Operaget shown to have PC Detective System Monitor

Discussion in 'malware problems & news' started by aegis, Jul 1, 2006.

Thread Status:
Not open for further replies.
  1. aegis

    aegis Registered Member

    Joined:
    Jun 7, 2006
    Posts:
    11
    Hi

    Operaget is an extension for opera, downloadable from their forum.

    Link -
    http://my.opera.com/community/forums/topic.dml?id=90198&t=1150968806&page=2

The file og.dll in the Operaget archive is shown to contain PC Detective System Monitor by Spy Sweeper and the Outpost spyware plugin.

Dr.Web antivirus shows it as PC Detective too when checked at
http://virusscan.jotti.org/

    This is the download link for the file at the opera forum

    hxxp://my.opera.com/bluej/homes/files/old_forum_import/operaget132.zip

Could anyone verify if it's safe to use?

    Thanks
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
It's a keylogger! :eek:
I googled it and the search results are very obvious...
Search for "pc detective system monitor" and see it.
     
    Last edited: Jul 1, 2006
  3. aegis

    aegis Registered Member

    Joined:
    Jun 7, 2006
    Posts:
    11
I was wondering if it's a false positive, since Operaget is possibly used by many people running Opera.
Is it possible to verify it using hex edit and other stuff that you gurus use? :)
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
Wait a while, aegis. When you scanned it with Spy Sweeper, was there an option to remove the item that it found?
It's not surprising to find a malware-riddled extension.
If it really is a false positive, then the developers should be informed.
NOTE: Some Russian fellow at the Opera forum says Dr.Web detects it, possibly as a false positive.
Since the Outpost anti-spyware plugin detected it too, you should immediately go to the Outpost forums and ask them for more details and assistance.
     
  5. aegis

    aegis Registered Member

    Joined:
    Jun 7, 2006
    Posts:
    11
There is an option to disinfect it with Spy Sweeper, but it makes Operaget unusable.

What I'd like to know is if it's indeed infected, and have a few of the pros here test and find out for sure. That'd solve the issue. :)

    nadirah

A keylogger would mean all our sensitive data is subject to being monitored by someone else. Which is why I posted it here to find out for sure.
It's unnerving to find a keylogger hidden in an extension of your favorite browser.
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I would like to test it out and check myself but my system environment is too valuable.
    I could use a virtual machine but my system is at risk of performance overheads. Not enough ram.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
I have found a bit of a problem with the OBook plugin for Opera.
Comodo Firewall warned me that OBook may be trying to connect to the internet via Free Download Manager (that I use) and it might send data.
I wonder if anybody can confirm whether these (OperaGet and OBook) are safe or not?
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
Wait, you said it's downloadable from the forum?
How about trying to get in touch with the author of the extension and asking him what the heck is going on? And ask him about this keylogger that was found in his software and show him all the evidence you've got. The best way to know if it's infected is to ask the man himself.

    Downloading a browser extension from a forum is not safe IMO.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
There are quite a few items of legitimate software that have keylogger-like properties (specifically, hooking themselves into Windows' keyboard or mouse routines) since they need to be able to intercept certain mouse or keyboard commands (obvious examples include mouse/touchpad drivers and keyboard/game controller software). Some applications may use this method also simply because it is a convenient way of implementing a non-standard function (e.g. IrfanView with its Save As dialog).

It may be that scanners are detecting this with OperaGet or just picking up a false positive for another reason. However, a real keylogger has to collect data and send it back to its owner, so the acid test is whether OperaGet makes connections to any site other than those you download from, or whether it causes Opera to do so.
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
Basically, PC Detective System Monitor is a keylogger software program. And according to what Para said, you should check your firewall for that, if you've got one on your computer.
Also, why should an extension associated with download managers have keylogger-like functions? If there's really a keylogger in it, the author must be contacted.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If it has (the developer is best qualified to confirm this) then it could be that it emulates keyboard commands to send URLs from Opera to the download managers (since many will accept URLs via the clipboard, this would be an easy way to work with multiple managers).
     
  12. aegis

    aegis Registered Member

    Joined:
    Jun 7, 2006
    Posts:
    11
Thanks for the clarification, Paranoid.
Is there a way to check if it's indeed System Monitor by using hex edit or other tools? I've heard it mentioned before by the pros. That'd solve the issue.
     
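Paranoid2000's point above (legitimate software hooks Windows keyboard routines, so a scanner match is a reason to look closer, not a verdict) and aegis's question about checking the file with a hex editor come down to the same static check: which Win32 functions does og.dll import? The script below is an added example written for this thread, not code from the thread's posters or from the OperaGet project. It parses the import table of a PE file by hand (no third-party modules) and lists imports of hooking and key-state APIs. Because no real extension binary is part of the page, it builds a constructed minimal DLL in memory; the `HOOK_APIS` list, the `build_sample_dll` helper and the sample import names are assumptions of the example, not observations about og.dll. To inspect a real file, pass `open("og.dll", "rb").read()` to `parse_imports`.

```python
import struct

# Win32 APIs commonly imported by software that installs keyboard hooks or polls
# key state. A hit means "look closer", not "keylogger": input drivers, macro
# tools and download helpers import these legitimately (assumed list, not from the page).
HOOK_APIS = {
    "SetWindowsHookExA", "SetWindowsHookExW",
    "GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
    "AttachThreadInput", "RegisterRawInputDevices", "GetRawInputData",
}


def parse_imports(data):
    """Walk the PE import directory and return {dll_name: [function, ...]}.
    Handles PE32 and PE32+ thunks and imports by ordinal; raises ValueError
    for anything that is not a PE image with an import table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    # Data directories start at +96 (PE32) or +112 (PE32+); the import table is entry 1.
    dd_off = opt_off + (112 if pe32plus else 96)
    import_rva = struct.unpack_from("<II", data, dd_off + 8)[0]
    if import_rva == 0:
        raise ValueError("no import table")

    sections = []  # (VirtualAddress, size, PointerToRawData) for RVA -> file offset
    sec_off = opt_off + opt_size
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} outside every section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_size, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports, desc_off = {}, rva2off(import_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0:
            break
        thunk_off, funcs = rva2off(oft or ft), []  # prefer the unbound lookup table
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if val == 0:
                break
            if val & ord_flag:
                funcs.append(f"ordinal#{val & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
                funcs.append(cstr(rva2off(val) + 2))
            thunk_off += thunk_size
        imports[cstr(rva2off(name_rva)).lower()] = funcs
        desc_off += 20
    return imports


def flag_hook_imports(imports):
    """Return sorted 'dll!function' strings for every import found in HOOK_APIS."""
    return sorted(f"{dll}!{fn}" for dll, fns in imports.items() for fn in fns if fn in HOOK_APIS)


def build_sample_dll(imports):
    """Constructed test input: a minimal PE32 DLL consisting of one .idata
    section that holds only an import table. Not a real extension binary."""
    RVA, RAW = 0x1000, 0x200  # section virtual address and file offset
    names = list(imports)
    thunk_at, cur = {}, 20 * (len(names) + 1)  # descriptors first, then thunk arrays
    for dll in names:
        thunk_at[dll] = cur
        cur += 4 * (len(imports[dll]) + 1)
    strings, str_base = bytearray(), cur

    def add_str(b):
        off = str_base + len(strings)
        strings.extend(b)
        return off

    dll_name_at, fn_name_at = {}, {}
    for dll in names:
        dll_name_at[dll] = add_str(dll.encode() + b"\0")
        for fn in imports[dll]:
            if isinstance(fn, str):
                fn_name_at[(dll, fn)] = add_str(b"\0\0" + fn.encode() + b"\0")  # hint + name
    section = bytearray(str_base) + strings
    for i, dll in enumerate(names):
        t = thunk_at[dll]
        struct.pack_into("<IIIII", section, 20 * i, RVA + t, 0, 0, RVA + dll_name_at[dll], RVA + t)
        for j, fn in enumerate(imports[dll]):
            val = (fn | 0x80000000) if isinstance(fn, int) else RVA + fn_name_at[(dll, fn)]
            struct.pack_into("<I", section, t + 4 * j, val)

    opt = bytearray(224)  # PE32 optional header including 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                                  # Magic
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, RVA, 20 * (len(names) + 1))          # import directory
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)  # i386, 1 section, DLL
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), RVA, len(section), RAW,
                          0, 0, 0, 0, 0xC0000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    return bytes(dos + b"PE\0\0" + file_hdr + opt + sec_hdr).ljust(RAW, b"\0") + bytes(section)


# Constructed sample: imports two hook-related APIs next to ordinary ones (16 = by ordinal).
SAMPLE_DLL = build_sample_dll({
    "user32.dll": ["SetWindowsHookExA", "GetAsyncKeyState", "MessageBoxA"],
    "kernel32.dll": ["GetProcAddress", 16],
})

if __name__ == "__main__":
    imps = parse_imports(SAMPLE_DLL)  # for a real file: parse_imports(open("og.dll", "rb").read())
    for dll, fns in imps.items():
        print(dll, fns)
    print("hook-related imports:", flag_hook_imports(imps))
```

What this shows is capability, not behaviour: `SetWindowsHookEx` receives the hook type (keyboard, mouse, message filter) as a runtime argument, so the import alone cannot tell a keystroke hook from the clipboard or window-message tricks Paranoid2000 describes, and a packed or obfuscated DLL may resolve these functions through `GetProcAddress` instead of importing them by name. That is why the network check remains the acid test: an import of a hooking API tells you where to look, while an unexplained outbound connection tells you something is being sent.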
  13. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
Hex edit? Now I don't think that is necessary, as that is mainly for extremely complex and dirty cases. A keylogger problem is still solvable without having to make the whole situation more complex.
Aegis, maybe you can try this HIPS/HIDS program called AntiHook from http://www.infoprocess.com.au/AntiHook.php

After installing it, don't use it at first; go to the free registration page on the website and copy and paste the username and registration key into AntiHook.
After that, click on the AntiHook icon in the taskbar and click Rules Editor.
Then it will ask you: do you want to install the Rules Editor for AntiHook?
Before installing the Rules Editor, make sure you have the Microsoft .NET Framework installed on your computer.
After it is installed, you may need to reboot your machine. After it comes back on, set AntiHook to fingerprint running mode. The normal mode will drive you crazy with all its prompting.
At this point, go to the Rules Editor again and click on Windows Hooks.
Look for anything related to Opera or the extension based on the names.
If it indeed does have a hook, then it should be checked out thoroughly.
     
  14. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
How about the registration issue?

    Gerard
     
    Last edited: Jul 6, 2006
  15. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
Gerard, look more carefully at the pages, please. There is a free user name and registration key available right at this page: http://www.infoprocess.biz/register.aspx. Users can use those to register while waiting for InfoProcess to come up with a solution.

    Due to insufficient disk space on our Web Server we are publishing a free registration key until this problem is resolved. The hosting company www.sentris.com will hopefully sort this out soon.
    User Name (site): AntiHookSharedKey
    Registration Key: 114A11133E48AAC223D8B56ACCCC608D2F1F022255D445371A43DBAD244FC0D89D0D2397268C8956
     
  16. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
Sorry Nadirah, I thought it was related to version 2.5 and not to insufficient disk space.

    Gerard
     
  17. dog

    dog Guest

@ Little Guy ... I split your post into its own thread; you'll find it here -> https://www.wilderssecurity.com/showthread.php?t=137901

    The thread has been re-titled: [Split & Re-titled] Possible security vulnerability with IrfanView?

    BTW - Welcome to Wilders ;)

    Regards;

    Steve
     