April 23, 2005

I somehow got a keylogger last night and I noticed my computer behaving a little weirdly (slower internet, etc.), so I did 2 virus scans and changed the pass on one of my chars (which I really care about) and left my main with the same pass. However, today when I logged on and off and logged back on later, my main was cleaned out. I thought, well, I just missed it, so I tried to check it again using HouseCall, Symantec, and AVG. None found a thing, so I ran an Ad-Aware and SpyBot scan as well. Nothing either. This really stumped me. Anyone have any clue how this is?
April 23, 2005 (Author)

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:48 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
D:\Sean\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: [garbled non-ASCII label] Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java [garbled non-ASCII label] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall [garbled non-ASCII label]) - http://housecall-beta.trendmicro.com/[garden tool] ... scan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} ([garbled non-ASCII label]) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
April 23, 2005 (Author)

Well, here is one after I restarted the computer:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:49 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\bpk.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Sean\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: [garbled non-ASCII label] Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java [garbled non-ASCII label] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall [garbled non-ASCII label]) - http://housecall-beta.trendmicro.com/[garden tool] ... scan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} ([garbled non-ASCII label]) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
April 23, 2005 (Author)

Blah, got rid of it. I don't see how the stupid Symantec, HouseCall and AVG, all THREE, can't get rid of this thing. It was:

C:\WINDOWS\system32\bpk.e3e (CAUTION - executable file)

Looked suspicious, and it was.
April 23, 2005

Ah yes, bpk, it's caused many people problems. Good job on finding it and removing it.
April 23, 2005

Did you kill this entry too?

O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll

Very surprised that Spybot did not find it. Just out of curiosity, did you run it?
April 23, 2005

Never mind, I just re-read your post. Still very strange that it was not picked up on the scans. All of them are targeting it.
April 23, 2005

Maybe he has old definitions, or it couldn't be deleted because it was in use (wasn't scanned in safe mode).

Anyway, I will congratulate you on one thing, and that is that you were at least smart enough to provide a well-written, clearly thought-out post about what happened and what you did. Usually we get these types of posts: "OMG I JUST GAWT HAKCED!1! SOMEONE HELP ME PLZ I WERE HACKD!!1!!!"

Sorry for your loss, hope it wasn't too big... On another note, do you know where you may have gotten the keylogger from?
April 23, 2005

Often people forget to disable "System Restore", and then, after the computer has been cleaned and restarted, the virus or whatever is back. That's the reason I never have System Restore enabled at any time.
April 23, 2005

Dude, I had a keylogger also, but you must have an un-updated version of those 3, because I had the exact same one and it found it immediately =]. See if you have any updates for it.
April 23, 2005

> Blah, got rid of it. I don't see how the stupid Symantec, HouseCall and AVG, all THREE, can't get rid of this thing. It was: C:\WINDOWS\system32\bpk.e3e (CAUTION - executable file). Looked suspicious, and it was.

It's not that hard to hex edit a server to make it undetectable to most AV services.
April 24, 2005 (Author)

Blah, lol, I'm not that stupid; I updated my definitions on everything I ran. Yes, I deleted that DLL file as well. First time I got a keylogger since I used a dedicated computer to play RS. I'm thinking that the keylogger hides itself after the system starts. I took the log right when the system was just started. Anyway, what's done is done.
April 25, 2005

> Did you kill this entry too?
> O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
> Very surprised that Spybot did not find it. Just out of curiosity, did you run it?

It's a hexed version. The BHO entry looks like this in unmodified BPK:

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
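The last reply explains why a signature keyed to the stock BPK entry can miss this one: the CLSID in the posted log differs from the unmodified value in only a handful of hex digits. The script below is an added example, not code from this thread or from any of the scanners mentioned. It parses the O-sections of a HijackThis log, flags the two BPK file names seen in the posted logs, and compares every O2 CLSID against the stock BPK CLSID quoted above by counting differing nibbles, so a "hexed" copy still scores as a near match. The sample log is constructed from entries in the thread; the near-match threshold of 6 nibbles is my own choice (a random CLSID differs from any given one in roughly 30 of its 32 hex digits, so a distance this small is essentially never coincidental).

```python
"""Added example, not code from the thread: triage a HijackThis log for the
Perfect Keylogger (BPK) indicators discussed above. The stock BPK BHO CLSID
and the two file names are taken from the posts; the near-match threshold
and the sample log are constructed for this example."""
import re

# Stock BHO CLSID of an unmodified BPK install, as quoted in the last reply.
STOCK_BPK_BHO_CLSID = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

# File names seen in the posted logs (lower-case, matched against lower-cased lines).
BPK_FILENAMES = ("bpk.exe", "bpkwb.dll")

CLSID_RE = re.compile(
    r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)

# Constructed sample: the relevant O2/O4 entries from the thread plus benign
# neighbours, so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\WINDOWS\system32\bpkwb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""


def parse_hjt(log_text):
    """Yield (section, body) for each 'Oxx - ...' line of a HijackThis log."""
    for line in log_text.splitlines():
        m = re.match(r"\s*(O\d+)\s+-\s+(.*)", line)
        if m:
            yield m.group(1), m.group(2).strip()


def clsid_distance(a, b):
    """Number of differing hex digits between two CLSIDs in {8-4-4-4-12} form.
    Separators are skipped; a layout mismatch counts as maximally different."""
    a, b = a.upper(), b.upper()
    if len(a) != len(b):
        return 32
    return sum(x != y for x, y in zip(a, b) if x not in "{}-")


def exact_clsid_hits(log_text):
    """What a signature keyed only to the stock CLSID would report."""
    return [body for _, body in parse_hjt(log_text)
            if STOCK_BPK_BHO_CLSID in body.upper()]


def triage(log_text, max_clsid_distance=6):
    """Return (section, reason, indicator, line) tuples for suspicious entries."""
    findings = []
    for section, body in parse_hjt(log_text):
        lower = body.lower()
        # 1. Known file names: the keylogger binary and its IE plugin DLL.
        for name in BPK_FILENAMES:
            if re.search(r"[\\/]" + re.escape(name) + r"\b", lower):
                findings.append((section, "bpk file name", name, body))
        # 2. BHO CLSID near-match: an exact signature misses a hexed copy,
        #    so score each O2 CLSID by distance to the stock value.
        if section == "O2":
            for clsid in CLSID_RE.findall(body):
                d = clsid_distance(clsid, STOCK_BPK_BHO_CLSID)
                if d == 0:
                    findings.append((section, "stock BPK CLSID", clsid, body))
                elif d <= max_clsid_distance:
                    findings.append(
                        (section, f"CLSID within {d} nibbles of stock BPK", clsid, body))
    return findings


if __name__ == "__main__":
    print("exact stock-CLSID hits:", exact_clsid_hits(SAMPLE_LOG))
    for section, reason, ioc, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {ioc}\n    {body}")
```

On the sample log the exact-CLSID check returns nothing, while the triage flags bpkwb.dll (by file name and by a CLSID five nibbles from the stock value) and bpk.exe. The same near-match idea applies to any indicator an attacker can patch in a few bytes; the file-name check is the cheap first pass and the distance score is what survives the hex edit.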