19 replies to this topic

[linuxbaby]

Hello @ all

I am looking for a script to find and remove keyloggers in windows XP and windows 7.

I have found on the customer's PC a directory with ca. 4000 logfiles and screen shuts, but i can not locate the software.

can not locate in

-Task Manager
-Process Manager
-Startup folder
-Task Scheduler
I have testing the software (http://technet.micro...s/bb897445.aspx) RootkitRevealer v1.71 (by By Bryce Cogswell and Mark Russinovich) but this software does not find the keylogger on the the customer-pc. Not in the active hard drive c:\=Win7 or in the sometimes active hard drive d:\=WinXP

Can anyone help me?

Regards,
linus

Edited by linuxbaby, 14 March 2011 - 09:23 PM.

[Rui Paz]

Hi,

Most anti-rootkit tools will try to find traces in ram and probably will fail to detect them when running XP because the malware isn't active on memory.

Install AVPTool on XP and make sure it scans the boot sectors and the Windows 7 partition
http://devbuilds.kas...builds/AVPTool/

[linuxbaby]

Install AVPTool on XP and make sure it scans the boot sectors and the Windows 7 partition
http://devbuilds.kas...builds/AVPTool/

Hello Rui Paz

thanks for the answer.

i have tested AVP-Tool but it doesen't found the Keylogger. It builds every Minute a new logfile and a screenshut.

tested
-mbam
-spybot
-RootkitRevealer
-Reanimator 6.9.7.60

I don't no what i can do anymore.

[RoyM]

Hi linuxbaby
I'm not very experienced with keyloggers, but I think my next step would be to open regedit and search the registry for words like;
ca. 4000 or is it ca.4000 ( no space after . ) and possibly key words contained in the log file and/or the names of the screenshots

If you can suggest a free or open-source keylogger detector app to use, I may be able to find the time to write such a script.
RoyM

[Rui Paz]

i have tested AVP-Tool but it doesen't found the Keylogger. It builds every Minute a new logfile and a screenshut.

Is the logfile also created when you are on Windows XP?

[al_jo]

Have you tried SuperAntiSpyware?
They have made a portable single file version
that can be run from a CD or UFD:
http://www.superanti...blescanner.html

There is also a Winbuilder script for latest SAS here:
http://al-jo.99k.org/SAS_2011-03-15.7z


Ps. As a last resort there is a very powerful tool named ComboFix:
http://www.infospywa...lware/combofix/
Read all about it and use it with extreme care!

[pscEx]

I don't no what i can do anymore.

What about using Sysinternals's FileMon (or ProcMon in W7)?

Filter everything away besides the "Log Directory".

Peter

[skyide]

In relation to ComboFix, make sure you read the Known Issues section.

[linuxbaby]

@all Thank you very much!

Now i have found the logger with the helping Sysinternals's FileMon and RegMon (or ProcMon in W7)
Thank you very much PscEX

The Keyloggers Name is "Paint.exe" and runs under the "C:\WINDOWS\system32\wins" directory and is very small.
The folder name of the log- and screen direcotry name: C:\WINDOWS\system32\1031\bang.

@al_jo , @skyide , @RoyM and @Rui Paz Thank you very much for your help.

All Software i have tested in good hope for your help doesn't found this Keylogger on under Win7 and WinXP

tested
-AVP-Tool
-mbam
-spybot
-RootkitRevealer
-Reanimator 6.9.7.60
-SuperAntiSpyware
-Winbuilder script for latest SAS

the ComboFix i have not testet. Tomorrow i will do that. First i read the "Known Issues" section.

Also ... thank you very, very much for help.

[Brito]

I'm happy to hear your report of success finding the logger.

Congratulations!

[Rui Paz]

...
The Keyloggers Name is "Paint.exe" and runs under the "C:\WINDOWS\system32\wins" directory and is very small.
The folder name of the log- and screen direcotry name: C:\WINDOWS\system32\1031\bang.
...

Try to copy the paint.exe to another clean machine and upload the file to http://www.virustotal.com/ the site it give you the information about anti-virus that can detect the malware in that file, booting from a clean system, LiveCD or the WinXP installation if clean and running one of the tools should fix the problem.

[pscEx]

@all Thank you very much!

Now i have found the logger with the helping Sysinternals's FileMon and RegMon (or ProcMon in W7)
Thank you very much PscEX

The Keyloggers Name is "Paint.exe" and runs under the "C:\WINDOWS\system32\wins" directory and is very small.
The folder name of the log- and screen direcotry name: C:\WINDOWS\system32\1031\bang.

@al_jo , @skyide , @RoyM and @Rui Paz Thank you very much for your help.

All Software i have tested in good hope for your help doesn't found this Keylogger on under Win7 and WinXP

tested
-AVP-Tool
-mbam
-spybot
-RootkitRevealer
-Reanimator 6.9.7.60
-SuperAntiSpyware
-Winbuilder script for latest SAS

the ComboFix i have not testet. Tomorrow i will do that. First i read the "Known Issues" section.

Also ... thank you very, very much for help.

This proofs that sometimes using the "built-in human brain" can solve issues better than sophisticated high-tec applications.

Peter

[linuxbaby]

Try to copy the paint.exe to another clean machine and upload the file to http://www.virustotal.com/ the site it give you the information about anti-virus that can detect the malware in that file, booting from a clean system, LiveCD or the WinXP installation if clean and running one of the tools should fix the problem.

the report of http://www.virustotal.com/ shows no [0]/49 results.

It's crazy again.

[linuxbaby]

This proofs that sometimes using the "built-in human brain" can solve issues better than sophisticated high-tec applications.

Peter

That's right Peter

Brain.exe is sometimes good, better than sophisticated high-tec applications but my [Slackware] Linux is at any time my favorite when I see what *. exe can destroy in the people live.

Thanks again Peter....

[Rui Paz]

the report of http://www.virustotal.com/ shows no [0]/49 results.

It's crazy again.

Well that can explain why the tools didn't find the infection. It seems you got a new specie

The best bet against brand new malware is Behavior Analysis and not all AV's use that also this mean that the AV need to be running for some time on the system...

[Wonko the Sane]

Obviously brain.exe is full of bloat.
Brain.com is much faster and smaller, though EXACTLY as powerful.




Wonko

[al_jo]

the report of http://www.virustotal.com/ shows no [0]/49 results.

It's crazy again.

Perhaps the key logger was not a malware.
Only a Spy program that “somebody” installed
to log a users behaviour?
Some companies/wifes/husbands is doing that…legal or not!

[Wonko the Sane]

Perhaps the key logger was not a malware.
Only a Spy program that “somebody” installed
to log a users behaviour?
Some companies/wifes/husbands is doing that…legal or not!

Yep, more generally "real" keyloggers:

• hide "better" the logs and screenshots
• send them *somewhere*
• are hardware devices

I mean to have an actual usefulness you would need physical (or remote) access to the machine to gather the results.

A number of years ago I did have a complete moron unexperienced user (actually an executive in the company) who kept NOT saving the notes he typed on his PC and later went around whining that someone had deleted them, until I installed (with his approval in writing ) a key logger to his PC so that we coud get anything he actually typed back from the logged key presses.


Wonko

[skyide]

linuxbaby, I think Avira AV comes with some type of new technology (forgot how they call it) that can detect unknown newly released viruses. Are you able to test the file with Avira and see what it tells you without downloading updates? Then again, a key logger is not a virus but it is malware of some sort. If the test fails, download updates and test again.

[linuxbaby]

A number of years ago I did have a complete moron unexperienced user (actually an executive in the company) who kept NOT saving the notes he typed on his PC and later went around whining that someone had deleted them, until I installed (with his approval in writing ) a key logger to his PC so that we coud get anything he actually typed back from the logged key presses.

this is real-security to themselves.

@ skyide

hmmm....worry to the Avira AV. No results! i dont no too .... i test all scanners I know but always: No results.

i will here report continue to my experience.

Thanks @all ...
Linus

Edited by linuxbaby, 16 March 2011 - 02:54 PM.