  1. #1
    Lead Foot
    Join Date
    May 2008
    Location
    GA
    Posts
    462

    Default Need 3 Files examined by Security Expert

    I am typing via Blackberry, as my Desktop has been keylogged.

    I have 3 files that I desperately need a security expert to examine.
    The files are highly private "mods" for an online computer game.

    All 3 files function as intended. One of them contains a keylogger.


    2 of the files are similar in nature. They are a rar package that contains several files. In each of them are a few text config files, a .dll, and a .exe. The .exe, called the "injector", injects the DLL into a running process named "game.exe" to allow the "mod" to work.

    The third file is a .mpq file that is placed in the directory of the game.



    All files scan clean with virustotal.com

    System that was infiltrated was running:
    ProcessGuard
    Avira
    Comodo


    Shoot me a PM or post if you think you can help. I really need to determine which file the keylogger came from.
    Last edited by Cauhauna; 06-30-2010 at 11:32 AM.

  2. #2
    Professional
    Join Date
    Jul 2009
    Location
    127.0.0.1
    Posts
    1,295

    Default Re: Need 3 Files examined by Security Expert

    Most likely you have downloaded a botnet, not just a normal keylogger. Open MSCONFIG from your run menu, go to startup, and look for any file that has an unknown publisher and the only information on it is a name something.exe. Find it, disable it. If you have teamviewer I can take over your screen and help you out with it when I get off of work later. I have quite a bit of experience with these as I used to be an admin on one of the biggest xbox modding sites on the internet and had to deal with these files daily.

  3. #3
    Radar Fanatic
    Join Date
    Jan 2006
    Location
    SoCal - OC Style
    Posts
    2,479

    Default Re: Need 3 Files examined by Security Expert

    Upload them to Jotti and run a check.

    Jotti's malware scan

    Download Malwarebytes and Super Anti Spyware (both have portable versions) and run scans on your infected computer.

  4. #4
    Lead Foot
    Join Date
    Mar 2010
    Posts
    438

    Default Re: Need 3 Files examined by Security Expert

    It's more than likely the executable that has caused the problem. First try a recovery, as in rollback to the last working config that was virus free. Some "botnet" or trojan creators can enable this feature tho'. Also, try booting in safe mode using F8 when you get a chance.

    When the .exe was opened it creates other files, and creates registry keys in your reg. editor. So even if you delete the .exe, it will recreate itself upon startup. If you can upload your file to RapidShare and post the link, I will examine it. =)

  5. #5
    Professional
    Join Date
    Jun 2010
    Location
    Passing on the right
    Posts
    1,274

    Default Re: Need 3 Files examined by Security Expert

    Once a system has been compromised in this way, the only sure way to be clean is a format and re-install from trusted sources. This is what I would be looking to do if I were you.

    The problem is that no matter how many tools you use to scan your computer, no one really knows the true extent of the damage. To continue to operate your computer after this, you have to always be on the lookout for suspicious activity.

    Take an afternoon, back up your files, format the hard disk and re-install everything. At least you won't have to worry and you will spend less time in the end.

  6. #6
    Lead Foot
    Join Date
    May 2008
    Location
    GA
    Posts
    462

    Default Re: Need 3 Files examined by Security Expert

    Quote Originally Posted by switch626 View Post
    Once a system has been compromised in this way, the only sure way to be clean is a format and re-install from trusted sources. This is what I would be looking to do if I were you.

    The problem is that no matter how many tools you use to scan your computer, no one really knows the true extent of the damage. To continue to operate your computer after this, you have to always be on the lookout for suspicious activity.

    Take an afternoon, back up your files, format the hard disk and re-install everything. At least you won't have to worry and you will spend less time in the end.
    I agree. I never try to recover after infection. I always DBAN 7 pass and rewrite MBR every time without fail. That is not why I created the thread.

    I created the thread because I need to figure out which file caused the infection --- not for removal, but so that I know I can safely use the other files after reformat, as I need all of them badly.

  7. #7
    Banned
    Join Date
    Oct 2009
    Location
    USA
    Posts
    2,534

    Default Re: Need 3 Files examined by Security Expert

    Do you make regular backups so you can reinstall Windows and restore from known-good archives?

  8. #8
    Lead Foot
    Join Date
    May 2008
    Location
    GA
    Posts
    462

    Default Re: Need 3 Files examined by Security Expert

    Quote Originally Posted by The Chariot View Post
    Do you make regular backups so you can reinstall Windows and restore from known-good archives?
    I'm not interested in doing any restoring or recovery. I always wipe a computer after a virus. Always.

    I just need to know which file the virus came from.

  9. #9
    Banned
    Join Date
    Oct 2009
    Location
    USA
    Posts
    2,534

    Default Re: Need 3 Files examined by Security Expert

    Quote Originally Posted by Cauhauna View Post
    Quote Originally Posted by The Chariot View Post
    Do you make regular backups so you can reinstall Windows and restore from known-good archives?
    I'm not interested in doing any restoring or recovery. I always wipe a computer after a virus. Always.

    I just need to know which file the virus came from.
    That's what I do. Wipe, re-install Windows and restore data from a known-good backup from before the time of the infection.

  10. #10
    Lead Foot
    Join Date
    Mar 2010
    Posts
    438

    Default Re: Need 3 Files examined by Security Expert

    So it used EasyPlay injector to inject Houndini.dll:

    Anubis - Analysis Report

    There's my anubis scan, it created a process, prob changed a few registry keys/created them.

    If you did a login to use this software it acted as a phisher, and sent your PW/Username to: http://members.multimania.co.uk/orlyz/

    You can report the site and get it banned for violation of TOS if you have proof.

    It's 3:07 AM, I'm tired, half of this is probably incorrect, so don't hate, just trying to help.
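
One way to approach the thread's question of which file carries the extra payload, as an added example that is not part of any post above: a static string triage that lists embedded URLs and watch-listed Windows API names per file without executing anything. The sample bytes, the names `mod_a.dll`/`mod_b.dll`, the `collector.example` URL and the watch list are all constructed for illustration; packed or encrypted binaries will not expose their strings this way.

```python
import re

# Watch list of Windows API name stems; an assumption chosen for this example.
WATCHLIST = {
    "keystroke capture": ["SetWindowsHookEx", "GetAsyncKeyState", "GetKeyboardState"],
    "process injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "network": ["InternetOpen", "HttpSendRequest", "URLDownloadToFile", "WSAStartup"],
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")          # printable ASCII, 5+ chars
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")  # same text stored as UTF-16LE
URL = re.compile(r"https?://[^\s\"'<>]+")

def extract_strings(data):
    """Return printable strings found in a binary, in both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found

def triage(data):
    """Summarise embedded URLs and watch-listed API names for one file."""
    strings = extract_strings(data)
    report = {"urls": sorted({u for s in strings for u in URL.findall(s)})}
    for category, names in WATCHLIST.items():
        report[category] = sorted({n for n in names if any(n in s for s in strings)})
    return report

def compare(files):
    """files maps a file name to its bytes; returns one report per file."""
    return {name: triage(blob) for name, blob in files.items()}

# Constructed sample inputs (not the files from the thread).
SAMPLES = {
    "injector.exe": b"MZ\x90\x00" + b"\x00".join(
        [b"OpenProcess", b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"]),
    "mod_a.dll": b"MZ\x90\x00LoadLibraryA\x00GetProcAddress\x00config.txt\x00",
    "mod_b.dll": b"MZ\x90\x00GetAsyncKeyState\x00InternetOpenA\x00\x00"
                 + "http://collector.example/up.php".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    for name, report in compare(SAMPLES).items():
        print(name, report)
```

An injector is expected to show the process-injection names, so the useful signal is a DLL that also shows keystroke-capture or network names and a URL the mod has no stated reason to contact.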
