PDA

View Full Version : Stealth Keylogger / Registry back-up issue



NotaViking
2010-01-17, 16:55
After installing Spybot on a pretty new laptop and letting it do a registry back-up, I then ran a scan and it found a stealth keylogger. I asked for help on other forums and my logs seem to be fine and both Spybot and MBAM aren't finding anything now. However, I'm wondering if that registry back-up I did could be infected. Should I simply have Spybot do a new back-up? Thanks.

drragostea
2010-01-18, 01:27
The registry backup function has nothing to do with the keylogger that it has "detected". What have you done after the scan?
Have you removed it? Quarantined it? No action done?
-
Can you copy and paste the log?

NotaViking
2010-01-18, 02:56
Yes of course I let Spybot fix the problem - I assume it removed the keylogger rather than quarantining it. I can post the log tomorrow if necessary (I'm using a different pc to write this).

My concern over the registry is that the keylogger was in the registry when Spybot made the back-up. At least that is my assumption.

Edit: I posted the line from the Spybot fixes report on another forum, so I can copy that to here:

"Stealth Keylogger: [SBI $FD97FDA] Settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\ASK"

drragostea
2010-01-18, 20:06
Although, it appears to be unlikely that this detection is a false positive, Spybot appears to have cleared it up. I'm a bit confused on why you are still worried if avast, MBAM, and Spybot have came it clean.

I was just thinking that this could be a trace of a "keylogger". After all, it is a new machine and the pre-installed software (some you do not need) may have included the optional Ask.com toolbar.

I've been running my own pc with Avast, etc for the last year or so and never had a single problem, but this laptop picks up a really serious bit of malware in two weeks with little use and nothing I can see that looks risky.
I found your thread on PC Advisor. If you do not mind, I was wondering what you meant by "picking up a really serious bit of malware". Were you referring to the labtop?

So a few questions then:

1. Anything else I should be doing to make sure that it's gone?

2. Any theories on how it got on the laptop in the first place?

3. Do you think that the McAfee trial version was a weakness and letting it through?

4. When I installed Spybot, I let it do a back-up of the registry. If the keylogger was in the registry at that time, is that back-up infected?
1. You are fine for now. It is good news that your AV and anti-malware programs are not picking up anything.
2.Possibly with the preinstalled software (since some might host the optional Ask.com toolbar).
3. Nope. McAfee is McAfee. When it is distributed, it is offered as a trial. Not crippleware or a security suite with security holes.
4. Not necessarily "infected". To me, I've always said that if a malicious registry key was in your machine, it is technically dead. It is missing it's critical components (the core of the software) such as the files and services that are installed. But that does not mean it is always the case. I mean you can always remove the key in a split second.

How is the HJT logs going at PCA?

NotaViking
2010-01-19, 23:00
Firstly, I'd like to say thanks for taking such an interest. When I first posted here, I thought about linking to my other posts to give the full story, but I decided it was better just to try to ask a simple question and not take up too much of someone's time. But it's great that you made the effort to find my other posts and I appreciate it.



Although, it appears to be unlikely that this detection is a false positive, Spybot appears to have cleared it up. I'm a bit confused on why you are still worried if avast, MBAM, and Spybot have came it clean.

I'm not too worried now, just trying to tie up a few loose ends.



I was just thinking that this could be a trace of a "keylogger". After all, it is a new machine and the pre-installed software (some you do not need) may have included the optional Ask.com toolbar.

Yeah, that was my first thought too, but I would have expected to find lots of threads about the ask.com toolbar causing false positives if that was the case. However as I couldn't really find anything about it, I decided to be careful and assume that it was a real keylogger.



I found your thread on PC Advisor. If you do not mind, I was wondering what you meant by "picking up a really serious bit of malware". Were you referring to the labtop?

Yes. To be clear, there's my father's laptop on which Spybot reported the stealth keylogger and there's my pc which is a desktop and is absolutely fine. And by "serious bit of malware" I was referring to the stealth keylogger.



1. You are fine for now. It is good news that your AV and anti-malware programs are not picking up anything.
2.Possibly with the preinstalled software (since some might host the optional Ask.com toolbar).
3. Nope. McAfee is McAfee. When it is distributed, it is offered as a trial. Not crippleware or a security suite with security holes.
4. Not necessarily "infected". To me, I've always said that if a malicious registry key was in your machine, it is technically dead. It is missing it's critical components (the core of the software) such as the files and services that are installed. But that does not mean it is always the case. I mean you can always remove the key in a split second.

1.,2.,3. Ok

4. You've slightly lost me there, but I'd really just like to go back to my original question. Because Spybot did a back-up of the registry before I got rid of the keylogger, is the back-up infected? Should I do a new back-up? Or is there no problem?



How is the HJT logs going at PCA?

Ok. The thread is here (http://www.pchelpforum.com/fixed-hijackthis-logs/83482-stealth-keylogger.html). Had my logs looked over and they're fine. Ran into some trouble in getting Combofix to work and I've left it for the moment. I'd ask for help somewhere dedicated to Combofix before trying it again.

So, it's just really that point 4 above that I could do with being cleared up. Thanks again for your help.

Sonnenblumen
2010-01-24, 22:36
Hi, I had the same problem with a Samsung laptop, bought a few months ago. And I don't know where this "stealth keylogger" came from. Thought about ANT.COM and its toolbar for Firefox, which has been nearly the only site which has been adivised as not really safe and which I visited. But maybe it has something to do with pre-installations of SAMSUNG. To me, that would be the finest reason. It's strange that there's so little to find about this "stealth keylogger" in the www - mostly advertisments for a free download but much less information.

drragostea
2010-01-27, 22:03
Sonnenblumen, I seriously doubt keyloggers (especially the stealth ones) would be deliberately installed on new machines. Especially if you have purchased it from retailers such as the one that primarily serve the electronics (Best Buy, PC Richards, etc.).

How did you find out that a keylogger was hiding on your machine?

NotaViking
2010-01-29, 17:09
drragostea, I don't think that Sonnenblumen is suggesting that stealth keyloggers are deliberately installed on Samsung laptops, but that there is something in the pre-installed software that is causing some type of conflict / false positive when running Spybot.

And thanks for posting Sonnenblumen. I did find one other case of a new Samsung laptop having the same problem, but I'm surprised too that there's so little information on this problem on the internet.

drragostea, could I just ask for a response to what I wrote about point 4 in my previous post. Thanks.

drragostea
2010-01-30, 02:21
NotaViking, the backup is not necessarily "infected". What Spybot did was it made a copy of your registry when you first installed it. So in case something goes wrong during a removal (fix) Spybot has a "good" copy of the registry.

Your registry is fine now because Spybot took care of the trace. Your helper at the PCHelpForums, told you that your logs are clean, so that is a good sign. I do not think it is necessary to back up your registry again.
-
Sorry Sonnenblumen, I was a bit blunt back there.

NotaViking
2010-01-30, 22:43
Yep, I'm happy that the registry is fine, it's purely the back-up that I'm asking about. If something happens and Spybot needs to rely on that back-up, I want to be sure that it's ok.

When you say that "the backup is not necessarily "infected"", it sounds like you're saying that it's not necessarily clean either.

However, all I'm asking for is your opinion and if your opinion is that there's no reason to do another back-up then that's fine. You know way more about how Spybot works than I do.

Thanks for your help.

drragostea
2010-02-01, 05:19
Well, let me clarify. What I was saying was that it does not mean the backup is infected. I would say it would be considered "infected" if you had a bunch of malware and more malware was being downloaded at that time, then your registry is definitely in a bad state.


...it sounds like you're saying that it's not necessarily clean either.
Oh, no. It would be clean, except you have the "trace" of this stealth rootkit.

My opinion: It might be a coincidence that this trace was found. Even if Spybot were to reuse the original copy of your registry, who said you cannot remove that registry key again with a scan? ; ]

For the time being, if Spybot is not picking anything up in it's scans it is a good sign.

I'm glad I was able to help. :oreo:

NotaViking
2010-02-01, 18:40
Ok, that's clearer to me now. Thanks for your help, it's really appreciated.

msstatedawg
2011-03-01, 23:57
Sonnenblumen, I seriously doubt keyloggers (especially the stealth ones) would be deliberately installed on new machines. Especially if you have purchased it from retailers such as the one that primarily serve the electronics (Best Buy, PC Richards, etc.).

How did you find out that a keylogger was hiding on your machine?

There is a discussion going on right now in the CISSP group on LinkedIn about this very subject. A guy using Vipre Antivirus was able to detect a keylogger preinstalled on a Samsung machine straight out of the box. Samsung, after repeated denials, has admitted to him that the keylogger is installed to monitor system performance and user behavior.