Keylog.Spion

Discussion in 'Trojan Defence Suite' started by puff-m-d, Nov 20, 2002.

Thread Status:
Not open for further replies.
  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,402
    Location:
    North Carolina, USA
    Hello all,

    With the newest TDS Database: 19552 refs (Wed Nov 20 2002), on my initial startup scan, I am getting the following:

    -------------------------------------------------------------------------------
    Scan Control Dumped @ 14:53:44 20-11-02
    Live trojan found (in process memory): Keylog.Spion
    File: C:\WINDOWS\System32\smss.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\system32\winlogon.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\system32\services.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\system32\spoolsv.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Alwil Software\Avast4\ashserv.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\FileChecker\filechecker.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Executive Software\DiskeeperWorkstation\DfrgNTFS.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\System32\nod32cc.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\System32\nvsvc32.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\Explorer.EXE

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Soft4Ever\looknstop\looknstop.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\ESET\pop3scan.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\CPal\CPal.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\System32\ltmsg.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Network Associates\PGPNT\PGPtray.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Eraser\eraser.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Common Files\ADT Shared\Scheduler\ADSched.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\AWS\WeatherBug\Weather.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\ID-Blaster Plus\idblasterplus.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\MRU-Blaster\scheduler.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe

    Live trojan found: Keylog.Spion
    File: C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe

    Live trojan found: Keylog.Spion
    File: C:\DCS\Port Explorer\PortExplorer.exe

    Live trojan found: Keylog.Spion
    File: C:\WINDOWS\msagent\AgentSvr.exe
    -------------------------------------------------------------------------------

    I am pretty sure it is a false positive caused by something in the newest radius database update.

    Also, I have been forced to uninstall execution protection, as it stops just about anything that I try to execute as having the Keylog.Spion infection.

    Regards,
    Kent
     
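Added example (not from this thread or from DiamondCS): a small triage script that parses the "Scan Control Dumped" output format shown above and flags a signature that hits many distinct files, including core Windows binaries, as a likely database false positive rather than a real infection. The sample dump is constructed from the post; the core-process list and the threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the "Scan Control Dumped" format TDS-3 printed above.
SAMPLE_DUMP = r"""Scan Control Dumped @ 14:53:44 20-11-02
Live trojan found (in process memory): Keylog.Spion
File: C:\WINDOWS\System32\smss.exe
Live trojan found: Keylog.Spion
File: C:\WINDOWS\system32\winlogon.exe
Live trojan found: Keylog.Spion
File: C:\WINDOWS\system32\services.exe
Live trojan found: Keylog.Spion
File: C:\WINDOWS\Explorer.EXE
Live trojan found: Keylog.Spion
File: C:\Program Files\Eraser\eraser.exe
Live trojan found: Other.Trojan
File: C:\Temp\odd.exe
"""

FOUND_RE = re.compile(r"^Live trojan found(?: \([^)]*\))?: (\S+)$")
FILE_RE = re.compile(r"^File: (.+)$")
# Binaries every NT-family Windows box runs (assumed list); one signature hitting
# several of them at once points at a bad database far more often than a real infection.
CORE_OS = {"smss.exe", "winlogon.exe", "services.exe", "explorer.exe", "csrss.exe", "lsass.exe"}

def parse_scan_dump(text):
    # Returns (detection_name, file_path) pairs; a File: line closes the previous hit.
    hits, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and pending:
            hits.append((pending, m.group(1)))
            pending = None
    return hits

def triage(hits, min_files=5):
    # Group by signature; flag names that hit many distinct files including core OS binaries.
    by_name = defaultdict(set)
    for name, path in hits:
        by_name[name].add(path)
    report = {}
    for name, paths in by_name.items():
        core = {p.rsplit("\\", 1)[-1].lower() for p in paths} & CORE_OS
        report[name] = {"files": len(paths), "core_os_hits": sorted(core),
                        "likely_false_positive": len(paths) >= min_files and len(core) >= 2}
    return report
```

A flagged signature is a cue to re-scan with the previous database (or a second scanner) before deleting anything, since the files involved are the ones Windows cannot run without.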
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Kent, sounds like what you said. Let's hope so and Gavin will change the detection code asap.
     
  3. Paragon

    Paragon Guest

    Perhaps this keylogger works itself into the process space of other programs. Since TDS has the ability to scan inside process spaces it would be able to detect it.
    I'd suggest trying a program like Anti-keylogger to get a second opinion and then change all your passwords.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Get back to yesterday's radius in the TDS directory: rename radius.td3 to radius.td3.old and yesterday's radius.bak to radius.td3, then reload or start TDS and the problem is gone.
    As all users have the same, be sure it is a too-tight detection code which Gavin will refine in the next update for sure.
    Of course you might like to use any online scan and anti-keylogger if you like (which program I urgently had to uninstall, by the way, after which my system was back stable again).
     
  5. Paragon

    Paragon Guest

    Yeah, I hate when programs make your system unstable. I never had a problem with Anti-keylogger, but I suppose it depends on what software you have installed along with it. (And then, I had anti-keylogger and removed it before I put TDS on, so I don't know.)
    Can't hurt to get a second opinion, but be aware that Anti-keylogger may be a little overzealous. It detects a Sygate log as a possible keylog file, but I think that's only because it lists the various processes that have been run.
     
  6. Paragon

    Paragon Guest

    OMG, I just got that too! Keylog.Spion is showing up everywhere!
    I did a Google search for it (Keylogger.Spion), and found what may be the keylogger on some German site. I clicked the "Spione" link and it wanted me to download a program, but I cancelled it. Now I do a scan and it's showing the same thing as you, with almost every process showing as the trojan.
    nwrecmsg.exe [Novell NetWare program]
    explorer.exe
    taskmon.exe
    systray.exe
    logwat95.exe [antivirus component]
    isrv95.exe [antivirus component]
    tclock.exe [taskbar & clock modification program]
    agentsvr.exe
    iexplore.exe
    aim.exe
    notepad.exe

    All show as this trojan. I'm suspecting a mistake in the radius.td3 file.

    Here are the programs that didn't show up as being a trojan:
    msgsrv32.exe
    mprexe.exe
    smc.exe [sygate firewall]
    wmiexe.exe
    ddhelp.exe

    OK they show up in a memory space scan, but not a process file scan, object memory scan, or mutex scan, or any others.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just get back to the older radius of 19 november and problem solved for today till the next radius update.
     
  8. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Re: Key.Spion

    Hi,

    Keylog.Spion is showing up on my other computer also. Only updated NOD32 and TDS3 on that system since yesterday, and a full scan yesterday came up clean, so I think it's the update.

    Loki
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    It's good when multiple members post regarding these issues. Now, it is certainly clear that this is a false positive which should be resolved soon. And none of you actually have that keylogger.
     
  10. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    I can also verify this false-positive.

    Regards,

    -Javacool
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi everyone,

    If you have not already been notified by an email, there was a problem with the current database. Apologies for the problem, a new database is up now which will correct this corruption. Glad to see the community reacted together to reduce panic :)

    Again, I apologise for the corrupted database.
     
  12. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi Gavin,

    Just finished a full scan with the new update and system comes up clean. Problem fixed! :D

    Loki
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for the update, patience, and all, and sorry LowWaterMark, don't have a sample of it :D
    All is well and clean.
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,402
    Location:
    North Carolina, USA
    Hello all,

    Yes, I agree, there is nothing better than a good forum pulling together in a positive manner to reduce panic and to help verify these were indeed false positives.

    Thanks go to Gavin, Jooske, and all the others that posted.

    Regards,
    Kent
     