?

    Thanks kindly in advance for any input.
     
    jadiknight, Jan 25, 2007
    #1
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
    TimW, Jan 26, 2007
    #2
  3. jadiknight

    jadiknight Private E-2

    Keylogging found. Scans and logs potsted

    Hello, I had posted a question a little while ago suspecting some malware on my computer, as I found out that some programs like MSN, Outlook Express, and CuteFTP were keylogging. I was told to run some scans and post the results. I have not cleaned anything from the scan results, beyond what some of these programs have done automatically.

    I am attaching a zip of the 6 logs from my scans. I will note that even though the HijackThis scan seems ok, it gave me an error message the first time I ran it, and then compiled the log. When I ran it again to see the error message again, I didn't get it, and it created what looks like an identical log.

    I would very much appreciate your input on what I should do next.
     

    Attached Files:

    jadiknight, Mar 4, 2007
    #3
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run Counterspy and have it remove/quarantine everything that it finds!

    Why did you not do this?

    It didn't fix anything!! Did you not allow it to?


    You also did not do this!

    Use windows explorer to find and delete this:
    C:\WINDOWS\system32\amnau32.dll
    C:\WINDOWS\System32\irdvxc.exe <--- if found.

    Use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 1"
    J2SE Runtime Environment 5.0 Update 10"
    J2SE Runtime Environment 5.0 Update 11"
    J2SE Runtime Environment 5.0 Update 2"
    J2SE Runtime Environment 5.0 Update 4"
    J2SE Runtime Environment 5.0 Update 6"
    J2SE Runtime Environment 5.0 Update 8"
    Java 2 Runtime Environment, SE v1.4.2_01"
    Java 2 Runtime Environment, SE v1.4.2_03"
    Java 2 Runtime Environment, SE v1.4.2_05"
    Java 2 Runtime Environment, SE v1.4.2_06
    REboot and install:
    Java Runtime 6

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to MSDisk
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste MSDisk into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

    After clicking Fix, exit HJT.
    Now attach the below new logs (Individually - not as zip files) and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
    TimW, Mar 5, 2007
    #4
  5. jadiknight

    jadiknight Private E-2

    Hello Tim,

    Thanks very much for your help. I have tried to stick to the letter of everything you have instructed, and here is what happened:

    - Re-ran CounterSpy and had it remove everything, with the exception of an exe it indicated was low risk, and in fact, I know it to be safe. Attached log fyi.

    - Emptied whatever quarantine folders I could find, including the Norton protected recycling bin, though it seems that BitDefender still seemed to find stuff in quarantine folders, it did not delete everything it found, or seem to give me the option to do so. Anyway, I accepted license and ran scan without touching configuration. Attached log that was saved as instructed.

    - Had CCleaner from before and I ran it.

    - Did not find C:\WINDOWS\system32\amnau32.dll or C:\WINDOWS\System32\irdvxc.exe in System32

    - Took care of the java removal.

    - Merged the fixME.reg

    - MSDisk was no where to be found in services, so I simply proceeded to the HJT step.

    - Ran HJT and attached log (deleted the line as instructed).

    - Ran GetRunKey and ShowNew. Will attach them in following post.
     

    Attached Files:

    jadiknight, Mar 7, 2007
    #5
  6. jadiknight

    jadiknight Private E-2

    Here are the remaining two logs you requested.

    I look forward to your input. Thanks much again.
     

    Attached Files:

    jadiknight, Mar 7, 2007
    #6
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.

    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Now run HJT and have it fix:
    O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

    After clicking fix, exit HJT and attach a new HJT log.
     
    TimW, Mar 7, 2007
    #7
  8. jadiknight

    jadiknight Private E-2

    I have attached the log. Thing is, the log gets created and then I delete the line. But when I ran the scan again, that line seemed to still be there.
     

    Attached Files:

    jadiknight, Mar 7, 2007
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Problems that I see:
    1. Morpheus 5.1 (remove only) should have been uninstalled in step 0 of the READ ME.
    2. Multiple antivirus programs are running which means step 3 of the READ ME was not followed. One must be uninstalled now.
    3. Spybot 1.3 is installed meaning the version given in the READ ME was not installed. Spybot 1.3 has not been used for over two years.
    4. While not part of the READ ME, Ad-aware 6 Personal is being used and it is also at least two years out of date.
    While uninstalling one of the antivirus applications, CounterSpy should be uninstalled since it is no longer needed and also because Spy Sweeper and AVG Antispyware are already installed.

    Suggestion for Tim: use normal procedure with services.msc to stop and disable the service. Then use HJT to delete the NT Service.
     
    chaslang, Mar 7, 2007
    #9
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Network helper Service
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste Network helper Service into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

    After clicking fix, exit HJT and attach a new HJT log.
     
    TimW, Mar 7, 2007
    #10
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You enter MSDisk in the the box in HijackThis not Network helper Service.

    This is also why your sc commands did not work. The following sc stop Network helper Service is not a valid command for sc. All it will see is sc stop Network and that service does not exist.
     
    chaslang, Mar 7, 2007
    #11
  12. jadiknight

    jadiknight Private E-2

    Hello to both of you,

    I am attaching the log of HJT performed after I deleted "MSDisk" in the 'delete NT service' box. The line in question did not show up in the scan, so there seemed to be nothing to fix.

    I have also uninstalled redundant programs.

    Many thanks for any advice.
     

    Attached Files:

    jadiknight, Mar 8, 2007
    #12
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may uninstall any programs we had you download.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
    TimW, Mar 8, 2007
    #13
  14. jadiknight

    jadiknight Private E-2

    Thank you very very much for all your help. I really appreciate it. So everything should be good now (I will follow all instructions in the malware protection page)?

    This whole thing started when I discovered that MSN, Outlook, etc. were keylogging. Should I not expect them to do that anymore? Is there any evidence that they do this normally? My friend installed CyberHawk on his computer and they seem to be doing the same thing. He thinks his computer is clean.

    Thanks again,

    Jad
     
    jadiknight, Mar 8, 2007
    #14
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you look at your logs? Most of your problems arose from P2P software ....

    I am not sure what you mean by Keylogging....do you mean that your firewall was reporting them trying to get on the internet? If so, yes they do that...looking for updates and "reporting home to MS". But the malware you had was and should be your main concern.

    Do read and follow the link for how to protect yourself.
     
    TimW, Mar 8, 2007
    #15
  16. jadiknight

    jadiknight Private E-2

    What I had meant by key logging was the fact that my security program "CyberHawk", which monitors suspicious behavior, and is meant as a defense against 0-day attacks, popped up a message with each of these programs saying that they were "logging keystrokes", did I want to allow that or not. That's what I was wondering about.

    I absolutely appreciate the p2p issue, and will not be installing any again. But is there any more cleaning I should be doing?
     
    jadiknight, Mar 11, 2007
    #16
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can set cyberhawk to always deny those programs from "calling home".

    If you follow the instructions in the how to protect yourself ....run the cleanup programs and keep your anti-virus and anti-spyware up to date, you shouldn't have problems ...depending on your surfing habits and such.
     
    TimW, Mar 11, 2007
    #17
  18. jadiknight

    jadiknight Private E-2

    I will follow your advice religiously! I just wanted to post one final reply to thank you very much for all of your help. So very kind of you.

    All the best!

    Jad
     
    jadiknight, Mar 12, 2007
    #18
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem....safe surfing.
     
    TimW, Mar 12, 2007
    #19

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds