
ask about keylogger

 
Old   #1
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
ask about keylogger

Today I found something strange: when I was logged into the PW Indo server, I suddenly got booted by force, as if the account had been logged into by force.

I felt something was wrong and checked netstat; there was a suspicious ongoing connection, which I marked with '?' in the image below.



I found out it was running under the filename winload.exe. When I checked the file at virusscan.jotti.org it said:
Code:
File: 	winload.exe
Status: 	INFECTED/MALWARE
MD5: 	f719cf8719e318f30ae715579f133740
Packers detected: 	
-

A-Squared              Found Backdoor.Rbot!IK
AntiVir                Found WORM/Rbot.210944
ArcaVir                Found Heur.RoundKick
Avast                  Found Win32:DCom-F
AVG Antivirus          Found BackDoor.RBot.DM
BitDefender            Found Backdoor.RBot.XTJ
ClamAV                 Found Exploit.DCOM.Gen
CPsecure               Found W32.Net.W.Welchia.A
Dr.Web                 Found Win32.HLLW.MyBot.based
F-Prot Antivirus       Found W32/Ircbot.1!Generic
F-Secure Anti-Virus    Found Backdoor.Win32.Rbot.aea
Ikarus                 Found Backdoor.Rbot
Kaspersky Anti-Virus   Found Backdoor.Win32.Rbot.aea
NOD32                  Found a variant of Win32/Rbot
Norman Virus Control   Found W32/Spybot.CNJK
Panda Antivirus        Found W32/Gaobot.gen.worm
Quick Heal             Found Backdoor.Rbot.aea
Sophos Antivirus       Found W32/Rbot-Gen
VirusBuster            Found Worm.RBot.Gen.10
VBA32                  Found Backdoor.Win32.Rbot.aea
winload.exe is located at c:\winload.exe

Is it a keylogger?
I don't know how long it has been running on my system; I didn't notice anything wrong until today, when my account on PW ID got booted by force, 2 of my char accounts.

I used the TCPView application to see anything going in and out via the internet on my system, and that file was active.

Just as a precaution, if anyone visits this thread, do check whether there is a winload.exe running on your system. Maybe I got infected by running a file from here or somewhere else, I'm not sure; better safe than sorry.
Smurfin is offline  
Old 04/10/2009, 15:59   #2
 
elite*gold: 20
Join Date: Apr 2008
Posts: 752
Received Thanks: 123
Thanks, I'll watch out for that winload... Be careful about what you download.
BetaBowElfe is offline  
Old 04/10/2009, 16:29   #3
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
Yeah, I just reinstalled AVG now and I'm using its firewall to ask first if anything attempts to make a connection. I never download anything other than media files, though, since my AVG expired last month. Maybe it's from before that and became active when my AVG expired, or I could have been booted by a GM because I shouted some complaints, but that's very unlikely because the GM is dumb and ignorant.
Smurfin is offline  
Old 04/11/2009, 17:04   #4
 
elite*gold: 0
Join Date: Dec 2008
Posts: 89
Received Thanks: 56
Hmm, it seems like it connects to an IRC server, port 6667. Can you send me the file if you still have it? I will take a look at what it does exactly.

EDIT



The IP 124.217.249.249 is registered under piradius.net (Malaysian host); you could mail them to report it, but they probably don't care.
plixbugmenot is offline  
Thanks
1 User
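The check the first post and post #4 describe by hand (look at netstat/TCPView, notice the connection to IRC port 6667, notice that the process is a winload.exe sitting at the root of C:) can be scripted so it runs over saved `netstat -ano` output. The following is an added Python example, not code from the thread or from any tool mentioned in it. The netstat lines and the PID-to-image-path map are constructed for the example; the IP and port mirror what the thread reports. It assumes a stock Windows install on drive C:, where the legitimate boot loader winload.exe lives under C:\Windows\System32, so a copy anywhere else is flagged.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `netstat -ano` output (not captured from the poster's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1020
  TCP    192.168.1.7:49321      124.217.249.249:6667   ESTABLISHED     2312
  TCP    192.168.1.7:49400      93.184.216.34:443      ESTABLISHED     3104
  UDP    0.0.0.0:5355           *:*                                    1344
"""

# Constructed PID -> image path map, as TCPView, Process Explorer or
# `tasklist` would show it for the same moment in time.
SAMPLE_PROCESSES = {
    1020: r"C:\Windows\System32\svchost.exe",
    2312: r"C:\winload.exe",
    3104: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    1344: r"C:\Windows\System32\svchost.exe",
}

IRC_PORTS = {6667}  # plain-text IRC, the port post #4 observed
# Assumption: stock Windows on C:, where the real boot loader winload.exe lives.
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")

# One netstat -ano row: proto, local, remote, optional state (absent for UDP), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) tuples; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        yield proto, local, remote, state or "", int(pid)


def remote_port(addr):
    """Return the port of an 'ip:port' string, or None for wildcards like '*:*'."""
    _host, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def find_suspicious(netstat_text, processes):
    """Flag rows that talk to an IRC port or belong to a misplaced winload.exe."""
    findings = []
    for _proto, _local, remote, _state, pid in parse_netstat(netstat_text):
        image = processes.get(pid, "")
        reasons = []
        port = remote_port(remote)
        if port in IRC_PORTS:
            reasons.append(f"outbound connection to IRC port {port}")
        path = PureWindowsPath(image)
        if path.name.lower() == "winload.exe" and path.parent != SYSTEM_DIR:
            reasons.append(f"winload.exe running from outside {SYSTEM_DIR}")
        if reasons:
            findings.append({"pid": pid, "image": image, "remote": remote, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {f['pid']} ({f['image']}) -> {f['remote']}: " + "; ".join(f["reasons"]))
```

On the sample data only PID 2312 is reported, with both reasons: it is the one row heading for 124.217.249.249:6667, and its image is C:\winload.exe rather than the System32 copy. On a real machine you would feed the script the text of `netstat -ano` and the PID-to-path mapping from TCPView or Process Explorer; a hit on either rule is a reason to take the file to a multi-engine scanner such as the jotti one the poster used, and to change any passwords typed while it was running.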
Old 04/11/2009, 21:12   #5
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
Ah yeah, now that you mention fud.exe, I believe it's coming from my cracked DU Meter 4. I deleted the file already as soon as I was booted from the game and changed my password. Glad it's not coming from this forum.

Strange, though, how the person the program was intended to send data to would know of a PW game. Maybe I was booted by a GM at that time and not because someone attempted to log in through my account, because the message is the same as if we tick [force login] on the login screen. His behaviour/response in the game has been kind of nuts and weird lately, lol.

Thanks btw for the info.
Smurfin is offline  