#1
Hi all,
There was a security breach in my computer due to a program that one of my partners ran. Several Trojans and keyloggers were installed. I think I have almost all the problems covered. But the keyboard, although it is configured in Control Panel as Portuguese, doesn't give me the accents right; if I want an "a" with the "´" accent, I get "´´a" - double accent and an "a"; the same thing happens with "~" - I get "~~a". I think it's only the accents - the rest seems to be working fine. It's the "~~", "^^", "´´", "``". They all come double and not over the letter.
Also, the program sent an email, passing through Norton and Sygate - is there a chance of knowing what the content was? Please, someone, answer as soon as possible.
Kind regards,
Kepler
#2
you already have a thread concerning this, right? why don't you post there?
try uninstalling the keyboard and re-installing it again from the properties tab.
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog Never argue with fools. They will bring you down to their level and beat you with experience. Manchester United Forever
#3
You cannot find out what data the email carried unless you packet log the program sending the email.
#4
Quote:
I know the email problem is mentioned in both, but the keyboard problem is probably enough of a different problem for a new thread.
#5
thanks edwin.
kepler are you still having a problem with the keyboard?
#6
I'm still alive..
Hi,
Sorry for answering so late, but since Saturday it's been hell on earth to me. The problem was - and might still be - one or more keyloggers. I've installed an anti-keylogger for the time being. Also, there were some trojans. But this hacker (the author - names himself Gerardo El Ruso) has new material - neither Norton, nor McAfee, nor Sygate could detect it. I decompiled the program, and made some routines in VB, and found out the above nickname, his email, what smtp he used, etc... I've already made a complaint to the Federal police of Argentina, with all the details. The info he gathered, only God and that bastard knows - bank accounts, passwords, etc., it's all compromised.
It's better to get some rest now... I'm really tired.
Kind regards,
Kepler
#7
I still say you packetlog all suspicious dll and executable files running from the Task Manager processes tab. After recording the data the files are recording and sending, you can probably tell if they are a threat or if they are safe. You can then run your computer in safe mode and delete the proper files and if you know where to look, remove their registry key values as well. If you cannot find a packetlogger, search for WPE Pro. It's very easy to use and gets the job done.
#8
i can't remember rightly.. but doesn't WPE Pro/Non-Pro versions work only with Win95 and Win98? it's been a while since i heard of that one.
edit: ahh.. i see the pro version works with xp. Doesn't seem to be freeware though. (the alpha version is though - available here: WPE pro -alpha) found a tutorial on google too if our OP is interested. http://www.phuzion.com/?p=tutorials/cheating/packet it seems to be a favorite among the gaming community.
Last edited by oneMSBi : May 10th, 2005 at 04:12 PM. Reason: googled a bit
#9
Hi kepler,
Feel free to post a HijackThis log. Please download HijackThis. Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix. Run the program, click the button at the top "Do a system scan and save a logfile". Save the log to a convenient place such as C:\HJT. Notepad will open, copy and paste the entire log into your post. Do not fix anything yet, most of what's in the log is needed!
http://www.majorgeeks.com/download3155.html
Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
#10
Please update HijackThis, you are using an outdated version. The new version does a better job of detecting malware:
Open HijackThis, click Config > Misc Tools > Check for Update online
Or download a copy of version 1.99.1 at: http://www.majorgeeks.com/download3155.html
If you downloaded the newer version, please delete the older version you are using now. Post a fresh log with this new version. Just copy and paste the text from HijackThis directly into your next post, using the Code or Quote dialog boxes makes the log too hard to read.
Tom
#11
.......
The zipped files had the same name, but different folders...
Regards,
Kepler
Last edited by kepler : May 16th, 2005 at 02:42 PM.
#12
ummm hehe .. kepler.. you posted a zip of the hijackthis application and not your log file. your logfile will be in the folder to which you installed hijackthis. please do not run hijackthis from a temporary folder. install it to a permanent folder on your harddisk. the log file will be a simple text file.
#13
Here you go kepler, it's broken into 2 posts because of the length of the log:
Logfile of HijackThis v1.99.1
Scan saved at 18:43:36, on 16-05-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\aaksrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programas\Java\j2re1.4.2_02\bin\jusched.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\NEOLEC Mouse\NEOLEC Mouse\1.1\MOUSE32A.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Babylon-dir\Babylon.exe
C:\www\Apache2\bin\apache.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programas\Advanced Anti Keylogger\aak.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\www\mysql\bin\mysqld-max-nt.exe
C:\Programas\MSI\PC Alert 4\PCAlert4.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\GetRight\getright.exe
C:\Programas\GetRight\getright.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programas\Microsoft Office\Office10\msoffice.exe
C:\Programas\Idyle Software\Agenda 98\Agenda98.exe
C:\Programas\Winamp\Winampa.exe
C:\www\Apache2\bin\apache.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programas\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programas\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programas\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Outlook Express\msimn.exe
C:\Programas\eDonkey2000\edonkey2000.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rui Fernandes\Ambiente de trabalho\Cosmos\Web\Mirror\Tools\HijackThis 1.99.1\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.248.240.119:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Programas\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Vnezra] c:\Program Files\Wrip\Ujwioe.exe
O4 - HKLM\..\Run: [ussshreg] C:\PROGRA~1\ULEADS~1.0\Ussshreg.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Programas\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programas\NEOLEC Mouse\NEOLEC Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Programas\Babylon-dir\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcx8] C:\WINDOWS\qfktem.exe
O4 - HKLM\..\Run: [Keylogger Killer] C:\Programas\Keylogger Killer\KeyloggerKiller.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AAK] C:\Programas\Advanced Anti Keylogger\aak.exe /silent
O4 - Startup: regsvr.bat
O4 - Startup: Agenda 98.lnk = C:\Programas\Idyle Software\Agenda 98\Agenda98.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Programas\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: IDSAutoStart.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programas\GetRight\getright.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
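
Added example, not part of the post above and not HijackThis code: a small Python parser for the log format shown in this thread, read one entry per line, that marks entries to look up first. The three rules (a configured ProxyServer, a BHO listed as "(no name)", a Run entry whose .exe sits directly in the Windows folder) and all function names are assumptions chosen for illustration, not verdicts; the sample lines are copied from the log above.

```python
import re

# Entries copied from the log in this thread, one per line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.248.240.119:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcx8] C:\WINDOWS\qfktem.exe
O4 - Startup: regsvr.bat
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
PROXY = re.compile(r",ProxyServer = (\S+)")
RUN_IN_WINROOT = re.compile(
    r'Run: \[[^\]]*\] "?([A-Za-z]:\\WINDOWS\\[^\\\s"]+\.exe)', re.I)


def parse(log):
    """Return (section code, body) for every line shaped like 'O4 - ...'."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def reasons(code, body):
    """Illustrative triage rules (assumptions); a hit means 'look this up'."""
    found = []
    if code in ("R0", "R1") and PROXY.search(body):
        found.append("proxy server configured: " + PROXY.search(body).group(1))
    if code == "O2" and body.startswith("BHO: (no name)"):
        found.append("browser helper object without a name")
    if code == "O4" and RUN_IN_WINROOT.search(body):
        found.append("Run entry starts an .exe directly in the Windows folder")
    return found


def triage(log):
    """Return (code, body, reasons) for entries that hit at least one rule."""
    hits = [(c, b, reasons(c, b)) for c, b in parse(log)]
    return [h for h in hits if h[2]]


if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(code, "|", body, "|", "; ".join(why))
```

A hit only orders the review; each flagged file still has to be identified before anything is fixed or deleted.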