Wilders Security Forums
Archived ESET Support Forums > NOD32 version 2 Forum
#1 - arrowsmithmidwest (Regular Poster; joined May 2004; Midwest; 165 posts) - May 12th, 2004, 09:45 PM
Win32/Spy.KeyLogger

Yes, this morning I'm getting calls and emails about it.
They say that NOD32 will remove it.
They do another scan and it is straight back again. Is there a permanent patch/fix for this?

Thank you again.
#2 - anders (Eset Moderator; joined Oct 2002; 410 posts) - May 13th, 2004, 03:52 AM
Re: Win32/Spy.KeyLogger

If it gets removed, but is there again after a while, it's most likely one of these three things that's happening:
  • They have system restore enabled, and Windows has a backup copy of the file in C:\_Restore (WinME), or C:\System Volume Information (WinXP). If so, disable system restore (losing any restore points you may have), restart the computer, and enable the system restore function again, to remove all files in the backup.
  • The infected file is reinstalled because the computer is not secured. Either it has shared a drive with no password, or a bad password, or it isn't patched, and something is exploiting a security hole to gain access. Get all security updates from http://www.windowsupdate.com/
  • There is an auto-starting dropper that drops the infected file, and NOD32 doesn't detect the dropper. Run HijackThis and post the log to this forum, to see if there are any rogue autostarting programs.

Of these, I guess it's either the first or the second one. Do a full scan with the NOD32 Scanner (Start -> Programs -> Eset -> NOD32, click on "Clean" to start the scanning). If nothing infected is detected, visit http://www.windowsupdate.com/ and make sure you have all the security updates.

I also suggest that they use some free anti-spyware program (for example Ad-aware from http://www.lavasoft.nu/ ), and personally, I'm really fond of the SpywareBlaster program ( http://www.javacoolsoftware.com/ ). They work totally differently, so using both is definitely recommended.

Best regards,
Anders
#3 - arrowsmithmidwest - May 13th, 2004, 04:17 AM
Re: Win32/Spy.KeyLogger

Thanks, I will give it a try and see how it all goes and report on the results.
#4 - arrowsmithmidwest - May 18th, 2004, 03:09 AM
Re: Win32/Spy.KeyLogger

Logfile of HijackThis v1.97.7
Scan saved at 12:32:23 PM, on 18/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Robyn\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wn.com.au/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [] C:\WINDOWS\W98SYS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/220b7de6...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...120.7420486111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

I can't see anything in particular here.
#5 - Blackspear (Global Moderator; joined Dec 2002; Gold Coast, Queensland, Australia; 15,114 posts) - May 18th, 2004, 04:26 AM
Re: Win32/Spy.KeyLogger

I'm not an expert either, however the HJT log looks fine. As Anders said, make sure you do the following:

Install a firewall such as ZoneAlarm available from www.zonelabs.com

Make sure Windows is fully up to date

Do NOT share the main "C" drive, share folders within the C drive instead.

Install and use programs such as Spybot Search and Destroy v1.3 available from www.download.com

Install Spyware Guard by javacool available from this site

Install Spyware Blaster by javacool available from this site

Install and run all these programs and you should sort out the problem pretty quick smart

You may also want to see the following thread for settings and how we deal with and install security for customers: http://www.wilderssecurity.com/showthread.php?t=21171

Hope this helps...

Cheers
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers
#6 - anders - May 18th, 2004, 10:39 AM
Re: Win32/Spy.KeyLogger

O4 - HKLM\..\Run: [] C:\WINDOWS\W98SYS.EXE

That doesn't look good. If that file exists, send it to samples@eset.com and/or to me.

Best regards,
Anders
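The entry Anders picks out can be found mechanically rather than by eye. What follows is an added example, not code from this thread, from ESET, or from the HijackThis author: a small Python triage script over an HJT-format log. The log text embedded in it is a constructed excerpt that copies the Run-key (O4) and O10 lines from arrowsmithmidwest's post; the rules it applies (empty value name, executable sitting directly in the Windows root, bare filename resolved through PATH) are my own rules of thumb and only nominate entries for a human to check, they do not prove that anything is malicious. For the O10 line, imon.dll is NOD32's own IMON module, so that entry points at a NOD32 installation problem rather than at the keylogger.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in HijackThis v1.97 format. The O4 and O10 lines are
# copied from the log posted in this thread; everything else is omitted.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [] C:\WINDOWS\W98SYS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
"""

# O4 lines look like: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - (?P<text>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the executable from a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_o4(name: str, cmd: str) -> list:
    """Heuristic rules for one Run-key entry; they nominate entries for a human to check."""
    reasons = []
    exe = executable_of(cmd).lower()
    if name == "":
        # Installers name their Run values; an empty name is unusual.
        reasons.append("empty value name")
    if "\\" not in exe:
        # A bare filename is resolved through PATH, so the log alone does not say where it lives.
        reasons.append("bare filename resolved via PATH; locate the file before trusting it")
    elif exe.startswith("c:\\windows\\") and exe.count("\\") == 2:
        # Vendors install under System32 or Program Files; droppers favour the Windows root.
        reasons.append("executable sits directly in the Windows root")
    return reasons


def triage(log_text: str) -> list:
    """Scan an HJT-format log and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = assess_o4(m.group("name"), m.group("cmd"))
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        if O10_RE.match(line):
            # An O10 entry means the Winsock LSP chain is broken. Decide whether the named
            # DLL belongs to installed software before repairing: here imon.dll is NOD32's
            # own IMON module, so this is a NOD32 install problem, not the keylogger.
            findings.append(Finding(line, ["LSP chain references a missing DLL"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the excerpt, the script reports the unnamed W98SYS.EXE entry on two counts, lists SOUNDMAN.EXE as a path-resolved name to locate on disk (it is the Realtek sound manager in this log, so it survives the check), and leaves the System32 and Program Files entries alone.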
#7 - arrowsmithmidwest - May 31st, 2004, 12:59 AM
Re: Win32/Spy.KeyLogger

I checked the client's PC and that file does not exist, via search or anything.
So maybe that was the virus and NOD removed it?
All times are GMT -4.
Copyright ©2002 - 2013, Wilders Security Forums