Hi there, I just downloaded the demo version of TDS3. I did the full system scan and received a number of alarms, but I don't know what it means and how to proceed. This is my scan dump file:

Scan Control Dumped @ 01:39:35 24-09-03
Positive identification <Adv>: Possible KeyLogger
File: c:\windows\system32\aksrvnt.exe
Positive identification <Adv>: Possible KeyLogger
File: c:\windows\system32\aksrvnt.exe
Positive identification <Adv>: Possible KeyLogger
File: c:\windows\system32\aksrvnt.exe
Suspicious Filename: Excessive space characters
File: c:\documents and settings\key\favorieten\welkom op goodfeeling.nl .url
Suspicious Filename: HTA file in suspicious location
File: d:\system volume information\_restore{512e56cb-609c-47fc-82b9-3350691436c9}\rp7\a0003370.hta
Suspicious Filename: HTA file in suspicious location
File: d:\system volume information\_restore{affa3f49-b213-46d5-b502-de394bb304b8}\rp5\a0003351.hta

thx
Hello Defender, and welcome to the forum! Did you also update the radius to the most recent one via the web site after installing TDS? It is possible aksrvnt.exe is part of an anti-keylogger if you installed that, but best send that file zipped to submit@diamondcs.com.au to be sure, and you'll get information on what to do with it next. That goodfeelings URL has so many spaces that anything can be wrong, like, in general, hiding a double file name. If you don't need it, get rid of it, or you might like to change the name of that entry manually so you won't get the alarm anymore. The HTA files have probably gone from your system in the installed area, as there are no alarms there, so you'd best delete them. I think it's difficult to delete system restore files, so if you can't delete them, and if you know your system is clean and the way you want it, you might like to disable system restore - reboot - enable system restore - manually create a new system restore point, and they're gone. Hope this helps. Please also check back here for DCS advice in relation to the aksrvnt.exe.
Hi, I hope you received the zipped file. As I don't know what the program does, I didn't remove it. I couldn't remove the HTA files; I followed the instructions about making a new system restore point, but it didn't help.
In this case TDS alerted you of a positive identification. Although not all keyloggers are malware, the system directory is unlikely to be the place where a 'legal' keylogger should be. So I think you should remove the file from its current location and see if all programs keep working as they should. If not, you can always put it back.
Dolf
Antikeylogger was giving some false alarms and we fixed that. Looks like the new version changed something and now it's detected again. We'll fix that as soon as possible, sorry. Otherwise everything looks OK. That suspicious HTA file detection needs reviewing, and triggers on some normal WinXP HTA files: files used by the tour or some of the help files, I think.
See also here the file mentioned in the last postings. Defender, are you sure you disabled the system restore and rebooted, and after that reboot you enabled system restore and made a new restore point? It should remove all older restore points, including the infections and whatever is wrong. If the entries are back in the new system restore, it means the files are still on your system. If they are caused by the aksrvnt.exe, which seems all legally right to exist on your system, then the entries have every right to be in system restore too. At the moment I don't see the connection between the two. If they're back in restore and there are no other alarms than those two, this is what it looks like.
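The two "Suspicious Filename" alarms discussed in this thread (space padding that can hide a double file name, and HTA files in unusual locations) can be sketched as simple path heuristics. This is an added example, not part of the original thread and not TDS-3's own logic; the threshold, extension list, directory list and finding names are assumptions.

```python
import re

# Assumed thresholds and locations, chosen for illustration only.
SPACE_RUN = re.compile(r" {3,}")
RISKY_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "hta", "url"}
HTA_SUSPECT_DIRS = {"system volume information", "temp"}


def check_path(path):
    """Return heuristic findings for one Windows path (case-insensitive)."""
    parts = path.lower().split("\\")
    dirs, name = parts[:-1], parts[-1]
    stem, dot, ext = name.rpartition(".")
    findings = []

    if SPACE_RUN.search(name):
        findings.append("excessive-spaces")

    # Padding right before the final dot pushes the real extension out of
    # view in a narrow column, so "name.nl      .url" displays as "name.nl".
    if dot and stem != stem.rstrip() and ext in RISKY_EXTS:
        shown = stem.rstrip()
        kind = "hidden-double-extension" if "." in shown else "hidden-extension"
        findings.append(kind)

    if dot and ext == "hta" and HTA_SUSPECT_DIRS.intersection(dirs):
        findings.append("hta-suspicious-location")

    return findings


def scan(paths):
    """Map each path with at least one finding to its findings."""
    return {p: f for p in paths if (f := check_path(p))}


SAMPLES = [
    r"c:\windows\system32\aksrvnt.exe",  # from the scan dump
    # From the scan dump:
    r"d:\system volume information\_restore{512e56cb-609c-47fc-82b9-3350691436c9}\rp7\a0003370.hta",
    # Constructed: the padding width is a guess, the dump above shows one space.
    "c:\\documents and settings\\key\\favorieten\\welkom op goodfeeling.nl" + " " * 40 + ".url",
    r"c:\windows\help\example.hta",  # constructed benign location
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(findings, path)
```

A name-only heuristic like this says nothing about file content, which is why the HTA rule needs an allow-list of normal locations to avoid the false alarms mentioned above.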