Win32/Spy.KeyLogger

Discussion in 'NOD32 version 2 Forum' started by arrowsmithmidwest, May 12, 2004.

Thread Status:
Not open for further replies.
  1. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest
    Yes, this morning I'm getting calls and emails about it.
    They say that NOD32 will remove it.
    They do another scan and it is straight back again. Is there a permanent patch/fix for this? o_O

    Thank you again.
     
  2. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    If it gets removed, but is there again after a while, it's most likely one of these three things that's happening:

    • They have system restore enabled, and Windows has a backup copy of the file in C:\_Restore (WinME), or C:\System Volume Information (WinXP). If so, disable system restore (losing any restore points you may have), restart the computer, and enable the system restore function again, to remove all files in the backup.
    • The infected file is reinstalled because the computer is not secured. Either it has shared a drive with no password, or a bad password, or it isn't patched, and something is exploiting a security hole to gain access. Get all security updates from http://www.windowsupdate.com/
    • There is an auto-starting dropper that drops the infected file, and NOD32 doesn't detect the dropper. Run HijackThis and post the log to this forum, to see if there are any rogue autostarting programs.

    Of these, I guess it's either the first or the second one. Do a full scan with the NOD32 Scanner (Start -> Programs -> Eset -> NOD32, click on "Clean" to start the scanning). If nothing infected is detected, visit http://www.windowsupdate.com/ and make sure you have all the security updates.

    I also suggest that they use some free anti-spyware program (for example Ad-aware from http://www.lavasoft.nu/ ), and personally, I'm really fond of the SpywareBlaster program ( http://www.javacoolsoftware.com/ ). They work totally differently, so using both is definitely recommended.

    Best regards,
    Anders
     
  3. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Thanks, I will give it a try and see how it all goes and report on the results.
     
  4. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Logfile of HijackThis v1.97.7
    Scan saved at 12:32:23 PM, on 18/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Robyn\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wn.com.au/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [] C:\WINDOWS\W98SYS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/220b7de60cec5fb44e01/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.7420486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I can't see anything in particular here
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'm not an expert either, however the HJT log looks fine. As Anders said, make sure you do the following:

    Install a firewall such as ZoneAlarm available from www.zonelabs.com

    Make sure Windows is fully up to date

    Do NOT share the main "C" drive, share folders within the C drive instead.

    Install and use programs such as Spybot Search and Destroy v1.3 available from www.download.com

    Install Spyware Guard by javacool available from this site

    Install Spyware Blaster by javacool available from this site

    Install and run all these programs and you should sort out the problem pretty quick smart :D

    You may also want to see the following thread for settings and how we deal with and install security for customers: https://www.wilderssecurity.com/showthread.php?t=21171

    Hope this helps...

    Cheers :D
     
  6. anders

    anders Eset Staff Account

    O4 - HKLM\..\Run: [] C:\WINDOWS\W98SYS.EXE

    That doesn't look good. If that file exists, send it to samples@eset.com and/or to me.

    Best regards,
    Anders
     
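    As an added example (not part of the thread, and not HijackThis or ESET code): a small Python checker that applies the kind of review Anders does above to the O4 lines of a HijackThis log. The log excerpt is constructed in the format of the log posted earlier; the four heuristics (empty value name, bare filename, image directly in the Windows directory, autostart image not among the running processes) are my own choice of things worth a second look, not HijackThis logic.

```python
import re
from pathlib import PureWindowsPath
# Constructed excerpt in HijackThis 1.97 log format, modelled on the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [] C:\WINDOWS\W98SYS.EXE
"""

# O4 line: hive, abbreviated key, [value name], command line
RUN_KEY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

def parse_hjt_log(text: str):
    """Return (lower-cased running-process paths, list of (hive, key, name, image))."""
    running, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif m := RUN_KEY.match(line):
            hive, key, name, cmd = m.groups()
            # Image is the quoted path, or the first token of an unquoted command
            image = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
            entries.append((hive, key, name, image))
    return running, entries

def audit_hjt_log(text: str) -> list[dict]:
    """Annotate every O4 autostart entry with the reasons a reviewer would look twice."""
    running, entries = parse_hjt_log(text)
    findings, known = [], running | {PureWindowsPath(p).name for p in running}  # paths + basenames
    for hive, key, name, image in entries:
        path, reasons = PureWindowsPath(image), []
        if name == "":
            reasons.append("empty value name")            # the W98SYS.EXE pattern
        if "\\" not in image:
            reasons.append("bare filename, resolved via the search path")
        elif str(path.parent).lower() == r"c:\windows":
            reasons.append("image sits directly in the Windows directory")
        if (image if "\\" in image else path.name).lower() not in known:
            reasons.append("not among the running processes at scan time")
        findings.append({"hive": hive, "key": key, "name": name, "image": image, "reasons": reasons})
    return findings
```

    Run against the sample, the unnamed W98SYS.EXE entry collects three reasons while the IgfxTray and nod32kui entries collect none, which mirrors the manual read of the posted log.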
  7. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    I checked the client's PC and that file does not exist, via search or anything.
    So maybe that was the virus and NOD removed it?
     