kingjoe2002 Posted April 23, 2005: I somehow got a keylogger last night and noticed my computer behaving a little weirdly (slower internet, etc.), so I did two virus scans and changed the password on one of my characters (which I really care about) and left my main with the same password. However, today when I logged on and off and logged back on later, my main was cleaned out. I thought maybe I had just missed it, so I tried to check again using HouseCall, Symantec, and AVG. None found a thing, so I ran Ad-Aware and Spybot scans as well. Nothing there either. This really stumped me. Anyone have any clue how this happened?
Rob_Gambino Posted April 23, 2005: Post a HijackThis log.
kingjoe2002 Posted April 23, 2005 (Author): Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:48 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
D:\Sean\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: [garbled localized text] Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java [garbled localized text] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall [garbled localized text]) - http://housecall-beta.trendmicro.com/[garden tool] ... scan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} ([garbled localized text]) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
kingjoe2002 Posted April 23, 2005 (Author): Well, here is one after I restarted the computer:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:49 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\bpk.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Sean\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: [garbled localized text] Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java [garbled localized text] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall [garbled localized text]) - http://housecall-beta.trendmicro.com/[garden tool] ... scan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} ([garbled localized text]) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Rob_Gambino Posted April 23, 2005: I don't know how to read these, but somebody will come and help you.
kingjoe2002 Posted April 23, 2005 (Author): Blah, got rid of it. I don't see how the stupid Symantec, HouseCall and AVG, all THREE, can't get rid of this thing. It was C:\WINDOWS\system32\bpk.exe; it looked suspicious, and it was.
Rob_Gambino Posted April 23, 2005: Ah yes, bpk; it's caused many people problems. Good job on finding it and removing it.
just1vet Posted April 23, 2005: Did you kill this entry too?

O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll

Very surprised that Spybot did not find it. Just out of curiosity, did you run it?
just1vet Posted April 23, 2005: Never mind, I just re-read your post. Still very strange that it was not picked up on the scans. All of them are targeting it.
zonda Posted April 23, 2005: Maybe he has old definitions, or it couldn't be deleted because it was in use (wasn't scanned in Safe Mode). Anyway, I will congratulate you on one thing: you were at least smart enough to provide a well-written, clearly thought-out post about what happened and what you did. Usually we get these types of posts... "OMG I JUST GAWT HAKCED!1! SOMEONE HELP ME PLZ I WERE HACKD!!1!!!" Sorry for your loss; hope it wasn't too big... On another note, do you know where you may have gotten the keylogger from? ...
L_B_P Posted April 23, 2005: Often people forget to disable System Restore, and then after the computer has been cleaned and restarted, the virus or whatever is back. That's the reason I never have System Restore enabled at any time.
himy_name_is Posted April 23, 2005: Dude, I had a keylogger also. But you must have an un-updated version of those three, because I had the exact same one and it found it immediately =]. See if you have any updates for them.
YesImANewbie Posted April 23, 2005:

> Blah, got rid of it. I don't see how the stupid Symantec, HouseCall and AVG, all THREE, can't get rid of this thing. It was C:\WINDOWS\system32\bpk.exe; it looked suspicious, and it was.

It's not that hard to hex edit a server to make it undetectable to most AV services.
kingjoe2002 Posted April 24, 2005 (Author): Blah, lol, I'm not that stupid; I updated my definitions on everything I ran. Yes, I deleted that DLL file as well. First time I've gotten a keylogger since I started using a dedicated computer to play RS. I'm thinking that the keylogger hides itself after the system starts. I took the log right when the system had just started. Anyway, what's done is done.
Karvinen Posted April 25, 2005:

> Did you kill this entry too?
> O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
> Very surprised that Spybot did not find it. Just out of curiosity, did you run it?

It's a hexed version. The BHO entry looks like this in unmodified BPK:

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
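The thread's detection lesson, as an added example that is not part of the original posts: a hex-edited BPK build slipped past three signature scanners, but its HijackThis footprint still gives it away. The script below is my code, not from the thread, from HijackThis or from any AV vendor. It parses O2 (BHO) and O4 (Run key) lines, counts how many of the 32 hex digits a BHO's CLSID differs from the unmodified BPK CLSID that Karvinen quoted, and pairs the bpkwb.dll BHO with the bpk.exe Run entry sitting in the same directory. The sample log lines are constructed from the entries quoted in this thread; the cutoff of 8 differing hex digits and the stem-prefix loader heuristic are my assumptions, and the CLSID table holds only the one value the thread gives.

```python
import ntpath
import re

# Constructed sample, modelled on the O2/O4 entries quoted in this thread
# (not the poster's full log). Doubled backslashes become single ones
# once the string is evaluated.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\\WINDOWS\\system32\\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [bpk] C:\\WINDOWS\\system32\\bpk.exe
O4 - HKCU\\..\\Run: [bitComet] "C:\\Program Files\\BitComet\\BitComet.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Reference CLSIDs of known keylogger BHOs. The only entry is the one
# Karvinen quoted for the unmodified BPK build; extend it as you collect more.
KNOWN_BHO_CLSIDS = {
    "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}": "BPK (Perfect Keylogger) 'PK IE Plugin'",
}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$"
)
# First .exe in the Run command, quoted or not; any arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)


def clsid_distance(a: str, b: str) -> int:
    """Hamming distance over the 32 hex digits of two CLSIDs (braces and hyphens ignored)."""
    ha = re.sub(r"[^0-9A-Fa-f]", "", a).upper()
    hb = re.sub(r"[^0-9A-Fa-f]", "", b).upper()
    if len(ha) != 32 or len(hb) != 32:
        raise ValueError("not a CLSID: %r / %r" % (a, b))
    return sum(x != y for x, y in zip(ha, hb))


def parse_log(text: str):
    """Return (bho_entries, run_entries) parsed from HijackThis O2 and O4 lines."""
    bhos, runs = [], []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = RUN_RE.match(line)
        if m:
            e = EXE_RE.match(m.group("cmd"))
            if e:
                runs.append({**m.groupdict(), "exe": e.group("exe")})
    return bhos, runs


def _dir_and_stem(path: str):
    """Lower-cased (directory, file name without extension) of a Windows path."""
    return ntpath.dirname(path).lower(), ntpath.splitext(ntpath.basename(path))[0].lower()


def find_suspicious(text: str, max_distance: int = 8):
    """Flag BHOs whose CLSID is a near-miss of a known keylogger CLSID, and Run
    entries that look like the loader for such a BHO. Returns (kind, subject, detail) tuples."""
    findings = []
    bhos, runs = parse_log(text)

    for b in bhos:
        for known, label in KNOWN_BHO_CLSIDS.items():
            d = clsid_distance(b["clsid"], known)
            if d == 0:
                findings.append(("known-clsid", b["clsid"], label))
            elif d <= max_distance:
                # A handful of changed hex digits is what a hex-edited build looks like.
                findings.append(("near-clsid", b["clsid"],
                                 "%d hex digits from %s %s" % (d, label, known)))

    # Heuristic (assumption): a Run-key EXE in the same directory as a BHO DLL,
    # whose file stem is a prefix of the DLL's stem (bpk.exe -> bpkwb.dll), is
    # probably the keylogger process that installs the browser plugin.
    for b in bhos:
        bdir, bstem = _dir_and_stem(b["path"])
        for r in runs:
            rdir, rstem = _dir_and_stem(r["exe"])
            if rdir == bdir and rstem != bstem and bstem.startswith(rstem):
                findings.append(("paired-loader", r["exe"],
                                 "shares stem '%s' with BHO %s" % (rstem, b["path"])))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_suspicious(SAMPLE_LOG):
        print("%-14s %s  (%s)" % (kind, subject, detail))
```

On the sample above the modified CLSID is 5 hex digits away from the stock BPK value, which is exactly the kind of change a signature keyed on the exact GUID misses but a distance check catches; the Run/BHO pairing then points at bpk.exe as the process to kill before deleting either file, which also answers zonda's point about the scanner being unable to remove a file that is in use.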