Computer Hope
Software => Computer viruses and spyware => Topic started by: 02bin3 on May 25, 2009, 08:04:51 AM
-
Back again with another problem. I used KL-Detector to see if I have a keylogger on my computer and the report generated stated that, "someone might have installed a keylogger on your computer!" and it gave a one page list of files that appear suspicious, plus a 42 page full report. I was supposed to view this list and pick out whatever files KL-Detector felt contained a keylogger. Frankly, I haven't the foggiest notion of what I am looking at or what it is I am supposed to identify. Is there a more definitive way for those of us, who love computers but haven't a clue as to how their innards work, to find and get rid of a keylogger? I know my computer has some big time problems since I have 8 instances of svchost.exe running all the time according to Task Manager and have no idea as to how to identify which of the 8 is the REAL and necessary file. There are usually 55 processes running at any given time when I boot up some of which I did remove from the Task Bar and presently the Task Manager is showing 43 processes but I have no idea if the others will reappear when I reboot the next time. Do you think that maybe I should just have Windows reinstalled? I think I got in trouble initially when my Zonealarm firewall had conflicts with Wildblue so I just relied on Windows firewall until I switched to Hughesnet and activated Zonealarm again. I hadn't had any security programs prior to running Windows firewall. Zonealarm and Norton Antivirus seemed to have worked quite well.
-
http://www.computerhope.com/jargon/k/keylogger.htm
Go to the above and read.
What security do you have?
-
If you want your computer checked and cleaned you should follow the instructions in this link and post the required logs.
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
Thanks for replying, Harry 48 and Super Dave. For security I have: Norton Antivirus and Zonealarm Firewall that I just recently turned on as Zonealarm had a problem with letting me get on line when I had Wildblue. I run Ad-Aware, SuperAntispy, CCleaner and Malwarebytes frequently and none of them are picking up whatever it is that is giving me 8 svchost.exe processes running every time I boot up, nor are they picking up on a keylogger. Spywareblaster is also running and Secunia to let me know when programs I have may need security updates. Despite my obvious computer bug paranoia, I still have problems.
-
8 svchost.exe processes running is common. While svchost.exe can be an infection, seeing multiple running is nothing to worry over. If you have run all of those and not found anything I would be willing to say that whatever is going on is not malware.
Keyloggers can be hard to find and even harder to remove. If one is there you shouldn't notice anything at all wrong with the computer. What makes you think it's a keylogger?
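An added example, not part of the original reply: one way to check the point above on a current Windows system is to list every svchost.exe instance with its image path, parent process and hosted services. It assumes PowerShell 3 or later run from an elevated prompt; on the poster's Windows XP Professional the built-in `tasklist /svc` command gives the process-to-service mapping.

```powershell
# Added example: triage all svchost.exe instances.
# A genuine instance runs from %SystemRoot%\System32, is started by
# services.exe (the Service Control Manager) and hosts at least one service.
# Note: 64-bit Windows also ships a 32-bit copy under SysWOW64, which this
# script flags for manual review rather than treating as normal.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Snapshot processes once and index them by PID for parent lookups.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Running services carry the PID of the process that hosts them.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $proc   = $_
    $parent = $byPid[[int]$proc.ParentProcessId]
    $hosted = @($services |
        Where-Object { $_.ProcessId -eq $proc.ProcessId } |
        ForEach-Object { $_.Name })

    $flags = @()
    if (-not $proc.ExecutablePath) {
        # Without elevation the path of system processes is not readable.
        $flags += 'path unreadable (run elevated)'
    }
    elseif ($proc.ExecutablePath -ine $expected) {
        $flags += 'unexpected path'
    }
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $flags += 'parent is not services.exe'
    }
    if ($hosted.Count -eq 0) {
        $flags += 'hosts no services'
    }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Path     = $proc.ExecutablePath
        Parent   = if ($parent) { $parent.Name } else { '(exited)' }
        Services = $hosted -join ', '
        Flags    = if ($flags) { $flags -join '; ' } else { 'ok' }
    }
} | Format-Table -AutoSize -Wrap
```

Several rows marked `ok` are the normal case described above; a row with a flag is a starting point for a closer look, not proof of infection.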
-
Thanks for your reply, evilfantasy.
Maybe you can make more sense of this than I could. The whole report was 42 pages. I have only pasted the first page as that is the only one that seems to narrow it down to where the problem might be.
When I ran KL-Detector the report said the following:
Keylogger report from KL-Detector
KL-Detector has found some suspicious files:
C:\System Volume Information\EfaData\SYMEFA.DB
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\mrcFramework\common.dat-journal
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\mrcFramework\common.dat
C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
C:\Documents and Settings\All Users\Application Data\COMMON FILES\INTUIT\QUICKBOOKS\qbupdate\log\CHANNEL.LOG
C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
C:\System Volume Information\EfaData\SYMEFA.DB-journal
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Downloads\Download.Resumption.Lue
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Logs\TempLog.Lue
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Downloads\minitri.flg
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Downloads\streaming\1243256466jtun_streamset.zip
C:\System Volume Information\_restore{2DE0CEA9-1995-4840-BE9D-D880FE5FCB1B}\RP311\change.log
Please check; someone might have installed a keylogger on your computer!
You MAY want to take a look at:
C:\Documents and Settings\owner\
C:\System Volume Information\EfaData\
C:\WINDOWS\system32\config\
C:\System Volume Information\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\mrcFramework\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Downloads\
C:\Documents and Settings\All Users\Application Data\COMMON FILES\INTUIT\QUICKBOOKS\qbupdate\log\
C:\WINDOWS\Prefetch\
C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\
C:\Documents and Settings\owner\Local Settings\
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Logs\
C:\DOCUME~1\owner\LOCALS~1\Temp\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\_lck\
-
None of those files are of any threat.
I would remove KL-Detector ASAP. It used to be and still may be listed as a rogue itself.
What makes you think it's a keylogger?
Can you tell me why?
-
I do not have a concrete reason for suspecting a keylogger but in my internet travels to find answers I could understand as to why at times my CPU would be running at 100%, and sometimes there were 2 iexplore.exe processes running, 8 svchost.exe processes and other processes that according to ProcessLibrary.com were strong contenders for viruses, trojans, worms, etc., I've been trying to eliminate possible suspects on my own. There is no one in my house with the slightest interest in the computer never mind installing a keylogger program. A new hard drive was installed last September but I would like to think that the folks I trusted with my computer wouldn't install such a program. Below is a log from ProcessLibrary of what is generally running on my computer:
http://www.processlibrary.com/
File name Product name Status Security Performance Network Source Recommendation
1 aawservice.exe Ad-Aware Service Application Running Low Memory Usage Service Scan For Errors
2 aawtray.exe Ad-Aware Tray Application Running Unknown Low Memory Usage Autostart Scan For Threats
3 acrord32.exe Adobe Reader Running Low Memory Usage Process Scan For Errors
4 alg.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
5 aluschedulersvc.exe LiveUpdate Running Low Memory Usage Service Scan For Errors
6 askservice.exe Running Low Memory Usage LAN Service Scan For Errors
7 calmain.exe Running Low Memory Usage Service Scan For Errors
8 ccsvchst.exe Symantec Security Technologies Running Low Memory Usage Service Scan For Errors
9 ccsvchst.exe Symantec Security Technologies Running Low Memory Usage Service Scan For Errors
10 csrss.exe Microsoft® Windows® Operating Sys... Running Unknown Low Memory Usage Process Scan For Threats
11 ctfmon.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Autostart Scan For Errors
12 ctoolbar.exe Crawler Toolbar Running Unknown Low Memory Usage Process Scan For Threats
13 e_fati9aa.exe EPSON Status Monitor 3 Running Low Memory Usage Autostart Scan For Errors
14 em_exec.exe MouseWare Running Low Memory Usage Process Scan For Errors
15 explorer.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
16 findfast.exe Running Low Memory Usage Autostart Scan For Errors
17 hpztsb06.exe HP DeskJet Running Low Memory Usage Autostart Scan For Errors
18 iexplore.exe Windows® Internet Explorer Running Medium Memory Usage LAN Process Scan For Errors
19 itouch.exe iTouch Running Low Memory Usage Autostart Scan For Errors
20 jqs.exe Java(TM) Platform SE 6 U13 Running Unknown Low Memory Usage LAN Service Scan For Threats
21 jusched.exe Java(TM) Platform SE 6 U13 Running Low Memory Usage Autostart Scan For Errors
22 logi_mwx.exe MouseWare Not Running Autostart Scan For Errors
23 lsass.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Network Service Scan For Errors
24 msascui.exe Windows Defender Running Unknown Low Memory Usage Autostart Scan For Threats
25 msmpeng.exe Windows Defender Running Low Memory Usage Service Scan For Errors
27 osa.exe Running Low Memory Usage Autostart Scan For Errors
28 pifsvc.exe LiveUpdate Notice Running Low Memory Usage Service Scan For Errors
29 pifsvc.exe LiveUpdate Notice Running Low Memory Usage Service Scan For Errors
30 processscanner.exe ProcessScanner Running Low Memory Usage Process Scan For Errors
31 psi.exe Secunia PSI Running Unknown Low Memory Usage LAN Autostart Scan For Threats
32 qbcfmonitorservice.... QuickBooks for Windows Running Low Memory Usage Service Scan For Errors
33 qbupdate.exe QuickBooks Automatic Update Running Low Memory Usage Autostart Scan For Errors
34 reader_sl.exe Adobe Acrobat Not Running Autostart Scan For Errors
35 searchfilterhost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
36 searchindexer.exe Microsoft® Windows® Operating Sys... Running Unknown Low Memory Usage Service Scan For Threats
37 searchprotocolhost.... Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
38 services.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
39 smss.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
40 soundman.exe Realtek Sound Manager Running Low Memory Usage Autostart Scan For Errors
41 spoolsv.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
42 sp_rsser.exe Crawler Spyware Terminator Running Low Memory Usage Service Scan For Errors
43 spywareterminatorsh... Crawler Spyware Terminator Running Low Memory Usage Autostart Scan For Errors
44 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
45 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
46 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
47 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
48 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
49 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Network Service Scan For Errors
50 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage LAN Service Scan For Errors
51 svchost.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Service Scan For Errors
< Showing items 27 - 51 of 59>
53 vsmon.exe TrueVector Service Running Low Memory Usage Service Scan For Errors
54 windowssearch.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Autostart Scan For Errors
55 winlogon.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
56 wmiprvse.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
57 wmiprvse.exe Microsoft® Windows® Operating Sys... Running Low Memory Usage Process Scan For Errors
58 wweb32.exe WordWeb Running Low Memory Usage Autostart Scan For Errors
59 zlclient.exe ZoneAlarm Client Running Low Memory Usage Autostart Scan For Errors
< Showing items 53 - 59 of 59>
Thanks for your follow-up.
-
Run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols.shtml) for Viruses, Spyware and RootKits.
Note: This Scanner is for Internet Explorer Only!
- Click on Online Services and then Online Scanner
- Accept the License Agreement.
- Once the ActiveX installs, click Full System Scan.
- Once the download completes, the scan will begin automatically.
- The scan will take some time to finish, so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and copy and paste the entire report in your next reply.
-
Unfortunately after generating the report from f-secure, I was only able to paste to Notepad and print it out from that as it would not allow me to save in either Word, Notepad nor Wordpad???? My CPU began running at 100% and pretty much everything froze up and wouldn't work. Anyway, this is the information that f-secure came up with:
Scanning Report
Tuesday, May 26, 2009 16:39:47 - 18:13:44
Computer name: OWNER - 2SU97NY40
Scanning type: Scan system for malware, spyware and rootkits
-------------------------------------------------------------------------------------
1 malware found
TrackingCookie.Atwola (spyware)
System (Disinfected)
---------------------------------------------------------------------------------------
Statistics
Scanned:
Files: 43266
System: 3702
Not scanned: 11
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537847F55FC}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_NPC.TRAY.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_UI.HOST.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
------------------------------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure USS:3.0.0
F-Secure Hydra: 3.8.9080, 2009-05-26
F-Secure AVP: 7.0.171, 2009-05-22
F-Secure Pegasus: 1.20.0
F-Secure Blacklight
Scanning Options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO?
XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIZ . ACM ASP AX CNV CSC DRV INI MDB MPP MPT
OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TDO TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics
-----------------------------------------------------------------------------------------
Thanks,
-
1 malware found
TrackingCookie.Atwola (spyware)
System (Disinfected)
I don't see any issues.
-
Well thanks, that is good to hear. But, I am still left wondering why my CPU runs at 100% every so often, and large files are downloaded to my computer when I haven't been using it and I can't find them. The only reason I know they've been downloaded is that Hughesnet will slow my speed to a crawl and when I check my usage for the day it will show that I have downloaded a file of 173 MB or so (which I'm unaware of), and their daily allowance is 200 MB. This has happened a couple of times and I have no idea where or what was downloaded. Most of the time the CPU usage bounces around between 2% and 40% but sometimes it will be up around 100% and I will have no programs open other than what loads at the desktop for security. I am constantly running malware programs to get rid of any malware, defragging monthly, Norton Antivirus downloads automatically as does Microsoft updates to keep my security tight and Secunia reminds me if there are needed security updates to other programs that do not update automatically. What other areas would you suspect there could be a problem? I have Windows XP Professional, 280 GB hard drive, 2 GB of Memory, 2.45 GHz Intel Pentium 4, 2 monitors, and 2 printers. The programs I have are: Secunia, Norton Antivirus, Ad-aware, SpywareBlaster, SuperAntiSpy, Ccleaner, Malwarebytes, Zonealarm, Free Download Manager, Java, Adobe Reader 9, Quick Books 2008, Print Shop, IrfanView, WordWeb, Office 97, Revo Uninstaller, Canon's download program for digital camera, Logitech mouse and keyboard, Windows Media Player. I don't know if any of these are a problem but I thought I'd include them. I am assuming that the free anti-virus programs I have are not running "live" to conflict with Norton. Thanks, again.
-
That all sounds OK.
I don't know what it is. Maybe something is updating? Zone Alarm is known to be heavy on resources. You might look into another firewall. Norton doesn't have a firewall built in?
-
I have only Norton Antivirus because several years ago I'd had their Norton Utilities and my computer ran wicked slow and was constantly crashing so a friend who had been in the computer business and had had the same problem, suggested using just their antivirus program. I understand that they have ironed out the bugs in their security system now and it no longer hogs a lot of memory in order to run. It would be nice to be able to buy ONE program that would reliably and consistently do it all from firewall to antivirus, trojans, etc., but I haven't heard of any that do it ALL well.
-
It would be nice to be able to buy ONE program that would reliably and consistently do it all from firewall to antivirus, trojans, etc., but I haven't heard of any that do it ALL well.
That is actually the worst way IMHO. Putting all of your eggs in one basket...
-
Thanks for all of your help. You have no idea how much folks like me appreciate folks like you who are willing to spend time and share your knowledge helping those of us who are at times... clueless!
-
There are too many tools out there that simply create more confusion than they do answer questions.
In the end, trust your antivirus to do its job.