Avast WEBforum

Other => Viruses and worms => Topic started by: victor43 on December 09, 2009, 08:25:31 PM

Title: Keylogger
Post by: victor43 on December 09, 2009, 08:25:31 PM
I believe my system is infected with a keylogger. AVAST has not detected it. Can someone tell me how to go about cleaning my system of this keylogger?

Thanks in advance.
Title: Re: Keylogger
Post by: Hermite15 on December 09, 2009, 08:32:25 PM
hi and welcome,

as to your issue, more details are needed, obviously... how did you detect it, what are the signs that you have a keylogger?
Title: Re: Keylogger
Post by: pinnacle on December 09, 2009, 08:34:56 PM
I would try this free application, A-Squared Free: http://www.emsisoft.com/en/software/free/
Title: Re: Keylogger
Post by: DavidR on December 09, 2009, 08:42:47 PM
What are the symptoms of your suspicions ?

If you haven't already got this software (freeware), download, install, update and run it, and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie

What is your firewall?
The reason for asking: for key-loggers to be of use, they must send the data gathered home, and a firewall with outbound protection would be a line of defence.
Title: Re: Keylogger
Post by: victor43 on December 09, 2009, 09:46:40 PM
hi and welcome,

as to your issue, more details are needed, obviously... how did you detect it, what are the signs that you have a keylogger?

Thanks Logos.

I can tell that there is an application monitoring my keystrokes because there is a lag/delay during typing. It was not present before, but after surfing I seem to notice that it has picked up. I have WinPatrol installed and running in the background. Also, I don't have any other applications running at the same time when typing.

Please advise, and thanks for everyone's replies.

Title: Re: Keylogger
Post by: Hermite15 on December 09, 2009, 09:51:26 PM
I'm afraid this doesn't mean you have a keylogger. Keyloggers in general should be able to record your keystrokes instantly without you noticing anything. The delay you got comes from something else. Check your keyboard settings ;) ...if it's not that, it's something else that might be broken on your install... malware maybe. Did you run a malware scan as suggested (with SAS and/or MAB)?
Title: Re: Keylogger
Post by: victor43 on December 09, 2009, 09:56:54 PM
I'm afraid this doesn't mean you have a keylogger. Keyloggers in general should be able to record your keystrokes instantly without you noticing anything. The delay you got comes from something else. Check your keyboard settings ;) ...if it's not that, it's something else that might be broken on your install... malware maybe. Did you run a malware scan as suggested (with SAS and/or MAB)?

I have noticed that my firewall application has warned me that it discovered that its security file(s) had been tampered with but are now restored, and that I should run a spyware/antivirus scan. I've seen this warning once now.

Thanks again
Title: Re: Keylogger
Post by: Jtaylor83 on December 09, 2009, 10:02:14 PM
The way to prevent future keyloggers by encrypting your keystrokes is to use KeyScrambler (http://www.qfxsoftware.com/Download.htm) from QFX Software.
Title: Re: Keylogger
Post by: victor43 on December 09, 2009, 11:00:07 PM
What are the symptoms of your suspicions?

What is your firewall?
The reason for asking: for key-loggers to be of use, they must send the data gathered home, and a firewall with outbound protection would be a line of defence.

Many thanks

You will type something fairly quickly, and what happens is you will finish typing and the characters become visible a split second afterwards. So you're ahead of the keystrokes. This happens often now.
My firewall is PC Tools Firewall Plus.
Title: Re: Keylogger
Post by: victor43 on December 09, 2009, 11:04:11 PM
The way to prevent future keyloggers by encrypting your keystrokes is to use KeyScrambler (http://www.qfxsoftware.com/Download.htm) from QFX Software.

Thanks for the reply. I will give that a try. Would you know how to tell if it's working once downloaded and installed? Is there a way to test it out?
Title: Re: Keylogger
Post by: pinnacle on December 09, 2009, 11:16:12 PM
Type some numbers in the address bar and look at the system tray where the KeyScrambler icon is; it will show it randomizing the numbers into a different sequence.
Title: Re: Keylogger
Post by: DavidR on December 09, 2009, 11:33:04 PM
What is your firewall?
The reason for asking: for key-loggers to be of use, they must send the data gathered home, and a firewall with outbound protection would be a line of defence.

Many thanks
<snip>
My firewall is PC Tools Firewall Plus.

That should give reasonable protection against unauthorised outbound connections, making it harder if there were a key-logger on the system to upload captured data.
Title: Re: Keylogger
Post by: victor43 on December 10, 2009, 12:32:27 AM
I'm afraid this doesn't mean you have a keylogger. Keyloggers in general should be able to record your keystrokes instantly without you noticing anything. The delay you got comes from something else. Check your keyboard settings ;) ...if it's not that, it's something else that might be broken on your install... malware maybe. Did you run a malware scan as suggested (with SAS and/or MAB)?

Thanks again Logos. Yes, I've taken the advice of DavidR and downloaded Malwarebytes, A-Squared and SuperAntiSpyware. Nothing showed up on any of the scans. I honestly feel that this malware has stealth capabilities. Hence another reason for thinking it's a keylogger.
 
Title: Re: Keylogger
Post by: Mr.Agent on December 10, 2009, 12:39:43 AM
Maybe do a HijackThis log for them so they can check your PC more thoroughly?
Title: Re: Keylogger
Post by: victor43 on December 10, 2009, 05:59:18 PM
I would try this free application, A-Squared Free: http://www.emsisoft.com/en/software/free/

Thanks for the tip. I downloaded this program and ran a scan. It found some suspect files which it uploaded. The files were not quarantined or cleaned since they were only suspect.

Title: Re: Keylogger
Post by: victor43 on December 10, 2009, 06:03:26 PM
Maybe do a HijackThis log for them so they can check your PC more thoroughly?

Logfile of HijackThis v1.99.1
Scan saved at 12:02:19 PM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrivacyKeyboard\akl_svc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\HiJackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\a-squared Free\a2service.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe /autorun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AUSER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: PrivacyKeyboard Service (akl_svc") - Unknown owner - C:\Program Files\PrivacyKeyboard\akl_svc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Title: Re: Keylogger
Post by: scythe944 on December 10, 2009, 06:11:44 PM
Is that the full log? I don't see the end of the file. You can also attach the log file to a post in the forum. Click the "Additional Options..." link near the end of the post, click "choose file", browse to the log file and click Open. Then, click Post.
Title: Re: Keylogger
Post by: victor43 on December 11, 2009, 09:29:06 PM
Is that the full log? I don't see the end of the file. You can also attach the log file to a post in the forum. Click the "Additional Options..." link near the end of the post, click "choose file", browse to the log file and click Open. Then, click Post.

Things are not going too well right now. For some reason my computer is running really slowly and Firefox has really started to act up. The lag/delay in my keystrokes is a lot more obvious.
Title: Re: Keylogger
Post by: victor43 on December 31, 2009, 09:27:40 PM
Is that the full log? I don't see the end of the file. You can also attach the log file to a post in the forum. Click the "Additional Options..." link near the end of the post, click "choose file", browse to the log file and click Open. Then, click Post.

Yes, that's the full/complete log. It's not the Trend Micro version of HijackThis but the one found here:
http://majorgeeks.com/download3155.html . Sorry for the late response. Victor.
Title: Re: Keylogger
Post by: CharleyO on January 02, 2010, 09:49:58 AM
***

The old version of HJT that you used may not give complete or correct results.

An analysis of the HJT log supplied shows these problems:

MSIE: Internet Explorer v7.00 (7.00.6000.16915)
A newer version of IE has been available for many months. You should consider upgrading to the more secure IE8.

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

There were several questionable entries for "PrivacyKeyboard." Research shows that these should be OK and the entries may be due to using the old version of HJT ... then again, maybe not due to the old version.

http://www.bleepingcomputer.com/startups/privacykeyboard-10344.html

You possibly have 2 firewalls running, which is not recommended:

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



Overview of running tasks (process | category | description):

smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
MsMpEng.exe | Anti Add/Spyware software | Microsoft Windows Defender Antispyware
smc.exe | Firewall | Sygate Personal Firewall
Explorer.EXE | System task | Microsoft Windows Explorer
aswUpdSv.exe | Virusscan | Avast Anti-Virus Component
ashServ.exe | Virusscan | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
akl_svc.exe | Unknown task ( PrivacyKeyboard ) | Unknown task
mscorsvw.exe | System task | .NET Runtime Optimization Service
GhostStartService.exe | Backgroundtask | Required to run the Windows based wizard in Norton Ghost
jqs.exe | Backgroundtask | Java Quick Starter Service
FWService.exe | Firewall | PC Tools Firewall Plus service
RichVideo.exe | Backgroundtask | Cyberlink Power Director Video Module
RichVideo.exe | Backgroundtask | Cyberlink Power Director Video Module
ashMaiSv.exe | Virusscan | Avast Anti-Virus Component
ashWebSv.exe | Virusscan | avast! Web Scanner
jusched.exe | Backgroundtask | Sun Java Update Scheduler
GhostStartTrayApp.exe | Backgroundtask | System Tray access to Norton Ghost
MSASCui.exe | Anti Add/Spyware software | Microsoft Windows Defender Antispyware
PDVDServ.exe | Backgroundtask | PowerDVD Remote Control
PrivacyKeyboard.exe | Security software | PrivacyKeyboard
FirewallGUI.exe | Firewall | PC Tools Firewall GUI
winpatrol.exe | Backgroundtask | WinPatrol
ashDisp.exe | Virusscan | Avast AntiVirus
SUPERAntiSpyware.exe | Anti Add/Spyware software | SUPERAntiSpyware
svchost.exe | System task | Microsoft Service Host Process
firefox.exe | Application | Mozilla Firefox
HijackThis.exe | Application | Merijn Hijackthis
avast.setup | Virusscan | avast! Antivirus
a2service.exe | Backgroundtask | a-squared Service


***
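CharleyO's review above applies a handful of repeatable cues to the HijackThis log: an outdated browser version in the header, entries marked "(file missing)", services with "Unknown owner", and two firewall services on one machine. The script below is an added example, not from this thread and not part of HijackThis or any analysis site it mentions: it parses the item lines (R0/R1, O4, O20, O23 and so on) and emits those findings mechanically. The embedded `SAMPLE_LOG` is a subset of the log victor43 posted earlier in the thread (including the stray quote in `akl_svc"`, which is in the original). It generalizes slightly beyond the post with one extra cue, `autorun-in-profile`, a common review heuristic for O4 entries that launch from a user-profile or temp path; in this log the only hit is Google Update, which is legitimate, so the output is a list of things to look at, not a verdict.

```python
import re

# Subset of the HijackThis v1.99.1 log posted earlier in this thread, embedded
# so the script runs offline. Item lines start with a code such as O4 or O23.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:02:19 PM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)

O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AUSER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PrivacyKeyboard Service (akl_svc") - Unknown owner - C:\Program Files\PrivacyKeyboard\akl_svc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

FILE_MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
MSIE_RE = re.compile(r"^MSIE: Internet Explorer v(\d+)\.")
# Extra heuristic (not from the thread): autoruns launched from a user profile
# or temp directory deserve a second look; legitimate updaters also match.
PROFILE_PATH_RE = re.compile(r"Documents and Settings|\\Users\\|\\Temp\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return (item code, body) pairs for the R0/R1/O2/O4/O23... lines."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def ie_major_version(log_text):
    """Major version from the 'MSIE:' header line, or None if absent."""
    for raw in log_text.splitlines():
        m = MSIE_RE.match(raw.strip())
        if m:
            return int(m.group(1))
    return None


def triage(log_text):
    """Apply the review cues used in this thread; returns (kind, code, detail) tuples."""
    findings = []
    ie = ie_major_version(log_text)
    if ie is not None and ie < 8:  # IE8 was the newer release at the time of the thread
        findings.append(("outdated-ie", "MSIE", "Internet Explorer v%d; IE8 available" % ie))
    firewalls = []
    for code, body in parse_entries(log_text):
        if FILE_MISSING in body:
            findings.append(("file-missing", code, body))
        if code == "O23":
            if "Unknown owner" in body:
                findings.append(("unknown-owner", code, body))
            if "firewall" in body.lower():
                firewalls.append(body.split(" - ")[0])  # keep "Service: <name>"
        if code == "O4" and PROFILE_PATH_RE.search(body):
            findings.append(("autorun-in-profile", code, body))
    if len(firewalls) > 1:
        findings.append(("multiple-firewalls", "O23", "; ".join(firewalls)))
    return findings


if __name__ == "__main__":
    for kind, code, detail in triage(SAMPLE_LOG):
        print("%-20s %-4s %s" % (kind, code, detail))
```

Run against the full log the same checks fire on the same lines CharleyO called out; the "Unknown owner" hits on the avast! services are a known quirk of old HijackThis builds mis-splitting quoted service paths, which is exactly why the thread recommends a current version before trusting the output.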