Hello all,

With the newest TDS Database: 19552 refs (Wed Nov 20 2002), on my initial startup scan, I am getting the following:

-------------------------------------------------------------------------------
Scan Control Dumped @ 14:53:44 20-11-02
Live trojan found (in process memory): Keylog.Spion File: C:\WINDOWS\System32\smss.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\system32\winlogon.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\system32\services.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\system32\spoolsv.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Alwil Software\Avast4\ashserv.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
Live trojan found: Keylog.Spion File: C:\Program Files\FileChecker\filechecker.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Executive Software\DiskeeperWorkstation\DfrgNTFS.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\System32\nod32cc.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\System32\nvsvc32.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\Explorer.EXE
Live trojan found: Keylog.Spion File: C:\Program Files\Soft4Ever\looknstop\looknstop.exe
Live trojan found: Keylog.Spion File: C:\Program Files\ESET\pop3scan.exe
Live trojan found: Keylog.Spion File: C:\Program Files\CPal\CPal.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\System32\ltmsg.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Network Associates\PGPNT\PGPtray.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Eraser\eraser.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Common Files\ADT Shared\Scheduler\ADSched.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
Live trojan found: Keylog.Spion File: C:\Program Files\AWS\WeatherBug\Weather.exe
Live trojan found: Keylog.Spion File: C:\Program Files\ID-Blaster Plus\idblasterplus.exe
Live trojan found: Keylog.Spion File: C:\Program Files\MRU-Blaster\scheduler.exe
Live trojan found: Keylog.Spion File: C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
Live trojan found: Keylog.Spion File: C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
Live trojan found: Keylog.Spion File: C:\DCS\Port Explorer\PortExplorer.exe
Live trojan found: Keylog.Spion File: C:\WINDOWS\msagent\AgentSvr.exe
-------------------------------------------------------------------------------

I am pretty sure it is a false positive caused by something in the newest radius database update. Also, I have been forced to uninstall execution protection, as it stops just about anything that I try to execute as having the Keylog.Spion infection.

Regards,
Kent
Perhaps this keylogger works itself into the process space of other programs. Since TDS has the ability to scan inside process spaces it would be able to detect it. I'd suggest trying a program like Anti-keylogger to get a second opinion and then change all your passwords.
Go back to yesterday's radius: in the TDS directory, change radius.td3 into radius.td3.old and yesterday's radius.bak into radius.td3, then reload or start TDS and the problem is gone. As all users have the same, be sure of a too-tight detection code, which Gavin will refine in the next update for sure. Of course you might like to use any online scan and anti-keylogger if you like (which program I urgently had to uninstall btw, after which my system was back stable again).
Yeah, I hate when programs make your system unstable. I never had a problem with Anti-keylogger, but I suppose it depends on what software you have installed along with it. (And then, I had anti-keylogger and removed it before I put TDS on, so I don't know.) Can't hurt to get a second opinion, but be aware that Anti-keylogger may be a little overzealous. It detects a Sygate log as a possible keylog file, but I think that's only because it lists the various processes that have been run.
OMG, I just got that too! Keylog.Spion is showing up everywhere! I did a Google search for it (Keylogger.Spion), and found what may be the keylogger on some German site. I clicked the "Spione" link and it wanted me to download a program, but I cancelled it. Now I do a scan and it's showing the same thing as you, with almost every process showing as the trojan.

nwrecmsg.exe [Novell NetWare program]
explorer.exe
taskmon.exe
systray.exe
logwat95.exe [antivirus component]
isrv95.exe [antivirus component]
tclock.exe [taskbar & clock modification program]
agentsvr.exe
iexplore.exe
aim.exe
notepad.exe

All show as this trojan. I'm suspecting a mistake in the radius.td3 file. Here are the programs that didn't show up as being a trojan:

msgsrv32.exe
mprexe.exe
smc.exe [Sygate firewall]
wmiexe.exe
ddhelp.exe

OK, they show up in a memory space scan, but not a process file scan, object memory scan, or mutex scan, or any others.
Just go back to the older radius of 19 November and the problem is solved for today, till the next radius update.
Re: Key.Spion

Hi, Keylog.Spion is showing up on my other computer also. Only updated NOD32 and TDS3 on that system since yesterday, and a full scan yesterday came up clean, so I think it's the update.

Loki
It's good when multiple members post regarding these issues. Now, it is certainly clear that this is a false positive which should be resolved soon. And none of you actually have that keylogger.
Hi everyone, If you have not already been notified by an email, there was a problem with the current database. Apologies for the problem; a new database is up now which will correct this corruption. Glad to see the community reacted together to reduce panic. Again, I apologise for the corrupted database.
Hi Gavin, Just finished a full scan with the new update and system comes up clean. Problem fixed! Loki
Thanks for the update, patience, and all, and sorry LowWaterMark, don't have a sample of it. All is well and clean.
Hello all, Yes, I agree, there is nothing better than a good forum pulling together in a positive manner to reduce panic and to help verify these were indeed false positives. Thanks go to Gavin, Jooske, and all the others that posted. Regards, Kent