Thread: keylogger? trojan?

  1. #1
    Senior Member

    keylogger? trojan?

    A friend asked me to look at their pc as their bank account had twice been illegally accessed and the bank claimed their pc must have a virus on it. They also do online shopping with their credit cards and there has been no rogue activity on their credit cards.

    They have XP fully patched, running up to date mcafee suite, using a firewalled NAT router. A full scan of mcafee finds nothing. Nothing suspicious in msconfig and the firewall program exceptions are as expected.

    I took their hard drive out and put it in one of my systems as a slave. Ran latest versions of avg, spybot, adaware and superantispyware - found 1 tracking cookie. I am at the point where I just don't believe it's some malware/trojan/virus on their pc that has allowed their bank details to be grabbed but their credit card details have been left alone. If I'd found a bunch of viruses and other crap on their pc I'd be thinking it was something on their pc but all the scans found absolutely nothing bar 1 tracking cookie. They say they only use the pc for email, online banking and buying from amazon, they never open emails from people they don't know and looking at their browser history I'd have to agree that they really don't visit many websites and definitely none that are remotely dodgy.

    Thoughts?

  2. #2
    NOT Banned

    Re: keylogger? trojan?

    I'd do a reinstall and then set up back to how it was, tell them not to run any programs downloaded from the internet or install anything and see how it goes. You can't really catch viruses from emails as it'd have to exploit something in the software which the scanners and firewalls would probably catch. It's running .exe or .scr files which can cause trojans/keyloggers to embed themselves in your system but even those are easily detected by A/V Software.

  3. #3
    Zzzzzzz sleepyhead's Avatar

    Re: keylogger? trojan?

    My guess is their log in details have been compromised (depending on HOW it is logged in) or whether they use a wireless router and that has somehow been compromised.

    Can your friend change ANY of the log in requirements, i.e. change password or unique word or something?

  4. #4
    Administrator Moby-Dick's Avatar

    Re: keylogger? trojan?

    Are you sure they haven't been phished?

    No phone calls from "the bank"?

  6. #5
    Zzzzzzz sleepyhead's Avatar

    Re: keylogger? trojan?

    Originally posted by Moby-Dick:
        Are you sure they haven't been phished?

        No phone calls from "the bank"?

    That was the term I couldn't think of..."phished". Thanks for that.

  7. #6
    Late Night Ninja! CrazyMonkey's Avatar

    Re: keylogger? trojan?

    If it is a trojan or keylogger, the reason you find nothing suspicious in msconfig or the firewall exceptions list is because the Trojan/Keylogger is more than likely injecting itself into a legit application that requires internet access - Thus you do not see a random application in the exceptions list.

    Get them to run hijackthis - http://www.trendsecure.com/portal/en...kthis/download

    Click "Do a system scan and save log file"
    ***Do not click 'Fix Checked' or delete anything from within Hijackthis!***

    Post the contents of the Log file here and I'll analyze it. Usually it pops up in here; otherwise there are many more steps that can be manually taken (higher success rate).

    Also dropping me a PM when you have posted your log file would be helpful.

    As a side note - A complete reformat is advisable in circumstances such as these, although it's always worth giving a removal a shot.

  9. #7
    Senior Member

    Re: keylogger? trojan?

    Thanks for the replies.
    I'll try "Hijackthis" but they've gone on holiday this morning for 2 weeks so as soon as they get back I'll run it and post the log.

    I suspected phishing but they are adamant they have never told anyone their details over the phone or in an email and I have no reason not to believe them. The fact that I can find nothing at all odd on their pc and their browsing history for the last 20 days has nothing out of the ordinary (no p0rn, or dodgy downloading sites) is the reason I don't think it's anything on their pc as I can't see how some malicious code could have got on there - more likely someone at their bank is at it if you ask me. They have disabled their internet banking for the meantime, which I think is the sensible thing to do.

    The wireless part of their router is disabled so that's not the source either. They live on their own, no kids or other relatives have access to the pc.

    It's not a big job to reload everything, they've only got about 4 programs other than XP on it but it's the not knowing where the problem is that irks me.

    Anyway, thanks for the replies and I'll get back with the hijack log.

  10. #8
    Registered+

    Re: keylogger? trojan?


  11. #9
    Senior Member

    Re: keylogger? trojan?

    Just to add to the paranoia... I'd throw in a rootkit check, the sysinternals tool is supposed to be quite good:

    http://technet.microsoft.com/en-us/s.../bb897445.aspx
