
Thread: Stealth Keylogger / Registry back-up issue

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default Stealth Keylogger / Registry back-up issue

    After installing Spybot on a pretty new laptop and letting it do a registry back-up, I then ran a scan and it found a stealth keylogger. I asked for help on other forums and my logs seem to be fine and both Spybot and MBAM aren't finding anything now. However, I'm wondering if that registry back-up I did could be infected. Should I simply have Spybot do a new back-up? Thanks.

  2. #2
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    The registry backup function has nothing to do with the keylogger that it has "detected". What have you done after the scan?
    Have you removed it? Quarantined it? No action done?
    -
    Can you copy and paste the log?

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    Yes of course I let Spybot fix the problem - I assume it removed the keylogger rather than quarantining it. I can post the log tomorrow if necessary (I'm using a different pc to write this).

    My concern over the registry is that the keylogger was in the registry when Spybot made the back-up. At least that is my assumption.

    Edit: I posted the line from the Spybot fixes report on another forum, so I can copy that to here:

    "Stealth Keylogger: [SBI $FD97FDA] Settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\ASK"
    Last edited by NotaViking; 2010-01-18 at 03:03.

  4. #4
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Although it appears to be unlikely that this detection is a false positive, Spybot appears to have cleared it up. I'm a bit confused as to why you are still worried if Avast, MBAM, and Spybot have come up clean.

    I was just thinking that this could be a trace of a "keylogger". After all, it is a new machine and the pre-installed software (some you do not need) may have included the optional Ask.com toolbar.
    Quote Originally Posted by NotaViking
    I've been running my own pc with Avast, etc for the last year or so and never had a single problem, but this laptop picks up a really serious bit of malware in two weeks with little use and nothing I can see that looks risky.
    I found your thread on PC Advisor. If you do not mind, I was wondering what you meant by "picking up a really serious bit of malware". Were you referring to the laptop?
    Quote Originally Posted by NotaViking
    So a few questions then:

    1. Anything else I should be doing to make sure that it's gone?

    2. Any theories on how it got on the laptop in the first place?

    3. Do you think that the McAfee trial version was a weakness and letting it through?

    4. When I installed Spybot, I let it do a back-up of the registry. If the keylogger was in the registry at that time, is that back-up infected?
    1. You are fine for now. It is good news that your AV and anti-malware programs are not picking up anything.
    2. Possibly with the preinstalled software (since some might host the optional Ask.com toolbar).
    3. Nope. McAfee is McAfee. When it is distributed, it is offered as a trial. Not crippleware or a security suite with security holes.
    4. Not necessarily "infected". To me, I've always said that if a malicious registry key was in your machine, it is technically dead. It is missing its critical components (the core of the software) such as the files and services that are installed. But that does not mean it is always the case. I mean you can always remove the key in a split second.

    How are the HJT logs going at PCA?

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    Firstly, I'd like to say thanks for taking such an interest. When I first posted here, I thought about linking to my other posts to give the full story, but I decided it was better just to try to ask a simple question and not take up too much of someone's time. But it's great that you made the effort to find my other posts and I appreciate it.


    Quote Originally Posted by drragostea View Post
    Although it appears to be unlikely that this detection is a false positive, Spybot appears to have cleared it up. I'm a bit confused as to why you are still worried if Avast, MBAM, and Spybot have come up clean.
    I'm not too worried now, just trying to tie up a few loose ends.


    Quote Originally Posted by drragostea View Post
    I was just thinking that this could be a trace of a "keylogger". After all, it is a new machine and the pre-installed software (some you do not need) may have included the optional Ask.com toolbar.
    Yeah, that was my first thought too, but I would have expected to find lots of threads about the ask.com toolbar causing false positives if that was the case. However as I couldn't really find anything about it, I decided to be careful and assume that it was a real keylogger.


    Quote Originally Posted by drragostea View Post
    I found your thread on PC Advisor. If you do not mind, I was wondering what you meant by "picking up a really serious bit of malware". Were you referring to the laptop?
    Yes. To be clear, there's my father's laptop on which Spybot reported the stealth keylogger and there's my pc which is a desktop and is absolutely fine. And by "serious bit of malware" I was referring to the stealth keylogger.


    Quote Originally Posted by drragostea View Post
    1. You are fine for now. It is good news that your AV and anti-malware programs are not picking up anything.
    2. Possibly with the preinstalled software (since some might host the optional Ask.com toolbar).
    3. Nope. McAfee is McAfee. When it is distributed, it is offered as a trial. Not crippleware or a security suite with security holes.
    4. Not necessarily "infected". To me, I've always said that if a malicious registry key was in your machine, it is technically dead. It is missing its critical components (the core of the software) such as the files and services that are installed. But that does not mean it is always the case. I mean you can always remove the key in a split second.
    1.,2.,3. Ok

    4. You've slightly lost me there, but I'd really just like to go back to my original question. Because Spybot did a back-up of the registry before I got rid of the keylogger, is the back-up infected? Should I do a new back-up? Or is there no problem?


    Quote Originally Posted by drragostea View Post
    How are the HJT logs going at PCA?
    Ok. The thread is here. Had my logs looked over and they're fine. Ran into some trouble in getting Combofix to work and I've left it for the moment. I'd ask for help somewhere dedicated to Combofix before trying it again.

    So, it's just really that point 4 above that I could do with being cleared up. Thanks again for your help.

  6. #6
    Junior Member
    Join Date
    Jan 2010
    Posts
    1

    Default stealth keylogger

    Hi, I had the same problem with a Samsung laptop, bought a few months ago. And I don't know where this "stealth keylogger" came from. Thought about ANT.COM and its toolbar for Firefox, which has been nearly the only site which has been advised as not really safe and which I visited. But maybe it has something to do with pre-installations of SAMSUNG. To me, that would be the finest reason. It's strange that there's so little to find about this "stealth keylogger" in the www - mostly advertisements for a free download but much less information.

  7. #7
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Sonnenblumen, I seriously doubt keyloggers (especially the stealth ones) would be deliberately installed on new machines. Especially if you have purchased it from retailers such as the ones that primarily serve electronics (Best Buy, PC Richards, etc.).

    How did you find out that a keylogger was hiding on your machine?

  8. #8
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    drragostea, I don't think that Sonnenblumen is suggesting that stealth keyloggers are deliberately installed on Samsung laptops, but that there is something in the pre-installed software that is causing some type of conflict / false positive when running Spybot.

    And thanks for posting Sonnenblumen. I did find one other case of a new Samsung laptop having the same problem, but I'm surprised too that there's so little information on this problem on the internet.

    drragostea, could I just ask for a response to what I wrote about point 4 in my previous post. Thanks.

  9. #9
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    NotaViking, the backup is not necessarily "infected". What Spybot did was it made a copy of your registry when you first installed it. So in case something goes wrong during a removal (fix) Spybot has a "good" copy of the registry.

    Your registry is fine now because Spybot took care of the trace. Your helper at the PCHelpForums told you that your logs are clean, so that is a good sign. I do not think it is necessary to back up your registry again.
    -
    Sorry Sonnenblumen, I was a bit blunt back there.
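
The question running through this thread is whether a registry backup taken before a fix still carries the flagged key. The script below is an added example, not Spybot's code and not part of the original thread; Spybot's own backup format is not described here, so it assumes a standard `.reg` export of the kind `reg export` produces and checks it for a key path. The sample export is constructed for illustration (the value names under the ASK key are invented); only the key path `HKEY_LOCAL_MACHINE\SOFTWARE\ASK` comes from the Spybot report quoted in post #3.

```python
"""Check a Windows registry export (.reg) for a flagged key path.

Added example for this thread, not Spybot's code. Assumes a standard
.reg export (the format written by `reg export`), since the thread does
not describe Spybot's own backup format.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample export. The ASK key path is the one Spybot reported in
# the thread; the value names and data under it are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\ASK]
"InstallDir"="C:\\Program Files\\Ask.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\ASK\Toolbar]
"Enabled"=dword:00000001
"Blob"=hex:00,01,\
  02,03

[HKEY_CURRENT_USER\Software\Other]
@="default"
"""

KEY_LINE = re.compile(r"^\[(-?)(.+)\]\s*$")          # [-KEY] marks a deletion
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data


@dataclass
class RegKey:
    path: str
    deleted: bool
    values: Dict[str, str] = field(default_factory=dict)


def decode_reg(data: bytes) -> str:
    """`reg export` writes UTF-16LE with a BOM; older REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_reg(text: str) -> List[RegKey]:
    """Parse .reg text into keys with their raw (unconverted) value strings."""
    keys: List[RegKey] = []
    current = None
    pending = ""  # hex data may continue onto the next line after a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        m = KEY_LINE.match(line)
        if m:
            current = RegKey(path=m.group(2), deleted=bool(m.group(1)))
            keys.append(current)
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current.values[name] = m.group(2)
    return keys


def _norm(path: str) -> str:
    """Registry paths are case-insensitive; also expand the HKLM/HKCU short forms."""
    p = path.strip().rstrip("\\").lower()
    for short, full in (("hklm\\", "hkey_local_machine\\"), ("hkcu\\", "hkey_current_user\\")):
        if p.startswith(short):
            p = full + p[len(short):]
    return p


def find_key(keys: List[RegKey], wanted: str, include_subkeys: bool = True) -> List[RegKey]:
    """Return the keys in the export that match `wanted` (and its subkeys by default)."""
    target = _norm(wanted)
    return [k for k in keys
            if _norm(k.path) == target or (include_subkeys and _norm(k.path).startswith(target + "\\"))]


if __name__ == "__main__":
    # With a real file: parse_reg(decode_reg(open("backup.reg", "rb").read()))
    hits = find_key(parse_reg(SAMPLE_REG), r"HKEY_LOCAL_MACHINE\SOFTWARE\ASK")
    for k in hits:
        print(("DELETE " if k.deleted else "") + k.path, k.values)
```

If the flagged path shows up in the export, the backup would write that key back on restore; as drragostea notes in post #4, a bare key without the program's files and services is inert, but knowing it is there lets you decide deliberately whether to keep that backup or take a fresh one after the fix.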

  10. #10
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    Yep, I'm happy that the registry is fine, it's purely the back-up that I'm asking about. If something happens and Spybot needs to rely on that back-up, I want to be sure that it's ok.

    When you say that "the backup is not necessarily "infected"", it sounds like you're saying that it's not necessarily clean either.

    However, all I'm asking for is your opinion and if your opinion is that there's no reason to do another back-up then that's fine. You know way more about how Spybot works than I do.

    Thanks for your help.
