My Win Vista has a keylogger installed on it that also allowed a remote user to write some simple text on my computer (in the FAR manager application) and open a random webpage with Firefox.
Could you please help me spot the keylogger process(es)?
Please find attached the avz_sysinfo.zip I obtained with AVZ. Notice the "Process masking detected", and also the interception of methods from user32.dll (for example, "Function user32.dll:GetKeyState (2306) intercepted, method").
I can provide the guard32.dll which is reported as the application that intercepts the methods of user32.dll, such as GetKeyState.
Thanks a lot.
guard32.dll is part of CIS and is used to prevent keyloggers; as it uses the same technique as a keylogger, this is probably the reason it's masked.
I suspect other infections on your system if you experience this kind of behavior.
Please have a look at this post here:
And also have a look at GMER (www.gmer.net), a good anti-rootkit scanner.
I have run various AVs, including some from the link you gave me. Quite a few of these AVs were run from a non-infested OS, so there is no concern about the rootkit behavior (I hope).
I suspect the following files of being related to the keylogger: http://alexsusu.110mb.com/Keylogger.zip . The most suspect ones are in the directory hidden_in_infested_OS, in my opinion.
I have included the logs obtained with HiJackThis and AVZ.
Could you please let me know if you find a hacked file among the ones sent?
Thank you very much.
I see you have VNC Server installed. Did you do that yourself, or has malware been able to do this?
VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
VNC Server provides remote control, and if someone was able to access your system on the default port 5900 it could be “abused”…
For the rest, I can't find suspicious things in there. I'm not sure what file created the extracted files, but most of them seem legit. I'm not Comodo Staff and not a pro on malware analysis, though, so no guarantees there.
Did you run the GMER rootkit detector on the live "infected" system? It needs to be run from the suspicious OS to determine whether it's rootkitted or not; when you start it, it will scan the most important parts and warn you about malware/rootkit/suspicious behavior.
So based on what you describe my guess would be VNC Server abuse…
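The reply above points at VNC Server listening on the default port 5900 as the likely channel for the remote typing and browser launching. The script below is an added example, not part of the original thread or any Comodo or RealVNC tool: it parses the output of the standard Windows commands `netstat -ano` and `tasklist /fo csv /nh` (captured on the suspect machine and pasted in), flags any process listening on the VNC ports 5900/5800, and reports established sessions to those ports from non-loopback addresses together with the owning image name. The netstat and tasklist text embedded here is constructed sample data (the PIDs, the `203.0.113.7` client address and the memory figures are made up for the example); on a real system you would paste in the actual command output.

```python
"""Triage VNC exposure from `netstat -ano` and `tasklist /fo csv /nh` output.

Added example: finds processes listening on the default VNC ports and any
established VNC session from a remote address, then attributes the socket
to its image name via the PID. Sample command output below is constructed.
"""
import csv
import io
import ipaddress
import re

# Default RFB port for display :0 and the built-in Java-viewer HTTP port.
VNC_PORTS = {5900, 5800}

# One `netstat -ano` row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.10:5900      203.0.113.7:51322      ESTABLISHED     1544
  TCP    192.168.1.10:49200     198.51.100.20:443      ESTABLISHED     2380
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed sample of `tasklist /fo csv /nh` output (not a real capture).
TASKLIST_SAMPLE = """
"svchost.exe","884","Services","0","7,812 K"
"WinVNC4.exe","1544","Services","0","6,204 K"
"firefox.exe","2380","Console","1","88,120 K"
"""


def split_addr(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_tasklist(text):
    """Map PID -> image name; csv handles the quoted '7,812 K' memory column."""
    pid_to_image = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            pid_to_image[int(row[1])] = row[0]
    return pid_to_image


def parse_netstat(text):
    """Return the socket rows of netstat output as dicts, skipping headers."""
    return [m.groupdict() for m in map(NETSTAT_LINE.match, text.splitlines()) if m]


def is_remote(host):
    """True for any routable peer; loopback, wildcard and '*' are not remote."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def triage_vnc(netstat_text, tasklist_text):
    """List (finding, pid, image, endpoint) tuples for VNC listeners and sessions."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        pid = int(row["pid"])
        image = images.get(pid, "<unknown>")
        lhost, lport = split_addr(row["local"])
        fhost, fport = split_addr(row["foreign"])
        if lport not in VNC_PORTS:
            continue
        if row["state"] == "LISTENING":
            findings.append(("vnc_listener", pid, image, f"{lhost}:{lport}"))
        elif row["state"] == "ESTABLISHED" and is_remote(fhost):
            findings.append(("remote_vnc_session", pid, image, f"{fhost}:{fport}"))
    return findings


if __name__ == "__main__":
    for finding in triage_vnc(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(*finding)
```

A `vnc_listener` bound to `0.0.0.0` means the server accepts connections from any interface, not just the local machine; a `remote_vnc_session` row is the thing to chase, since it names the peer address and the process (here WinVNC4.exe) that is serving it. Run the two commands while the suspicious activity is happening, because an attacker's session only shows up as ESTABLISHED while it is open.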