Keystroke Logger using Lsass.com in microsoft kit

Discussion in 'Malware Help (A Specialist Will Reply)' started by gigtime, Apr 16, 2005.

  1. gigtime

    gigtime Private E-2

    Hi,

    On 3/25, I got an email from the owner of a membership site
    I belong to. I knew he was making some changes to his site's
    software so I didn't pay close enough attention to the email
    until it was too late.

    His email address was spoofed. I clicked on a link and
    installed a file called Verify_Test_Procedure.exe. I had
    both Spybot and NAV active but neither caught it and windows
    firewall wasn't preventing it from sending out data.

    What I've learned so far is that it installed a folder in
    C:/Windows called microsoft kit. Within that folder is a
    file called 'keyed'. Key is an active log of every keystroke
    on the machine since the file was installed. There is also a
    screen capture jpg (scrap.jpg). A subfolder with
    myname.image contains seven additional screen shots from
    random dates.

    A few days ago, I installed Sygate firewall and that's now
    blocking lsass.

    I've run through all the procedures in the sticky post. None
    of them have revealed anything. Neither have scans by McAfee
    and Panda Titanium 2004.

    I've turned off system restore as suggested but when I
    delete the following entries with Hijack This, the files
    return without me rebooting the machine.

    I'm substituting "my name" for my real name here for
    privacy.

    04 - HKLM\ . . \Run: [My Name Microkit] C:\WINDOWS\microsoft kit\lsass.com
    04 - HKLM\ . . \RunOnce: [My Name Microkit] C:\WINDOWS\microsoft kit\lsass.com /RunOnce

    I can post the entire Hijack This log if needed.

    fyi, the 17 year old that planted this had hacked into the
    forum and was posting. After he did it, he apparently got
    into some trouble with his parents. He actually came back to
    the forum using someone else's id and password and confessed
    to what he did.

    He said that he'd 'turned off' the software and didn't do
    anything with the data he gathered because he was scared. He
    said Panda Titanium 2005 was the only program that would
    catch what he did. Unfortunately, I'm unable to install
    Panda Titanium 2005 on my machine. During the install, Panda
    tells me I must uninstall Norman (not Norton) Virus Control
    before I can install Panda.

    The problem is, I don't have Norman Virus Control on my
    machine and it doesn't show up in my add/remove programs
    panel. I've put in a support email to Panda but haven't
    heard back yet.

    Thanks in advance for your help. I've, as far as I know,
    stopped the data from getting out but it's still slowing
    down my machine big time.

    Thanks,

    Bill
     
  2. jarcher

    jarcher I can't handle a title

    first off. . .
    Have you already gone through this sticky if not please do so. . .
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal:
    if you have double check everything and make sure you did do everything
    and all software is up to date

    and have you tried a² FREE?
    good at finding keyloggers and such


    just a thought. . .


    and run through this before attaching a log
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting:
    *Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis! Please do this!!!*

    then we will go from there. . .
     
  3. gigtime

    gigtime Private E-2

    Hi,

    I've run through all the suggested steps in
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and more.

    A2Free didn't find it either. I even tried having A2Free scan the directory
    that I've found the log and screen shot jpgs in.

    I've read the NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting and have attached the Hijack This log.

    Thanks,

    Bill
     

    Attached Files:

  4. gigtime

    gigtime Private E-2

    Wanted to add that I saw Trojan Hunter recommended in another
    thread so I installed it and gave it a try.

    Trojan Hunter detected the modification of the lsass.com file in the registry. Something to do with a %1 added to the line so it would continue to replicate itself. The program asked if I wanted this fixed before starting the scan. I said yes.

    But it quickly reappeared when I rebooted. I also notice that when I reboot, Spybot warns me about registry changes. And these were changes that were made 3-4 reboots ago when I had Hijack This remove them. Yet, each time I reboot, Spybot asks about the same changes again.

    Bill
     
  5. jarcher

    jarcher I can't handle a title

    TeaTimer is known for catching every registry change, good or bad, but mostly it can be annoying, IMO, so I do not use it. Disable it in SB S&D.

    here are some things I saw in your HJT log

    run hjt, check
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF:{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}
    O16 - DPF:{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}
    O16 - DPF:{56336BCB-3D8A-11D6-A00B-0050DA18DE71}
    O16 - DPF:{56336BCB-3D8A-11D6-A00B-0050DA18DE71}

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
    O2 - BHO: (no name) - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

    close all browsers and click fix
     
  6. gigtime

    gigtime Private E-2

    I followed your instructions and given my results, you'll probably want to make sure that I've got System Restore turned off on all drives. I do.

    Here's what happened:

    O16 - DPF:{56336BCB-3D8A-11D6-A00B-0050DA18DE71}

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
    O2 - BHO: (no name) - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - (no file)

    - All Four Return on Reboot

    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

    - Returns on reboot although without the URL

    What should I try next?

    Thanks,

    Bill
     
  7. jarcher

    jarcher I can't handle a title

    my wife was in a hurry. .
    sorry about that then. .anyway

    post a new log and I will take a longer look

    I think you have something in startup that I missed
    and I want to see a more recent log

    again sorry
     
  8. gigtime

    gigtime Private E-2

    Ok, here's a new log. (attached)

    I've noticed that at the moment the 'keyed' file hasn't
    recorded any new data since yesterday afternoon. Apparently,
    something I do at startup triggers it. I have a hunch that it is
    when I start Outlook.

    It still, however, tries to send data throughout the day. Sygate
    lets me know that it's being blocked. Sygate shows me that it's
    trying to send the data to minimovics.redirectme.net [65.32.32.124]
    Tracking that IP shows a Roadrunner block in Florida. That's the
    machine the hacker said he took over to plant the trojan.

    Thanks for your help. I'm eager to get rid of this, it's prevented me
    from using my desktop and I'm really behind in my work.

    Bill
     

    Attached Files:

  9. jarcher

    jarcher I can't handle a title

    Run HJT and check

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file) safe to remove
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file) safe to remove
    O2 - BHO: (no name) - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - (no file) safe to remove
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKCU\..\Run: [EzineExpress] J:\MYDOWN~1\EZINEE~1\Client.exe -minimize(If you use Digi Guide you should leave this process running. otherwise terminating this process should not have any negative repercussions.)
    O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
    O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
    O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra ''Tools'' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -

    close everything(all running apps, browsers,etc. . .)

    click fix



    Delete the C:\Program Files\MyWay\ folder.

    Delete the file NZDD#.DLL which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\(The "#" in the filename means that the filename might contain numbers)

    Uninstall Alexa.(add remove programs)
    Delete the file AlxTB1.dll which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\

    restart
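The fix lists in this thread are built from HijackThis log lines. The Python script below is an added example, not something posted in the thread and not HijackThis code; it applies the triage rules visible in this thread to such lines: O2/O3 entries reading "(no file)" are orphaned, O16 DPF entries with no download URL are leftovers, and an O4 autostart whose file carries a core Windows process name (lsass here) but does not live at the expected system32 .exe is a masquerade. The sample log is assembled from lines quoted in the thread; the process-name list and the system directory are assumptions for the example.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from pathlib import PureWindowsPath

# Constructed sample assembled from lines quoted in this thread. "(no file)"
# is how HijackThis marks an entry whose referenced file no longer exists.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [My Name Microkit] C:\WINDOWS\microsoft kit\lsass.com
O4 - HKLM\..\RunOnce: [My Name Microkit] C:\WINDOWS\microsoft kit\lsass.com /RunOnce
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
"""

ORPHAN_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): .*? - \{[0-9A-Fa-f-]+\} - (.*)$")
AUTORUN_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run\w*: \[.*?\] (.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} -\s*(.*)$")

# Core Windows processes that legitimately run only from the system directory
# (assumed list for this example; extend as needed). A same-named file elsewhere,
# or with another extension such as .com, is a classic masquerade.
SYSTEM_PROCESS_NAMES = {"lsass", "csrss", "smss", "svchost", "services", "winlogon"}
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".pif", ".dll")


def executable_path(command):
    """Extract the program path from an autostart command line.

    Quoted paths are taken verbatim; unquoted paths may contain spaces, so
    tokens are joined until one ends in an executable extension.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return PureWindowsPath(command[1:end] if end > 0 else command[1:])
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return PureWindowsPath(" ".join(tokens[: i + 1]))
    return PureWindowsPath(tokens[0] if tokens else command)


def classify(line):
    """Return a reason string if the line deserves attention, else None."""
    line = line.strip()
    m = ORPHAN_RE.match(line)
    if m:
        if m.group(1).strip().lower() == "(no file)":
            return "orphaned entry, referenced file missing (safe to fix)"
        return None
    m = DPF_RE.match(line)
    if m:
        return None if m.group(1) else "DPF entry with no download URL (leftover)"
    m = AUTORUN_RE.match(line)
    if m:
        exe = executable_path(m.group(1))
        masquerade = exe.stem.lower() in SYSTEM_PROCESS_NAMES and (
            exe.parent != SYSTEM_DIR or exe.suffix.lower() != ".exe")
        if masquerade:
            return f"autostart uses system-process name {exe.name} but not {SYSTEM_DIR}\\{exe.stem}.exe"
    return None


def triage(log_text):
    """List of (line, reason) for every flagged line in a log."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT_LOG):
        print(f"{reason}\n    <- {line}")
```

Running it on the sample flags the three "(no file)" entries, the URL-less O16 entry and both lsass.com autostarts, while leaving the HP setup, Copernic and HP sysinfo.cab lines alone; feed it a real log with `triage(open("hijackthis.log").read())`.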
     
  10. gigtime

    gigtime Private E-2

    Hi J Archer,

    Unfortunately, that didn't do the trick. I made one mistake in following your directions. Initially, I did the fixes to hijack this but rebooted before doing
    the rest of your instructions. (I'm reading this thread on my laptop and didn't
    scroll down all the way).

    When I rebooted, I went back and did the fixes again. However,
    this folder wasn't there: "Delete the C:\Program Files\MyWay\ folder."

    I then deleted the dll file in the next step and rebooted.

    Should this line stay:
    O4 - HKLM\..\Run: [Bill 'Lastname' MicroKit] C:\WINDOWS\microsoft kit\lsass.com

    The Microkit directory is where all the keystroke logs and screenshots are
    stored and was created when the trojan activated.

    Thanks,

    Bill

    The
     

    Attached Files:

  11. jarcher

    jarcher I can't handle a title

    do you have view hidden files enabled?
    did you remove alexa?
    and I admit I don't know much about this line

    I have been looking for anything on it
    and it appears that it might be a sasser worm
    if you have HJT in its own folder it will make a backup if you need to retrieve it


    did you do the online scans in the first read me?

    run hjt
    and check(including the one above)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
    O2 - BHO: (no name) - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - (no file)
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -


    close everything(all running apps, browsers,etc. . .)

    click fix



    Delete the C:\Program Files\MyWay\ folder.

    Delete the file NZDD#.DLL which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\(The "#" in the filename means that the filename might contain numbers)

    Uninstall Alexa.(add remove programs)
    Delete the file AlxTB1.dll which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\

    restart
    if that fails, i apologize
     
  12. gigtime

    gigtime Private E-2

    I think the lines that refer to lsass and microkit are the key to this trojan.
    When I start TrojanHunter, I get a warning message saying:

    "The entry in your system registry that specifies how to open an executable
    file is not set to "%*" %1 as it should be, but instead has the value
    'C:\WINDOWS\microsoft kit\lsass.com "%1" %*'. Some trojans alter this key
    to make themselves autostart.

    Do you want to restore the default value for this key (recommended)?"

    Of course I click "Yes" but it's back again after a reboot. I ran a lot of searches on lsass.com as you did and the only references seem to come up
    with browser issues like about:blank. None of the descriptions I saw had anything about a keystroke logger.

    I ran through everything again to no avail. There was a double entry on one
    of your suggested fixes (see below) but I'm not sure if that will make a difference. I've attached the latest log.

    Yes and yes. And yes I did run all the scans from the read me.

    Yes

     

    Attached Files:

  13. gigtime

    gigtime Private E-2

    Just a quick addition. When starting AntiVir, a warning message comes up saying:

    With the safety check of the Registry a remarkable entry HKEY_CLASSES_ROOT\exefile\shell\open\command was found. This entry refers to the file C:\WINDOWS\MICROSOFT KIT\LSASS.COM. Please check the executability of your system and transmit at any problems the announced file with the AVWin.log file to virus@free-av.de.

    Further evidence that Lsass is our problem?

    Bill
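The TrojanHunter and AntiVir warnings quoted in the two posts above point at the same persistence mechanism: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command has been changed from `"%1" %*` to run lsass.com first, so the trojan is started every time any .exe is launched, which is also why Run entries removed with HijackThis can be back before the next reboot. The following Python script is an added example, not something posted in the thread and not part of any tool named here; it parses an exported .reg snippet, reports whether the key is hijacked and lists the Run/RunOnce values that launch the same program. The sample export is constructed from the paths quoted in the thread; the "SomeLegitApp" entry is invented as a benign control.

```python
"""Audit an exported .reg snippet for a hijacked exefile open command (added example)."""
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_OPEN_COMMAND = '"%1" %*'   # what the key holds on a clean system

# Constructed sample in the format 'reg export' writes. The lsass.com path and
# the Run/RunOnce value names are the ones quoted in this thread; the
# "SomeLegitApp" entry is invented as a benign control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\microsoft kit\\lsass.com\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Name Microkit"="C:\\WINDOWS\\microsoft kit\\lsass.com"
"SomeLegitApp"="\"C:\\Program Files\\Vendor\\app.exe\" -tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"My Name Microkit"="C:\\WINDOWS\\microsoft kit\\lsass.com /RunOnce"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Strip surrounding quotes and undo .reg escaping (\\\\ and \\")."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}}; '' is the (Default) value.

    Only string ("...") values are decoded; hex/dword values are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m or not m.group(2).startswith('"'):
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1))
        keys[current][name] = _unescape(m.group(2))
    return keys


def interposed_program(open_command):
    """Return the program inserted ahead of the default "%1" %*, or None if clean."""
    cmd = " ".join(open_command.split())
    if cmd == DEFAULT_OPEN_COMMAND:
        return None
    if cmd.endswith(DEFAULT_OPEN_COMMAND):
        cmd = cmd[: -len(DEFAULT_OPEN_COMMAND)]
    return cmd.strip().strip('"')


def autostarts_running(keys, program):
    """Run/RunOnce values whose command line contains the given program path."""
    hits = []
    for key, values in keys.items():
        if not key.upper().endswith(("\\RUN", "\\RUNONCE")):
            continue
        for name, cmd in values.items():
            if program.lower() in cmd.lower():
                hits.append((key, name, cmd))
    return hits


def audit(text):
    """Human-readable findings for one export; an empty list means nothing suspicious."""
    keys = parse_reg(text)
    open_cmd = keys.get(EXEFILE_KEY, {}).get("")
    if open_cmd is None:
        return ["exefile open command missing from export; re-export the key"]
    program = interposed_program(open_cmd)
    if program is None:
        return []
    findings = [f"exefile open command hijacked: every .exe launch runs {program}"]
    for key, name, cmd in autostarts_running(keys, program):
        findings.append(f"autostart {key}\\{name} runs the same program: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On a live machine the input comes from `reg export "HKCR\exefile\shell\open\command" exefile.reg` plus the same command for the two Run keys; reg.exe writes those files as UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit`. The point of checking the open command and the autostarts together is that fixing only the Run entries leaves the exefile hook in place, and the hook rebuilds them.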
     
  14. gigtime

    gigtime Private E-2

    I've gotten rid of it. Thanks anyway.

    Bill
     
  15. jarcher

    jarcher I can't handle a title

    glad you got rid of it
    sorry I couldn't help any
     
