
Thread: Re: What kind of keylogger is this?

  1. #1
    David H. Lipman Guest

    Re: What kind of keylogger is this?

    From: <betty889125@hotrmailnospam.org>

    | (see image link below as I can't attach a *.txt file to this group).
    |
    | http://i13.tinypic.com/40l2t81.jpg
    |
    | When I found my IE 6 browser refusing to open several browsers at a time,
    | I did a ctrl-alt-delete and found two SERVICES processes. I also saw that
    | my IEXPLORE.exe file would still be open as a memory hog (130 mg) even
    | after closing all open browser screens. After using Crapcleaner to clean
    | the temp files and cache, I ran a services.msc command and noticed this
    | Key*** service, which I knew I never had before. The attached image link
    | shows half of the places I found where it appeared in my registry.
    | Obviously, Crap Cleaner deleted the exe file in the temp directory.
    | When I was in services, I disabled it (it was set to "manual").
    |
    | I've searched all over Google and can't find any references to it.
    |
    | Hijackthis picked it up as an O23 item - Unknown owner - \LOCALS~1\Temp
    | \exe (file missing)
    |
    | Before I delete all the registry references to it, would anyone here know
    | of any site that discusses it?
    |



    Please submit a sample of "keygodsx.exe" to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:scan@virustotal.com?subject=SCAN

    When you get the report, please post back the exact results.

    It uses RootKit techniques so I suggest using Gmer.
    http://www.gmer.net/



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  2. #2
    David H. Lipman Guest

    Re: What kind of keylogger is this?

    From: <betty889125@hotrmailnospam.org>


    | I'd like to submit the file, except that I ran Crap Cleaner even before I
    | knew it was on the system. Crap Cleaner deleted it.
    | I'm going to run the above rootkit program as well as Sysinternals and a
    | few others.
    |
    | Do you think it's time for Multi A-V? Is it safe to run these online
    | scanners rather than downloading the signatures like Multi-AV does?
    | Don't the online scanners record every filename on your computer?
    | Secondly, isn't there stuff they can't find because of one's firewall?
    |
    | I have McAfee's SiteAdvisor as a BHO, use IE-Spyad and have a HOSTS file,
    | plus use Avast and a firewall. Still, it's amazing how these things
    | infiltrate a computer. I was reading on one of the security sites that
    | Spyware problems are soaring.
    |
    | I wonder if it pays to change the name of your computer, sign on name,
    | password, and release and renew IP addresses on a regular basis.
    |
    | Someone better inform the media soon how serious a problem this is
    | becoming. Any guesses as to how many home computers are seriously
    | infected around the world?
    |
    | (Please excuse my crossposting, but I'm incensed at my violation of
    | privacy with this spyware/malware/trojan problem and I feel that the more
    | individuals who read about this particular keylogger, if that's what it
    | is, the better.)

    I have more confidence in Gmer than RootKit Revealer so I suggest using it first.

    Sure, you can use my Multi AV Scanning Tool. The McAfee module alone knows hundreds of
    Keylogging Trojans. Additionally, you never know what else any of the modules might find.

    I really do NOT know what you had. I looked in virus libraries and could not find it. It
    may be new or it may be an old one that is using new names for Registry keys and files.

    I would assume the worst. That is, you need to immediately redo *all* passwords that have
    been used on that PC. Online Banking, Forum accounts, Quicken, -- every and all of them.
    Changing the name of the computer is a waste of time. The PC name is meaningless. Getting a
    new IP address is also worthless. I do suggest that if you are on Broadband, get and use a
    Cable/DSL Router such as the Linksys BEFSR41.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  3. #3
    David H. Lipman Guest

    Re: What kind of keylogger is this?

    From: <betty889125@hotrmailnospam.org>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:EIT_g.80249$073.23051@trnddc01:
    |
    >> I have more confidence in Gnmer that RootKit Revealer so I suggest
    >> using it first.

    |
    | I just used it and can't make head or tail from it.
    | Secondly, Drwatson appears about 2nd use and closes it.
    |
    | Right now, I see that the gmer.exe file is still running in my task
    | manager, yet I can't see the program, nor can I close it.
    |
    | The same goes for sysinternals.com Process Explorer.
    |
    | When I ran the Rootkit scan, I saw a load of things scrolling by,
    | but I didn't see anything marked "hidden" like his FAQ's show (unless I'm
    | reading the FAQ's wrong). I did see some of the MJ's and some TCP/IP
    | things floating by. I thought I was getting very advanced, but I'm not
    | sure what boxes s/b checked, nor how many of the 50+ services in the other
    | tab I see that I should research. There's quite a few I'm not sure about.
    |
    | I'm going to delete all references to the "keylogger(?)" in my registry
    | now, and then run a multitude of security programs - including Multi-AV.
    |
    | I hope that whatever it is is only in my system partition or registry,
    | because I have a very large hard drive, and also use a large, multi-
    | partitioned external drive on occasion.
    |
    | To scan all those partitions with Multi-AV might take the rest of the
    | winter - LOL! Usually, these bugs are in the OS directory, registry,
    | documents and settings, or program files on the main partition.

    The MOST important areas to scan with Multi AV...

    C:\Documents and Settings

    C:\Program Files

    %windir%

    You can have it selectively scan those specific areas.

    Delete those Registry entries. Exit Regedit and then go back into Regedit and see if they
    still exist.

    If they still exist, the malware is still running.
    If they don't still exist, reboot the PC and then run a selective area scan using the Multi
    AV Scanning Tool.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
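    An added example, not code from this thread nor from any of Dave's tools, that automates the two checks discussed above: listing services whose binary is missing or sits under a Temp folder (the HijackThis O23 "file missing" situation), and searching the registry for a name so you can confirm, before and after a reboot, whether the deleted entries come back. It only reads the registry; it deletes nothing. The service name "keygodsx" is the one named earlier in the thread; the hive list and the ImagePath parsing are generic Windows layout, with the parsing being best effort for unquoted paths. Run it from an elevated PowerShell prompt.

```powershell
# Added example for the thread above (not Dave's or HijackThis code). Read-only triage.

function Resolve-ServiceImage {
    # Turn a raw ImagePath registry value into the executable/driver path it refers to.
    param([string]$ImagePath)
    $raw = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] }              # quoted path, maybe with args
    else { $exe = ($raw -split '\s+-|\s+/', 2)[0].Trim() }            # unquoted path; args start at " -k" or " /x"
    $exe = $exe -replace '^\\\?\?\\', ''                              # strip the NT "\??\" prefix
    $exe = $exe -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')   # drivers often use \SystemRoot\...
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }  # e.g. system32\drivers\x.sys
    return $exe
}

function Get-SuspectServices {
    # Flag services whose binary is missing, lives under a Temp folder, or matches a name hint.
    param([string]$NameHint = 'keygodsx')   # name taken from the thread; change as needed
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { continue }
        $exe = Resolve-ServiceImage $p.ImagePath
        $reasons = @()
        if ($key.PSChildName -like "*$NameHint*") { $reasons += 'name matches hint' }
        if ($exe -match '\\Temp\\')               { $reasons += 'binary under a Temp folder' }
        if (-not (Test-Path -LiteralPath $exe))   { $reasons += 'binary missing (O23 "file missing")' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Start     = if ($null -ne $p.Start) { $startNames[[int]$p.Start] } else { '?' }
                ImagePath = $p.ImagePath
                Resolved  = $exe
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

function Find-RegistryReferences {
    # Search key names, value names and value data for a pattern under the usual
    # persistence locations. Run before deleting the entries and again after a reboot:
    # references that reappear mean something is still running and re-creating them.
    param(
        [string]$Pattern = 'keygodsx',
        [string[]]$Hives = @(
            'HKLM:\SYSTEM\CurrentControlSet',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
        )
    )
    foreach ($hive in $Hives) {
        foreach ($key in Get-ChildItem $hive -Recurse -ErrorAction SilentlyContinue) {
            if ($key.PSChildName -like "*$Pattern*") {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if (($name -like "*$Pattern*") -or ("$data" -like "*$Pattern*")) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = "$data" }
                }
            }
        }
    }
}

# Usage: list suspicious services, then every registry reference to the name.
Get-SuspectServices | Format-Table -AutoSize
Find-RegistryReferences | Format-Table -AutoSize
```

    The first table is the automated version of looking through services.msc for entries you never installed: anything "Manual" or "Automatic" whose file no longer exists, or which points into a Temp directory, is worth researching. The second table gives you the "exit Regedit, go back in, see if they still exist" check in one command; save its output before the cleanup, reboot, and compare.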



  4. #4
    David H. Lipman Guest

    Re: What kind of keylogger is this?

    From: <betty889125@hotrmailnospam.org>

    Replies are inline...

    |
    | I've already scanned it with Regseeker and Registrar Lite from
    | Resplendence.com (who has some nice stuff). Regseeker picked up 34
    | instances and Registrar Lite found another 20 or so. I also just did a
    | Regedit search, and the registry was clean (from this one, at least).
    | Now onto Multi-AV, a-squared, Ad-Aware, Spybot, Windows Defender (is it
    | really worth it?), Regclean, and Avast.


    You can leave out; Ad-Aware, Spybot, Windows Defender, Regclean, and Avast.


    |
    | I'm beginning to wonder about Mcafee's Site Advisor. There are some
    | questionable sites that they say are clean, yet they have a warning about
    | Resplendence.com, who makes some good registry cleaners.
    |
    | Do the scanners in Multi-AV also clean the system (look for all instances
    | where the virus or trojan may be) once it finds a bug, or do I have to
    | research everything it finds?


    Yes. That's why it isn't always good to use a surrogate PC to scan a hard disk.
    (that is removing the hard disk from the affected PC and placing it in another PC and having
    that PC scan it)


    |
    | I remember reading here once that the Kaspersky scanner left marks on
    | every file it found, and a tool was needed to remove the Kaspersky
    | extensions.


    I heard that too. I think it was version 5.


    | I'm surprised that there hasn't been more participation in this thread.
    | This was the first place I thought of posting the problem since it's
    | easier to post to newsgroups, and it's open to all readers of forums such
    | as Wilders Security, Castle Cops, etc.


    It's Sunday night. Friday and Sunday nights are usually quiet.


    |
    | The WWW is beginning to make the old wild, wild, west look tame by
    | comparison! Why can't Microsoft, with all their programmers, have a
    | department that collects all info about rootkits, trojans, spyware, etc,
    | and issue a daily, or twice weekly updated program - even if it has a 100
    | mg signature file, that deeply cleans every aspect of the registry, and
    | once it finds something, has a lookup table of what exe or dll files it's
    | associated with? I wouldn't care if the program took 4 hours to run, as
    | long as it guaranteed a clean registry, with no strange services running.

    Yepper. The landscape of the Internet is full of pitfalls and dangers waiting for the
    unsuspecting user and is getting worse.


    |
    | I wonder if I'll be safer now with Firefox?
    |


    Moderately, yes.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  5. #5
    David H. Lipman Guest

    Re: What kind of keylogger is this?

    From: <betty889125@hotrmailnospam.org>

    < snip >

    I submitted your JPEG to some real experts. We'll see what feedback they provide.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  6. #6
    David H. Lipman Guest

    Re: What kind of keylogger is this?

    From: <betty889125@hotrmailnospam.org>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:ejV_g.11216$A27.1715@trnddc08:
    |
    >> You can leave out; Ad-Aware, Spybot, Windows Defender, Regclean, and
    >> Avast.

    |
    | You're that down on Avast? What AV program do you use?

    McAfee Enterprise and AntiVir.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm


