Spyware/Keylogger found on machine

Hi guys,

We've found a Key Logger on someone's PC in our U.S. offices. The trojan is Trojan.Boaxxe and it has indeed spotted 'Spyware.Ursnif' all over the place. We had some fraudulent activities occur in November 2017.

I've even included the snapshot for you of the findings. When I go to the .txt files you can see, it definitely has November dates, which is when the frauds occurred. However, if I go to the 'Trojan.Boaxxe' location, which is in the Appdata\Local\YJPack location, the date for that is 2015. I'm trying to work out when the actual keylogger was installed.

Is there any way of finding that out? And how on earth would a keylogger have been installed? Would it usually be through a manual installation or a possible script via phishing, etc.?

Thanks for helping
Yashy
Spyware.jpg
YashyAsked:

Hello ThereSystem AdministratorCommented:
1. If possible, disconnect from the Internet.
2. Enter Safe Mode and run Disk Cleanup or anything that deletes all your temp files.
3. Still in Safe Mode... run all necessary scans. Deep scans!
Some free tools: Kaspersky TDSSKiller for removing rootkits, Malwarebytes and HitmanPro for removing malware, AdwCleaner for removing adware.
4. Try to remove all 'unknown publisher' apps as well as recently downloaded files.
5. If nothing helps, you should consider reinstalling your OS.
Good luck!
0

masnrockCommented:
My bet would be on phishing being the root cause. You don't allow remote access directly to user systems, correct? Also, I notice you never mentioned whether users have administrative rights on their machines, which can be an issue in and of itself.

You could utilize a forensic tool like Redline from FireEye to conduct an investigation on that system. It will show you all sorts of activities such as logons and file creations.
0
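As an added example (not posted by anyone in this thread), a quick way to answer the "when was it installed" question before a full Redline run is to pull all three NTFS timestamps for the suspect folder and every file under it, rather than relying on the single "Date modified" column Explorer shows. The $Path default and the CSV output location are assumptions for illustration; run it against the affected PC (or better, a mounted image of it) from an elevated prompt.

```powershell
# Added example, not from the thread: NTFS timestamp triage of a suspect folder.
# $Path is an assumption; point it at the folder found on the affected machine.
param(
    [string]$Path = "$env:LOCALAPPDATA\YJPack"
)

function Get-TimestampTriage {
    param([string]$Root)
    # Include the directory itself: its CreationTime is normally the moment the
    # malware dropped the folder, which is the install time being asked about.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($i in $items) {
        [pscustomobject]@{
            Path          = $i.FullName
            CreationUtc   = $i.CreationTimeUtc
            LastWriteUtc  = $i.LastWriteTimeUtc
            LastAccessUtc = $i.LastAccessTimeUtc
            # A file copied or dropped onto the disk keeps the LastWriteTime it had
            # at its source but gets a fresh CreationTime. So LastWrite older than
            # Creation (e.g. written 2015, created Nov 2017) means Creation is the
            # drop date; a file edited in place shows the opposite ordering.
            WrittenBeforeCreated = ($i.LastWriteTimeUtc -lt $i.CreationTimeUtc)
        }
    }
}

$rows = Get-TimestampTriage -Root $Path
$rows | Sort-Object CreationUtc | Format-Table -AutoSize
# Keep a copy for the incident record and to line up against a Redline timeline.
$rows | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\timestamp-triage.csv"
```

Explorer's default "Date modified" column is LastWriteTime, so a 2015 date there does not rule out a 2017 install; compare it with the folder's CreationUtc and with the creation dates of the .txt logs. Note that simply opening files in Explorer can update LastAccessTime, which is why an image is preferable to the live disk.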
YashyAuthor Commented:
That's right, we don't have anybody allowed for remote access. Also, nobody has Administrative rights.

I will definitely look into the 'Redline' application. Appreciate your help.
0