Operaget shown to have pcdetective systemmonitor

Hi

Operaget is an extension for opera, downloadable from their forum.

Link -
http://my.opera.com/community/forums/topic.dml?id=90198&t=1150968806&page=2

The file og.dll in operaget archive is shown to contain pc detective system monitor by spysweeper and outpost spyware plugin.

Dr web antivrus shows it as pc detective too when checked at
http://virusscan.jotti.org/

This is the download link for the file at the opera forum

hxxp://my.opera.com/bluej/homes/files/old_forum_import/operaget132.zip

Could anyone verify if its safe to use.

Thanks

 

Its a keylogger!
I googled it and the search results are very obvious...
search for pc detective system monitor and see it.

 

I was wondering if its a false positive, since operaget is possibly used by many people running opera.
Is it possible to verify it using hex edit and other stuff that you gurus use

 

Wait a while, aegis. When you scanned it with spysweeper, was there an option to remove the item that it found?
Its not surprising to find a malware-riddled extension.
If it really is a false positive, then the developers should be informed.
NOTE: Some russian fellow at the Opera forum says dr.web detects possibly as a false positive.
Since outpost anti-spyware plugin detected it too, you should immediately go to the outpost forums and ask them for more details and assistance.

 

There is an option to disinfect it with spysweeper, but it makes operaget unusuable.

What id like to know is if its indeed infected and have a few of the pros here test and find out for sure. Thatd solve the issue.

nadirah

A keylogger would mean all our sensitive data is subject to being monitored by someone else. Which is why i posted it here to find out for sure.
Its unnerving to find a keylogger hidden in an extension of your favorite browser.

 

I would like to test it out and check myself but my system environment is too valuable.
I could use a virtual machine but my system is at risk of performance overheads. Not enough ram.

 

I have found a bit problem with Obook plugin for Opera.
Comodo firewall warned me that OBook may be trying to connect internet via Free Download manager( that I use) and it might send data.
I wonder if any body can confirm these( OperaGet and OBook) are safe or not?

 

Wait, you said its downloadable from the forum?
How about trying to get in touch with the author of the extension and ask him what the heck is going on? And ask him about this keylogger that was found in his software and show him all the evidence you've got. The best way to know if its infected is to ask the Man himself.

Downloading a browser extension from a forum is not safe IMO.

 

There are quite a few items of legitimate software that have keylogger-like properties (specifically, hooking themselves into Windows' keyboard or mouse routines) since they need to be able to intercept certain mouse or keyboard commands (obvious examples include mouse/touchpad drivers and keyboard/game controller software). Some applications may use this method also simply because it is a convenient way of implementing a non-standard function (e.g. IrfanView with its Save As dialog),

It may be that scanners are detecting this with OperaGet or just picking up a false positive for another reason. However a real keylogger has to collect data and send it back to its owner so the acid test is whether OperaGet makes connections to any site other than those you download from, or whether it causes Opera to do so.

 

Basically, Pcdetective system monitor is a keylogger software program. And according to what para said, you should check your firewall for that, if you've got one on your computer.
Also, why should an extension associated with download managers have keylogger-like functions? If there's really a keylogger in it, the author must be contacted.

 

If it has (the developer is best qualified to confirm this) then it could be that it emulates keyboard commands to send URLs from Opera to the download managers (since many will accept URLs via the clipboard, this would be an easy way to work with multiple managers).

 

Thanks for the clarification paranoid.
Is there a way to check if its indeed system monitor by using hex edit or other tools. Ive heard it mentioned before by the pros. Thatd solve the issue.

 

Hex edit? Now i don't think that is necessary as that is mainly for extremely complex and dirty cases. A keylogger problem is still solvable without having to make the whole situation more complex.
Aegis, maybe you can try this HIPS/HIDS program called antihook from http://www.infoprocess.com.au/AntiHook.php

After installing it, don't use it first, go to the free registration page on the website and copy and paste the username and registration key into antihook.
after that click on the antihook icon in the taskbar and click rules editor.
Then it will ask you do you want to install the rules editor for antihook?
Before installing the rules editor, make sure you have the Microsoft .NET Framework installed on your computer.
After it is installed, you may need to reboot your machine. After it comes back on, set antihook to fingerprint running mode. The normal mode will drive you crazy with all its prompting.
At this point of time, go to rules editor again and click on windows hooks.
Look for anything related to opera or the extension based on the names.
If it indeed does have a hook, then it should be checked out thoroughly.

 

How about the registratuion issue?

Gerard

 

Gerard, look more carefully at the pages please. There is a free user name and registration key available right at this page http://www.infoprocess.biz/register.aspx. Users can use those to register while waiting for infoprocess to come up with a solution.

Due to insufficient disk space on our Web Server we are publishing a free registration key until this problem is resolved. The hosting company www.sentris.com will hopefully sort this out soon.
User Name (site): AntiHookSharedKey
Registration Key: 114A11133E48AAC223D8B56ACCCC608D2F1F022255D445371A43DBAD244FC0D89D0D2397268C8956

 

Sorry Nadirah, I thought it was related to version 2.5 and not to insufficient diskspace.

Gerard

 

@ Little Guy ... I split your post into it's own thread, you find it here -> https://www.wilderssecurity.com/showthread.php?t=137901

The thread has been re-titled: [Split & Re-titled] Possible security vulnerability with IrfanView?

BTW - Welcome to Wilders

Regards;

Steve