TechSpot

Keylogger

By CoreyH
Mar 29, 2007
  1. I believe I have a keylogger on my computer. A few days ago I was getting warnings from Norton saying someone was trying to send me something called 'Infostealer.JiangHu'. Norton said it was being blocked, and I ran scans afterwards anyway and it didn't find anything, so I assumed I was safe. Today my account and 2 other accounts for a game I play had been hacked and taken. I've run every anti-virus, spyware, and all that I could find and the ones you listed, but I'm still paranoid not knowing if it's gone or not.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of CoreyH only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. CoreyH

    CoreyH TS Rookie Topic Starter

    Alright I did it all and attached the HJT, AVG Antispyware and Combofix logs. AVG Antirootkit said it didn't find anything.
     


  4. jobeard

    jobeard TS Ambassador Posts: 9,333   +622

    the BAE.dll is a trojan!
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    jobeard: The BAE.dll file is actually part of Google. See HERE.

    CoreyH: Please do the following.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    SpywareBot <-- This is a rogue programme and needs to be removed.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    SpywareBot.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6BA804F4-3030-4F73-8C35-AAD5A73FE1A4}: NameServer = 68.2.16.25,68.2.16.30 <-- Only fix this entry if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\SpywareBot <-- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    I need you to have a file checked out.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\Program Files\Rupture\Rupture.exe
    * Click Open
    * Please let me know the results and post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of CoreyH only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. jobeard

    jobeard TS Ambassador Posts: 9,333   +622

    >jobeard: The BAE.dll file is actually part of Google. See ...
    Oops; guess the reference I found was wrong -- sorry for the confusion.
     
  7. halo71

    halo71 TS Rookie Posts: 1,090

    http://vil.nai.com/vil/content/v_102355.htm

    jobeard, looks like the reference I found must be wrong too!
    And I also found the below info as well...

    What is BAE.dll? Is BAE.dll spyware or a virus?
    Process name: BAE.dll

    Product: Browser Address Error Redirector

    Company: Dell Inc (www.dell.com) or Gateway Inc

    File: BAE.dll

    If you want a detailed security rating about your BAE.dll (and all other running background processes) download the free trial version of Security Task Manager.

    Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection! Check it out!
     
  8. CoreyH

    CoreyH TS Rookie Topic Starter

    Alright I did it, SpywareBot wasn't in my add or remove programs list or in my program files but it was in the HJT list.

    Also I'm a little confused about the BAE.dll thing, am I supposed to be deleting that or?

    Oh and forgot, I uninstalled Rupture yesterday when all this happened because it was the only thing I could think of that I had downloaded recently. Do you want me to download it again and scan it at that site?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, don't fix the BAE.dll file, it's perfectly safe.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Rupture.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - Startup: Rupture.lnk = C:\Program Files\Rupture\Rupture.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Rupture <-- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know if you're still having problems.

    Regards Howard :)

    This thread is for the use of CoreyH only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
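    Howard's instructions in posts 5 and 9 apply a few repeatable rules to HJT entries: O2/O9 objects marked "(no file)" are orphaned and safe to fix, O4 autostarts that launch a known rogue program get fixed, and an O17 NameServer entry is only fixed when the DNS servers are not the ISP's. The triage below is an added example, not code from the thread or from HijackThis; the sample entries are the ones quoted above, the rogue-name list comes from the thread, and the ISP DNS allowlist is an assumption standing in for the user's real ISP servers.

```python
import re

# Constructed sample: the HJT entries quoted in posts 5 and 9 of this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: Rupture.lnk = C:\Program Files\Rupture\Rupture.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BA804F4-3030-4F73-8C35-AAD5A73FE1A4}: NameServer = 68.2.16.25,68.2.16.30
"""

# Program names the thread identifies as rogue. The DNS allowlist is an assumption
# standing in for whatever servers the user's ISP actually hands out.
KNOWN_ROGUE = {"spywarebot", "rupture"}
ISP_DNS_ALLOWLIST = {"68.2.16.25", "68.2.16.30"}

_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|scr|bat|cmd)\b", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_line(line, isp_dns=ISP_DNS_ALLOWLIST):
    """Return (section, verdict, reason) for one HJT entry, or None for a non-entry line."""
    line = line.strip()
    m = re.match(r"(O\d+) - ", line)
    if not m:
        return None
    section = m.group(1)
    if section in ("O2", "O9") and "(no file)" in line:
        return section, "fix", "orphaned entry: the registered file no longer exists"
    if section == "O4":
        path = _PATH.search(line)
        if path is None:
            return section, "review", "autostart with no recognisable executable path"
        stem = path.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem in KNOWN_ROGUE:
            return section, "fix", f"autostart launches known rogue program '{stem}'"
        return section, "review", f"autostart launches {path.group(0)}; confirm its publisher"
    if section == "O17":
        unknown = set(_IPV4.findall(line)) - set(isp_dns)
        if unknown:
            return section, "fix", "NameServer points at non-ISP DNS: " + ", ".join(sorted(unknown))
        return section, "keep", "NameServer entries match the ISP allowlist"
    return section, "review", "no rule for this section"


def triage_log(text, isp_dns=ISP_DNS_ALLOWLIST):
    """Triage every entry in an HJT log; blank and header lines are skipped."""
    return [f for f in (triage_line(l, isp_dns) for l in text.splitlines()) if f]
```

    Anything the rules cannot decide comes back as "review" rather than "fix", which mirrors the thread's practice of checking an unknown file (the jotti.org scan) before deleting it.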
     
  10. CoreyH

    CoreyH TS Rookie Topic Starter

    Wasn't in add or remove or program files but was in HJT again. I won't really know if I still have the problem unless my account gets stolen again I guess which I really don't want to happen. Do you know if any of these things I've deleted could've been a keylogger?
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean. Don't worry that you couldn't find the C:\Program Files\Rupture folder.

    I can find nothing nasty on your system.

    However, if you want to post an Autoruns log, I'll be happy to take a look for you.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)

    This thread is for the use of CoreyH only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. CoreyH

    CoreyH TS Rookie Topic Starter

    Sorry if I seem a little naggy, 2 of the accounts stolen through me were each worth over $1,000, quite paranoid about it now. Logs attached.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No worries mate.

    I can't see anything nasty in your Autoruns log.

    Your system looks clean. However, I can't guarantee 100% you don't have some malware hiding away somewhere.

    That's why I gave you this link earlier. The bottom line is this. If you use your computer for sensitive info, or for financial purposes, it makes sense to format rather than clean the system. Once a system has been compromised, it cannot be trusted 100% again.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of CoreyH only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
