Welcome to the Comodo Forum
Topic: Keylogger - Just When I Thought All Was Safe! (Read 7403 times)

kc7brown (Comodo Family Member, Posts: 60)
Keylogger - Just When I Thought All Was Safe!
Posted on: May 17, 2007, 07:32:15 PM
After doing all that I was told and closing ports - I did a scan and found a keylogger. I freaked and reinstalled Windows XP, all was clear for four days and now I have the same keylogger again. I have about 7 FastStone screenshots that I will post, Comodo Firewall is running, AVG 7.5 is running, Ad-Aware 2007beta is running, Avast Pro is running.
AVG is currently running a scan, so I do not know the location of the Keylogger right now. Last time it was in Advanced MP3 Convertor - a folder which was deleted. The infected file was bass.dll.
Last Edit: June 25, 2007, 09:59:47 PM by Soya

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
"Oh, let me have just a little bit of peril"
Re: Disable NetBios - Just When I Thought All Was Safe!
Reply #1 on: May 17, 2007, 07:44:28 PM
Hey kc7brown, welcome back
Let's take this from the top. You did a scan. What did you scan with, which program?
You found a keylogger. Which one?
I would be interested in seeing the screenshots.
Don't panic
One man alone can be pretty dumb sometimes, but for real bona fide stupidity, there ain't nothin' can beat teamwork.

kc7brown (Comodo Family Member, Posts: 60)
Re: Disable NetBios - Just When I Thought All Was Safe!
Reply #2 on: May 17, 2007, 07:46:58 PM
It's the second from the bottom, AVG - the same program that found it a few days ago. After the reinstall I rescanned in Safe Mode and Regular Mode, all clear until today.
I have not done any more P2P and uninstalled both Limewire and Shareaza after you told me about those.

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Disable NetBios - Just When I Thought All Was Safe!
Reply #3 on: May 17, 2007, 08:34:32 PM
Thanks for the images.
Apart from the AVG image, I can find nothing particularly odd, apart from one entry in the Hijackthis log.
O2 - BHO: (no name)
You also seem to have a rather large number of open ports?
We can come back to that later.
From the AVG Scan, have you managed to identify which file is supposed to contain the keylogger?
Also, do you know what each of the programs is that can be seen running in Process Explorer?
BTW, I changed the title, as it's no longer a NetBIOS issue.
Last Edit: May 17, 2007, 08:40:36 PM by Toggie

kc7brown (Comodo Family Member, Posts: 60)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #4 on: May 17, 2007, 08:43:11 PM
They are both in system restore, so maybe they were left over from the previous scan somehow.
Since I reinstalled XP, the only UDP ports that stayed open were 1025, 123, 123, 1116, 1734, and TCP 12080. Then last night I noticed all these 3*** entries that are sometimes open, sometimes not.

kc7brown (Comodo Family Member, Posts: 60)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #5 on: May 17, 2007, 08:56:30 PM
Process Explorer - I can identify:
system:
Avast
AVG Anti-Spyware
COMODO BoClean
iPod (iTunes)
Ad-Aware
explorer:
COMODO
Avast
Quick Time
iTunes
Java
AVG Anti-Spyware
List Alphabetizer (does not depend on internet)
Ad-Watch
WWDC
Firefox
FastStone Screen Capture
The rest I have no idea.
Under HiJackThis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "F:\WINDOWS\is-M67J1.exe" /REG
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
The only ones I can guess at are the O9s and O18s, which are Live! Messenger related. Adding Live! to MSN Messenger through the Patchou website is one of the few things I have added. And I thought my previous problems were Yahoo! Messenger related.
Can Messenger be opening ports that are allowing access?

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #6 on: May 17, 2007, 09:01:04 PM
If it's in system restore, it's likely it's the same file. Personally, I don't use system restore, for exactly this reason, but that's a personal decision and not something I recommend. You should be able to purge the contents of SR by doing the following:
1. Right click on 'My Computer' and select properties
2. Select System Restore
3. Tick 'Turn off System Restore on all drives'
4. Reboot
5. If you wish to re-enable follow same steps but un-check the box.
When you see a large number of open ports, are you using a particular program?

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #7 on: May 17, 2007, 09:12:48 PM
The rest of the items in PE look fine, standard processes. It's just that one entry in the HijackThis log:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
No name, no file... it could simply be something that no longer exists; it might be worth checking that CLSID in the registry to see what's in there...
Open regedit and search on: {7E853D72-626A-48EC-A868-BA8D5E23E045}
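The registry check Toggie describes, scripted as an added example (not code from the thread or from Comodo): it walks the Browser Helper Objects keys the way a HijackThis "O2" line does, looks up each CLSID's class name and InprocServer32 DLL, and flags entries with no name, no DLL, or a DLL path that no longer exists. It assumes PowerShell 5.1 on Windows and an elevated prompt.

```powershell
# Added example, not from the thread: report Browser Helper Objects and flag orphaned
# ones (registered as a BHO, but with no class name and/or no DLL on disk).
# Assumes PowerShell 5.1 on Windows, run as Administrator.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }      # no Wow6432Node on 32-bit
        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid = $entry.PSChildName                              # e.g. {7E853D72-626A-48EC-A868-BA8D5E23E045}
            $class = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"          # the COM class the BHO entry points at
            $name  = $null
            $dll   = $null
            if (Test-Path -LiteralPath $class) {
                $name = (Get-ItemProperty -LiteralPath $class -ErrorAction SilentlyContinue).'(default)'
                $srv  = Join-Path $class 'InprocServer32'
                if (Test-Path -LiteralPath $srv) {
                    $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
                    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
                }
            }
            # Same three outcomes HijackThis distinguishes: file present, file referenced but
            # missing, or nothing behind the CLSID at all ("(no name) ... (no file)").
            $fileExists = [bool]$dll -and (Test-Path -LiteralPath $dll)
            if ($fileExists)  { $status = 'present' }
            elseif ($dll)     { $status = 'dll missing' }
            else              { $status = 'orphaned (no class / no file)' }
            [PSCustomObject]@{
                CLSID  = $clsid
                Name   = if ($name) { $name } else { '(no name)' }
                File   = if ($dll)  { $dll }  else { '(no file)' }
                Status = $status
            }
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
```

An entry reported as orphaned is the same condition as the HijackThis line quoted above; removing it means deleting that CLSID subkey under the Browser Helper Objects key, after exporting the key as a backup.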

kc7brown (Comodo Family Member, Posts: 60)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #8 on: May 17, 2007, 09:15:51 PM
Oh yeah, I don't mind you renaming - someone else may have a similar problem and need help. I am familiar with SR, and before I turn my CPU off tonight I will purge SR.
Right now, all that I have in active windows are Firefox (with addons), AVG (because I haven't quarantined yet).
In the taskbar: Avast, COMODO FP, AVG Anti-Spyware, FastStone Capture, and Ad-Aware.
The only thing I closed was QuickTime in the taskbar, because it keeps autostarting - even though in msconfig I was sure I had disabled it on startup.
Right now all I have open are UDP 123, 123, 1734, 1025 and TCP 12080! Before I closed QuickTime, I had all those open ports.
I rarely use QuickTime, so I don't need it running.
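The observation above (ports that appear and disappear with QuickTime) is the kind of thing that is easier to settle by attributing each open port to its owning process than by watching the firewall's port list. The following is an added example, not code from the thread or from Comodo; it assumes Windows 8 / Server 2012 or later (the NetTCPIP module's Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets) and an elevated prompt.

```powershell
# Added example, not from the thread: attribute every listening TCP port and bound UDP
# port to its owning process and image path. Assumes Windows 8 / Server 2012 or later
# and an elevated prompt (needed to read other users' process paths).
function Get-PortOwnerReport {
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [PSCustomObject]@{ Proto = 'TCP'; Port = $_.LocalPort; OwnerPid = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [PSCustomObject]@{ Proto = 'UDP'; Port = $_.LocalPort; OwnerPid = $_.OwningProcess }
    }

    # @() keeps the concatenation valid when either list is empty or a single object.
    @($tcp) + @($udp) | ForEach-Object {
        $proc = $byPid[[int]$_.OwnerPid]        # OwningProcess is uint32; hashtable keys are int32
        # 1024-5000 was the XP-era dynamic range: ports there normally belong to ordinary
        # client sockets and close when the owning program exits, as happened with QuickTime.
        if ($_.Port -lt 1024)     { $range = 'system (<1024)' }
        elseif ($_.Port -le 5000) { $range = 'dynamic (1024-5000)' }
        else                      { $range = 'other' }
        [PSCustomObject]@{
            Proto   = $_.Proto
            Port    = $_.Port
            Pid     = $_.OwnerPid
            Process = if ($proc) { $proc.ProcessName } else { '(exited or protected)' }
            Path    = if ($proc -and $proc.Path) { $proc.Path } else { '' }
            Range   = $range
        }
    } | Sort-Object Process, Proto, Port
}

Get-PortOwnerReport | Format-Table -AutoSize
```

Run it once with the suspect program open and once with it closed; the rows that differ are the ports that program owns, and the Path column shows which executable is answering.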

kc7brown (Comodo Family Member, Posts: 60)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #9 on: May 17, 2007, 09:20:12 PM

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #10 on: May 17, 2007, 09:40:10 PM
It may well be Quicktime, I don't use it. You might want to look at this option
QuickTime Alternative - Wikipedia, the free encyclopedia
if QT is something you use. I have it as a firefox extension, but it works just as well outside the browser and negates the need to install all that nasty Apple crap.
The CLSID didn't tell us much
If it were me, I'd simply remove it, using HijackThis. If the application that placed it there needs it, it will let you know soon enough...

kc7brown (Comodo Family Member, Posts: 60)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #11 on: May 17, 2007, 10:01:32 PM
Okay, I deleted the registry key - it seemed to be IE related and I only use Firefox (unless something only runs on IE). I have it as a backup, and can reinstall if the regkey was important.
I can disable QuickTime. The only program that seems to depend on it is iTunes, and I'm about to check out the QT alternative that you posted. And through the past hour after closing QT in the taskbar, I have not had any extra ports opened.
I still wonder how I got the keylogger, but since I hadn't used Advanced MP3 in a while it could have been dormant there.

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #12 on: May 17, 2007, 10:16:47 PM
It's always possible it was a false positive...

kc7brown (Comodo Family Member, Posts: 60)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #13 on: May 17, 2007, 10:58:30 PM
Okay, I downloaded and installed the QT Alternative. When I ran the configuration, I got the QTPro screen with my registration code and it tried to connect to Apple through rundll (Comodo). Almost as if I hadn't uninstalled QuickTime.
I checked regedit and deleted the keys I could find for QuickTime/Apple. On my startmenu, everything looked fine except for it directing me to the original QuickTime screen. Should I have uninstalled iTunes first?
I see you are logged off, so I'll wait for your reply whenever you can, and in the meantime I will set msconfig to not start any QT processes on startup.
Toggie, thanks once again, you are the best. Instead of those Comodo Rocks signs there should be one that says Toggie Rocks!

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Keylogger - Just When I Thought All Was Safe!
Reply #14 on: May 17, 2007, 11:21:51 PM
LOL, kc7brown
I confess I'm not sure about iTunes, again not something I use. I'll find out...