Possible Keylogger

Discussion in 'Malware Help (A Specialist Will Reply)' started by Deviant210, Sep 30, 2009.

  1. Deviant210

    Deviant210 Private E-2

    Hi,

    I play WoW, and recently my account had been hacked. I scanned with the scanners I had acquired and some that had been recommended. I had thought I had fixed the problem. Turns out I was wrong and got hacked again. Clearly I missed something. So I just followed the Malware Removal Guide and am now attaching all the logs hoping someone is able to help me with my problem; I don't need other more important stuff like bank accounts and personal information being ripped off.

    Thanks for your assistance.
     

    Attached Files:

  2. Deviant210

    Deviant210 Private E-2

    and MGTools
     

    Attached Files:

  3. evilfantasy

    evilfantasy Malware Fighter

    Sorry for the delay Deviant210.

    Please see here. Warning about Porn, Keygens, Cracks, and other Illegal Software

    Remove all cracked software before I will continue help beyond this first set of instructions.

    If this is a keylogger or password stealing trojan you need to take other precautions besides just working with us. While we will do our best, be aware that the only method of being sure that all of said malware is gone is a complete reformat and reinstall of Windows.

    Anything that involves online banking is an extremely high risk.

    I suggest you do the following immediately:

    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer change ALL of your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer. If you do the attacker can get the new passwords and transaction information. Refrain from using this computer for online-banking/financial purpose until we give it all clear.

    ----------

    Before we continue you must get an antivirus installed. It is very dangerous to connect to the internet without one especially when you think you are infected with malware.

    Please choose only one of the following to install now. Both are free and very reliable.

    Once installed be sure it is up-to-date and run a full system scan.

    After the antivirus scan is finished download and scan with the new version of MGtools letting the new version overwrite the old one. Attach the new MGlogs.zip file to your next reply.

    If needed see here: Using MGtools
     
  4. Deviant210

    Deviant210 Private E-2

    Don't worry about the delay, it's completely understandable with all the people coming here for help.

    I have deleted the cracked adobe from my computer as well as deleting the install files. I did this afterwards so they could be scanned first.

    Here are logs from MGtools and Avira antivirus.
     

    Attached Files:

  5. evilfantasy

    evilfantasy Malware Fighter

    Thank you.

    Are you sure you deleted the Adobe Crack? I still see it on the desktop.

    Suspicious files to scan

    Please go to VirSCAN.org FREE on-line scan service
    (If more than one file needs scanned they must be done separately and logs posted for each one)

    1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
    Code:
    C:\WINDOWS\System32\winsys2.exe
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    6. Paste the contents of the Clipboard in your next reply.

    Note: If using FireFox you will need to copy the link in the address bar and post it back here instead. The Copy to Clipboard feature will not work.


    Also I see this in the HijackThis log. Do you have overclocking software installed?

     
  6. Deviant210

    Deviant210 Private E-2

    Hi,

    You still see the Adobe crack because I deleted it after I scanned with Avira and MGtools.

    Here is the VirSCAN report.
    Code:
    VirSCAN.org Scanned Report :
    Scanned time   : 2009/10/02 18:54:28 (EDT)
    Scanner results: All Scanners reported not find malware!
    File Name      : WinSys2.exe
    File Size      : 208896 byte
    File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5            : 27949ccd505a6be082d15547b1dff90d
    SHA1           : 569f27f34d53ec7f3eb0151108f3d4f0b4e54140
    Online report  : http://virscan.org/report/cd2b3d7ac296c4b7239d2edc93617e6d.html
    
    Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
    a-squared      4.5.0.8         20091003043819    2009-10-03  10.11  -
    AhnLab V3      2009.10.03.00   2009.10.03        2009-10-03  0.95   -
    AntiVir        8.2.1.27        7.1.6.68          2009-10-02  0.22   -
    Antiy          2.0.18          20091002.2949820  2009-10-02  0.12   -
    Arcavir        2009            200910020826      2009-10-02  0.06   -
    Authentium     5.1.1           200910021709      2009-10-02  1.74   -
    AVAST!         4.7.4           091002-0          2009-10-02  0.02   -
    AVG            8.5.288         270.14.3/2410     2009-10-03  0.34   -
    BitDefender    7.81008.4307863 7.28027           2009-10-03  3.70   -
    CA (VET)       9.0.0.143       31.6.6773         2009-10-03  9.32   -
    ClamAV         0.95.2          9862              2009-10-02  0.04   -
    Comodo         3.11            2495              2009-10-02  0.86   -
    CP Secure      1.3.0.5         2009.09.30        2009-09-30  0.07   -
    Dr.Web         4.44.0.9170     2009.10.02        2009-10-02  5.53   -
    F-Prot         4.4.4.56        20091002          2009-10-02  1.94   -
    F-Secure       7.02.73807      2009.10.02.08     2009-10-02  8.46   -
    Fortinet       2.81-3.120      10.899            2009-10-02  0.25   -
    GData          19.8178/19.497  20091002          2009-10-02  5.40   -
    ViRobot        20091002        2009.10.02        2009-10-02  0.41   -
    Ikarus         T3.1.01.72      2009.10.02.73900  2009-10-02  4.15   -
    JiangMin       11.0.800        2009.09.26        2009-09-26  3.92   -
    Kaspersky      5.5.10          2009.10.02        2009-10-02  0.13   -
    KingSoft       2009.2.5.15     2009.10.2.18      2009-10-02  0.49   -
    McAfee         5.3.00          5759              2009-10-02  3.30   -
    Microsoft      1.5101          2009.10.02        2009-10-02  5.64   -
    Norman         6.01.09         6.01.00           2009-09-16  1.82   -
    Panda          9.05.01         2009.10.02        2009-10-02  2.06   -
    Trend Micro    8.700-1004      6.500.01          2009-10-02  0.03   -
    Quick Heal     10.00           2009.10.01        2009-10-01  1.22   -
    Rising         20.0            21.49.22.00       2009-09-30  0.94   -
    Sophos         2.90.1          4.45              2009-10-03  3.51   -
    Sunbelt        5427            5427              2009-10-02  1.82   -
    Symantec       1.3.0.24        20091002.003      2009-10-02  0.06   -
    nProtect       20090930.01     5696930           2009-09-30  7.00   -
    The Hacker     6.5.0.2         v00027            2009-10-02  0.70   -
    VBA32          3.12.10.11      20090930.1230     2009-09-30  2.15   -
    VirusBuster    4.5.11.10       10.112.56/1938802 2009-10-02  2.50   -
    
    Also, to my knowledge I have no overclocking done on this computer.
     
  7. Deviant210

    Deviant210 Private E-2

    Code:
    VirSCAN.org Scanned Report :
    Scanned time   : 2009/10/05 13:29:07 (EDT)
    Scanner results: All Scanners reported not find malware!
    File Name      : winsys2.exe
    File Size      : 208896 byte
    File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5            : 27949ccd505a6be082d15547b1dff90d
    SHA1           : 569f27f34d53ec7f3eb0151108f3d4f0b4e54140
    Online report  : http://virscan.org/report/a1fa94b3b37bc95fd618d18946683645.html
    
    Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
    a-squared      4.5.0.8         20091005163530    2009-10-05  4.35   -
    AhnLab V3      2009.10.06.00   2009.10.06        2009-10-06  1.67   -
    AntiVir        8.2.1.33        7.1.6.75          2009-10-05  0.29   -
    Antiy          2.0.18          20091005.2966709  2009-10-05  0.12   -
    Arcavir        2009            200910050915      2009-10-05  0.06   -
    Authentium     5.1.1           200910051400      2009-10-05  1.72   -
    AVAST!         4.7.4           091004-0          2009-10-04  0.02   -
    AVG            8.5.288         270.14.3/2415     2009-10-05  0.34   -
    BitDefender    7.81008.4315300 7.28102           2009-10-06  3.73   -
    CA (VET)       9.0.0.143       31.6.6774         2009-10-05  8.23   -
    ClamAV         0.95.2          9866              2009-10-03  0.04   -
    Comodo         3.11            2519              2009-10-05  0.82   -
    CP Secure      1.3.0.5         2009.10.05        2009-10-05  0.07   -
    Dr.Web         4.44.0.9170     2009.10.05        2009-10-05  5.58   -
    F-Prot         4.4.4.56        20091005          2009-10-05  1.94   -
    F-Secure       7.02.73807      2009.10.05.11     2009-10-05  0.17   -
    Fortinet       2.81-3.120      10.908            2009-10-05  0.26   -
    GData          19.8233/19.499  20091005          2009-10-05  5.24   -
    ViRobot        20091005        2009.10.05        2009-10-05  0.41   -
    Ikarus         T3.1.01.72      2009.10.05.73940  2009-10-05  4.18   -
    JiangMin       11.0.800        2009.10.05        2009-10-05  4.24   -
    Kaspersky      5.5.10          2009.10.05        2009-10-05  0.13   -
    KingSoft       2009.2.5.15     2009.10.5.7       2009-10-05  0.50   -
    McAfee         5.3.00          5762              2009-10-05  3.31   -
    Microsoft      1.5101          2009.10.05        2009-10-05  5.46   -
    Norman         6.01.09         6.01.00           2009-09-16  1.83   -
    Panda          9.05.01         2009.10.04        2009-10-04  1.75   -
    Trend Micro    8.700-1004      6.506.02          2009-10-05  0.03   -
    Quick Heal     10.00           2009.10.05        2009-10-05  1.22   -
    Rising         20.0            21.49.22.00       2009-09-30  0.87   -
    Sophos         2.90.1          4.45              2009-10-06  3.55   -
    Sunbelt        5430            5430              2009-10-05  1.61   -
    Symantec       1.3.0.24        20091005.003      2009-10-05  0.06   -
    nProtect       20091005.01     5733682           2009-10-05  6.83   -
    The Hacker     6.5.0.2         v00029            2009-10-04  0.73   -
    VBA32          3.12.10.11      20091004.1919     2009-10-04  2.08   -
    VirusBuster    4.5.11.10       10.112.59/1942018 2009-10-05  2.53   -
    
    This is the updated scan; I apparently didn't let the actual scanner do it the last time, so here it is.
     
  8. evilfantasy

    evilfantasy Malware Fighter

    I'm not finding anything that would point to malware but I'm also not sure what these two entries are. Do you know where they came from?

    O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe

    O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I \"C:\Program Files\Common Files\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MSI\" WISE_SETUP_EXE_PATH=\"c:\documents and settings\erik defosses\desktop\nvidia_185.85_xp\nvidia_185.85_xp\PhysX_9[1].09.0408_SystemSoftware.exe\"
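The two O4 entries quoted above are HijackThis's rendering of Run/RunOnce autostart values: hive, key, value name in brackets, then the command line, with embedded quotes escaped as `\"`. Working out who runs, when, and from where is the whole of the triage question evilfantasy is asking. The following Python is an added example, not code from the thread or from HijackThis: it parses O4 lines into their parts, pulls out the executable and any quoted paths in the command (which is how the PhysX installer path reveals the origin of the RunOnce entry), and returns a short list of triage observations. The sample lines are the two from the thread plus one constructed entry (`ExampleUpdater`) that shows a user-profile autostart; the observation text is this example's own wording, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two O4 lines quoted in the thread, plus one extra
# constructed line (ExampleUpdater) that is not from the thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I \"C:\Program Files\Common Files\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MSI\" WISE_SETUP_EXE_PATH=\"c:\documents and settings\erik defosses\desktop\nvidia_185.85_xp\nvidia_185.85_xp\PhysX_9[1].09.0408_SystemSoftware.exe\"
O4 - HKCU\..\Run: [ExampleUpdater] \"C:\Documents and Settings\user\Application Data\example\updater.exe\" /background
""".strip().splitlines()

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


@dataclass
class O4Entry:
    hive: str       # HKLM (all users) or HKCU (current user)
    key: str        # Run or RunOnce
    name: str       # registry value name
    command: str    # command line as logged (with \" escapes)
    executable: str # first token, quotes removed


def unescape(command: str) -> str:
    """HijackThis writes embedded quotes as \\\"; restore plain quotes."""
    return command.replace('\\"', '"')


def executable_of(command: str) -> str:
    """Program actually launched: a quoted path, or the first space-delimited token."""
    cmd = unescape(command).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def quoted_paths(command: str) -> list:
    """Every quoted argument in the command line, e.g. MSI packages and setup paths."""
    return re.findall(r'"([^"]+)"', unescape(command))


def parse_o4_lines(lines) -> list:
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 entry (or a line this parser does not understand)
        entries.append(O4Entry(m["hive"], m["key"], m["name"], m["command"], executable_of(m["command"])))
    return entries


def triage(e: O4Entry) -> list:
    """Plain-language observations a defender would note before deciding anything."""
    notes = []
    if e.hive == "HKLM":
        notes.append("runs for every user who logs on (machine-wide)")
    elif e.hive == "HKCU":
        notes.append("runs only for the user whose hive this is")
    if e.key.lower() == "runonce":
        notes.append("RunOnce: executed once at next logon then deleted; usually an installer or driver setup leftover")
    exe = e.executable.lower()
    if "\\" not in exe:
        notes.append("bare executable name, resolved through PATH at logon")
    elif "\\system32\\" in exe:
        notes.append("lives in System32 but nothing in the log vouches for it; hash it and submit to a multi-engine scan")
    elif "\\documents and settings\\" in exe or "\\users\\" in exe:
        notes.append("launched from a user-writable profile path; seen for legitimate updaters and for malware alike")
    return notes


if __name__ == "__main__":
    for entry in parse_o4_lines(SAMPLE_O4_LINES):
        print(f"[{entry.name}] {entry.hive}\\{entry.key} -> {entry.executable}")
        for note in triage(entry):
            print("   -", note)
        for path in quoted_paths(entry.command):
            print("   quoted path:", path)
```

Run against the thread's own lines, the WiseStubReboot entry yields the NVIDIA PhysX installer path as its second quoted argument, which is the same conclusion the thread reached by eye; the WinSys2 entry yields only "hash it and submit", which is what the VirSCAN upload earlier in the thread did.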
     
  9. Deviant210

    Deviant210 Private E-2

    Offhand, I have no idea where those two files came from or what they mean. The only thing I can see is that maybe the second one has to do with my video card, but that's all I can gather.
     
  10. evilfantasy

    evilfantasy Malware Fighter

    Yes I believe that is the case. Let's do this.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Once finished exit HijackThis.



    Delete ComboFix and download the new version.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    DO NOT run it yet!

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    C:\WINDOWS\System32\winsys2.exe
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze



    After the ComboFix scan is finished run a new scan with MGtools and attach the new MGlogs.zip file to your next reply.


    Next post:

    • ComboFix log
    • New MGtools log
     
  11. Deviant210

    Deviant210 Private E-2

    Logs
     

    Attached Files:

  12. Deviant210

    Deviant210 Private E-2

    On another note, hopefully not related to what we are doing here: my computer doesn't want to load the desktop. It loads everything just fine, but just sits at my wallpaper without loading anything on the desktop or the start bar. I can Ctrl+Alt+Del to the Task Manager and that's the only way I got my browser to work.
     
  13. evilfantasy

    evilfantasy Malware Fighter

    Your logs are clean, so whatever issues still remain are likely not malware.

    Have you tried restarting the computer more than once?

    Does it also happen in Safe Mode?
     
  14. Deviant210

    Deviant210 Private E-2

    In Safe Mode the taskbar and desktop load just fine; in normal mode, however, they still don't.

    Thanks for trying though, and thanks for the malware help too :D
     
  15. evilfantasy

    evilfantasy Malware Fighter

    Since this is no longer a malware issue I suggest starting a new topic in the Software forum. Someone there will surely have some ideas. Personally, if you can't find a quick solution, I would try creating a new profile and if it works then move all of your documents over. How to copy data from a corrupted user profile to a new profile in Windows XP

    What we also need to do is get some of the tools we have used cleaned up. They aren't for general malware removal and could cause damage if launched or used accidentally. But it will also be much easier with a fully functioning desktop.

    From the Task Manager go to File > New Task (Run) then type "%userprofile%\Desktop\combofix" /u to remove ComboFix and also reset your Windows settings to their secure settings.

    Or read through the instructions from Safe Mode. Removing ComboFix and any custom script files we used is the most important.

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  16. Deviant210

    Deviant210 Private E-2

    Ok well thanks again, I followed the clean up instructions and then tried the copying of the user profiles, made my new one and a temp as the article said, logged back onto my main one to completely shut it down and lo and behold it had a desktop and a start bar! And everything seems to be working well! xD


    Thanks again!
     
  17. evilfantasy

    evilfantasy Malware Fighter

    Sometimes it happens that way. Glad it's back!


    It probably wouldn't hurt to run the System File Checker as an extra measure.

    • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
      • Let this run undisturbed until the window with the blue progress bar goes away
    SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.


    You're welcome and safe surfing...
     
