Author Topic: Avast missed a trojan keylogger  (Read 3994 times)


Offline BanziBaby

  • Full Member
  • ***
  • Posts: 138
  • Zeppelin Fanatic
Avast missed a trojan keylogger
« on: February 27, 2004, 04:16:50 PM »
Hi folks

I always run an Avast scan & Spybot scan at minimum twice a week, never finds much (yup it updated regularly)

Have been tryin Webroot's SpySweeper 2.6 & it found three things, the Alexa toolbar (removed it), Eacceleration (something to do with NOD, last time i removed it on win98, NOD's IMON wouldn't start & i had to reinstall it) & the one below (info copied from Webroot's site), removed it as well, it was mostly reg keys

SYSTEM MONITOR Description:

Name: WinWhatWhere

Author: TrueActive Software

Category: System Monitor

Threat Assessment: High


Description:

WinWhatWhere monitors all of your computer activity including keystrokes typed, Web sites visited, chat room conversation, and programs run.

Characteristics:

WinWhatWhere is a surveillance tool that records keystrokes, visited Web sites, both sides of chat room conversation, emails, clipboard contents, file activity and active applications. The program also captures screenshots and fields from online forms. The collected data is stored into a log file that can be secretly emailed to a remote address. WinWhatWhere runs in the background, so it is invisible to the user. In addition, the program can move and rename itself in order to hide itself from spyware detection programs.

Method of Infection:

WinWhatWhere can be installed by someone with administrative access to your computer, such as a system administrator or someone that shares your computer.

I have never ever installed anything like that & am very wary while online, this worries me cause it says it logs all info i type as well as chat room text & other stuff, does anyone here know more about it or what kind of software would install it??

Thx in advance

BaNzI ;D

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Avast missed a trojan keylogger
« Reply #1 on: February 27, 2004, 04:43:03 PM »
Hi,

does anyone else have access to your PC ?

please send the file detected as keylogger to
virus at asw dot cz

so it will be included into one of the next updates, if malicious


also scan the file with KAV (see below) and online scanners by www.ravantivirus.com and www.trendmicro.com and report here what it says

IF it really was said keylogger, AND you have sensitive private data on your PC, you should think about backup, format and reinstall
because you can't know what the keylogger transmitted and what else was installed

At least change all your passwords entered on the PC including onlinebanking and ebay etc.. and secure your system more

P.S.: some (online-)Games install keylogger components for more or less legit reasons..; you have something like that installed ?



 ;)

Offline BanziBaby

Re:Avast missed a trojan keylogger
« Reply #2 on: February 27, 2004, 04:59:30 PM »
Cheers WhoCares :)

All spy sweeper found was a few reg entries, no dll or exe files were found, I'm the only person that uses my pc, no one else does, i am always extra cautious & double scan any download with both Avast (my main scanner) & NOD 2.0.0.9, just done a scan with NOD & nothing found, have just updated Avast to the newer version & will be doin a boot scan & thorough/with archives on

I'm still curious how Spybot didn't pick anything up, i always check every day for newer updates, but it always came up clean, last night i decided to try the newer version of SpySweeper & that's what picked it up ???

I don't use online banking or have a credit card so i safe on that front, but i do use a chat room at a led zeppelin forum & the fact that it says it logs chat both ways has me worried. I use Outpost 2.1 pro as my firewall & have noticed a lot of outgoing connections for something called System\BootPS, but according to all online firewall tests i am stealthed to the max, have also noticed a lot of portscan alerts (outpost pops up a warning) most of them are on HTTP (DCOM) & all from various IP's

I would hate to format & reinstall, but i do have a restore image from a month or two ago

I did update Trillian to 2.011 & am wondering if the reg keys could have been for that, sure it monitors key strokes to check Ur idle status

I also use Opera as my main browser with Firefox for other sites, only use IE for windowsupdates, so opera stops most malicious crap from ie diallers & other spyware

I could zip up the quarantined files from Spysweeper & mail them to Avast at the addy U gave, will they be able to open them?

Will report back after bootscan & thorough scan, thanks so much for the advice & reply :)

BaNzI :D

Offline whocares

Re:Avast missed a trojan keylogger
« Reply #3 on: February 27, 2004, 05:09:05 PM »
Hi,

if it was only/mostly??   registry entries, what would you send ?

Spysweeper might also encrypt its quarantined files so that no other Spy/AV-Scanner stumbles over them, in that case alwil team might not be able to open/analyse them, except if they know the encryption used by spysweeper

please look in the report/log from spysweeper (or post it here)  if any FILES were quarantined; if so, you might want to restore them and then mail them to avast

afterwards, run spysweeper again

if it was only regkeys, i would still thoroughly check and secure the system, but you probably don't want to format then

 ;)

Offline BanziBaby

Re:Avast missed a trojan keylogger
« Reply #4 on: February 27, 2004, 06:52:08 PM »
Hi WhoCares :)

Ok, i scheduled a boot time scan with the updated Avast ( ie final not beta) nothing found, also done a scan with NOD (all setting high) nothing found, also done a scan with Tauscan (all files) nothing found

Will attach the log file from SpySweeper here if i can, the first scan found it, the two scans after that are clean

I also tried the links U posted, the trend micro page opened, after that i seemed to have lost all net, nothing worked just got connecting to remote host, so i then done the boot scan.

I have XP pro, all critical updates & outpost 2.1 firewall, Avast 4.1, Spybot 1.2 & Tauscan 1.65

Im still wondering if they might have been related to Trillian as i know that monitors keystrokes & text (for message history & idle status reasons) Will have to test Trillian & see if my hunch is right.

Will try Ur suggestion & post back, thanks again m8 :)

BaNzI :D

EDIT Whoops forgot the log file lol
« Last Edit: February 27, 2004, 06:55:57 PM by BanziBaby »

Offline BanziBaby

Re:Avast missed a trojan keylogger
« Reply #5 on: February 27, 2004, 06:56:57 PM »
Crap it wont post it, will just paste it here

|···  Friday, 27 February 2004  12:20 AM  ···|
Updating software definitions
Your software definitions have been updated.
12:22 AM Sweeping memory for active software.
12:22 AM Memory sweep has completed.
    Found: Alexa Toolbar registry trace.
    Found: Eacceleration registry trace.
    Found: WinWhatWhere registry trace.
12:23 AM Registry sweep completed.
12:23 AM Full sweep on all local drives initiated.
12:23 AM  Now sweeping drive C:
12:27 AM Full Sweep has completed.  Elapsed time 0 hours, 5 minutes, 15 seconds.
Files swept:    12,402
Software Located: 6
    Spy Sweeper quarantined registry traces of: Alexa Toolbar
    Spy Sweeper quarantined registry traces of: WinWhatWhere
    Spy Sweeper quarantined registry traces of: WinWhatWhere
    Spy Sweeper quarantined registry traces of: WinWhatWhere
    Spy Sweeper quarantined registry traces of: WinWhatWhere
·········  End of Session 12:29 AM  ·········


|···  Friday, 27 February 2004  12:38 AM  ···|
·········  End of Session 12:41 AM  ·········


|···  Friday, 27 February 2004  03:40 AM  ···|
03:40 AM Sweeping memory for active software.
03:40 AM Memory sweep has completed.
03:41 AM Registry sweep completed.
03:41 AM Full sweep on all local drives initiated.
03:41 AM  Now sweeping drive C:
03:45 AM Full Sweep has completed.  Elapsed time 0 hours, 4 minutes, 45 seconds.
Files swept:    12,406
Software Located: 0
·········  End of Session 04:06 AM  ·········


|···  Friday, 27 February 2004  04:35 PM  ···|
Updating software definitions
Your software definitions are up to date.
04:36 PM Sweeping memory for active software.
04:36 PM Memory sweep has completed.
04:37 PM Registry sweep completed.
04:37 PM Full sweep on all local drives initiated.
04:37 PM  Now sweeping drive C:
04:40 PM Full Sweep has completed.  Elapsed time 0 hours, 3 minutes, 43 seconds.
Files swept:    12,407
Software Located: 0
·········  End of Session 04:40 PM  ·········
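
Added example (not part of the thread, and not Webroot's code): a Python parser for the Spy Sweeper log layout pasted above, answering the question raised in Reply #3 of whether any files were quarantined or only registry traces. The function name `parse_sessions` and the assumption that a non-registry finding would use the same "Found: <name> <kind> trace." wording are assumptions; only the "registry" kind appears on this page.

```python
import re
from collections import Counter

# Abridged copy of two sessions from the log pasted above.
SAMPLE_LOG = """\
|···  Friday, 27 February 2004  12:20 AM  ···|
    Found: Alexa Toolbar registry trace.
    Found: Eacceleration registry trace.
    Found: WinWhatWhere registry trace.
Software Located: 6
    Spy Sweeper quarantined registry traces of: Alexa Toolbar
    Spy Sweeper quarantined registry traces of: WinWhatWhere
    Spy Sweeper quarantined registry traces of: WinWhatWhere
    Spy Sweeper quarantined registry traces of: WinWhatWhere
    Spy Sweeper quarantined registry traces of: WinWhatWhere
·········  End of Session 12:29 AM  ·········
|···  Friday, 27 February 2004  03:40 AM  ···|
Software Located: 0
·········  End of Session 04:06 AM  ·········
"""

START = re.compile(r"^\|.*?(\w+, \d+ \w+ \d{4}\s+\d+:\d+ [AP]M).*\|$")
FOUND = re.compile(r"Found: (.+) (\w+) trace\.")
QUAR = re.compile(r"quarantined (\w+) traces of: (.+)")
LOCATED = re.compile(r"Software Located: (\d+)")

def parse_sessions(text):
    """Return one summary dict per sweep session in a Spy Sweeper text log."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        if m := START.match(line):
            sessions.append({"start": " ".join(m.group(1).split()), "found": {},
                             "quarantined": Counter(), "located": None})
        elif not sessions:
            continue  # ignore anything before the first session header
        elif m := FOUND.search(line):
            sessions[-1]["found"][m.group(1)] = m.group(2)
        elif m := QUAR.search(line):
            sessions[-1]["quarantined"][m.group(2)] += 1
            sessions[-1]["found"].setdefault(m.group(2), m.group(1))
        elif m := LOCATED.search(line):
            sessions[-1]["located"] = int(m.group(1))
    for s in sessions:
        # Any kind other than "registry" means there is a file to restore and submit.
        s["registry_only"] = all(k == "registry" for k in s["found"].values())
        s["not_quarantined"] = sorted(set(s["found"]) - set(s["quarantined"]))
    return sessions
```

Run on the first session, it reports registry-only findings and lists Eacceleration as found with no matching quarantine line, which is the kind of mismatch worth checking before assuming a sweep removed everything it located.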

Offline Bernie

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
    • Freeware, Shareware für PC / Internet Tuning und Sicherheit
Re:Avast missed a trojan keylogger
« Reply #6 on: February 27, 2004, 11:43:11 PM »
Hi BanziBaby!

Did you also check with Ad-aware? http://www.lavasoftusa.com