A very evasive keylogger :S

I somehow got a keylogger last night and I noticed my computer behaving a little weirdly (slower internet etc.), so I did 2 virus scans and changed the pass on one of my chars (which I really care about) and left my main with the same pass. However, today when I logged on and off and logged back on later, my main was cleaned out. I thought, well, I just missed it, so I tried to check it again using Housecall, Symantec, and AVG. None found a thing, so I ran an Ad-Aware and SpyBot scan as well. Nothing either. This really stumped me. Anyone have any clue how this is?

  • Author

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:48 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
D:\Sean\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Export to Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall; rest of label garbled in source) - http://housecall-beta.trendmicro.com/[garden tool] ... scan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (label garbled in source) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

  • Author

Well, here is one after I restart the computer:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:49 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\bpk.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Sean\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Export to Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall; rest of label garbled in source) - http://housecall-beta.trendmicro.com/[garden tool] ... scan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (label garbled in source) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

I don't know how to read these, but somebody will come and help you.

  • Author

Blah, got rid of it. I don't see how the stupid Symantec, Housecall and AVG, all THREE, can't get rid of this thing. It was:

C:\WINDOWS\system32\bpk.exe

looked suspicious and it was.

Ah yes, bpk, it's caused many people problems. Good job on finding it and removing it.

Did you kill this entry too?

O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll

Very surprised that Spybot did not find it. Just out of curiosity did you run it?

Never mind I just re-read your post. Still very strange that it was not picked up on the scans. All of them are targeting it.

Maybe he has old definitions, or it couldn't be deleted because it was in use (wasn't scanned in safe mode).

Anyway, I will congratulate you on one thing, and that is that you were at least smart enough to provide a well written, clearly thought out post about what happened and what you did. Usually we get these types of posts...

"OMG I JUST GAWT HAKCED!1! SOMEONE HELP ME PLZ I WERE HACKD!!1!!!"

Sorry for your loss, hope it wasn't too big...

On another note, do you know where you may have gotten the keylogger from?

...

Often people forget to disable "System Restore", and then after the computer has been cleaned and restarted, the virus or whatever is back. That's the reason I never have System Restore enabled at any time.

Dude, I had a keylogger also, but you must have an un-updated version of those 3, because I had the exact same one and it found it immediately =]. See if you have any updates for it.

Blah, got rid of it. I don't see how the stupid Symantec, Housecall and AVG, all THREE, can't get rid of this thing. It was:

C:\WINDOWS\system32\bpk.exe

looked suspicious and it was.

It's not that hard to hex edit a server to make it undetectable to most AV services.

  • Author

Blah, lol, I'm not that stupid; I updated my definitions on everything I ran. Yes, I deleted that dll file as well. First time I got a keylogger since I used a dedicated computer to play RS. I'm thinking that the keylogger hides itself after the system starts. I took the log right when the system was just started. Anyway, what's done is done.

Did you kill this entry too?

O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll

Very surprised that Spybot did not find it. Just out of curiosity, did you run it?

It's a hexed version. The BHO entry looks like this in unmodified BPK:

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
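The last reply is the point that explains the whole thread: the BPK binary was hex-edited so the BHO name and CLSID no longer match what the scanners' signatures look for, which is why three updated scanners walked past it. As an added example (mine, not code from the thread, from HijackThis or from any AV vendor), here is a small Python triage script that parses the O2/O4 lines of the log quoted above (a constructed sample trimmed to the entries that matter), flags the two file names the poster found, and compares every BHO CLSID against the stock BPK CLSID by hex-digit distance, so the edited {1D1B2879-...} entry still lights up even though no exact signature matches it. The distance threshold and the finding format are my assumptions.

```python
"""Triage HijackThis-style log lines for a keylogger whose BHO registration was
hex-edited (name and CLSID changed) so that exact-string signatures miss it.
Added example for this thread; not HijackThis or AV-vendor code."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the O2/O4 lines from the HijackThis log posted in this thread,
# trimmed to the entries that matter here.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Indicators taken from the thread itself: the stock BPK BHO CLSID quoted in the
# last reply, and the two file names the poster found on disk.
KNOWN_BAD_CLSIDS = {"{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}": "BPK 'PK IE Plugin' BHO (stock build)"}
KNOWN_BAD_FILES = {"bpk.exe", "bpkwb.dll"}

# A hand-edited CLSID differs from the original in only a few hex digits. An exact
# signature misses it; a digit-distance comparison does not. Threshold is an assumption.
NEAR_MATCH_MAX_DIFF = 8

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")


def clsid_distance(a, b):
    """Count differing hex digits between two CLSIDs (braces and hyphens ignored)."""
    da = re.sub(r"[^0-9A-F]", "", a.upper())
    db = re.sub(r"[^0-9A-F]", "", b.upper())
    if len(da) != 32 or len(db) != 32:
        raise ValueError("not a CLSID")
    return sum(x != y for x, y in zip(da, db))


def image_name(cmd):
    """Lower-cased file name of the executable/DLL in a path or Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        exe = cmd[1:cmd.find('"', 1)]
    else:                                        # unquoted path, arguments after whitespace
        m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
        exe = m.group(1) if m else cmd.split()[0]
    return PureWindowsPath(exe).name.lower()


def scan(log_text):
    """Return a list of findings, each a dict with 'kind', 'line' and 'detail'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            clsid = m["clsid"].upper()
            if clsid in KNOWN_BAD_CLSIDS:
                findings.append({"kind": "exact_clsid", "line": line, "detail": KNOWN_BAD_CLSIDS[clsid]})
            else:
                # Near match: the edited CLSID is still within a few digits of the stock one.
                for bad, label in KNOWN_BAD_CLSIDS.items():
                    d = clsid_distance(clsid, bad)
                    if d <= NEAR_MATCH_MAX_DIFF:
                        findings.append({"kind": "near_clsid", "line": line,
                                         "detail": f"{d} hex digits from {label} {bad}"})
            if image_name(m["path"]) in KNOWN_BAD_FILES:
                findings.append({"kind": "bad_file", "line": line, "detail": image_name(m["path"])})
            continue
        m = O4_RE.match(line)
        if m and image_name(m["cmd"]) in KNOWN_BAD_FILES:
            findings.append({"kind": "bad_file", "line": line,
                             "detail": f"{m['hive']} Run value [{m['value']}] -> {image_name(m['cmd'])}"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}\n    {f['line']}")
```

Run against the sample, the bpkwb.dll BHO is reported twice (file name, and a CLSID five hex digits away from the stock one) and the [bpk] Run value once; the Acrobat and Spybot BHOs are nowhere near the threshold. The caveat is the obvious one: file-name indicators only work while the attacker is lazy, a build that also renames bpk.exe and bpkwb.dll trips only the near-CLSID check, and one registered under a freshly generated CLSID trips nothing here. After a credential-stealing keylogger the durable response is the one the thread arrives at: remove the Run value, the BHO and both files (from safe mode if they are in use), then change every password from a machine you trust.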
