keylog.h@tkeysh@@k.dll

Discussion in 'Trojan Defence Suite' started by Dilraig, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. Dilraig

    Dilraig Registered Member

    Joined: Aug 5, 2003
    Posts: 11

    Question about detection & recovery. But I'll run through the details first.

    I manually run TDS3 on an XP box (NTFS format).

    Startup scanning is configured:
    boosted TDS3 token privileges
    Process File Scan
    Memory Mutex Scan
    Registry & File Trace scan

    1. Started & finished with a clean result.

    2. Ran Adaware - reported h@tkeysh@@k.dll

    3. Re-ran TDS3 - selected hard drive scan thru "Scan Control" - All scanning options flagged except "Scan for Clients/EditServers"

    Result: Positive ID Keylog.HotkeysHook (dll)
    Identified what I expect are the source files which it was embedded in... a 3rd instance was found in the web browser cache (Opera used to download files).

    The way I have TDS3 configured on startup did not detect this keylogger.

    Is it unusual for a memory, process & registry scan not to find a footprint of this type of trojan?

    Besides the source files (fyi trainer progs for the game "Battlefield 1942" from http://www.trainerscity.com) and the actual dll... should I be looking for any other malware files from this trojan?... I did a little research & found some cleanup instructions (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HOTKEYHOOK) which mentions other files, which I have searched for & cannot find (post using TDS3 to delete identified files).

    Feedback appreciated.

    :)
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined: Nov 20, 2002
    Posts: 676
    Location: Amsterdam

    Correct. You didn't tell TDS to do a file scan at startup.
    And a keylogger is not a trojan...
    Dolf
     
  3. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002
    Posts: 9,713
    Location: Netherlands, EU near the sea

    Hi Dilraig and welcome!
    >And a keylogger is not a trojan...
    .....even though TDS detects lots of them.

    The explanation told the other files to look for, but does it mean now you didn't have them the nasty was not properly installed yet and had not done its nasty work?
    Also check via the process list and autostart explorer if you see anything suspicious. Keyloggers in many cases have the habit of trying to be invisible, but they do show up in the registry somehow.
    Port explorer would show all connections too, even the hidden ones and the applications responsible for them.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002
    Posts: 2,080
    Location: Perth, Western Australia

    This is not a trojan, it is a keyhook library that is sometimes used by trainers - it CAN be used by a trojan as in the example on that site.. ignore it, you will notice the trainer drops another copy if you delete it :)
     
  5. Dilraig

    Dilraig Registered Member

    Joined: Aug 5, 2003
    Posts: 11

    :D Thanks guys for the quick response.

    Dolf, why wouldn't you include a keylogger as a trojan? It could be a matter of semantics... but I had time to kill this arvo :rolleyes: TDS glossary describes trojans "Whether they are Remote Access trojans or just password stealers, they still make the system vulnerable in one way or another."
     