Key Logger

Discussion in 'Malware Help (A Specialist Will Reply)' started by geniegirl, Nov 19, 2008.

  1. geniegirl

    geniegirl Private E-2

    I seem to have picked up a key logger similar to Anti-Virus2009. I have run all the tools in your "Do This First" file. Everything seemed to come up clean. I am attaching the MGTools.zip file and I also zipped the results of the combofix scan.

    I would appreciate any help.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is this something you installed:
    C:\Documents and Settings\Joy Fisher\Application Data\KeyingTool

    Use windows explorer to find and delete:
    c:\program files\rxuleo
    C:\Documents and Settings\All Users\Application Data\opynghaf

    Tell me why you suspect a keylogger. Did some program alert you? If so, which one, and what exactly did it show?
     
  3. geniegirl

    geniegirl Private E-2

    On previous scanning operations, I found and removed

    Adware.Vundo Variant
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\OPYNGHAF\QDGFADSD.EXE.BAK

    Trace.Known Threat Sources
    C:\Documents and Settings\Joy Fisher\Local Settings\Temporary Internet Files\Content.IE5\SN6DELMZ\516158[1].pdf

    [above 2 items found with Super Anti-Spyware]

    and

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{68A7FCA6-92FF-5B39-EF68-02F21953FCEA} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{755c6bc2-a679-4025-84d3-4ae283a87b14} (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{755c6bc2-a679-4025-84d3-4ae283a87b14} (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\uichk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

    [above items found with Anti-Malware]

    The two directories you mentioned were empty folders.

    I have no idea what the Keying Tool is/was. There were 2 .bin files in the directory. I deleted the directory.

    The reason I suspected a Key Logger is that just before I ran those scans my web account was accessed and the .htaccess file was changed to redirect anyone who came in via one of the big search engines to a virus infected site in Moldova. [probably AntiVirus2009]
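    The "Broken.SecurityProviders" entry in the Anti-Malware log above is worth understanding: the SecurityProviders registry value is a comma-separated list of DLLs that Windows loads into the security subsystem, so an extra name in it is a persistence point and a run-together string is a sign of tampering. The check below is an added example (not from this thread or from any of the tools named in it) that validates such a value against the known-good list quoted in the log; the "evilprov.dll" entry in the last sample is a constructed name, not something found on this machine.

```python
import re

# Known-good list, exactly as quoted in the "Good:" part of the MBAM log line.
BASELINE = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]

# A well-formed entry is a single bare DLL file name.
DLL_RE = re.compile(r"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)


def check_security_providers(value, baseline=BASELINE):
    """Return a list of findings for a SecurityProviders REG_SZ string.

    Flags three conditions: an entry that is not a single DLL name (e.g.
    several names run together with the separators stripped), a DLL that is
    not in the baseline, and a baseline DLL that has disappeared.
    """
    findings = []
    seen = []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        # Recover every DLL name inside the token, even if separators are gone.
        names = [n.lower() for n in DLL_RE.findall(token)]
        if len(names) != 1 or names[0] != token.lower():
            findings.append(f"malformed entry: {token!r}")
        seen.extend(names)
    for name in seen:
        if name not in baseline:
            findings.append(f"unexpected provider: {name}")
    for name in baseline:
        if name not in seen:
            findings.append(f"baseline provider missing: {name}")
    return findings


# Constructed samples: the Good/Bad strings from the log line, plus one with an
# extra (made-up) DLL appended, which is what a persistence implant looks like.
GOOD = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
BAD = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"
INJECTED = GOOD + ", evilprov.dll"

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("bad", BAD), ("injected", INJECTED)]:
        print(label, check_security_providers(sample) or "OK")
```

    On a live Windows box the same string can be read from HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders with winreg and passed to the function, which is the check the scanner is doing in the log.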
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Any time you suspect a keylogging type program, always use a different computer to change your passwords.

    I did not notice any firewall application...do you have one?

    The scans with SAS and MBAM did their jobs. :)

    If you are not having any other malware issues, then:
     
