keylog.h@tkeysh@@k.dll

Question about detection & recovery. But I'll run through the details first.

I manually run TDS3 on an XP box (NTFS format).

Startup scanning is configured:
boosted TDS3 token privelages
Process File Scan
Memory Mutex Scan
Registry & File Trace scan

1. Started & finished with a clean result.

2. Ran Adaware - reported h@tkeysh@@k.dll

3. Re-ran TDS3 - selected hard drive scan thru "Scan Control" - All scanning options flagged except "Scan for Clients/EditServers"

Result: Positive id Keylog.HotkeysHook (dll)
Identified what I expect are the source files which it was embedded in... a 3rd instance was found in the web browser cache (Opera used to download files).

The way I have TDS3 configured on start up, did not detect this keylogger.

Is it unusual for a memory, process & registry scan not find a footprint of this type of trojan?

Besides the source files (fyi trainer progs for the game "Battlefield 1942" from http://www.trainerscity.com) and the actual dll... should I be looking for any other malware files from this trojan?... I did a little research & found some cleanup instructions (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HOTKEYHOOK)which mentions other files, which I have searched for & cannot find (post using TDS3 to delete identified files).

Feedback appreciated.

 

Correct. You didn't tell TDS to do a file scan at startup.
And a keylogger is not a trojan...
Dolf

 

Hi Dilraig and welcome!
>And a keylogger is not a trojan...
.....even though TDS detects lots of them.

The explanation told the other files to look for, but does it mean now you didn't have them the nasty was not properly installed yet and had not done it's nasty work?
Also check via the process list and autostart explorer if you see anything suspicious. Keyloggers in many cases have the habit of trying to be invisible, but they do show up inthe registry somehow.
Port explorer would show all connections too, even the hidden ones and the applications responsible for them.

 

This is not a trojan, it is a keyhook library that is sometimes used by trainers - it CAN be used by a trojan as in the example on that site.. ignore it, you will notice the trainer drops another copy if you delete it

 

Thanks guys for the quick response.

Dolf, why wouldn't you include a keylogger as a trojan? It could be a matter of semantics... but I had time to kill this arvo TDS glossary describes trojans "Whether they are Remote Access trojans or just password stealers, they still make the system vulnerable in one way or another."