Keylogger

Seldom1

Junior Member
May 26, 2007
6
0
0
Yes, I accidentally went to a page with a keylogger.

I ran Adaware SE personal, it found 176 objects which I have quarantined. I downloaded and ran Spybot S&D, ran, fixed, and immunized.

I am running Windows Vista Home Premium.

My hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:57 AM, on 5/26/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\WINDOWS\System32\CTXFISPI.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Security Task Manager\taskman.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=...cale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=...cale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=...cale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{906DB252-4A8C-4869-82E0-ED61903A370B}: NameServer = 68.94.156.1 68.94.157.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

I would greatly appreciate it if someone helped. Is it safe for me to enter passwords on things? =/
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Hi Seldom1, welcome to the Forums. Can you answer these questions to start with:

1) see the padlock icon at the upper-right of my post? That is the private-message system. Would you mind clicking that and sending me the website that has the keylogger, if you know what it is.

2) when you went to the website with the keylogger, were you using Internet Explorer, or were you using some other browser?

3) how did you recognize that the website had a keylogger? What alerted you to it?

4) Can you go to VirusTotal.com and upload this file for analysis, then copy & paste the results here: c:\windows\system32\wpclsp.dll
 

Seldom1

Junior Member
May 26, 2007
6
0
0
2. I was using Firefox.
3. Keyloggers have been going around on the WoW forums. I wasn't paying attention and clicked the link. Other players said "keylogger" after the post with the link was made.
4. Complete scanning result of "wpclsp.dll", received in VirusTotal at 05.26.2007, 07:09:22 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.26.2007 no virus found
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.26.2007 No threat detected
Fortinet 2.85.0.0 05.26.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.25.2007 no virus found
Ikarus T3.1.1.8 05.26.2007 no virus found
Kaspersky 4.0.2.24 05.26.2007 no virus found
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.26.2007 no virus found
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.25.2007 no virus found
Prevx1 V2 05.26.2007 no virus found
Sophos 4.18.0 05.25.2007 no virus found
Sunbelt 2.2.907.0 05.24.2007 no virus found
Symantec 10 05.26.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 no virus found
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway 6.0.1 05.26.2007 no virus found

Aditional Information
File size: 72192 bytes
MD5: efabe798c285db5b1076ae571c2af461
SHA1: 898b4863c13bf3f02bea35a6da444666cc3901e2
Bit9 info: http://fileadvisor.bit9.com/services/ex...x?md5=efabe798c285db5b1076ae571c2af461
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
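The moderator asked for the LSP file to be uploaded to VirusTotal, and the report above gives the size, MD5 and SHA1 of the copy that was scanned. The script below is an added example (not from anyone in this thread) of the check a responder would run locally before trusting that report: hash the file on disk, confirm it is the same bytes VirusTotal saw, and look at its Authenticode signature, since a legitimate `wpclsp.dll` in System32 should be a signed Microsoft binary. It assumes PowerShell 4.0 or later (for `Get-FileHash`); the path, size and hashes are the values quoted in the thread.

```powershell
# Added example: verify the on-disk file matches the copy VirusTotal scanned.
# Assumes PowerShell 4.0+ (Get-FileHash). Path, size and hashes are taken from
# the thread's HijackThis log and VirusTotal report.
$Path = 'C:\Windows\System32\wpclsp.dll'
$ExpectedSize = 72192
$Expected = @{
    MD5  = 'efabe798c285db5b1076ae571c2af461'
    SHA1 = '898b4863c13bf3f02bea35a6da444666cc3901e2'
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path"
    return
}

$item = Get-Item -LiteralPath $Path
"Size      : {0} bytes [{1}]" -f $item.Length,
    $(if ($item.Length -eq $ExpectedSize) { 'MATCH' } else { 'DIFFERS' })

# A file that claims to be a Windows component but is unsigned, or signed by
# someone other than Microsoft, deserves a much closer look than a hash lookup.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject

foreach ($alg in $Expected.Keys) {
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLowerInvariant()
    $match  = if ($actual -eq $Expected[$alg]) { 'MATCH' } else { 'DIFFERS' }
    "{0,-10}: {1} [{2}]" -f $alg, $actual, $match
}
```

If either hash differs from the report, the file that was scanned is not the file that is running, and the "no virus found" verdict says nothing about the copy on disk.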
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I received your message and am going to see what-all you might be up against. In the meantime I have a couple more questions:

1) is your User Account Control enabled? That's where Vista prompts you for Administrator credentials when you're doing Important Stuff. It's enabled by default, so if you didn't disable it, that is a help because it's a security enhancement.

2) is your Automatic Updates feature enabled? It probably is, unless you chose to disable it.


Back in about 5 minutes...
 

Seldom1

Junior Member
May 26, 2007
6
0
0
My user account control is disabled. Even though it's a security thing, a lot of people have turned it off due to the sheer annoyingness of it.

Auto updates are on.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I don't want to wear out my welcome by giving un-asked-for advice, but your best security would be with UAC enabled and using Internet Explorer 7 instead of Firefox, since UAC + IE7 = IE7 Protected Mode. It matters nowadays, as you just discovered. Disabling UAC has much greater security implications than most people realize. I wouldn't be off hunting down your keylogger without UAC, IE7 Protected Mode, a SRP, full hardware DEP, minimum attack surface and a non-Admin user account. A word to the wise is sufficient...

Ok, now back to your malware situation. I looked into it, and the website was using scripts to call up an ANI exploit, which probably had the keylogger as its "payload." [Screenshot of my ISP's Fortigate blocking my attempt to access the exploit file]

So the question is (1) why did your crummy AVG antivirus not detect this exploit and (2) did Vista patch itself against this ANI vulnerability before you were exposed to the attack.


Determine if you were already immune to this kind of attack
1) go to Control Panel > Windows Update. On the Windows Update panel, hit "View Update History."

2) in the Update History, look for "Security update for Windows (925902)", which should be down around April 3rd if it auto-patched.

If that patch is present, you should be OK.


Checking your system with better antivirus software as a safeguard
AVG is feeble. If you want to try something better, uninstall AVG, and then go to this page and get a 30-day trialware of Kaspersky Antivirus 6.

After installing it, it'll update and then want to reboot the system. Once that's over with, right-click the red K icon in the system tray, choose Settings, and go down the settings panel, maxing out all the detection sliders, especially for File Antivirus and the Scan > Scan My Computer. Then have it do a full scan, starting from the top.

Hope that helps, and let me know if I wasn't clear on anything
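The post above walks through two manual checks: whether the ANI fix (the thread's KB925902) shows up in Update History, and whether UAC and Automatic Updates are on. As an added example (not the moderator's own instructions), the same three questions can be answered from a PowerShell prompt. It assumes PowerShell 2.0 or later; `Get-HotFix` queries Win32_QuickFixEngineering, which is the installed-updates list rather than the Update History view, but a security update that was installed will appear in both. The registry values read are the standard `EnableLUA` and `AUOptions` settings, not anything specific to this machine.

```powershell
# Added example: confirm the patch and the two settings discussed in the thread.
# Assumes PowerShell 2.0+. KB925902 is the update number given in the thread.
$Kb = 'KB925902'

$fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($fix) {
    "{0}: installed on {1} ({2})" -f $fix.HotFixID, $fix.InstalledOn, $fix.Description
} else {
    Write-Warning "$Kb not found in installed updates; run Windows Update and re-check."
}

# UAC: EnableLUA = 1 means prompts (and IE7 Protected Mode) are in effect.
$uac = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
"UAC (EnableLUA): " + $(if ($uac -eq 1) { 'enabled' } else { 'DISABLED' })

# Automatic Updates: AUOptions 4 = download and install automatically,
# 3 = download and notify, 2 = notify only, 1 = disabled.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).AUOptions
"Automatic Updates (AUOptions): " + $(if ($au) { $au } else { 'not set (default behaviour)' })
```

Absence of the KB from `Get-HotFix` is the result to act on; the version of the patched system file should then be checked against the advisory rather than assumed.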
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Oh, and I sent you a Private Message back. Since it's not super-obvious where the PM's are on the page here, they're at the upper-left above the Forum categories. I hope I was some help
 

Seldom1

Junior Member
May 26, 2007
6
0
0
Yay!

Update history shows: Security update for Windows Vista (KB925902) on April 4th.

Same thing, right?

And I don't think I would leave Firefox behind </3

So, the keylogger couldn't even get to my pc?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Seldom1
Yay!

Update history shows: Security update for Windows Vista (KB925902) on April 4th.

Same thing, right?

And I don't think I would leave Firefox behind </3

So, the keylogger couldn't even get to my pc?
That's correct. The 925902 patch makes your system invulnerable to these exploits, which means the payload they're made to deliver (a keylogger, in this case) never arrives. So I think your Gold is safe

 

Xavier434

Lifer
Oct 14, 2002
10,373
1
0
Hello, I understand this thread died over a week ago, but I was curious to find out if the security update for Windows Vista (KB925902) on April 4th still makes your system invulnerable to this attack while UAC is disabled, Windows Firewall is disabled, and while using the latest version of Firefox? Assume all other settings in Vista are set to default.

Thanks!
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Xavier434
Hello, I understand this thread died over a week ago, but I was curious to find out if the security update for Windows Vista (KB925902) on April 4th still makes your system invulnerable to this attack while UAC is disabled, Windows Firewall is disabled, and while using the latest version of Firefox? Assume all other settings in Vista are set to default.
Thanks!

Short answer: yes, you can't get infected by malware using this vector with this patch installed. However, there are lots of other vectors that UAC and a FW control. As such, I highly, highly recommend you leave them on (at a minimum after you're done installing and updating). I get maybe 1 UAC prompt a day; it's unfortunately noisy when you first get a box or install while you customize it. Once done, you honestly do rarely trigger it.
 

Xavier434

Lifer
Oct 14, 2002
10,373
1
0
Thanks bsobel. Like many of us, I was driven nuts by the constant UAC prompts when I first installed Vista and I turned it off right away. I'll turn it back on and play with the settings some more when I get home today.

I have barely explored the different kinds of configuration options for UAC. Is there any configuration setup that you recommend? I am typically the kind of guy who prefers security over performance, but I don't want to be regularly annoyed by my software if that helps at all.
 