Two Plus Two Newer Archives  

  #1  
Old 01-07-2007, 06:02 PM
Jim Kuhn
Senior Member
 
Join Date: Nov 2002
Location: USA
Posts: 2,757
Default SCKeylogger found - what is next?

I have a wireless router with three computers connected. I rarely use my laptop. Today I logged onto the laptop and entered a poker tourney. As I had not run Spybot on this computer for a while, I updated and checked the laptop. It came back with "SCKeylogger found".

My kids use the laptop very often and play online games. I suspect this is how the virus was picked up. I restarted the laptop and am running Spybot again. It says the keylogger has been fixed. I am on one of the PCs and checked my poker account balances. Those balances appear intact. I am running Spybot on all three machines.

What should I do next? I have Windows Firewall turned on. Will that help? My router, I think, also acts as a firewall? If I remove that virus and change all of my passwords, will I be safe? Thank you for any help you may provide!

Thank you,

Jim Kuhn
  #2  
Old 01-07-2007, 11:52 PM
Stihgnob
Junior Member
 
Join Date: Nov 2006
Posts: 6
Default Re: SCKeylogger found - what is next?

D'oh, that really sucks, glad you found it.

While I haven't had any experience with this keylogger, a quick Google search brings up loads of info. I'd check this page out and follow the steps to be sure the system is 100% clean: Remove Spyware

Most keyloggers send info out over email, so your firewalls probably didn't stop much. And about changing passwords: yes, do it soon, and do it from a computer you believe to be clean.

Good Luck!
  #3  
Old 01-08-2007, 01:58 AM
illunious
Senior Member
 
Join Date: Oct 2003
Posts: 1,992
Default Re: SCKeylogger found - what is next?

First/ASAP: change your passwords on another (non-infected) computer.

[QUOTE]If I remove that virus and change all of my passwords will I be safe?[/QUOTE]

If I detected a keylogger on any of my computers, the next thing I would do is start from scratch (format, reinstall Windows). Without determining what exactly the keylogger is capable of, this is the only way I'd feel safe. Either that, or I'd stop using any accounts on that computer that I wanted to be as secure as possible.
  #4  
Old 01-08-2007, 11:38 AM
teddyFBI
Senior Member
 
Join Date: Jun 2004
Location: Swapping only amounts > 1K
Posts: 3,592
Default Re: SCKeylogger found - what is next?

  #5  
Old 01-09-2007, 06:01 PM
Sotiria
Senior Member
 
Join Date: May 2006
Posts: 349
Default Re: SCKeylogger found - what is next?

Like illunious said, change your passwords on a known "clean" computer. This includes any bank sites, poker rooms, and any other site that you have a login/password for.

Reformatting and re-installing is your only option now.
  #6  
Old 01-11-2007, 02:14 AM
AKQJ10
Senior Member
 
Join Date: Jun 2004
Location: Hsv or the Tunica Horseshoe, pick one
Posts: 5,754
Default Re: SCKeylogger found - what is next?

I'm latching onto this thread (hopefully not a hijack) because I've noticed a mysterious "C:\U.exe" that's shown up twice in my root directory. Googling seems to indicate that it's likely part of a keylogger, although there also appear to be legitimate apps with a U.exe. (Hard to believe they'd invite themselves into the root dir, though.)

My semi-expired McAfee firewall seemed to detect its attempts to access the Internet, so I'm hopeful that means that nothing malicious has happened yet. But I don't want to be naive; everything I read says these things can hide themselves well.

Is there really no other course of action than to wipe it and start over? I'm allegedly an IT professional, so I realize the philosophy of "better safe than sorry", which is probably what I'd tell my own clients. All the same, formatting seems like at least a 20-30 hour operation given all the junk I've got installed. Surely there's gotta be some way to find what's creating this U.exe, no? I'm trying to configure FileMon to watch my disk accesses.

I've certainly started changing my passwords on another computer. I'm pretty ignorant of keyloggers; if I enter a new password via copy/paste (e.g. from Password Safe), will they pick up the clipboard traffic?

Lately I've installed some poker-related software, and I'm worried that something like the PAHUD free version has installed this U.exe. Please please please tell me there's some legitimate use for it.
  #7  
Old 01-11-2007, 11:21 PM
BiPolar_Nut
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: SCKeylogger found - what is next?

[QUOTE]will they pick up the clipboard traffic?[/QUOTE]

A flat-out single-purpose keylogger that *only* logs keystrokes wouldn't catch the clipboard, but any keylogger could trivially add this functionality.

I have a U.exe in my root dir... NOT! I don't think I'd trust *any* app that put something like that in my root dir, even if I knew the software that did it was trustworthy. That, to me, is offensive and an intrusion.

FWIW, I didn't find any legit uses for U.exe in a search. What do you mean by PAHud free version? The trial? If it's some free version that *isn't* the trial, then it's almost certainly a trojaned version (unless you got it from the PAHud site and it was free for signing up someplace using his affiliate link, but I don't remember if he did that or not; I bought both PAHud and PT at regular retail).

Theoretically, anything installed can be removed, but if you didn't notice it getting in there in the first place, chances are good you wouldn't be able to get a clean machine with certainty. In fact, no matter who you are, you can never be 100% certain any compromised machine is ever fully cleansed (although, depending on your system-guts prowess, going through the registry in safe and normal modes, using known clean copies of process, file, and traffic/port monitoring software, and checking tcpdump/Ethereal traffic logs on your router may be able to give enough peace of mind if you're confident enough in your search-and-remove rampage).

What do spyware and virus scans turn up, and what engines are you using for the scans? Also, what does "semi-expired" mean? (/me shudders at the mention of McCrappy... not in a good way.)
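Two of the replies above point at the same check: keyloggers typically exfiltrate over email (post #2), and the router's tcpdump/Ethereal capture is one of the few vantage points the compromised machine can't tamper with (post #7). The script below is an added example, not code from any poster or from Spybot/McAfee: it triages `tcpdump -nn` style text from a router for outbound TCP connection attempts (SYNs) from one LAN host and separates mail-submission ports (25/465/587) and other unexpected ports from ordinary browsing. The sample log lines are constructed with documentation-range addresses, and the `LAN` prefix and `EXPECTED_PORTS` allowlist are assumptions to tune for your own network.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in `tcpdump -nn` text format (not a real capture). Only the
# first packet of a connection (Flags [S]) matters; replies carry Flags [S.].
SAMPLE_LOG = """\
22:14:01.104 IP 192.168.1.12.49211 > 192.0.2.25.25: Flags [S], seq 100, win 65535, length 0
22:14:01.311 IP 192.0.2.25.25 > 192.168.1.12.49211: Flags [S.], seq 5, ack 101, win 29200, length 0
22:14:02.015 IP 192.168.1.12.49212 > 198.51.100.80.443: Flags [S], seq 200, win 65535, length 0
22:14:05.900 IP 192.168.1.12.49213 > 198.51.100.7.587: Flags [S], seq 300, win 65535, length 0
22:14:06.120 IP 192.168.1.12.49214 > 203.0.113.9.6667: Flags [S], seq 400, win 65535, length 0
22:14:07.000 IP 192.168.1.20.51000 > 198.51.100.80.80: Flags [S], seq 500, win 65535, length 0
22:14:09.331 IP 192.168.1.12.49215 > 198.51.100.7.587: Flags [S], seq 600, win 65535, length 0
22:14:11.500 IP 192.168.1.12.53211 > 192.168.1.1.53: UDP, length 45
"""

LAN = ip_network("192.168.1.0/24")      # assumption: the home network behind the router
MAIL_PORTS = {25, 465, 587}             # SMTP / SMTPS / submission
EXPECTED_PORTS = {53, 80, 443}          # assumption: what a browsing-only host should need

SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)


def parse_syns(log_text):
    """Yield (timestamp, src, dst, dport) for each TCP SYN leaving the LAN."""
    for line in log_text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue                    # replies, UDP, and non-matching lines
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src in LAN and dst not in LAN:
            yield m["ts"], str(src), str(dst), int(m["dport"])


def triage_egress(log_text, host):
    """Count `host`'s connection attempts per (destination, port), bucketed by
    whether the port is a mail port, an expected port, or something else."""
    findings = defaultdict(Counter)
    for _ts, src, dst, dport in parse_syns(log_text):
        if src != host:
            continue
        if dport in MAIL_PORTS:
            findings["mail"][(dst, dport)] += 1
        elif dport in EXPECTED_PORTS:
            findings["expected"][(dst, dport)] += 1
        else:
            findings["unexpected"][(dst, dport)] += 1
    return {bucket: dict(counts) for bucket, counts in findings.items()}


if __name__ == "__main__":
    # Against the constructed log the laptop shows three mail attempts (one of
    # them repeated) and an IRC-port (6667) attempt; the other PC looks ordinary.
    for host in ("192.168.1.12", "192.168.1.20"):
        print(host)
        for bucket, counts in sorted(triage_egress(SAMPLE_LOG, host).items()):
            for (dst, port), n in sorted(counts.items()):
                print(f"  {bucket:10s} {dst}:{port}  x{n}")
```

Run it against a real capture with `tcpdump -nn -i <wan-if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` saved to a file; a home machine that only browses and plays poker has no business opening SMTP sessions to arbitrary hosts, and repeated attempts to the same odd destination are what the firewall prompt in post #6 was showing from the other side.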
  #8  
Old 01-12-2007, 04:42 AM
AKQJ10
Senior Member
 
Join Date: Jun 2004
Location: Hsv or the Tunica Horseshoe, pick one
Posts: 5,754
Default Re: SCKeylogger found - what is next?

PAHUD free version: I mean that I downloaded the free trial, limited to one table and 30 days. I haven't yet purchased the full version.

For the record, I have no reason to blame PAHUD. I'm just trying to recollect what I've installed recently that wasn't airtight safe (i.e., widely used and open-source).

McAfee: it came preinstalled when I bought this Dell in July, and I think the updates ran out after 90 days. I'd also installed AVG Free Edition before this happened. Neither finds anything.

(Technically, McAfee identifies two things that it considers notable: the FTP program bundled with Apache2Triad is a "potentially unwanted program", and a huge .tgz file of mostly spam mail that I downloaded from my Web server had some message with a virus in it. Needless to say, I've never executed that attachment and don't plan to; it's deep within a gzipped tar that I've just not cleaned out.)

Since this happened, I installed SpyBot S&D. It didn't find anything.

There have, in the past month or so, been a couple of things that McAfee complained about in my Firefox cache, but as best I could tell those were quarantined and dealt with. I'm looking for the logs to give you more detail.

I've blocked U.exe from Internet access in the McAfee firewall, and bumped up the setting to just below "lockdown".

I've installed FileMon and am hoping to soon filter out the irrelevant stuff so I can see if anything's written to on my keystrokes.
  #9  
Old 01-12-2007, 11:00 AM
BiPolar_Nut
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: SCKeylogger found - what is next?

If you delete U.exe, does it come back? (You may want to back it up first if you think it may be legit.)
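Posts #6 and #8 describe filtering FileMon to see what gets written while typing, and post #9 asks whether a deleted U.exe comes back. Both questions reduce to the same measurement: take a snapshot of the files under a directory, do something (type into an application, or delete the suspect file and wait), take another snapshot, and diff them. The script below is an added example, not code from any poster or from FileMon; it implements that snapshot-and-diff with only the standard library. The `demo()` function runs the whole thing in a temporary directory with constructed files that imitate a re-created `U.exe` and a log that grows while you type; `watch()` is the version you would point at a real root such as `C:\` or your user profile.

```python
import os
import tempfile
import time


def snapshot(root):
    """Map every regular file under root (relative path) to (size, mtime_ns)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue            # file vanished between listing and stat
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns)
    return state


def diff_snapshots(before, after):
    """Files that appeared, changed (size or mtime), or vanished between snapshots."""
    common = set(before) & set(after)
    return {
        "new": sorted(set(after) - set(before)),
        "changed": sorted(p for p in common if before[p] != after[p]),
        "gone": sorted(set(before) - set(after)),
    }


def watch(root, seconds, interval=2.0):
    """Poll `root` for `seconds`, yielding a diff for every interval in which
    something changed. Type into the suspect application while this runs;
    a keylogger's output file shows up in 'changed' on each poll."""
    prev = snapshot(root)
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        time.sleep(interval)
        cur = snapshot(root)
        d = diff_snapshots(prev, cur)
        if any(d.values()):
            yield d
        prev = cur


def demo():
    """Self-contained run in a temp dir: a 'deleted' U.exe reappears and a log
    under Temp grows, exactly the two patterns the thread is looking for."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Temp"))
        log = os.path.join(root, "Temp", "keys.log")   # constructed: not a real keylogger file
        with open(log, "wb") as f:
            f.write(b"abc")
        before = snapshot(root)
        # Activity between the two snapshots (constructed):
        with open(os.path.join(root, "U.exe"), "wb") as f:   # dropper re-creates the file
            f.write(b"MZ")
        with open(log, "ab") as f:                           # log grows with "keystrokes"
            f.write(b"def")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
    # Real use: delete C:\U.exe, then `for d in watch(r"C:\", 600): print(d)`
    # and note which file reappears and what else was written at the same moment.
```

Two caveats a reviewer would raise: the poll only catches files that persist between snapshots, so a logger that writes and uploads in under an interval can slip through (shorten the interval or use FileMon's live view for that), and a rootkit that hides files from directory listings hides them from `os.walk` too, which is the point post #7 makes about never being certain a compromised machine is clean.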