ask about keylogger

04/10/2009 11:12 Smurfin#1
Today I found something strange. While I was logged into the PW Indo server I suddenly got booted by force, as if the account had been logged in by force.

I felt something was wrong and checked netstat; there was a suspicious ongoing connection, which I marked with '?' in the image below.

[netstat screenshot, not reproduced]

and found out it was running under the filename winload.exe. When I checked the file at virusscan.jotti.org it said:
Code:
File:              winload.exe
Status:            INFECTED/MALWARE
MD5:               f719cf8719e318f30ae715579f133740
Packers detected:  -

A-Squared              Found Backdoor.Rbot!IK
AntiVir                Found WORM/Rbot.210944
ArcaVir                Found Heur.RoundKick
Avast                  Found Win32:DCom-F
AVG Antivirus          Found BackDoor.RBot.DM
BitDefender            Found Backdoor.RBot.XTJ
ClamAV                 Found Exploit.DCOM.Gen
CPsecure               Found W32.Net.W.Welchia.A
Dr.Web                 Found Win32.HLLW.MyBot.based
F-Prot Antivirus       Found W32/Ircbot.1!Generic
F-Secure Anti-Virus    Found Backdoor.Win32.Rbot.aea
Ikarus                 Found Backdoor.Rbot
Kaspersky Anti-Virus   Found Backdoor.Win32.Rbot.aea
NOD32                  Found a variant of Win32/Rbot
Norman Virus Control   Found W32/Spybot.CNJK
Panda Antivirus        Found W32/Gaobot.gen.worm
Quick Heal             Found Backdoor.Rbot.aea
Sophos Antivirus       Found W32/Rbot-Gen
VirusBuster            Found Worm.RBot.Gen.10
VBA32                  Found Backdoor.Win32.Rbot.aea

winload.exe is located at C:\winload.exe

Is it a keylogger?
I don't know how long it's been running on my system; I didn't notice anything wrong until today, when my account on PW ID got booted by force, 2 of my char accounts.

I used the TCPView application to see anything going in and out via the internet on my system, and that file was active.

Just as a precaution, if anyone visits this thread, do check whether there is a winload.exe running on your system. Maybe I got infected by running a file from here or somewhere else, I'm not sure; better safe than sorry.
04/10/2009 15:59 BetaBowElfe#2
Thanks, I'll watch out for that winload... Be careful what you download...
04/10/2009 16:29 Smurfin#3
Yeah, I just reinstalled AVG now and am using its firewall to ask first if anything attempts to make a connection. I never download anything other than media files, though, since my AVG expired last month. Maybe it's from before that and became active when my AVG expired, or I could have been booted by a GM because I shouted some complaints, but that's very unlikely because the GM is dumb and ignorant.
04/11/2009 17:04 plixbugmenot#4
Hmm, it seems like it connects to an IRC server, port 6667. Can you send me the file if you still have it? I will take a look at what it does exactly.

EDIT

[image not reproduced]

The IP 124.217.249.249 is registered under piradius.net (a Malaysian host). You could mail [Only registered and activated users can see links. Click Here To Register...] to report it, but they probably don't care.
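The triage done in this thread (netstat shows an established connection, TCPView ties it to a process, the binary gets hashed and checked against a multi-engine scanner, and the remote side turns out to be an IRC port on a foreign host) can be scripted so it is repeatable on the next machine. The following is an added example written for this page, not code from either poster. The MD5 and the 124.217.249.249 address come from the thread; the `netstat -ano` output, the PID-to-image map, the list of IRC ports and the "trusted directories" heuristic are constructed assumptions for the demo.

```python
"""Offline triage of netstat output, in the spirit of the checks done in this thread.

Added example for this page; not the posters' code. Real usage: paste in the
output of `netstat -ano` and build the PID map from `tasklist` (or TCPView).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: classic IRC ports that bots of the Rbot family use for C&C.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
# Indicators taken from the thread itself.
KNOWN_BAD_MD5 = {"f719cf8719e318f30ae715579f133740"}   # winload.exe per jotti
KNOWN_BAD_IPS = {"124.217.249.249"}                    # IRC server per post #4

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1035       74.125.19.99:80        ESTABLISHED     2244
  TCP    192.168.1.5:1042       124.217.249.249:6667   ESTABLISHED     1880
  TCP    192.168.1.5:1050       203.0.113.20:29000     ESTABLISHED     3104
  UDP    0.0.0.0:500            *:*                                    1200
"""

# Constructed PID -> image path map (what tasklist or TCPView would give you).
SAMPLE_PROCESSES = {
    912: "C:\\Windows\\System32\\svchost.exe",
    2244: "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    1880: "C:\\winload.exe",
    3104: "C:\\Program Files\\Perfect World\\elementclient.exe",
    1200: "C:\\Windows\\System32\\lsass.exe",
}

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def split_endpoint(endpoint: str):
    """'124.217.249.249:6667' -> ('124.217.249.249', 6667); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    """Parse the data rows of `netstat -ano`, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        ip, port = split_endpoint(foreign)
        conns.append(Conn(proto, local, ip, port, state or "", int(pid)))
    return conns


def find_suspicious(conns, processes,
                    trusted_dirs=("C:\\Windows\\", "C:\\Program Files\\")):
    """Flag established connections by IRC port, known-bad IP, or odd image path.

    The 'outside trusted directories' rule is a heuristic: a binary sitting in
    C:\\ root (like winload.exe here) is worth a look, not proof of anything.
    """
    prefixes = tuple(d.lower() for d in trusted_dirs)
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        reasons = []
        if c.remote_port in IRC_PORTS:
            reasons.append(f"remote port {c.remote_port} is an IRC port")
        if c.remote_ip in KNOWN_BAD_IPS:
            reasons.append("remote IP is a known C&C address")
        path = processes.get(c.pid, "<unknown>")
        if not path.lower().startswith(prefixes):
            reasons.append(f"image {path} is outside the usual program directories")
        if reasons:
            findings.append((c.pid, path, c.remote_ip, c.remote_port, reasons))
    return findings


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk=1 << 20) -> str:
    """Hash a binary in chunks before submitting it to a multi-engine scanner."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_bad(md5hex: str) -> bool:
    return md5hex.lower() in KNOWN_BAD_MD5


if __name__ == "__main__":
    for pid, path, ip, port, reasons in find_suspicious(parse_netstat(SAMPLE_NETSTAT),
                                                        SAMPLE_PROCESSES):
        print(f"PID {pid} {path} -> {ip}:{port}")
        for r in reasons:
            print("   -", r)
```

On a real box, replace `SAMPLE_NETSTAT` with the pasted `netstat -ano` output and build the PID map from `tasklist`; `md5_of_file` gives the hash to compare with what the scanner reports, so you know you submitted the same file the forum post is talking about. The IRC port check is the cheap, high-signal test here: a game client or browser has no business holding an established session on 6667.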
04/11/2009 21:12 Smurfin#5
Ah yeah, now that you mention fud.exe, I believe it's coming from my cracked DU Meter 4. I deleted the file as soon as I was booted from the game and changed my password. Glad it's not coming from this forum.

Strange, though, how the person the program was intended to send data to would know of a PW game. Maybe I was booted by a GM at that time and not because someone attempted to log in through my account, because the message is the same as when we tick [force login] on the login screen. His behaviour/response in the game has been kinda nuts and weird lately, lol.

Thanks btw for the info.