If You Got Keylogged Read

[Fishy80]

ok, so testing the program as I type this... will edit every chance I get...

so the second u run the malicious program that was recently spread through mediafire (the one I got was supposedly a wow hack loader)

it starts to write a registry key to start up here is the registry key

Code:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{1E3CB49E-FFFA-025E-0604-040407030402}

(the last part of that will be different, the random nymbers and letters)

it is injecting into c:\windows\explorer.exe which restarts iexplore.exe (normal internet explorer but infected) and which writes all the registry entries...

it starts iexplore.exe which is what the troja is using to connect to the internet.. which tries to connect to the IP address

Code:

69.247.84.239

that is the ip address of the hacker... just FYI

so folllowing the registry entry... it uses
c:\windows\system32\win32.exe << that is the stub.. aka the main part of the trojan...

I have researched it is NOT a system file, and is safe to delete..
so restart your computer, keep pressing f8 when booting and boot into safe mode, go and delete c:\windows\system32\win32.exe and then go delete the above registry key, buy going to "start\run" and then typing "regedit" and hitting enter... then just follow the registry keys down, and delete the key... then close the registry editor and reboot the computer and you should be good...

the registry key it uses is random, and if u delete it when not in safe mode, it re-writes itself to a different key

so what you want to do is look through the registry, go to the

Code:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components

and search for any entry pointing to win32.exe and delete that, in safe mode... and then delete the win32.exe

EDIT-------------
Ok. so it injects into explorer.exe thats why it keeps re-writing the entries... so.. if you are NOT in safe mode, and think u can remove it that way... end explorer.exe then delete the registry entry and the win32.exe... that will end the problem... then you can safely restart explorer.exe and your good to go...

I hope this helped someone!

[KuRIoS]

69.247.84.239 : c-69-247-84-239.hsd1.fl.comcast.net

[Phygar]

Thanks for helping the people who used the keylogger.

[Hallowsend]

I didn't download this (The trojan), but great for taking precautionary matters for those who did D/L And try it. Very nice of you

[fasck]

IP address location & IP address info:
IP address [?]: 69.247.84.239 Copy [Whois]
IP address country: ip address flag United States
IP address state: Florida
IP address city: Sarasota
IP postcode: 34238
IP address latitude: 27.218700
IP address longitude: -82.471001
ISP of this IP [?]: Comcast Cable
Organization: Comcast Cable
Host of this IP: [?]: c-69-247-84-239.hsd1.fl.comcast.net [Whois]
Local Time of this IP country: 2008-02-26 18:11




Can be usefull.

[Fishy80]

just trying to help the community... I mess with trojans/keyloggers a lot, so I know how they work... so any time people post them here and I find out.. I'll try and do what I can to help people get rid of it... I need to set up a computer for testing though lol... doubt my mom likes me using her lappy for testing XD
I hate virtual machines...

[Muatmessmoko]

The Hacker lives on Veranda Way near Stoneybrook Country Club in sarasota Florida.

Edit: He lives in a very large house

[Yeti]

you do know, that finding/tracking ip addresses through google and other sites doesn't mean thats right where they live.

[Fishy80]

your right the location may not always be correct... my neighbors ip leads to a parking lot, but it is like... less than a mile away from our house...

[Muatmessmoko]

I did it by the Latitude and Longitude :P

[Lyricalwarfare]

What a noob, trying to keylog us, haha.

[Stinja1]

time to screw up that ip ;-)

[~Jagris]

okay mess with him do the following: email [email protected] (I recomened you use fakermail.net) and tell them this: One of your users I am sorry to inform, sent out malicious software via another program (you may want to include a link to download) it sends out a keylogger to the IP:
69.247.84.239, the full information on the user: IP address location & IP address info:
IP address [?]: 69.247.84.239 Copy [Whois]
IP address country: ip address flag United States
IP address state: Florida
IP address city: Sarasota
IP postcode: 34238
IP address latitude: 27.218700
IP address longitude: -82.471001
ISP of this IP [?]: Comcast Cable
Organization: Comcast Cable
Host of this IP: [?]: c-69-247-84-239.hsd1.fl.comcast.net [Whois]
Local Time of this IP country: 2008-02-26 18:11,

I got this information through a whois scan so it MAY not be 100&#37; accurate. Please see that my email is looked into.

[aznboy]

I think I got keylog and I can't find the win32.Exe but I did found win32k.exe . O and where you told us to search on the regedit. Well i found all of this:



Is this a keylog or no??

[Lyricalwarfare]

I'm not sure, but if you did download the .rar you probably have the keylogger. Run a spyware program like Dr.Spy and it'll remove it.
However I cant say that you have it, though. The chances are pretty big if you unzipped it.