Topic: Keylogger - Just When I Thought All Was Safe! (Read 7400 times)
kc7brown
Comodo Family Member, Posts: 60

« Reply #15 on: May 17, 2007, 11:40:07 PM »

I did find out that iTunes does not run without it, so I'll make sure it only runs when I let it. And of course be sure to close it when I finish.

Right now I have ports 2902, 2903, 2913, 2914, 2915, 2916 open along with the usual:

123, 123, 1734, 1025, 12080

I do think that QT was my problem, I just don't understand why it needs to open so many ports! Maybe Apple wants Windows users to get like really pissed and switch to Macs!!

You said you had a Firefox extension, what do you use? I don't know what half of them are, I am not technical enough to understand most of them. I have Clipmarks (rarely used), Cookie Manager Button, DOM Inspector, WOT (I love it), Download StatusBar, FasterFox, ShowIP, Talkback, FirePhish (not initialized), and Verification Engine.

So I guess I will run WWDC and TCPView over to the side where I can keep an eye on what's going on for a few days.

Most likely when I reinstalled Windows I overlooked a setting from the previous thread. Sure did think I got them all!
Eric Cryptid
Global Moderator, Comodo's Hero, Posts: 1121
Security Saskquatch

« Reply #16 on: May 18, 2007, 01:24:55 AM »

FYI, the keylogger you're referring to is a WIN32.Keylogger; it takes a bit of trolling through a Google search to find out. Haven't had a minute to find a removal program for you though...

Eric

Moderator: Aims to keep the forum a friendly place. Any concerns? Please send me a PM and/or review the forum policy.
System: 32 bit Windows XP SP3, Comodo Internet Security 3.5, Comodo BoClean
Toggie
Global Moderator, Comodo's Hero, Posts: 1256
"Oh, let me have just a little bit of peril"

« Reply #17 on: May 18, 2007, 02:19:02 AM »

Sorry about the QT alternative thing, I forgot you use iTunes. QTA is just a lightweight QT. I use it simply by copying the plugin DLLs from the QT directory to the fx/plugin directory. To be honest, I will probably remove it soon, as I never have need for it.

I don't have an answer as to why QT opens so many ports, assuming that's what it's doing, but I like your answer.

I still find it strange that you have, even with QT off, so many consecutive UDP ports open. Do you know which program is using them?

You can close port 123 if you wish, it's simply Windows Internet time synchronisation. Just go to Services and stop/disable the Windows Time Service.

I tried quite a few of the fx extensions over time, and I've settled on 27, which I use, in one way or another, every day. Of all of them, Scrapbook is one I wouldn't want to be without.

FasterFox is OK, but you can do everything it can through user.js, it just requires a little hacking.

We do have a couple of browser threads here, although they have gone a bit quiet recently:

What Firefox extensions do you use?
The browser thread

One man alone can be pretty dumb sometimes, but for real bona fide stupidity, there ain't nothin' can beat teamwork.
JamesFrance
Comodo Loves me, Posts: 195

« Reply #18 on: May 19, 2007, 03:05:39 PM »

Hi,

That 02 line you fixed was Windows Live Messenger also.

James
kc7brown
Comodo Family Member, Posts: 60

« Reply #19 on: May 27, 2007, 01:03:57 AM »

And what the heck is "Net Sentry" (nscnap.net)?

If I have several windows open at the same time, even with FasterFox, the browser is really slow. Almost like dialup! I've been monitoring with TCP, and it's fairly usual for Firefox to have about 20 process threads going! I've seen the above one, but WWDC still shows only minimal ports open. Right now all I have open is only UDPs: 123, 4671, 123, 1025. NO TCPs at all.

Actually, I think I inadvertently switched a setting in Services when I reinstalled Windows. Is there anything I could have done to slow this down?

Sidenote: I did get rid of the keylogger, and AVG Anti-Spyware gave me a popup tonight about Virtumundo? As did BOClean. I had both delete that one.
« Last Edit: May 27, 2007, 01:05:53 AM by kc7brown »
Toggie
Global Moderator, Comodo's Hero, Posts: 1256
"Oh, let me have just a little bit of peril"

« Reply #20 on: May 27, 2007, 01:11:32 AM »

Hi kc7,

Where are you seeing Net Sentry? Can you provide some more details?

As for the ports:

123 is Network Time Protocol... I think we covered that?
4671: is that a local port or a remote port?
1025 is probably being used by svchost.exe (normal)

Sounds like something may be blocking comms...

I'm sure we can work it out, just gimme the details.
kc7brown
Comodo Family Member, Posts: 60

« Reply #21 on: May 27, 2007, 01:34:14 AM »

I've been hawk-eyeing it, and it seems to only show up when I'm in MySpace forums. It was not there when we were working on this a few weeks ago.

And that is the remote address:
unknown.nscnap.net:http

Periodically I see something for "nebulazone" (it only lasts a few seconds), and "websecurity".

4671 is svchost.exe:832

And yes, we did cover 123 already, good memory.....

I had a browser hijack attempt earlier tonight, but I went into HijackThis and deleted some processes and that got Avast and AVG operational again.

« Last Edit: May 27, 2007, 01:45:29 AM by kc7brown »
Toggie
Global Moderator, Comodo's Hero, Posts: 1256
"Oh, let me have just a little bit of peril"

« Reply #22 on: May 27, 2007, 01:52:32 AM »

Well, nscnap.net seems to be a rogue site. There is, however, an open-source security product called Net Sentry...

As for nebulazone and websecurity, I've no idea, could be anything. Apparently YouTube has something called nebulazone; do you use YouTube?

4671... OK, but is it a local port (your computer) or a remote port (somewhere out there)? I guess it's local, but you need to find out what's connecting to it and from where.

You seem to suffer with a lot of hijacks, perhaps we should look at your overall security...
kc7brown
Comodo Family Member, Posts: 60

« Reply #23 on: May 27, 2007, 02:03:46 AM »

I'm thinking that since it only comes up when I'm in a MySpace forum, they DO have filters to keep someone from uploading porn into a thread.

I do use YouTube, and have it in one of those "quicklaunch" bars at the top in the browser. I also have one for Yahoo, Photobucket, and MySpace.

I really need to clean my C: drive, I am on F: drive now. C: drive was my original, and that was when I was prone to downloading warez. I don't download them anymore, it was from when I used a CyberCafe. But I am sure there are still traces of stuff on there, and when I have to access the drive for something, well...... And the attempts usually occur after I run programs that are on that drive.

Avast shows no viruses, AVG is clear, BOClean catches stuff. I don't run Ad-Watch in the tray since I read that it mainly only works with IE.

4671: the command line is this if it helps: F:\WINDOWS\System32\svchost.exe -k netsvcs

And on WWDC I did get an error popup a few times re: TCP/IP something and it had to rely on the registry?

Just found out that by ending the nscnap.net process in TCP, the whole browser shuts down.

« Last Edit: May 27, 2007, 02:09:27 AM by kc7brown »
Toggie
Global Moderator, Comodo's Hero, Posts: 1256
"Oh, let me have just a little bit of peril"

« Reply #24 on: May 27, 2007, 02:20:45 AM »

I hate to say this, but I think it might be better if you were to wipe your disks and start again. I use Firefox exclusively and I've never seen nscnap.net; there again, I don't use MySpace, YouTube or any of the so-called Web 2.0 sites.

I'm sure you know downloading warez is asking for problems, so I won't preach. But seriously, if I were you, I'd back up anything important (not warez), wipe my disks and reinstall. I know it's hard, but sometimes it's necessary.
kc7brown
Comodo Family Member, Posts: 60

« Reply #25 on: May 27, 2007, 11:05:45 AM »

Yeah, I kinda agree. Especially on the C: drive - I quit booting to it because it was SO sluggish. I started backing up some of the stuff on there a while ago. So my plan will be to backup/wipe/install on C: and then boot to C: and work from there on this one (F:). Thank God I have partitions! I don't have a separate tape/backup drive so I have to transfer to another partition and then back.

Toggie, you have been so much help and thanks for not preaching! Before I had internet here (home) I used a CyberCafe that didn't care what you did or downloaded. Now that the fallout is on me, I know the pitfalls involved.

I know there is a Files and Settings wizard, and I have a copy of a disk imaging program. F&S wizard seems to be for computer-to-computer and NOT drive-to-drive, so I guess I can use the disk imaging?

And the Net Security thing seems to be exclusive to MySpace browsing - it doesn't run unless I'm in the forums.

I trust your knowledge, so I will move forward however you think best.
kc7brown
Comodo Family Member, Posts: 60

« Reply #26 on: May 28, 2007, 04:53:32 PM »

I did format/install XP to C: (boot drive XP) last night. So I have a clean install there.

Right now I am working on how to recover data from my second drive (F: XP), as I totally forgot that C: contained the boot record to allow me to boot into either one! HA! I can only boot into the one. But I am doing Google searches to make sure I install a second OS on the other drive. I am paranoid that way, in case of physical drive failure.

So hopefully I will have no more problems with "foulware"!
Toggie
Global Moderator, Comodo's Hero, Posts: 1256
"Oh, let me have just a little bit of peril"

« Reply #27 on: May 28, 2007, 07:48:51 PM »

Hi kc7.

One way to re-establish contact with your lost boot partition is to edit the boot.ini file, which you'll find in the root of drive C:\ (it's a hidden file).

Right now I imagine your boot.ini file looks something like this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

To access your F: installation, you'll need to add an additional line at the bottom; however, you'll have to make sure you get the numbers right. I'll explain.

This notation is called the ARC (ARC RISC Computing) path. It's a bit of a hangover from when Windows ran on different hardware platforms, not just Intel.

multi(0)
Refers to the disk controller. (0) is normal for IDE drives. No need to change.
disk(0)
Not used with IDE drives. Don't change it.
rdisk(0)
This value may need to be changed.

On Windows, the first physical disk is disk(0), the second physical disk is disk(1) etc. Normally disk(1) equates to drive C: and disk(1) to D: etc.

So, if your F: drive is a different physical disk to your C: drive, you will need to add a different number here.

partition(0)
This refers to the actual partition where Windows is installed. For example, if you have installed Windows in the default location C:\Windows, then the value for partition would be (1).

If you had a single disk with two partitions (C: & D:) and you installed Windows in D:\Windows, the value for partition would be (2).

So the line you need to add would look something like this:

multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Recovery System" /fastdetect

In this case Windows is installed on the second physical disk - rdisk(1), and on the second partition - partition(2) on that disk.

I hope that makes some sense, you just have to play with the numbers. If you get them wrong, just reboot to C:\ and try again. It shouldn't do any damage to your system.
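The boot.ini walkthrough in the reply above is easy to get wrong by one digit, and a wrong `default=` line or a misnumbered entry only shows up at the next reboot. The following is an added example, written for this page and not code from the poster or from Comodo, that parses a boot.ini of the shape shown in the post, breaks each ARC path into its `multi/disk/rdisk/partition` numbers, builds the extra `[operating systems]` line the post describes from a disk and partition number, and runs a few sanity checks before the file is saved. The sample boot.ini is constructed for the example; `parse_boot_ini`, `make_entry`, `describe` and `validate` are names chosen here. It treats `rdisk()` as 0-based (as the post does) and `partition()` as 1-based, since `partition(0)` addresses the whole disk rather than a partition.

```python
import re

# Constructed sample: the two-entry boot.ini the post ends up with (XP on the
# first physical disk, the recovery install on the second disk's second partition).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Recovery System" /fastdetect
"""

# ARC path layout: adapter(n)disk(n)rdisk(n)partition(n)\folder
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<adapter_no>\d+)\)"
    r"disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)"
    r"partition\((?P<partition>\d+)\)"
    r"(?P<path>\\[^=\"\s]*)$",
    re.IGNORECASE,
)
# The part after '=': a quoted label followed by optional /switches
ENTRY_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<opts>.*)$')


def parse_arc_path(arc):
    """Split an ARC path into its numbered components; partition() is 1-based."""
    m = ARC_RE.match(arc.strip())
    if not m:
        raise ValueError(f"not an ARC path: {arc!r}")
    parts = {k: int(m.group(k)) for k in ("adapter_no", "disk", "rdisk", "partition")}
    parts["adapter"] = m.group("adapter").lower()
    parts["path"] = m.group("path")
    if parts["partition"] < 1:
        # partition(0) means the whole disk, so it can never hold a Windows folder
        raise ValueError(f"partition() must be 1 or higher: {arc!r}")
    return parts


def parse_boot_ini(text):
    """Return {'loader': {...}, 'systems': [{arc_text, arc, label, options}, ...]}."""
    loader, systems, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")  # first '=' ends the key / ARC path
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(value.strip())
            if not m:
                raise ValueError(f"malformed entry: {line!r}")
            systems.append({
                "arc_text": key.strip(),
                "arc": parse_arc_path(key),
                "label": m.group("label"),
                "options": m.group("opts").split(),
            })
    return {"loader": loader, "systems": systems}


def make_entry(rdisk, partition, label, options=("/fastdetect",), path=r"\WINDOWS"):
    """Build an [operating systems] line as the post describes: rdisk is the
    0-based physical disk, partition the 1-based partition on that disk."""
    if rdisk < 0 or partition < 1:
        raise ValueError("rdisk starts at 0, partition at 1")
    return (f'multi(0)disk(0)rdisk({rdisk})partition({partition}){path}="{label}" '
            + " ".join(options))


def describe(entry):
    """Plain-language reading of a parsed entry, for checking before a reboot."""
    a = entry["arc"]
    return (f"{entry['label']!r}: physical disk {a['rdisk'] + 1}, "
            f"partition {a['partition']}, folder {a['path']}")


def validate(ini):
    """Checks before saving: default must name a listed entry, timeout must be
    numeric, and no two entries may point at the same install."""
    issues = []
    arcs = [s["arc_text"].lower() for s in ini["systems"]]
    default = ini["loader"].get("default", "").lower()
    if default not in arcs:
        issues.append(f"default {default!r} does not match any [operating systems] entry")
    if not ini["loader"].get("timeout", "").isdigit():
        issues.append("timeout is not a number")
    if len(set(arcs)) != len(arcs):
        issues.append("duplicate ARC paths in [operating systems]")
    return issues


if __name__ == "__main__":
    ini = parse_boot_ini(SAMPLE_BOOT_INI)
    for s in ini["systems"]:
        print(describe(s))
    print("issues:", validate(ini) or "none")
```

Running it on the sample prints one line per entry ("physical disk 2, partition 2" for the recovery entry) and reports no issues; a `default=` line that points at an ARC path not listed under `[operating systems]` is the kind of slip `validate` is there to catch before the machine is rebooted into a loader error.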