
keylogger??



Moon Rabbits
05-09-2006, 01:52 AM
Some guy from my school sent me a 'funny' picture of a kid getting a needle and screaming, and beneath it says "ownt".

Later he told me it was a back doored key logger.

How do I get rid of it?

crono_logical
05-09-2006, 01:54 AM
You could run HijackThis and post the log so we can see if there really is one or not installed :p From the description of the image, it's possible he's just kidding you :p

Moon Rabbits
05-09-2006, 01:59 AM
Okay, I'll dl that.

But he says that it's 'backdoored' and programmed right into Windows or something. Someone said it's possible that it is a keylogger using a WMF exploit.

He says the only thing I can do to get rid of it is run Norton, but I don't have it...he said free antivirus doesn't work.

Meat Puppet
05-09-2006, 02:02 AM
Sounds like he works for Norton.

Moon Rabbits
05-09-2006, 02:04 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:02:43 PM, on 5/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\Rar$EX03.542\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Anti-keylogger] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144019545376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144020474301
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

The bolded object is NOT showing up in my running processes... :\?
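A small triage script for reading a HijackThis log the way the replies below do by hand: it checks the O4 autorun entries against the "Running processes" list, flags autoruns that live in a Temp directory, services with an unknown owner, entries marked "(file missing)", and a platform line that is still below SP2. This is an added example for this thread, not code from HijackThis or from anyone in the thread; the sample log is an abridged copy of the one posted above, and every reason it emits is a prompt to verify the line, not a verdict.

```python
"""Triage a HijackThis-style log for entries worth a closer look.

Added example (not HijackThis code): reads the log as text and applies a few
defender-side heuristics. None of them is a verdict; they point at lines to
verify (vendor, signature, file location) before anything is removed.
"""
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\Rar$EX03.542\HijackThis.exe

O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Anti-keylogger] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>.+?): (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
PLATFORM_RE = re.compile(r"^Platform: (?P<platform>.+)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
EXE_EXTS = (".exe", ".dll", ".ocx", ".scr", ".com")


@dataclass
class Finding:
    target: str   # lower-cased file name the finding is about
    reason: str
    entry: str    # the log line that produced it


def executable_path(cmd: str) -> str:
    """Recover the program path from a Run value: a quoted path, or unquoted
    tokens up to the first one that ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    parts = []
    for tok in cmd.split(" "):
        parts.append(tok)
        if tok.lower().endswith(EXE_EXTS):
            break
    return " ".join(parts)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def running_processes(log: str) -> set:
    """Basenames listed under 'Running processes:' (up to the next blank line)."""
    names, collecting = set(), False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            names.add(basename(line.strip()))
    return names


def triage(log: str) -> list:
    running = running_processes(log)
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = PLATFORM_RE.match(line)
        if m and "Windows XP" in m["platform"] and "SP2" not in m["platform"]:
            findings.append(Finding("platform", "Windows XP below SP2: later security fixes are missing", line))
            continue
        if "(file missing)" in line:
            target = basename(executable_path(line.rsplit(" - ", 1)[-1]))
            findings.append(Finding(target, "referenced file is missing (stale entry; verify)", line))
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            path = executable_path(m["cmd"])
            name = basename(path)
            if TEMP_DIR_RE.search(path):
                findings.append(Finding(name, "autorun executable lives in a Temp directory", line))
            if name not in running:
                # Weak signal on its own: a launcher may simply have exited.
                findings.append(Finding(name, "autorun target not among running processes", line))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(Finding(basename(executable_path(m["cmd"])),
                                    "service owner unknown: confirm the vendor before trusting it", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.target}] {f.reason}\n    {f.entry}")
```

On the sample, the only entry that trips two heuristics is RecoverFromReboot.exe (an autorun in C:\WINDOWS\Temp that is not running); Anti-keylogger.exe and reader_sl.exe are flagged only because they are not in the process list, which is exactly the weak signal the post above is puzzling over, and the ATI service is flagged on owner alone, so each line still needs a human to confirm the vendor and file.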

bipper
05-09-2006, 07:13 AM
I skimmed through your HijackThis log, and aside from Java blasphemy, I found nothing (;))

Anyways, I don't think HijackThis will find it if the key logger is embedded into Windows, as it only (to my knowledge) pulls IE registry info.

Honestly, I am incredibly paranoid about key loggers. They can be undetectable and non-malicious looking. I would back up and reinstall just off suspicion, or Google the image name with keylogger and see if there is a fix somewhere out there. Personally, I would just reinstall.

I got one on a Linux box and it marks one of the few times I had to reinstall Linux - cuz I am a bastard like that. Keyloggers suck; that is why I keep my Windows box for gaming and eoff and Linux server separated - increased security.

Bipper

Samuraid
05-09-2006, 07:25 AM
C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
That may be it.
You may want to delete that out of the registry and reboot your machine.

Endless
05-09-2006, 07:39 AM
C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
That may be it.
You may want to delete that out of the registry and reboot your machine.

I think it's a legit app ;) At least I haven't found anything about it on the net.

crono_logical
05-09-2006, 08:38 AM
I think the PC looks clean to me too :p

bipper
05-09-2006, 08:45 AM
C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
That may be it.
You may want to delete that out of the registry and reboot your machine.

I think it's a legit app ;) At least I haven't found anything about it on the net.


aye - I blamed paranoia for that one :D

Samuraid
05-09-2006, 09:09 AM
I've just never seen it before, and I found mixed reports after searching for it online. Since it's not a standard executable, I figured it was better to be safe than sorry.

Moon Rabbits
05-09-2006, 02:30 PM
I've just never seen it before, and I found mixed reports after searching for it online. Since it's not a standard executable, I figured it was better to be safe than sorry.

I downloaded that myself after learning he sent me one. It did nothing.

Anyways, he told me that it's a backdoored trojan. At first I didn't believe I had one but I signed into my AIM and about 15 minutes later I was booted off with a message that I had signed in at another location...

Anyway, the picture was of a Chinese kid getting a needle and he had a funny expression on his face, and beneath it said "ownt" (or something like that). I can't find anything on Google no matter how hard I search, but the signing out of AIM thing makes me suspicious.

Endless
05-09-2006, 08:51 PM
I've just never seen it before, and I found mixed reports after searching for it online. Since it's not a standard executable, I figured it was better to be safe than sorry.

I downloaded that myself after learning he sent me one. It did nothing.

Anyways, he told me that it's a backdoored trojan. At first I didn't believe I had one but I signed into my AIM and about 15 minutes later I was booted off with a message that I had signed in at another location...

Anyway, the picture was of a Chinese kid getting a needle and he had a funny expression on his face, and beneath it said "ownt" (or something like that). I can't find anything on Google no matter how hard I search, but the signing out of AIM thing makes me suspicious.

The disconnection means someone logged in as you somewhere; all it takes is your screen name and the password, which may (or may not) have been guessed.

How did he send you the picture? Mail? Aim? Told you to go to a site?

Edit: this image?
http://funnypics.free.fr/explorer/public/img/o/ownedasiankidvaccination.jpg

Moon Rabbits
05-09-2006, 10:56 PM
That's the image, but it was smaller, some of the stuff to the right was cut off...I think. And OWNED! was lower down I believe.

He sent me the picture through MSN Messenger.

o_O
05-09-2006, 11:09 PM
That could mean he has a keylogger recording your keystrokes and sending the log to somewhere else, like his email address. Then finding out your password would be as easy as searching for your AIM username.

Some trojan servers can be bound to an executable, so that they'll install silently when you run it, and they'll allow anyone who has your IP address full access to your computer. Was the picture he sent you in the form picture.exe or picture.jpg/gif/png etc?
Trojan servers can do some nasty things so check these two things on your machine:

Check whether your system restore points have been disabled
Check if Windows Firewall is still enabled


I think he's just using something like Sub7 or Prorat. To be safe, see if you can find a copy of three programs: Sub7, Prorat and Netbus, and use the "Clean server" option within them. If he's using any of those programs to attack you, it'll disable his access and get rid of the trojan. It will probably take quite a while to find those though, as the spyware sites all talk about them.

I say that you should install Gentoo. :p

Moon Rabbits
05-09-2006, 11:14 PM
It was in the form of a picture file, I'm not sure what type, but Windows opened it in the picture preview window thing (WinXP).

As for Windows Firewall, I'm not sure how to see if it's still enabled.

o_O
05-10-2006, 12:12 AM
I've never heard of a server, as I mentioned before, being bound to an image file, but I suppose it would be possible, given that last year sometime, scripts were developed which, triggered by viewing an image, planted spyware on your PC.

To check your firewall, go to Start > Control Panel > Windows Firewall, and it's plain to see whether or not it's enabled. If your system restore points are gone and/or your firewall is disabled, I think it would be pretty likely that he's using Prorat. Even if they aren't, it's still a likely possibility.

bipper
05-10-2006, 12:53 AM
About four years ago (maybe longer) viruses began being spread by JPG images via script in one of the 'layers' of the file. Being that I am not a complete ass, I don't know how to do this, as I don't care to do it to anyone:p but yes - viruses are very easily passed through JPG images.

If you find any information you can actually press charges on this guy from school, and I would suggest you threaten him with very real and legal retaliation. This is serious business.

When you wanna get him back we can talk ;)

Bipper

Moon Rabbits
05-10-2006, 12:57 AM
Well, seeing as I'm not very computer-ey inclined, and the firewall was disabled etc. and so on, I went ahead and reformatted my hard drive to be safe, re-installed a better anti-virus, dled a firewall and anti-spyware etc. and so on.

I really wish I'd saved the conversation I had on msn with the guy, cuz he admitted to sending one, but later claimed it was a joke after I flipped out...but I don't really believe him.

crono_logical
05-10-2006, 01:15 AM
The American mentality: Sue sue sue!

If it was the jpg that infected you though, it's your own fault for not keeping your system patched and up to date, so you should learn a lesson from that :p

Anyway, I guess I forgot about that jpg exploit since it's ancient now, the image exploit I was thinking about which it might have been was the WMF one :p

Moon Rabbits
05-10-2006, 01:38 AM
If it was the jpg that infected you though, it's your own fault for not keeping your system patched and up to date, so you should learn a lesson from that :p



Well, I run Windows Update every day to check for new updates...but it still didn't stop it. Windows Update still won't recognize I'm running SP1, and I don't know how to get SP2 without Windows Update.

bipper
05-10-2006, 06:14 AM
That is kinda harsh cl_out. I am not trying to coerce him into suing - or taking advantage of the situation. The other kid broke laws and vandalized aisle_s' property. Personally, I think the kid needs to learn a lesson - or remedy what he has done. The legal threat would, hopefully, get the other kid to fess up more details on his keylogger.

The other kid should really stop and think before he encourages the use of any viral software, as it could very well be very contagious. Retarded people with a hint of knowledge are a very dangerous thing to the nets:p

Bipper

Endless
05-10-2006, 09:45 AM
That's the image, but it was smaller, some of the stuff to the right was cut off...I think. And OWNED! was lower down I believe.

He sent me the picture through MSN Messenger.

This one?
http://www.acidmouse.com/Gall/albums/userpics/10001/thumb_own3.jpg

Moon Rabbits
05-11-2006, 12:50 AM
That's the pic.

Does anyone know the reason why my Windows Update isn't realizing I only have SP1? I ran it and it scanned and only found like 3 updates.

What steps do I have to take to make sure my security is up to date? Because Windows Update isn't doing it.

Samuraid
05-11-2006, 07:30 AM
You could install SP2 and then retrieve all the latest updates for that.