If You Got Keylogged Read
  1. #1
    Fishy80 (Contributor)

    If You Got Keylogged Read

    ok, so testing the program as I type this... will edit every chance I get...

    so the second u run the malicious program that was recently spread through mediafire (the one I got was supposedly a wow hack loader)

    it starts to write a registry key to start up. Here is the registry key:

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1E3CB49E-FFFA-025E-0604-040407030402}
    (the last part of that will be different, the random numbers and letters)

    it is injecting into c:\windows\explorer.exe which restarts iexplore.exe (normal internet explorer but infected) and which writes all the registry entries...

    it starts iexplore.exe which is what the trojan is using to connect to the internet.. which tries to connect to the IP address
    Code:
    69.247.84.239
    that is the ip address of the hacker... just FYI

    so following the registry entry... it uses
    c:\windows\system32\win32.exe << that is the stub.. aka the main part of the trojan...

    I have researched it is NOT a system file, and is safe to delete..
    so restart your computer, keep pressing F8 when booting and boot into safe mode, go and delete c:\windows\system32\win32.exe and then go delete the above registry key, by going to "start\run" and then typing "regedit" and hitting enter... then just follow the registry keys down, and delete the key... then close the registry editor and reboot the computer and you should be good...

    the registry key it uses is random, and if u delete it when not in safe mode, it re-writes itself to a different key

    so what you want to do is look through the registry, go to the
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
    and search for any entry pointing to win32.exe and delete that, in safe mode... and then delete the win32.exe

    EDIT-------------
    Ok. so it injects into explorer.exe, that's why it keeps re-writing the entries... so.. if you are NOT in safe mode, and think u can remove it that way... end explorer.exe then delete the registry entry and the win32.exe... that will end the problem... then you can safely restart explorer.exe and you're good to go...

    I hope this helped someone!
    Last edited by Fishy80; 02-26-2008 at 06:08 PM. Reason: cleaned it up a bit
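
The registry search described in the post above, as a read-only PowerShell audit. This is an added example, not part of the original thread. It assumes the entry launches win32.exe through a value such as StubPath (the value Active Setup runs at logon); the WOW6432Node view and the SysWOW64 path are also assumptions not mentioned in the post.

```powershell
# Read-only audit: lists Active Setup entries that reference win32.exe.
# Nothing is modified or deleted; removal is still done as the post describes.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'  # assumption: 32-bit view
)

# File name taken from the post, matched as a whole file name
# (so other names that merely contain "win32" are not reported).
$pattern = '(^|[\\/"\s])win32\.exe(\s|"|$)'

$hits = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # Check every value, not only StubPath, since the GUID subkey name is random.
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match $pattern) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $data
                }
            }
        }
    }
}

# Record the file's details before it is deleted, so there is something to report.
$files = foreach ($dir in 'System32', 'SysWOW64') {
    $stub = Join-Path $env:SystemRoot "$dir\win32.exe"
    if (Test-Path -LiteralPath $stub) {
        $item = Get-Item -LiteralPath $stub -Force
        [pscustomobject]@{
            Path    = $item.FullName
            Size    = $item.Length
            Created = $item.CreationTime
            SHA256  = (Get-FileHash -LiteralPath $stub -Algorithm SHA256).Hash
        }
    }
}

$hits  | Format-List
$files | Format-List
```

Run it from an elevated prompt. Empty output means no Active Setup value references win32.exe and the file is not present in either system directory.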

  2. #2
    KuRIoS (Admin)
    69.247.84.239 : c-69-247-84-239.hsd1.fl.comcast.net

  3. #3
    Phygar
    Thanks for helping the people who used the keylogger.

  4. #4
    Hallowsend
    I didn't download this (The trojan), but great for taking precautionary matters for those who did D/L And try it. Very nice of you

  5. #5
    fasck (Active Member)
    IP address location & IP address info:
    IP address: 69.247.84.239
    IP address country: United States
    IP address state: Florida
    IP address city: Sarasota
    IP postcode: 34238
    IP address latitude: 27.218700
    IP address longitude: -82.471001
    ISP of this IP: Comcast Cable
    Organization: Comcast Cable
    Host of this IP: c-69-247-84-239.hsd1.fl.comcast.net
    Local Time of this IP country: 2008-02-26 18:11

    Can be useful.

  6. #6
    Fishy80 (Contributor)
    just trying to help the community... I mess with trojans/keyloggers a lot, so I know how they work... so any time people post them here and I find out.. I'll try and do what I can to help people get rid of it... I need to set up a computer for testing though lol... doubt my mom likes me using her lappy for testing XD
    I hate virtual machines...

  7. #7
    Muatmessmoko (Banned)
    The Hacker lives on Veranda Way near Stoneybrook Country Club in sarasota Florida.

    Edit: He lives in a very large house

  8. #8
    Yeti (Banned)
    you do know that finding/tracking IP addresses through google and other sites doesn't mean that's right where they live.

  9. #9
    Fishy80 (Contributor)
    you're right, the location may not always be correct... my neighbor's IP leads to a parking lot, but it is like... less than a mile away from our house...

  10. #10
    Muatmessmoko (Banned)
    I did it by the Latitude and Longitude :P

  11. #11
    Lyricalwarfare (Active Member)
    What a noob, trying to keylog us, haha.

  12. #12
    Stinja1 (Member)
    time to screw up that ip ;-)
    .:Stinja:.

  13. #13
    ~Jagris (Contributor)
    okay, mess with him, do the following: email [email protected] (I recommend you use fakermail.net) and tell them this: One of your users, I am sorry to inform, sent out malicious software via another program (you may want to include a link to download); it sends out a keylogger to the IP:
    69.247.84.239, the full information on the user: IP address location & IP address info:
    IP address: 69.247.84.239
    IP address country: United States
    IP address state: Florida
    IP address city: Sarasota
    IP postcode: 34238
    IP address latitude: 27.218700
    IP address longitude: -82.471001
    ISP of this IP: Comcast Cable
    Organization: Comcast Cable
    Host of this IP: c-69-247-84-239.hsd1.fl.comcast.net
    Local Time of this IP country: 2008-02-26 18:11,

    I got this information through a whois scan so it MAY not be 100% accurate. Please see that my email is looked into.


  14. #14
    aznboy (Active Member)
    I think I got keylogged and I can't find the win32.exe but I did find win32k.exe. Oh, and where you told us to search in regedit, well I found all of this:



    Is this a keylog or no??
    Last edited by aznboy; 02-27-2008 at 06:13 PM.

  15. #15
    Lyricalwarfare (Active Member)
    I'm not sure, but if you did download the .rar you probably have the keylogger. Run a spyware program like Dr.Spy and it'll remove it.
    However I can't say that you have it, though. The chances are pretty big if you unzipped it.
