Some guy from my school sent me a 'funny' picture of a kid getting a needle and screaming, and beneath it says "ownt".
Later he told me it was a backdoored keylogger.
How do I get rid of it?
You could run HijackThis and post the log so we can see if there really is one installed or not. From the description of the image, it's possible he's just kidding you.
Okay, I'll download that.
But he says that it's 'backdoored' and programmed right into Windows or something. Someone said it's possible that it is a keylogger using a WMF exploit.
He says the only thing I can do to get rid of it is run Norton but I don't have it... he said free antivirus doesn't work.
Sounds like he works for Norton.
Logfile of HijackThis v1.99.1
Scan saved at 9:02:43 PM, on 5/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\Rar$EX03.542\HijackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Anti-keylogger] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144019545376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144020474301
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
The bolded object is NOT showing up in my running processes... :\?
I skimmed through your HijackThis log, and aside from Java blasphemy, I found nothing.
Anyways, I don't think HijackThis will find it if the keylogger is embedded into Windows, as it only (to my knowledge) pulls IE registry info.
Honestly, I am incredibly paranoid about keyloggers. They can be undetectable and non-malicious looking. I would back up and reinstall just off suspicion, or google the image name with "keylogger" and see if there is a fix somewhere out there. Personally, I would just reinstall.
I got one on a Linux box and it marks one of the few times I had to reinstall Linux - cuz I am a bastard like that. Keyloggers suck; that is why I keep my Windows box for gaming and eoff and Linux server separated - increased security.
Bipper
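As an added example for this thread (not HijackThis itself, nor a tool any poster mentioned), the script below reads lines in the format of the log posted above and picks out the entries a reviewer would look at first. The heuristics are assumptions about review priority, not a malware verdict: an autorun launched from a Temp directory, an entry whose file is missing, an autorun given as a bare file name (so the search order decides what actually runs), and a service with no publisher listed. The sample input is copied from the log in the thread plus one plain process line to show that non-O entries are passed over.

```python
"""Triage a HijackThis log for entries worth a second look.

Added example for this thread, not HijackThis itself or any tool a poster
mentioned. The heuristics (autoruns launched from a Temp directory, entries
whose file is missing, autoruns given as a bare file name, services with no
publisher) are assumptions about what a reviewer checks first; a hit is a
lead to verify against the file on disk, not a verdict.
"""
import re
from typing import List, Tuple

# Sample input: lines copied from the log posted in the thread, plus one
# plain process line to show that non-O entries are passed over.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Anti-keylogger] C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# O4 registry autoruns: "O4 - <hive\..\Run>: [<name>] <command>"
O4_ENTRY = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 services: "O23 - Service: <name> - <owner> - <path>"
O23_ENTRY = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# The program part of a command: optionally quoted, ends at the first
# executable-looking extension, followed by arguments or end of line.
EXE_PATH = re.compile(
    r'^"?(?P<path>.*?\.(?:exe|dll|ocx|com|scr|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE
)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def executable_of(command: str) -> str:
    """Return the program part of an autorun command, without quotes or arguments."""
    command = command.strip()
    m = EXE_PATH.match(command)
    return m.group("path") if m else command.split()[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that merit manual review."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append((line, "references a file that is no longer on disk (stale or half-removed entry)"))
            continue
        m = O4_ENTRY.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if TEMP_DIR.search(exe):
                findings.append((line, "autorun launches %s from a temporary directory" % exe))
            elif "\\" not in exe:
                findings.append((line, "autorun names %s without a path, so the search order decides what runs" % exe))
            continue
        m = O23_ENTRY.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append((line, "service '%s' carries no publisher information" % m.group("name")))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("REVIEW:", reason)
        print("       ", entry)
```

Run against the sample it reports four entries: the Temp-directory autorun, the unqualified AtiPTA name, the msnim protocol handler whose DLL is missing, and the ATI service with no owner. Each is a reason to look at the file on disk (signature, version info, where it came from), not proof of anything; the AVG and Anti-keylogger lines pass because they sit under fixed Program Files paths with a named publisher.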
That may be it.
C:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
You may want to delete that out of the registry and reboot your machine.
Originally Posted by Samuraid
I think it's a legit app.
At least I haven't found anything about it on the net.
And then there is Death
I think the PC looks clean to me too.
Originally Posted by Endless
aye - I blamed paranoia for that one.
I've just never seen it before, and I found mixed reports after searching for it online. Since it's not a standard executable, I figured it was better to be safe than sorry.
Originally Posted by Samuraid
I downloaded that myself after learning he sent me one. It did nothing.
Anyways, he told me that it's a backdoored trojan. At first I didn't believe I had one but I signed into my AIM and about 15 minutes later I was booted off with a message that I had signed in at another location...
Anyway, the picture was of a Chinese kid getting a needle and he had a funny expression on his face, and beneath it said "ownt" (or something like that). I can't find anything on Google no matter how hard I search, but the signing out of AIM thing makes me suspicious.
Originally Posted by aisle_s
The disconnection means someone logged in as you somewhere. All it takes is your screen name and the password, which may (or may not) have been guessed.
How did he send you the picture? Mail? Aim? Told you to go to a site?
Edit: this image? http://funnypics.free.fr/explorer/public/img/o/ownedasiankidvaccination.jpg
Last edited by Endless; 05-09-2006 at 09:01 PM.
And then there is Death
That's the image, but it was smaller, some of the stuff to the right was cut off... I think. And OWNED! was lower down I believe.
He sent me the picture through MSN Messenger.
That could mean he has a keylogger recording your keystrokes and sending the log to somewhere else, like his email address. Then finding out your password would be as easy as searching for your AIM username.
Some trojan servers can be bound to an executable, so that they'll install silently when you run it, and they'll allow anyone who has your IP address full access to your computer. Was the picture he sent you in the form picture.exe or picture.jpg/gif/png etc?
Trojan servers can do some nasty things so check these two things on your machine:
- Check whether your system restore points have been disabled
- Check if Windows Firewall is still enabled
I think he's just using something like Sub7 or Prorat. To be safe, see if you can find a copy of three programs: Sub7, Prorat and Netbus, and use the "Clean server" option within them. If he's using any of those programs to attack you, it'll disable his access and get rid of the trojan. It will probably take quite a while to find those though, as the spyware sites all talk about them.
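The two checks listed above (System Restore disabled, Windows Firewall still on) can be read straight from the registry. The script below is an added example, not from the thread; the value locations are assumed from the Windows XP SP2 layout (DisableSR under the SystemRestore keys, EnableFirewall under each FirewallPolicy profile). The poster's log reports SP1, whose firewall kept its settings elsewhere, so on that machine the firewall values may come back absent; the script reports that as unreadable rather than as off. Off-Windows, everything reads as absent, which is why the interpretation is kept in a separate function that can be exercised with constructed readings.

```python
"""Read the two settings the post above says to check: System Restore and
Windows Firewall. Added example, not from the thread. Registry locations are
assumed from the Windows XP SP2 layout; the poster's log reports SP1, whose
firewall stored its settings elsewhere, so there the firewall values may come
back absent and are reported as unreadable rather than as off.
"""
from typing import Dict, List, Optional

# Assumed locations (XP SP2). DisableSR=1 means System Restore is off; the
# Policies key, when present, overrides the CurrentVersion one.
SR_VALUES = [
    (r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"),
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR"),
]
FW_BASE = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
FW_PROFILES = ["StandardProfile", "DomainProfile"]  # EnableFirewall=0 means the profile is off


def read_dword(subkey: str, name: str) -> Optional[int]:
    """Return an HKLM DWORD value, or None if not on Windows or the value is absent."""
    try:
        import winreg
    except ImportError:
        return None  # not running on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None  # key or value does not exist
    return int(data) if kind == winreg.REG_DWORD else None


def collect() -> Dict[str, Optional[int]]:
    """Gather raw readings; keys are prefixed SR: or FW: so assess() can tell them apart."""
    readings: Dict[str, Optional[int]] = {}
    for subkey, name in SR_VALUES:
        readings["SR:" + subkey] = read_dword(subkey, name)
    for profile in FW_PROFILES:
        readings["FW:" + profile] = read_dword(FW_BASE + "\\" + profile, "EnableFirewall")
    return readings


def assess(readings: Dict[str, Optional[int]]) -> List[str]:
    """Turn raw readings into findings. An empty list means both checks passed."""
    findings: List[str] = []
    sr = [(k[3:], v) for k, v in readings.items() if k.startswith("SR:")]
    disabled_at = [where for where, v in sr if v == 1]
    if disabled_at:
        findings.append("System Restore is disabled (DisableSR=1 under %s)" % ", ".join(disabled_at))
    elif all(v is None for _, v in sr):
        findings.append("System Restore state unreadable (no DisableSR value found)")
    for k, v in readings.items():
        if not k.startswith("FW:"):
            continue
        profile = k[3:]
        if v == 0:
            findings.append("Windows Firewall is off for %s" % profile)
        elif v is None:
            findings.append("Windows Firewall state unreadable for %s (value absent)" % profile)
    return findings


if __name__ == "__main__":
    problems = assess(collect())
    print("\n".join(problems) if problems else "System Restore on, Windows Firewall on for all profiles")
```

A finding here is a lead, not proof: a user or an administrator can turn either setting off for legitimate reasons, so the useful question is whether the change was made by someone with a reason to, around the time the picture arrived.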
I say that you should install Gentoo.