Avast WEBforum

Other => General Topics => Topic started by: sandy55 on December 02, 2010, 03:06:07 PM

Title: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 03:06:07 PM
Boot scan found a key logger. I am not sure what to do with it, so I put it in the virus chest. Do we only send viruses to the lab?

What do I do with this file? Does putting it in the chest affect Excel in any way?
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 03:11:20 PM
Now my computer is so slow I could take a walk after pressing enter and usually do as it is driving me mad.
Title: Re: excel key logger send to virus lab?
Post by: YoKenny on December 02, 2010, 03:14:48 PM
Well, with only a 1.58GHz processor and 448MB RAM it's no wonder the system is slow.

Add more RAM as that would be your best and cheapest option.
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 03:17:59 PM
Seems it was fast enough before I found the key logger. Ideas?
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 03:22:03 PM
Sent it.
Title: Re: excel key logger send to virus lab?
Post by: Pondus on December 02, 2010, 03:24:06 PM
Quote
Seems it was fast enough before I found the key logger. Ideas?
Have you tried a second opinion scan with Malwarebytes?
Title: Re: excel key logger send to virus lab?
Post by: SpeedyPC on December 02, 2010, 04:30:12 PM
Quote
Seems it was fast enough before I found the key logger. Ideas?
Have you tried a second opinion scan with Malwarebytes?

+1
Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 02, 2010, 04:34:24 PM
Quote
Boot scan found a key logger. I am not sure what to do with it, so I put it in the virus chest. Do we only send viruses to the lab?

What do I do with this file? Does putting it in the chest affect Excel in any way?

What was the file name and original location ?

Putting it in the chest whilst investigating it is the safest option.
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 06:25:24 PM

I did search on my computer for a key logger; this is what it found: FAMILY-KEYLOGGER-SETUP.EXE-34A19BCE.pf, been there since Nov 11, C/windows prefetch. Should I put this in the virus chest too?
Avast report says win32pup-C setting/documentw/Acer valued customer. I sent it already.
The first message said it was in Excel; I guess it is not there anymore as it is in the virus chest. Not sure if these are the same thing or not. I recently used Excel for the first time on this computer, likely the day noted on the virus report, Nov 27.

Malwarebytes found nothing.
Title: Re: excel key logger send to virus lab?
Post by: JuninhoSlo on December 02, 2010, 06:32:33 PM
Quote
Well, with only a 1.58GHz processor and 448MB RAM it's no wonder the system is slow.

Add more RAM as that would be your best and cheapest option.

+1
Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 02, 2010, 06:38:18 PM
The windows prefetch folder doesn't actually contain the file, but details about its physical location on the hard disk, etc. so that it can be loaded quicker.

Did you actually install this family keylogger, given its name ?

Key-loggers act in a way that tries to hide them from view and this may well be what is being detected, what is the malware name that it was given ?

Seeing your other mention of the suffix PUP means you have run a custom scan and had avast look for PUPs (Potentially Unwanted Programs). This can open a whole can of worms if you don't understand what a PUP is, as many tools, etc. can have an alternative use, good or evil, and avast can't determine intent.

That is where the PUP comes in: you, the user, have to know what you installed on your system and what it does, and if it could potentially be used for malicious purposes (key-logger, etc.) then it could be classified a PUP.

Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 06:53:36 PM
OK, thanks for your help.
Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 02, 2010, 06:54:53 PM
You're welcome.
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 07:13:36 PM
I did not load the key logger but did take my computer to a family member for help around that time, as I could not get the avast pro to work properly. He helped me out; perhaps he put it on. Bit creepy to think about. How would he see the logs, as I rarely see him...
Hoping it was just a glitch. I have no little kids and usually am the only one who uses this laptop, so there is no need for a key logger or security of that type.
Title: Re: excel key logger send to virus lab?
Post by: Chris Thomas on December 02, 2010, 08:21:56 PM
Please change all your major passwords.

Some keyloggers can email their installer with all your password and username logs, including your screenshots and history.

So, he doesn't need to check your PC physically...
Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 02, 2010, 08:24:32 PM
Quote
I did not load the key logger but did take my computer to a family member for help around that time, as I could not get the avast pro to work properly. He helped me out; perhaps he put it on. Bit creepy to think about. How would he see the logs, as I rarely see him...
Hoping it was just a glitch. I have no little kids and usually am the only one who uses this laptop, so there is no need for a key logger or security of that type.

You could check when the file was created, if that coincides with a family member helping you out.

You could also check out these other tools:
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 10:04:33 PM
I will change my passwords; that will take some doing.
In the meantime, before I do that, I ran a SUPERAntiSpyware check and this is the report from there:



Detected Item Description and Information

Listed below is basic information about the detected application/process. This application may not be safe to have on your system.
 
Summary :   Trojan.Agent/Gen-KeySpy[FKL]
    
Company :   Unknown/Varies
     
Description :   Trojan.Agent/Gen-KeySpy[FKL].Process


Is this the same thing?

No sense changing my passwords till I get rid of it, as it will just copy them, right?
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 10:23:06 PM
Lots of tracking stuff and the other at the bottom. I will let SAS do the trackers next. What of the other?

Here is the log; it is at the bottom. The log will not fit, so I have to send it in two messages.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2010 at 12:35 PM

Application Version : 4.46.1000

Core Rules Database Version : 5942
Trace Rules Database Version: 3754

Scan type       : Quick Scan
Total Scan Time : 00:13:22

Memory items scanned      : 447
Memory threats detected   : 0
Registry items scanned    : 1472
Registry threats detected : 1
File items scanned        : 7198
File threats detected     : 158

Trojan.Agent/Gen-KeySpy[FKL]
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Sys32V2Contoller [ C:\WINDOWS\mw2mmgr32\mw2mmgr32.exe ]

Now is this the same problem or another one????
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 02, 2010, 10:30:28 PM
I had SAS remove everything; have to reboot.

Why did avast not see this one?  Guess it pays to have more than one program.
Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 02, 2010, 10:40:47 PM
Quote
I had SAS remove everything; have to reboot.

Why did avast not see this one?  Guess it pays to have more than one program.


It did (up to a point) in the boot-time scan. So far all three have found the keylogger (some different elements in different areas), and all will be likely to have different malware names for it, as there is no standard naming convention for malware, so you can get lots of aliases.

After the reboot, run MBAM again and allow it to remove selected. Then run SAS again and finally run an avast scan.
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 03, 2010, 12:20:34 AM
I am surprised SAS could still find it if it was in the chest. Does being in the chest mean it cannot run in any respect? Malware did not see anything btw. I am going to run all the programs again. Should I delete the PUP from the avast chest?
Will report back.
Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 03, 2010, 12:38:59 AM
You didn't find it in the avast chest (a protected area) as your report doesn't show that. What has been found is another element of the keylogger as I mentioned.

Files in the chest are encrypted and from the outside the file name is not the same as the original. So they are safe in the chest if they are in there.

If you are talking about this "win32pup-C setting/documentw/Acer valued customer" there is no file name in that ?
So I can't say what it is; so I can't make any judgement.

Presumably you have an Acer computer ?
Title: Re: excel key logger send to virus lab?
Post by: sandy55 on December 03, 2010, 03:37:14 AM
Sorry I am not explaining this very well. 
I will try again.
 
This is the first message from avast boot scan. 
C documents and settings \ValuedAcerCustomer\MyDocuments\Downloads\family-keylogger-setup.excel>$INSTDIR\mw2mmgr32.dll is infected by win32:pup-gen[pup]

This I put in the chest,
then did a SAS scan and found this:

Trojan.Agent/Gen-KeySpy[FKL]
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Sys32V2Contoller [ C:\WINDOWS\mw2mmgr32\mw2mmgr32.exe ]

Part of the same issue, I have been told, but I do not understand how SAS can find it if it is in the chest.

The information I sent previously that said PUP was what I got from the chest when I asked for the properties; a window opened and gave me that information.
After the scan by SAS I had SAS deal with what it found.
I have completed another SAS scan which came back with just trackers, no keylogger. Malwarebytes came back clean every time. Avast full system scan came back clean. Is this scan good enough, or do I need a boot scan too?

Is it now time to change my passwords?
Thank you for your patience. Sandy


Title: Re: excel key logger send to virus lab?
Post by: DavidR on December 03, 2010, 12:16:24 PM
The file has gone, but there was a registry item left behind, and that is what SAS found. The registry item in isolation without the file is inert. What SAS found was the run command for the file; without the file it can't run anything.

Avast doesn't specifically scan the registry; if it finds spyware it does try to find any associated registry entry. In this case it wasn't found, but the most important part, the file, was.

So this wasn't in the chest as it is a registry entry not removed by avast.

In the file properties, avast also displays the file name and the path on separate lines, see image. The file name is also displayed in the chest itself before you check the properties. You didn't say if you actually have an Acer computer (?). All of which contribute to whether it is a legit file with a legit purpose on your Acer (?) computer and is used for good not evil (the double edged intent, one you want to keep the other you don't).

After any keylogger infection it is advisable to change passwords, certainly any banking ones, followed by email accounts, then any you consider confidential, etc. Those with a higher degree of severity should be done soonest, and the remainder when you have time.

The one thing about keyloggers is that they gather information, but essential to that is they have to get that information out and this is where a good firewall comes into play to block unauthorised outbound connections. So what is your firewall ?
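
The leftover-entry situation described in the last reply (a Run command whose file is gone), as an added example that is not part of the original thread: a read-only PowerShell check that lists Run-key autostart values, marks entries whose target no longer exists, and shows the creation time of targets that do exist so it can be compared with a known date. The helper name `Get-AutorunTarget` and the status labels are assumptions made for this illustration.

```powershell
# Added example (not from the thread): audit Run-key autostart entries.
# Read-only: nothing is deleted or modified.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunTarget {
    # Hypothetical helper: extract the executable path from a Run command line.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted form: "C:\path with spaces\app.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\path\app.exe /arg
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    # No recognised extension: return the whole string for manual review
    return $cmd
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-AutorunTarget $command
        # Only absolute paths can be checked reliably; bare names resolve via PATH
        $rooted  = $target -match '^([A-Za-z]:\\|\\\\)'
        $exists  = $rooted -and (Test-Path -LiteralPath $target -PathType Leaf)

        if (-not $rooted) { $status = 'CheckManually' }
        elseif ($exists)  { $status = 'Present' }
        else              { $status = 'OrphanedEntry' }   # run command left behind, file gone

        [pscustomobject]@{
            Status  = $status
            Name    = $name
            Target  = $target
            Created = if ($exists) { (Get-Item -LiteralPath $target -Force).CreationTime }
            Key     = $key
        }
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize -Wrap
```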