Please help. DevilInsideKeylogger.

I have three machines that are running Windows XP professional. I am pretty security conscious bordering on over zellous. I just recently found or Aluria Spyware Eliminator found on all there machines what it refered to as Devil Inside Keylogger, I removed it on two and did some testing on the third. I tried two other prominent antispyware products before cleaning the 3rd machine and neither found any reference to the Keylogger that Spyware Eliminator found. I scanned al three a number of times with TDS-3 and it found nothing either. TDS-3 database refers to something called Keylog.Devil.Inside if I remember correctly which would seem the closest match in name to what Spyware eliminator found. But like I said TDS-3 reported that all three systems were clean. I called Spyware Eliminator "Aluria" a couple of day's ago and the have not returned my call very disappointing as the say their number is a "Hotline" I see nothing hot about it as of now. Anyway I am really really hoping that this was a false positive on Spyware Eliminators part. Their online database doesn't refer to it which is another disappointment their reference data is not up to date seemingly with there programs signatures. The only common denominator that I can recall is that I have instlled EMC2 Dantz Retrospect single server on one machine and the clients on the other two as of recent software that is on all machines. Could someone please tell me if I should be concerned? I have tons of passwords and I haven't seen any illicit action on any of my accounts knock on wood. Also can someone recommend something that is really good for preventing keyloggers.

perpetd - I've edited the title to remove the double-post notice you had in it, as I've closed your other thread. Please stay with this one now. Thanks - snap

 

I wouldn't believe anything that Aluria told me they're traitors in the antispyware world! Sounds like your detection may be a false positive though. You could always double check with Security Task Manager, which has a 30 day free trial, if you want another opinion. http://www.neuber.com/taskmanager/index.html

 

Cool I actually own that product, good thinking. What is the best AntiSpyware scanner do you think? And why?

 

Not really the right forum to discuss this. Should probably be moved to Privacy Software forum.

That's a tough question. As far as JUST antispyware SCANNERS go, some people think it's Counterspy. Some say SpySweeper. I feel it's generally a combination of maybe MS antispyware, Ad-aware (free), X-Cleaner (free), Spybot, Pest Patrol and maybe STM. I use these programs together and do cross checking with them all, if one finds anything.

But protecting against spyware is really far more than just relying on spyware scanners. Prevention is just as important, or MORE important really. So get SpywareBlaster and SpywareGuard. Try Prevx for more spyware prevention. WinPatrol is a good as well. And switch your browser from IE to Firefox or Opera too to help also. Good luck.

 

Hello perpetd, do you want a TDS related answer or do you want me to move your posting / this thread to a general software discussion forum?

Anyway, to know if you have a real trojan TDS should detect or it might be a false positive locate the malware on your system, send a zipped copy to the TDS lab (see email in my sig).
If you cleansed out the two systems and do another scan with your other scanners does any of your scanners alarm on any of your three systems? As you said the third system is not cleansed you woudl expect an alarm there.
Without samples TDS is not alarming on it's really impossible to tell if TDS should have alarmed or that it might be a false positive.
You know to give TDS a proper chance to detect anything you should close other scanners and their resident protection and give TDS free access to everything. TDS can also be run in save mode btw if you like.

TDS has by now about the largest database covering lots of spyware/adware/keylogggers/trojans etc etc so zip and send in your sample to get expert advice on it if TDS doesn't beep and you think it should. DiamondCS does recommend however to do another scan to test if you're clean with SpybotS&D, Ad-aware, Spysweeper which are known proven programs.


DiamondCS is working more on prevention as you can see with ProcessGuard, you can see live detection with Port Explorer for hidden possible trojan connections and act immediately, WormGuard adds to this and is configurable to your own taste on what more it should beep when you are intending to touch a file, the exec protection in TDS blocks malware from running, you can do a lot of prevention with RegDefend for your registry, TDS to do scans and not to forget the network tools in it. The Javacool browserprotection tools are named already.

The good old times we could do with a 200 items database virus scanner only are not there since long.


BTW: the devilwithin keylogger is a commercial keylogger which in most cases is installed on purpose and doesn't come via infected websites or emails on your system. The fact you have three systems (networked?) with it adds to the impression. You might have another version then TDS has in it's database so please be so kind as to send in a sample. Thanks in advance.

 

Well I guess you can move it to the general forum. Thank you for your response also. I am thinking at this point that it was probably a false positive. I have nothing to send since I cleaned the third machine with Spyware Eliminator also. I then scanned all of them with TDS-3 and it came out clean. I scanned with Giant Companies AntiSpyware and also Spysweeper trial. I also had installed previous to when the infection or false positive occured Spyware Blaster, Spybot S&D with full immunization, ESET NOD32 V.2.5 with AntiSpyware detection, Greatis Regrun Watchdog and Spyware Eliminator. I just added SpyProtector and Spyware guard to my active protection for good measure.

 

Good to see you're clean, pity for the sample, as TDS should have beeped since it is in the database: it could be another version on your system.
As written above, it's a commercial keylogger put there intentionally in most cases, so it would be really interesting to see a sample.
(No i'm not recommending to get the commercial version to see if it is the same! )

You do have ProcessGuard installed too so you do work on prevention too, look at the other ones mentioned.
You have an impressive arsenal on scanners, some with very nice resident protection too. Add the JavaCool tools and RegDefend and you're a lot better protected from the deepest level till your browsers.
Make it a rule to close other scanners when scanning with one and use them randomly.
If you had them all closed including their resident protection and TDS still found nothing, also not in safe mode, and you did the same with all your other scanners i think you should be really clean.
False positives are possible in all cases, and with the explosive growth in the ad/spyware/downloaders/keyloggers hard to avoid in all cases, but most developpers react very quick when you send in your samples.
On Howles list is a whole list of scanners to avoid.

 

Sounds like you have a pretty good setup Perpetd. I would consider Prevx and/or Snoopfree (both free) http://www.snoopfree.com for stopping keyloggers if your still looking for something in that area.

 

Thank you again for your help guy's. Jooske I can't remember for sure but I think I scanned the infected system with TDS-3 before cleaning it with SE. I will have to make sure I get a hold of Aluria to confirm whether it was a fasle positive or not. I left them a phone message as I mentioned and also emailed them via contact form earlier tonight. Regarding your suggestions I own both Prevx and ProcessGuard and I feel that whenever I install them it is a bit more work then it is worth in terms of other things going wrong or becoming misconfigured. FOR ME. (I have also tested Ewido.) Anyone reading this the previously mentioned are both excellent products don't get me wrong. But I think there is a certain point when if you pay for a nice system and then have to innundate it with security software you are in a sense allowing virus and spyware creators to win. I obviously stive as I assume most do to find a good balance between performance and security. I have not looked at SnoopFree I'll have to take a peek at that one. One program I feel I should mention for you guys as neither of you mentioned it and you might REALLY like it is Greatis Software Regrun Start Control just to list all the security features in it would fill a page or three. Try out the trial it's an awesome awesome product. www.greatis.com If Im not allowed to link to that here I understand can't remember the policy just thought it's such agood program. Just for those who try it it does have a bit of a learning curve so if you are a computer novice please make sure you have a fair understanding of what you are doing.

 

As this is more spyware related I shall move it to the Privacy forum.
Before I do pertpetd please consider DCS ProcessGuard as it has strong anti- leylogger abilities plus sophisticated process protection abilities without the need for signatures

Pilli.

 

Ok thanks fellows maybe I'll reinstall ProcessGuard... thinking about it

Best & Kindest regards N thanks for all the help!

Perpetd

 

If you're looking at ease and good did you try RegDefend and it's various tests? See the GhostSecurity forum here at Wilders.

 

Hi perpetd, I moved your licencing question to here as it was DCS related and not part of this topic:
https://www.wilderssecurity.com/showthread.php?t=81346

Thank you. Pilli

 

Jooske I just purchased RegDefend seems to work great so far.

Thank you Pilli! You guy's are great tx for the help.

 

As we know, unless perpetd turned off System Restore, he should still have a copy there to send in Jooske.

controler

 

Hmm... good point. I may have it on a retrospect backup also only I wouldn't know where to look for it. I will post a follow up here after I speak to Aluria that way if anyone else has the same issue they know what is up. ;-)

 

Does Aluria look at the System Restore folder also when doing a full HD scan?
I don't know since I have never used it.

Let us know their answer. It is very common for one AT-AV to catch something others missed, especialy when it comes to RISKware or commercial Keyloggers.
Some delelopers refused to even detect commercial keyloggers for leagle reasons. That is why Kevin had to ad a button in BoClean. NOT LOL

NEVER tell your self .... Gee I scanned with 10 online scanner & used TDS-3,
ect and they didn't find anything, I MUST be as clean as a whistle, right?
wrong!!!!!!!!!!

It just happened to be last week. Was a modified Beagle & I played with it for a few days , watching the various AT-AV companies start covering it.
I picked it up by e-mail.. Fir thing I did was called my ISP and told them it was getting through their filtering. They said thanks and said we will sure try
to do something about it. I said it appears to be a new varient and told them to not expect their current server AV to detect it.

controler

 

AOL (based on Aluria) just started reporting DevilWithin Keylogger.
The log shows HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\st6unst #1
Spyware Name: DevilWithinKeylogger

This registry entry is for the uninstall of DShield Universal Firewall Client cvtwin.exe.

It's a false positive.

 

Wheew T H A N K Y O U !

 

So, this is a definite false positive with that line in my registry? Just want to make sure, I type all day about information that is pretty much useless to 99.999% of the world, but if one specific competitor got it, it would be a huge headache. So, would someone please confirm, as I used Aluria, and came up with the same findings of devilwithin Keylogger.

Thanks a bunch...

 

I just was warned of this SAME key logger and went to theweb and found this discussion. Sure amhappy to see it isa false positive! I was about to go change all my passwords.

 

this message may be a little late but you need to remove HKCU\.\\\Run\@
it should be pointing to a file called %windir%\fonts\font.exe
Search your process list for font.exe and kill it then you need to delete font.exe from the command line as it will not be visible in the fonts directory under explorer (Nice feature there microsoft)!

--Si