Malwarebytes found a file on my computer "AppData\Roaming\SAS7_000.DAT (Stolen Data)
I removed the file and also looked at it. It had a bunch of registry keys {ooo2000-000-000-0000000000046} this is not exact.
I'm using another computer to get info and have "unplugged" the computer from the net for now.
What now?
Anyway to find out what the reg keys are linked to?
Just slightly panicked.
Also, Malwarebytes asked me to send them a Hijackthis file which I did and they said it was a false positive.
So I'm feeling better but.................
Removing keylogger?
Re: Removing keylogger?
Those are GUIDs, which are generally used so programs can find where other software components are installed on the system. If you search the registry for them they often point to registry keys that may have information on the location of a file (mainly the ones with "clsid" somewhere in the path).
The one you mentioned looks like the ID for IDispatch which might not yield anything useful though. A lot of components implement that...
The one you mentioned looks like the ID for IDispatch which might not yield anything useful though. A lot of components implement that...
Re: Removing keylogger?
Is there a site or place I could go to look up some of my particular keys. Here's a few.
Do they look like they have any pertinent info?
{00020802-0000-0000-C000-000000000046}
{00020813-0000-0000-C000-000000000046}
{00020905-0000-0000-C000-000000000046}
{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
{00062FFF-0000-0000-C000-000000000046}
{C6E033E3-925F-11D4-8214-420BF9000000}
{00f25ae8-3625-4e34-92d4-f0918cf010ee}
{22A71B49-DDA0-43E0-9140-D18C76A50CF9}
{4367AB50-2512-43E6-AA00-7EDDB5364EE4}
{CB5EABCA-93E7-4091-BD71-0130F873595C}
Do they look like they have any pertinent info?
{00020802-0000-0000-C000-000000000046}
{00020813-0000-0000-C000-000000000046}
{00020905-0000-0000-C000-000000000046}
{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
{00062FFF-0000-0000-C000-000000000046}
{C6E033E3-925F-11D4-8214-420BF9000000}
{00f25ae8-3625-4e34-92d4-f0918cf010ee}
{22A71B49-DDA0-43E0-9140-D18C76A50CF9}
{4367AB50-2512-43E6-AA00-7EDDB5364EE4}
{CB5EABCA-93E7-4091-BD71-0130F873595C}
Re: Removing keylogger?
If a quick search on Google for each value doesn't yield anything, chances aren't very good.
I do have a number of these keys myself -
#1: (HKEY_CLASSES_ROOT\TypeLib) Office graph control, should point to graph.exe or similar
#2: (HKEY_CLASSES_ROOT\TypeLib) Excel embedded control
#3: (HKEY_CLASSES_ROOT\TypeLib) Word embedded control
#4: (HKEY_CLASSES_ROOT\TypeLib) looks like an embedded IE control (ieframe.dll)
#5: (HKEY_CLASSES_ROOT\TypeLib) Outlook object library
#7: (HKEY_CLASSES_ROOT\TypeLib) "PhotoAcquireObjects", a part of the inbuilt photo viewer apparently
Searched for #6 - seems to be a Nero component
#8 looks like something to do with "SkyGolf"?
#9 turns up nothing
#10 seems to have something to do with a TiVo component
Not sure this is of particular concern unless the values in question have been modified to point to something else. Which is definitely something you could do with the registry - hijack these "TypeLibs" so that whenever something tries to embed e.g. an Excel spreadsheet, it points to your malware instead.
Either way, I think this is basically hunting for ghosts. If you have good reason to suspect your machine is compromised, this isn't necessarily going to prove it, and if it turns up nothing, it's similarly no guarantee that everything is OK. There are many, many ways for something to hook into your system; it's not really possible to be sure whether it has or not unless you know exactly what to look for, where to look and how to look - and even if you do, it's very time-consuming.
I do have a number of these keys myself -
#1: (HKEY_CLASSES_ROOT\TypeLib) Office graph control, should point to graph.exe or similar
#2: (HKEY_CLASSES_ROOT\TypeLib) Excel embedded control
#3: (HKEY_CLASSES_ROOT\TypeLib) Word embedded control
#4: (HKEY_CLASSES_ROOT\TypeLib) looks like an embedded IE control (ieframe.dll)
#5: (HKEY_CLASSES_ROOT\TypeLib) Outlook object library
#7: (HKEY_CLASSES_ROOT\TypeLib) "PhotoAcquireObjects", a part of the inbuilt photo viewer apparently
Searched for #6 - seems to be a Nero component
#8 looks like something to do with "SkyGolf"?
#9 turns up nothing
#10 seems to have something to do with a TiVo component
Not sure this is of particular concern unless the values in question have been modified to point to something else. Which is definitely something you could do with the registry - hijack these "TypeLibs" so that whenever something tries to embed e.g. an Excel spreadsheet, it points to your malware instead.
Either way, I think this is basically hunting for ghosts. If you have good reason to suspect your machine is compromised, this isn't necessarily going to prove it, and if it turns up nothing, it's similarly no guarantee that everything is OK. There are many, many ways for something to hook into your system; it's not really possible to be sure whether it has or not unless you know exactly what to look for, where to look and how to look - and even if you do, it's very time-consuming.
Re: Removing keylogger?
Thanks for the posts. I'm normally very careful but that one file MalewareBytes found freaked me out. "Stolen Data" is not the name of a file you want to find on your computer.
Re: Removing keylogger?
Thanks, I'm trying to get someone to read a combofix log for me to see if they see anything suspicious.
Re: Removing keylogger?
Just found this in Program files in the Control Panel "cve-2012-1889"
Looks like a bad guy.
Looks like a bad guy.