#1
Really, I should know better when trying new programs and my intuition is saying "NO!" The only proggy I tried since my last scan with Spybot was ICQ. (Installed it yesterday.) I'd also recently updated my Spybot. Always a good idea! So, even though I put my ICQ at the highest security level, I got a nice little "present" with it. It gave me the Investigator Keylogger. This could be someone's idea of a joke considering my profession. This is my very first detection of a keylogger on my home system (which isn't a bad track record I suppose). In addition to the keylogger I found tracks of what looked like a search of several hundred files from my IE and my WinZip folder. I haven't used WinZip for a long time. Left me scratching my head. It's a good thing that I do a full security check of my system once a week. Phew! Thanks to Spybot, it's all cleaned up now! I forgot to add earlier, hence this edit: ICQ 2002a Build 3728.
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#2
Doublecheck it anyway.
On my machine SB detected two entries it identified as Silent Guard Keylogger, namely C:\Windows\System\Code_msg.hlp and HKLM\Software\Microsoft\CurrentVersion\SharedDlls\C:\Windows\System\Code_msg.hlp. I did a little research, and it turned out to belong to the Pervasive Software Btrieve Database Manager, which in turn means it was installed by my Exact Accounting software. I posted at SB forum, and Patrick said he'd fine tune Silent Guard detection. I'm not saying it's a false positive in your case as well, but you should remain vigilant all the same.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#3
Prince.......from r/clicking on Investigator Keylogger in Spybot.....through "Description of this product"......one finds http://www.winwhatwhere.com/ as the developer of this software.
According to the site...."Investigator ......needs to be installed by either having direct access to the machine or by you opening a 3.5MB EXE email attachment. " What do you think?
__________________
Amazing Techs
#4
That almost sounds like one of the keyloggers I sent Patrick to add.
It's good to hear someone posting things about SpyBot again. It really is a great program. What other spyware program is detecting trojans and keyloggers? Yes, it doesn't detect even close to all trojans, but I am sure Patrick could do that too if he wishes. Most Blackhats try to use the newest tricks, NOT old, thinking they will be caught anyway. I know there are still a few keyloggers that I sent to Patrick that haven't as of yet been added and I am not sure why. Maybe they got lost in da mail. Good job Prince
#5
Prince, I have ICQ 2002a, Build 3722, installed it in March/02, and I have seen nothing ever come up in any of my scans for such a thing as the key-logger you mentioned, or any kind of keylogger.
I have Spybot S&D also, fully updated, and do regular scans before and after I install any programs, Ad-AwarePlus too, and also had Anti-Keylogger which never detected anything like that. I have NOD32, Trojan Hunter, TDS-3 also.
Quote:
I am not sure what you mean here....I don't think ICQ would have any way of knowing your profession?
Quote:
SpybotS&D also detects tracks from my IE too, and my WinZip, even if I haven't used my WinZip in awhile; for some reason it still will come up showing the last file opened. This is very curious....I do remember one time I had my ICQ open and up popped a request to download a patch. Since I had no idea what that patch was for and I didn't initiate the request for it...I said no. hummm.... did anything like that pop up? Or maybe this "patch" was included in the new build that just came out? snap
__________________
@-`-,--
#6
Hooo-boy! Lots of questions. No, I haven't opened any 3.5 MB e-mail. My habit is if I do not know the attachment is coming, I simply delete it and ask my sender to clarify (if it's someone I know and trust). It can always be resent. Installing a keylogger directly onto your PC could be done if it is bundled with other programs. I have not put any new stuff on my PC in several weeks, except for ICQ yesterday and updating my SpybotS&D on Friday. Earlier in the week we had that Norton Update problem and I installed the upgrade work around. (Sheepishly) I scanned ICQ with Norton and the Cleaner, but not with Spybot before install. Oops!
When I upload any pictures, I have to put my Firewall on Low/Learning mode. Could I have gotten it then? Thank you all for the lightning fast responses. Wow!
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#7
I found ICQPatchManager.exe in the ICQ folder....I'm guessing that's so patches can be downloaded through this patch manager....but I still seemed to have control over that since I said no to it. Not sure if that was a good thing or not; I just don't like installing patches unless I KNOW what they are. Maybe it's an update-type patch for the newer builds, but that would be something new for ICQ to start doing. (still suspicious of that patch thing)
Prince, you could uninstall ICQ, if you haven't already, and re-download it and then do another scan and see if that key-logger thing shows back up....it would rule ICQ out as the culprit, or in....but then you probably don't want to do that, huh? snap (I can't get to Google to do a search)
__________________
@-`-,--
#8
Could it possibly be a false positive, though?
What's the name of the file(s) identified as this keylogger? If it seems unlikely to you that someone placed a keylogger on your machine (also listen to what Gail had to say about this), I'd investigate a little further.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#9
Thanks Tony and everyone! I kind of wish it is a false positive. They are not so truly nasty. I went offline and did the whole nine yards with Adaware, Spybot, Norton, and the Cleaner. Clean bill of health. I haven't tried uninstalling ICQ. Not using it either. There were a few times while using it (not in a chat room, talking with one known individual at a time) that I saw my cursor go into "working in background" mode with a box which flashed on the screen but was gone so fast I saw only a blur. It happened when I was typing. I should have recorded the file string from the keylogger but I remember "ROOT" very clearly. When I run Spybot or anything like it, I turn everything off except Explorer so they won't conflict with other proggies. When all done, I reboot. (I don't think it's possible that ICQ knows my profession. It's just weird. A strange coincidence?) Link to Google (sounds like baby food LOL): http://www.google.ca/
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#10
PS,
Curious here as well. Feel free to zip the file and attach it to an email - you've got my addy. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#11
Thank you Paul! Already on its way! Note: I've also sent along the Logfile of the Spybot scan. Hope it helps.
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#12
First impression:
A hex editor reveals STUB.EXE, OCXREG32.EXE and ICQSRP.EXE - as far as I know all common files. Can't figure the CKDLL.DLL though. A brief glance at the strings does not reveal anything fishy either as far as I can see (attached). The log file states "Found Investigator File Extension". I tend to believe it's a false positive. Nevertheless it's recommended to contact Patrick (Spybot author) about this. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
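Paul's triage above (a hex editor look plus a glance at the strings for embedded file names, and a hash so the file can be compared later rather than deleted) can be scripted; this is an added example, not code from the thread or from Spybot. The sample bytes are constructed to contain the file names Paul mentions and are not a real installer.

```python
import hashlib
import re
from typing import Dict, List

# Embedded names like STUB.EXE or CKDLL.DLL are the first thing to cross-check.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,32}\.(?:exe|dll|ocx|sys|hlp)$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len, like the 'strings' tool."""
    out: List[str] = []
    cur = bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def triage(data: bytes) -> Dict[str, object]:
    """Summarise a suspect file: content hash, PE header check, embedded file names."""
    strs = extract_strings(data)
    names = sorted({s for s in strs if FILENAME_RE.match(s)})
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # keep this before deleting anything
        "is_pe": data[:2] == b"MZ",                  # DOS/PE executables start with "MZ"
        "string_count": len(strs),
        "embedded_names": names,
    }


# Constructed sample (hypothetical): a fake MZ header followed by a few embedded names.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"STUB.EXE\x00OCXREG32.EXE\x00" + b"\xff\xfe"
    + b"CKDLL.DLL\x00ICQSRP.EXE\x00ab\x00readme text\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

An unknown name in the output (CKDLL.DLL in Paul's case) is a lead for a vendor or forum query, and the recorded hash lets the scanner author confirm exactly which file triggered the signature.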
#13
SpybotS&D found keylogger "IAMBIGBROTHER" on my system a while back. Don't know where the hell it came from or how it got there. Remind me to donate to SpyBot!
#14
Hi Paul! I posted at PepiMk Forums. (I had originally intended to send it as a Private Message but the board would not let me even though I was logged in. I posted that too.) Thank you very very much for your help. It's sincerely appreciated! Here's the Link to that thread at Net-Integration: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3d60b5de2db8ffff;act=ST;f=28;t=350
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#15
Hi PS,
Well done! Patrick no doubt will answer asap (that is: as soon as he's back from a holiday - any day now). Note: I didn't ask for the program executable itself; the possibly infected file would have been nice - but you deleted that one.
parkersxs, Quote:
just the reminder you wanted: did you donate in the meanwhile? regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#16
OOPS! Sorry about that Paul. I guess I misunderstood. Every time (so far) I have found some nasty thing on my PC I have this "knee-jerk" reaction where I get rid of it asap! That doesn't help with tracing the source of the problem. Next time I will use my ScreenHunter and take its picture. Is there anything else I should do before deleting it? Thanks.
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#17
Hey PS,
No problem - checked the .exe file anyway, in order to see if it was legitimate - and it was. As for being in doubt to delete: it's good practice to make a backup as standard. This will prevent a false positive leading to deleting a perfectly sound file forever. Screen shots are nice; a file investigation is needed to have a closer look. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#18
OT - I had Kevin's Disk Investigator ™ come up in Spybot S&D a while back as spyware..but knew it was not and it only did this for a week.
This is a nice program and it is free. Disk Investigator ™ http://www.theabsolute.net/sware/dskinv.html Solway's Software Page http://www.theabsolute.net/sware/
#19
By Paul: *just the reminder you wanted: did you donate in the meanwhile? * Say Paul.....perhaps us few users that had computers hosed by Spybot can seek donations Snowman
#20
On second thought...after just spending nearly the entire weekend re-formatting my computer because of the damage caused by Spybot......it's already taken far too much of my time...and I will just leave this alone and move on to other things..... snowman
#21
Quote:
That can't be right: formatting my drive has never taken me that long... Seriously, though: restoring the backups and rebooting would surely have returned your system to the state it was in before?
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#22
Tony Lol...praise be to back-ups...LOL The monitor is just about ruined.....already pricing a new one............programs working fine.....cpu ok....... But being fair minded I won't dog on Spybot.....it's a good program for some.....does a good job for most......just kicked me where it hurts the most....and not happy about that........the author is a real nice person....offering a free program......etc..........perhaps needs more testing time on different OS's..........P.S. Tony I never got a chance to even use Spybot.....the disaster happened just opening it.. but hey.....it happens...... snowman
#23
Incidentally, I meant the backups that SpyBot makes before removing stuff.
Did you try that? Or didn't you even get a chance. But I guess you're right: these things happen.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#24
Tony sorry my friend..misunderstood.....nope never got that far....LOL........made a real pretty screen saver though LOL snowman P.S. it's ok....I know of someone who is in need of a computer for school work...and can't afford one so will repair this one and pass it on.........
#25
Hi snowman! I am truly sorry that Spybot caused you so much trouble. If I had known it could do such a thing to your system, I would have warned you about it. Although you will never use it again, and I know you are a very busy person, it might help future users if you were to make a report on what happened to Patrick Kolla. It's up to you if you want to or not. On a lighter note to MyNethingyMan: Thanks for the links. I'll check them out. A BIG THANK YOU to all who contributed here. You make this board like home! Members of the same family rarely grow up under the same roof! I am very happy to know each and every one of you.
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007