Keylogger?

Discussion in 'Malware Help (A Specialist Will Reply)' started by GripeApe, Mar 11, 2005.

  1. GripeApe

    GripeApe Private E-2

    Hi Folks,

    Been battling a set of nasties most of the day including a variety of mIRC trojans, worms and bots, oh my!!!

    Think I've gotten most of it licked (famous last words), but upon login there's a little DOS box that flickers briefly in the lower left corner of the screen, so I am wondering if I've got a keystroke logger I haven't been rid of yet? I managed to get a window shot and the Title Bar contains 'UserLogon.C'.

    HiJackThis log doesn't have anything obvious to me - though there are a bunch of O23 - Service messages indicating an unknown owner and all of the service Paths have been redirected to a location under my profile ...

    Any thoughts on how to identify whether I've got a logger or something else going on here ... HJT and other logs available on request ...

    Thanks,
    Chuck
     
  2. TheOldThug

    TheOldThug First Sergeant

    Have you gone through the READ ME yet? If you haven't then please do so. Then tell us the results and send us a HJT log.

    We ask that you please try to work through the following TUTORIAL first.
    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not, post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. GripeApe

    GripeApe Private E-2

    I had gone through the README - though admittedly, not in its entirety.

    System Info: Win2K Adv Server/SP4, Updates current as of 3/2/2005.

    Step 1 - Virus And Trojan Scanning (Safe Mode):
    =====================================
    + TrendMicro Housecall Scan - Found 3 Buggers that I had already moved and renamed ...
    ++ alte.exe - TROJ.DCOM.B
    ++ ipcfg.exe/wshield.exe - BKDOOR.FLOOD.J
    + Symantec Security Check - Found 1 that I had already moved and renamed ...
    ++ 090-ntpass.xpn - Hacktool.XScan

    Step 2 - System Cleaning (Safe Mode):
    =============================
    + CCleaner v1.17.094 - Done (There were a couple of entries in the Advanced section that appeared related to a couple of things I had previously removed.)


    Step 3 - Primary Spyware Scan and removal (Safe Mode):
    ===========================================
    + McAfee Stinger (v2.5.3) - Found several IRC Trojans that I had already moved and renamed:
    ++ rcfg.ini/skerr.txt - IRC/Flood.bi Trojan
    ++ dl.exe - W32/SDbot.worm.gen.y Virus
    + Ad-AwareSE (Def. SE1R32-10/3/2005) - Full System Scan Result -Clean
    + Ad-AwareSE VX2-Cleaner (v1.03) - Scan Result -Clean
    + SpyBOT S&D v1.3.1TX - Scan Result -Clean

    Step 4 - Secondary Spyware Scan and removal (Safe Mode):
    ==============================================
    + CWShredder (v2.13) - Not Found
    + Kill2Me - Look2Me Not Found
    + About Buster (v4.0-25) - Not found, no ADS on system
    + HSRemove (v2.40) - 8 items removed (a log with some detail as to what the heck these 8 items were would have been nice) ...

    Step 5 - Other Tools (Safe Mode):
    ==========================
    + Symantec A-V Corporate Edition Client - v.8.1.0.825: Scan Engine - v.4.2.0.7: Def. - 3/10/2005 rev.18 - Scan Result -Clean
    + Trojan Hunter (v4.2-908) -Clean

    + RootKitRevealer (v1.20 Normal Mode) - Clean

    Step 6 - HJT (Normal Mode):
    =====================
    + HJT (v1.99.1) - Logfile attached


    Would like some input on the O10 and O23 messages indicating the path to the service executable is missing, as well as insight on the box appearing at login that I described in the original post.
     
  4. GripeApe

    GripeApe Private E-2

    Guess I botched attaching the attachment last time ...
     

  5. TheOldThug

    TheOldThug First Sergeant

    I have asked Chas to take a look at this for you.
     
  6. GripeApe

    GripeApe Private E-2

    Thanks, any help is much appreciated!
     
  7. GripeApe

    GripeApe Private E-2

    Incidentally, I should have mentioned this, but I had modified the O17 entries myself - the scan reported the correct domain name values, which I generified before uploading - apologies for not mentioning it at the time of submission ...
     
  8. GripeApe

    GripeApe Private E-2

    BTW,

    Re: O10 entry ... LSPfix doesn't have any issue with the Winsock shims.

    Re: O23 entries ... It almost seems like %SYSTEMROOT% is getting replaced with %HOMEDRIVE%%HOMEPATH% - At least so far as HJT is concerned (Same w/ O10 entry above)... Registry values for ENV look kosher ...

    I tried installing a util (ptsnoop) in order to try and get some info on the process that is launching the offensive, short-lived window at login, but I'm not sure it's working properly - it only seems to take a single snapshot of info, rather than a view every 5 seconds. It's configured to run at login :) (HKLM\Software\Microsoft\Windows\CurrentVersion\Run)

    The info is brief, so I'll take the liberty of posting it in the event it jingles a bell somewhere ...

    3/14/2005 5:22:23 PM - Logging Started
    3/14/2005 5:22:28 PM - Start: SysFader
    3/14/2005 5:22:28 PM - Start: NetDDE Agent
    3/14/2005 5:22:28 PM - Start: Local Disk (C
    3/14/2005 5:22:28 PM - Start: MCI command handling window
    3/14/2005 5:22:28 PM - Start: Windows 2000 Configure Your Server
    3/14/2005 5:22:28 PM - Start: About WinZip Quick Pick
    3/14/2005 5:22:28 PM - Start: TrojanHunter Guard
    3/14/2005 5:22:28 PM - Start: TrojanHunter Guard
    3/14/2005 5:22:28 PM - Start: Snoop
    3/14/2005 5:22:28 PM - Start: HkWndName
    3/14/2005 5:22:28 PM - Start: Symantec AntiVirus Corporate Edition
    3/14/2005 5:22:28 PM - Start: IconWindow
    3/14/2005 5:22:28 PM - Start: Power Meter
    3/14/2005 5:22:28 PM - Start: Connections Tray
    3/14/2005 5:22:28 PM - Start: MS_WebcheckMonitor
    3/14/2005 5:22:28 PM - Start: DDE Server Window
    3/14/2005 5:22:28 PM - Start: SYSTEM AGENT COM WINDOW
    3/14/2005 5:22:28 PM - Start: Scan
    3/14/2005 5:22:28 PM - Start: ACTION
    3/14/2005 5:22:28 PM - Start: VPIPCLINK
    3/14/
     
  9. TheOldThug

    TheOldThug First Sergeant

    I am moving you up in position; you're dropping back a ways and I don't want you to get lost. Chas must be busy. He said he will look at your log.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I was very busy Thug!

    First question/problem: why and how did you get to have Windows system files in a subfolder of C:\Documents and Settings\ckenyon.
    An example is: C:\Documents and Settings\ckenyon\WINDOWS\System32\smss.exe
    Windows files do not belong there. And you still have c:\winnt\system32 too (which you should have).
    What did you do? Did you install Windows twice or did you do some kind of repair?
    Most of your services are pointing to these files and they should be pointing to files in C:\winnt\system32

    Are the files in C:\Documents and Settings\ckenyon\WINDOWS\System32 actually really there?
     
    Last edited: Mar 15, 2005
  11. Adrynalyne

    Adrynalyne Guest

    Something is way off here.

    First of all, the OS is Windows 2000.

    However, just giving a quick glance, there are Windows XP services listed in the O23's:

    O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\ckenyon\WINDOWS\System32\svchost.exe (file missing)

    O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\ckenyon\WINDOWS\System32\services.exe (file missing)

    We are missing some info here, something you haven't told us...

    Did you attempt an upgrade to XP, only to have it fail?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good point Adyrn!
     
  13. GripeApe

    GripeApe Private E-2

    To Chas:

    System files don't actually exist under the user profile, only in %SYSTEMROOT%/system32. I believe this system is running Terminal Services in Application Mode, so perhaps that has some bearing as to why HJT shows the errant paths (In the properties on the services the fully qualified paths show up fine).

    To Adyrn:

    I've checked a couple of other win2k servers and both W32Time and WZC svcs appear to be standard fare ... I'll research the history of this system a little more to see if anything unusual turns up.

    Any other suggestions regarding how to get a handle on what's behind the box that's popping up (popping by is probably a better description) upon login?
     
  14. Adrynalyne

    Adrynalyne Guest

    You did not mention you are running Windows 2000 server.

    I stand corrected by w32time; someone told me recently there was no time synchronization in 2K.

    But for Wireless Zero, I've checked three sites now:

    http://www.blackviper.com/WIN2K/servicecfg.htm
    http://labmice.techtarget.com/articles/win2000services.htm
    http://snakefoot.fateback.com/tweak/winnt/services.html

    So unless these sites are Pre Sp4, and Sp4 added it, I don't understand how that service got there.

    At any rate, you notice how the O23s say file missing? I'm guessing because you have the reg entries, but not the files.

    Have you checked to see if the real counterparts are there? If they are, and show up properly in services.msc, then just nuke the O23s with HJT.
     
    Last edited by a moderator: Mar 15, 2005
  15. GripeApe

    GripeApe Private E-2

    Adryn ... Sorry, but I beg to differ ...

    In my second post (3rd in the thread) ...

    I know there's a fair amount of detail here, apologies if it's not formatted so as to be conveniently accessible.

    Any help/ideas are much appreciated!

    Regards,
    Chuck
     
  16. Adrynalyne

    Adrynalyne Guest

    re-read my last post. I've modified it.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Adryn,

    HJT has some problems in the O23 service area. The bug seems to stem from whenever it does not interpret the service owner correctly. It then also states the files are missing, which in most cases is not true. I have spoken directly with Merijn about this and he is aware there are problems here (the next release may fix them).

    The problem in Chuck's log is a little different. While he has said there are no files under his C:\Documents and Settings\ckenyon\WINDOWS\System32 as indicated, they still should really exist in C:\Winnt\System32. And HJT should be showing the services there. If not, I would expect the Path to Executable entries may be wrong in the service itself.
     
  18. GripeApe

    GripeApe Private E-2

    Adryn - The table in the first link you provided seems to indicate that the Wireless Config service comes standard in Win2k Svr, but is installed in a 'Manual' state - i.e. it would be necessary to manually start the service or change its state to automatic, if desired. Please correct me if I'm wrong. I've now checked 5 Win2k Servers (though all of them are at SP4) and all had the Wireless Config Service installed for Manual startup.

    Regards,
    Chuck
     
  19. GripeApe

    GripeApe Private E-2

    Chas,

    Let me try to be more clear ...

    1. The Services exist with 'normal' Executable paths - i.e. C:\Winnt\system32\service_name.exe
    2. The files referenced by the 'Executable paths' field in the Service properties dialogue also exist.
    3. The files are fine, in the right location, and match the properties as displayed using Services.msc.

    At this point, I don't think these represent a real system problem. HJT is apparently picking up the wrong executable path, presumably due to issues identifying the service owner. This may be completely unrelated to the system running TS in application mode - I was merely tossing the idea out there.

    So for now, I'll ignore the O10 and O23 messages (though I'm completely willing to keep this open if anyone sees a reason to).

    Is there anything in any of the other sections of the logfile that would indicate a potential problem? I'm still no closer to identifying the origin of the window that keeps popping up at login - this is currently of the most concern to me. Can anyone think of any other tools that would help trace the origin of this thing?

    Thanks,
    Chuck
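    As a defender's cross-check for the O23 discussion in this thread, here is an added example (not from the thread, HijackThis, or any poster): it parses an O23 line, expands the service's registry ImagePath with a supplied environment, and decides whether a discrepancy is HJT's reporting or a real path problem. The sample line is one of the O23 lines quoted earlier in the thread; the environment dict and the set of existing files are constructed stand-ins for the real host's environment and disk.

```python
import re

# Matches a HijackThis O23 line such as the ones quoted in this thread, e.g.
# O23 - Service: Windows Time (W32Time) - Unknown owner - C:\...\services.exe (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_o23(line):
    """Return dict(display, name, owner, path, missing) or None if not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    return entry

def expand_image_path(image_path, env):
    """Expand %VAR% tokens in a service ImagePath using a supplied environment dict."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), image_path)

def executable_from_image_path(image_path):
    """Strip arguments: '"C:\\x.exe" -k net' or 'C:\\x.exe -k net' -> 'C:\\x.exe'."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    parts = s.split(" ")
    for i, part in enumerate(parts):
        if part.lower().endswith(".exe"):
            return " ".join(parts[: i + 1])
    return s

def assess(entry, registry_image_path, env, existing_files):
    """Classify a service by comparing HJT's view with the registry ImagePath.
    existing_files: set of lower-cased paths standing in for os.path.exists() so this
    runs offline (constructed); on the real host use os.path.exists instead."""
    system_root = env["SYSTEMROOT"].lower()
    real_exe = executable_from_image_path(expand_image_path(registry_image_path, env)).lower()
    if not real_exe.startswith(system_root):
        return "INVESTIGATE_PATH"   # service really launches from outside %SystemRoot%
    if real_exe not in existing_files:
        return "FILE_MISSING"       # registry path is sane but the binary is absent
    if entry["missing"] or not entry["path"].lower().startswith(system_root):
        return "HJT_MISREPORTED"    # registry and disk agree; HJT's O23 line was wrong
    return "OK"
```

    Only the INVESTIGATE_PATH and FILE_MISSING verdicts point at the service itself; HJT_MISREPORTED is the situation Chuck describes, where services.msc and the files on disk are fine.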
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you run HJT on the other systems you have been referring to, does it show this same messed up info about the O23 services?

    I see nothing in your log to indicate a malware problem other than what we have been discussing.
    Even the O10 line is more than likely confused because the DLL appears to be in the wrong place. That DLL is a valid MS DLL but not if it is running from that folder.

    At this point all I can say about the popup is to check a StartupList log from HJT and to look in Add/Remove programs for anything strange.
     
  21. GripeApe

    GripeApe Private E-2

    Chas, Adryn,

    Thanks for all the help and suggestions. It appears the popup Command Window may be related to running TS in Application mode, as it went away when I converted to Remote Admin mode. I'll do a little research and pop back in with the results ...

    Regards,
    Chuck
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about your other systems? Do they have the same strange looking HJT logs?
     
