Keylogger - Just When I Thought All Was Safe!

After doing all that I was told and closing ports - I did a scan and found a keylogger. I freaked and reinstalled Windows XP, all was clear for four days and now I have the same keylogger again. I have about 7 FastStone screenshots that I will post, Comodo Firewall is running, AVG 7.5 is running, Ad-Aware 2007beta is running, Avast Pro is running.

AVG is currently running a scan, so I do not know the location of the Keylogger right now. Last time it was in Advanced MP3 Convertor - a folder which was deleted. The infected file was bass.dll.


http://img170.imageshack.us/img170/9345/20070517202341nf2.th.png
http://img170.imageshack.us/img170/297/20070517201633aftercb9.th.png
http://img170.imageshack.us/img170/3534/20070517201501kn4.th.png
http://img170.imageshack.us/img170/6751/20070517201417ca7.th.png
http://img170.imageshack.us/img170/4434/20070517201326mh4.th.png
http://img170.imageshack.us/img170/8181/20070517201130vs2.th.png
http://img170.imageshack.us/img170/3039/20070517201014bf8.th.png
http://img170.imageshack.us/img170/7291/20070517200831he6.th.png
http://img170.imageshack.us/img170/83/20070517200805sv6.th.png

Hey kc7brown, welcome back :slight_smile:

Let’s take this from the top. You did a scan. What did you scan with, which program?
You found a keylogger. Which one?
I would be interested in seeing the screenshots :slight_smile:

Don’t panic :slight_smile:

It’s the second from the bottom, AVG - the same program that found it a few days ago. After the reinstall I rescanned in Safe Mode and Regular Mode, all clear until today.

I have not done any more P2P and uninstalled both Limewire and Shareaza after you told me about those.

Thanks for the images.

Apart from the AVG image, I can find nothing particularly odd, apart from one entry in the Hijackthis log.

O2 - BHO: (no name)

You also seem to have a rather large number of open ports?

We can come back to that later.

From the AVG Scan, have you managed to identify which file is supposed to contain the keylogger?

Also, do you know what each of the programs is that can be seen running in Process Explorer?

BTW, I changed the title, as it’s no longer a NetBIOS issue.


http://img511.imageshack.us/img511/6492/keyloggerlocationom9.th.png

They are both in system restore, so maybe they were left over from the previous scan somehow.

Since I reinstalled XP, the only UDP ports that stayed open were 1025, 123, 123, 1116, 1734, and TCP 12080. Then last night I noticed all these 3*** entries that are sometimes open, sometimes not.

Process Explorer - I can identify:

system:
Avast
AVG Anti-Spyware
COMODO BoClean
iPod (iTunes)
Ad-Aware

explorer:
COMODO
Avast
Quick Time
iTunes
Java
AVG Anti-Spyware
List Alphabetizer (does not depend on internet)
Ad-Watch
WWDC
Firefox
FastStone Screen Capture

The rest I have no idea.

Under HiJackThis:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] “F:\WINDOWS\is-M67J1.exe” /REG

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

The only ones I can guess at are the O9s and O18s, which are Live! Messenger related. Adding Live! to MSN Messenger through Patchou’s website is one of the few things I have added. And I thought my previous problems were Yahoo!Messenger related.

Can Messenger be opening ports that are allowing access?

If it’s in system restore, it’s likely it’s the same file. Personally, I don’t use system restore, for exactly this reason, but that’s a personal decision and not something I recommend. You should be able to purge the contents of SR by doing the following:

  1. Right click on ‘My Computer’ and select properties
  2. Select System Restore
  3. Tick ‘Turn off System Restore on all drives’
  4. Reboot
  5. If you wish to re-enable follow same steps but un-check the box.

When you see a large number of open ports, are you using a particular program?

The rest of the items in PE look fine, standard processes. It’s just that one entry in the HijackThis log:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

No name, no file… it could simply be something that no longer exists. Might be worth checking that CLSID in the registry, see what’s in there…

Open regedit and search on: {7E853D72-626A-48EC-A868-BA8D5E23E045}
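As an added example (not code from anyone in this thread), here is a small Python triage helper for HijackThis logs. It parses the lines quoted above, flags the orphan O2 BHO, the RunOnce entry and the downloaded ActiveX object, and groups lines by CLSID so that the paired O9 and O18 Messenger entries are recognised as one component. The sample log is constructed from the lines posted earlier in the thread; the flag wording is my own.

```python
import re
from collections import defaultdict

# Constructed sample: the HijackThis lines quoted in this thread (quotes straightened).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "F:\WINDOWS\is-M67J1.exe" /REG
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"https?://([^/\s]+)")

def parse_line(line):
    """Return (section, body) for an 'Onn - ...' HijackThis line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Parse a HijackThis log; return (entries, {clsid: sections referencing it})."""
    entries, groups = [], defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        clsid = CLSID_RE.search(body)
        entry = {"section": section, "clsid": clsid and clsid.group(0), "flags": []}
        if clsid:
            groups[entry["clsid"]].append(section)
        # O2 BHO whose DLL is gone: inert, but a leftover worth removing.
        if section == "O2" and "(no file)" in body:
            entry["flags"].append("orphan BHO (no file): verify the CLSID key, then remove")
        # O4 RunOnce: executes at next logon; confirm it came from a known installer.
        if section == "O4" and "RunOnce" in body:
            entry["flags"].append("RunOnce autostart: confirm source installer")
        # O16: ActiveX control downloaded from the web; record the serving host.
        if section == "O16":
            host = HOST_RE.search(body)
            entry["flags"].append("DPF from " + (host.group(1) if host else "unknown host"))
        entries.append(entry)
    return entries, dict(groups)

def flagged(log_text):
    return [e for e in triage(log_text)[0] if e["flags"]]
```

Lines sharing a CLSID in the returned groups (here both O9s and both O18s) belong to the same registered component and should be judged, and if necessary removed, together.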

Oh yeah, I don’t mind you renaming - someone else may have a similar problem and need help. I am familiar with SR, and before I turn my CPU off tonight I will purge SR.

Right now, all that I have in active windows are Firefox (with addons), AVG (because I haven’t quarantined yet).

In the taskbar: Avast, COMODO FP, AVG Anti-Spyware, FastStone Capture, and Ad-Aware.

The only thing I closed was QuickTime in the taskbar, because it keeps autostarting - even though in msconfig I was sure I had disabled it on startup.

Right now all I have open are UDP 123, 123, 1734, 1025 and TCP 12080! Before I closed QuickTime, I had all those open ports.

I rarely use QuickTime, so I don’t need it running.


http://img511.imageshack.us/img511/7614/regeditgw5.th.png

It may well be QuickTime, I don’t use it. You might want to look at this option, QuickTime Alternative (Wikipedia), if QT is something you use. I have it as a Firefox extension, but it works just as well outside the browser and negates the need to install all that nasty Apple ■■■■.

The CLSID didn’t tell us much :frowning: If it were me, I’d simply remove it, using HijackThis. If the application that placed it there needs it, it will let you know soon enough…

Okay, I deleted the registry key - it seemed to be IE related and I only use Firefox (unless something only runs on IE). I have it as a backup, and can reinstall if the regkey was important.

I can disable QuickTime. The only program that seems to depend on it is iTunes, and I’m about to check out the QT alternative that you posted. And through the past hour after closing QT in the taskbar, I have not had any extra ports opened.

I still wonder how I got the keylogger, but since I hadn’t used Advanced MP3 in a while it could have been dormant there.

It’s always possible it was a false positive…

Okay, I downloaded and installed the QT Alternative. When I ran the configuration, I got the QTPro screen with my registration code and it tried to connect to Apple through rundll (Comodo). Almost as if I hadn’t uninstalled QuickTime.

I checked regedit and deleted the keys I could find for QuickTime/Apple. On my startmenu, everything looked fine except for it directing me to the original QuickTime screen. Should I have uninstalled iTunes first?

I see you are logged off, so I’ll wait for your reply whenever you can, and in the meantime I will set msconfig to not start any QT processes on startup.

Toggie, thanks once again, you are the best. Instead of those Comodo Rocks signs there should be one that says Toggie Rocks! (:AGL)

LOL, kc7brown :-[

I confess I’m not sure about iTunes, again not something I use. I’ll find out…

I did find out that iTunes does not run without it, so I’ll make sure it only runs when I let it. And of course be sure to close it when I finish.

Right now I have ports 2902, 2903, 2913, 2914, 2915, 2916 open along with the usual:

123,123, 1734, 1025, 12080

I do think that QT was my problem, I just don’t understand why it needs to open so many ports! Maybe Apple wants Windows users to get like really ■■■■■■ and switch to Macs!! ;D

You said you had a Firefox extension, what do you use? I don’t know what half of them are, I am not technical (:NRD) enough to understand most of them. I have Clipmarks (rarely used), Cookie Manager Button, DOM Inspector, WOT (I love it), Download StatusBar, FasterFox, ShowIP, Talkback, FirePhish (not initialized), and Verification Engine.

So I guess I will run WWDC and TCPView over to the side where I can keep an eye on what’s going on for a few days.

Most likely when I reinstalled Windows I overlooked a setting from the previous thread. Sure did think I got them all!

FYI, the keylogger you’re referring to is a WIN32.Keylogger; it takes a bit of trolling through a Google search to find out. Haven’t had a minute to find a removal program for you though…

Eric

Sorry about the QT Alternative thing, I forgot you use iTunes. QTA is just a lightweight QT. I use it simply by copying the plugin DLLs from the QT directory to the fx/plugin directory. To be honest, I will probably remove it soon, as I never have need for it.

I don’t have an answer as to why QT opens so many ports, assuming that’s what it’s doing, but I like your answer :slight_smile:

I still find it strange that you have, even with QT off, so many consecutive UDP ports open. Do you know which program is using them?

You can close port 123 if you wish, it’s simply Windows Internet time synchronisation. Just go to Services and stop/disable the Windows Time service.

I tried quite a few of the fx extensions over time, and I’ve settled on 27, which I use, in one way or another, everyday. Of all of them, scrapbook is one I wouldn’t want to be without.

Fasterfox is ok, but you can do everything it can, through user.js, just requires a little hacking (:NRD)

We do have a couple of browser threads here, although they have gone a bit quiet recently:

What Firefox extensions do you use?
The browser thread

Hi,

That O2 line you fixed was Windows Live Messenger also.

And what the heck is “Net Sentry” (nscnap.net)?

If I have several windows open at the same time, even with FasterFox, the browser is really slow. Almost like dialup! I’ve been monitoring with TCPView, and it’s fairly usual for Firefox to have about 20 process threads going! I’ve seen the above one, but WWDC still shows only minimal ports open. Right now all I have open is only UDPs: 123, 4671, 123, 1025. NO TCPs at all. ???

Actually, I think I inadvertently switched a setting in Services when I reinstalled Windows. Is there anything I could have done to slow this down?

Sidenote: I did get rid of the keylogger, and AVG Anti-Spyware gave me a popup tonight about Virtumundo? As did BOClean. I had both delete that one.