Advanced Keylogger



marcomomo
2006-02-05, 17:22
Hello, I have used Spybot for years and find it great.
I use other freeware and online scans too. For a few days now, Pest Patrol has found an "Advanced Keylogger" several times, which very probably came in while surfing.
Have you heard about this new threat?

Thanks in advance.

edit: "Advanced", I forgot the d...

tashi
2006-02-05, 18:39
Hi there.

It would be hard to know if Advanced Keylogger is on the System without seeing a Spybot-S&D log.

First: when did you install Pest Control (i.e. have you had it a while without this detection before) and what is your Operating System?

Please open Spybot>Help>About
Let us know the version and latest detection update.

Cheers.

Danny
2006-02-05, 18:52
Hello
Try to find out what this "pest" is attached to... maybe it's part of one of your favorite software programs...
Try to give us some details about this item (I use PestPatrol too and I have rarely seen a false positive...). With an online scan with PP, you will have all the info to locate this one.
edit: try to find some info on the PestPatrol official site first... it will be more appropriate.

marcomomo
2006-02-05, 20:27
Hello
I'm running the latest version of Spybot (1.4.0.3) with the latest detections (and beta detections too) on XP SP2.
Nothing is detected, even with Ad-Aware SE (latest version and definition files).
There is no data available in the Computer Associates knowledge base for "advanced keylogger".
I'll check often while surfing.
I'm not certain it's a "true positive" when the others don't detect it... Or it's a new threat that is only detected by PP ^^
I have used PP for a few months and get the latest definitions too. The threat may be recent (maybe 5 to 10 days?). It is detected through a standard scan.
Thanks all :)

Danny
2006-02-05, 20:35
Hi
Normally PP online doesn't cure... it just gives you the way to remove the item manually... this way, you can (normally) get a full description of the "pest"... another thing you can do is download the trial version (30 days)... with this version, you can quarantine the item... and after that, you just have to delete the pest and/or buy it... it's a good purchase, and not too expensive... (maybe the end of this trial version is just the end of new detection rules... and you can keep PP with its old protection... I don't know the trial version...)
Bye
edit: Also, each and every antispyware software has its own specifications... sometimes one finds what the others don't detect... it's normal...
edit: one of my friends detected something last night with the same name, and he quarantined it... without any problems

marcomomo
2006-02-05, 21:24
Thanks for the advice.
If I find something new & interesting I'll come back ^^

Best regards & "pardon" my English, I'm French

Danny
2006-02-05, 21:34
Hi Marcomomo
Me too! I'm from Québec
If you want to continue in French... let's go!

marcomomo
2006-02-06, 00:05
Okay ^^
Actually I wasn't sure I could find a solution to my problem, because I'm well aware of the different "databases/threat definitions" of each program, and I've used a lot of them (if only on trial, like SpySweeper) and I've already had problems with false positives...
I was just wondering whether, from one program to another, as things go, the same definition of this keylogger might turn up, maybe in a future Spybot update ^^ (the program I recommend first to my acquaintances :bigthumb: ).
I'll run scans from time to time to see when this spy appears; actually I visit quite a few free game sites that require clicking advertising banners, it could come from there :confused:
It's nice to be able to express myself in French on the Spybot forum ;)
So if I have news or details I'll come back.
Thanks again and see you next time!

Danny
2006-02-06, 04:06
Ok...
Basically, it wouldn't surprise me if PP had found you a threat... for my part, in 2 years PP has never given me a false positive (a friend I talk computers with a lot told me of a threat with the same name detected yesterday evening with his PP... and the info on the item was non-existent... like yours... and he put this item in quarantine). Since it's a possible "keylogger", DO NOT MAKE ANY ONLINE TRANSACTIONS OR PURCHASES!... you may be asking for trouble. At the risk of repeating myself, think about the PP trial version (it will fix the problems for you and make a backup... so...)... I love PP... and the end of the trial version may not mean the program goes inactive... but probably the end of new threat definitions... I would go for that solution. (One thing is sure: if you don't do business online, the stress of a possible "keylogger" doesn't really apply... for my part, my trust in online transactions and the like is quite low... as little as possible, basically)
Bye
p.s. I'm going back into the forest for 8 days (work), so don't be surprised not to get replies before Tuesday the 28th of February :waving:

marcomomo
2006-02-06, 10:58
OK, thanks for everything!
I think roughly the same about online purchases ^^
PP hasn't found anything since.
Have a good work trip then :beerbeerb

Danny
2006-02-06, 13:06
Hi
You found nothing? So what steps did you take? (install PP?... manual removal, gone by magic??)
Bye
edit: another person seems to have the same keylogger
http://forums.spybot.info/showthread.php?p=10944#post10944
it's in German
but with this, you end up understanding
http://babelfish.altavista.com/tr

tashi
2006-02-06, 17:51
Hello marcomomo.

If there is a discussion here regarding malware (I am not too sure ;) ) and you would like someone to take a look at the System; please post in the malware forum so that an authorised helper can assist you.

Before you post a log (http://forums.spybot.info/showthread.php?t=288)

Start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

OR do this first:

Open Spybot, check for and get any updates available.
Close all browsers, check for problems and fix everything found in red.
Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View report, and ensure all the options near the bottom are selected except:

Uncheck[ ] do not report disabled or known legitimate Items.
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.

Now select (near the top) View report.
Press Export; in the Save in box choose a place such as your My Documents folder, then in your next post, near the bottom, select the "Browse" button; navigate to and attach or post that report in this topic please.

Best regards. :)

marcomomo
2006-02-06, 20:17
@Danny : Hello
The spy hasn't come back.
I've had PP installed for a few months, no problem ^^
I quarantined it each time (and deleted the quarantine).
But oddly it hasn't come back for 24 hours, whereas it came back fairly often these last few days...

@Tashi : Thanks for all
If the spy comes back I will check with Spybot first; I did PP standard scans because they are quite fast.
I read the German post too; he has the same threat.

edit: The CA database has reported this spy since 05/05, I just found this:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094239

Danny
2006-02-15, 01:47
Hi Marcomomo
In my opinion, when your spy kept coming back, it was probably due to one particular site you visited... so don't be surprised if it comes back...
Well, see you, and if you want a great computing site, go to
www.zebulon.fr
the forum members are pretty hot!
my nick is Zonk
Bye

royakai
2006-03-30, 10:56
in addition:

I have found Advanced Keylogger using PCGuard and Ad-Aware SE, but the anti-spyware tools have trouble getting rid of it. I know where it is placed, but a traditional tool like "delete" doesn't work;
I have found it in HKEY_CLASSES_ROOT\CLSID\... under InprocServer32, with "Apartment" under "ThreadingModel"; or as "(Default)" I see icmui.dll;

I don't know how to stop it working...

Does anybody know how to resolve the problem? How to find the sender? And how to k... its a...?
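A triage query for the registry location described in the post above, added here as an example (it is not code from the thread or from any of the tools named): it lists every CLSID whose InprocServer32 default value names a given DLL, with its ThreadingModel and Authenticode status, so a defender can see where a DLL is registered before touching anything. The DLL name defaults to icmui.dll from the post; the search is generalised to any DLL name and to both the machine-wide and per-user Classes hives, which together make up the HKEY_CLASSES_ROOT view.

```powershell
# Added example, not from the thread: find COM InprocServer32 registrations
# that point at a given DLL name, and report what they look like.
param(
    [string]$DllName = 'icmui.dll'   # name taken from the post; any DLL name works
)

# HKCR is a merged view: HKLM\SOFTWARE\Classes is machine-wide,
# HKCU\SOFTWARE\Classes is per-user and takes precedence. Search both so a
# per-user override of a machine-wide CLSID is not missed.
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $server)) { return }
        $props = Get-ItemProperty -Path $server -ErrorAction SilentlyContinue
        $path  = $props.'(default)'            # the server DLL path
        if (-not $path) { return }
        # Expand %SystemRoot%-style references and strip quotes before
        # comparing the file name.
        $expanded = [Environment]::ExpandEnvironmentVariables($path).Trim('"')
        if ((Split-Path $expanded -Leaf) -ine $DllName) { return }
        # Signature status is a triage hint only: a valid signature says who
        # built the file, not whether this registration belongs there.
        $sig = if (Test-Path $expanded) {
            (Get-AuthenticodeSignature -FilePath $expanded).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Hive           = $root.Split(':')[0]
            CLSID          = $_.PSChildName
            ServerPath     = $expanded
            ThreadingModel = $props.ThreadingModel
            Signature      = $sig
        }
    }
}

# Report only; nothing is deleted. Hand the list to whoever reviews the log.
$hits | Format-Table -AutoSize
```

A DLL path outside the Windows directory, a missing file, or a per-user entry shadowing a machine-wide one are the rows worth looking at first; a Spybot or HijackThis log, as the helpers in this thread ask for, is still needed to decide what to do with them.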

tashi
2006-03-30, 18:32
Hello royakai, can we see a Spybot-S&D log please.


Open Spybot, check for and get any updates available.
Close all browsers, check for problems and fix everything found in red.
Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View report, and ensure all the options near the bottom are selected except:

Uncheck[ ] do not report disabled or known legitimate Items.
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.

Now select (near the top) View report.
Press Export; in the Save in box choose a place such as your My Documents folder, then in your next post, near the bottom, select the "Browse" button; navigate to and attach or post that report.

Alternatively:
If you are not being helped at another forum, follow these instructions.
Before you post a log, and who will advise you (http://forums.spybot.info/showthread.php?t=288)

Start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Cheers.

royakai
2006-03-31, 17:38
Thanks for the reply - that's the report.

By the way, I check for updates almost every day and use Advanced mode.

tashi
2006-03-31, 18:36
Hello royakai.

Could you post a HJT log in the malware forum please, so we can take a look at the system from a different angle.

Before you post a log, and who will advise you (http://forums.spybot.info/showthread.php?t=288)

Thanks. :)