Keylogger: AMECISCO

Discussion in 'privacy problems' started by eljay376, Aug 26, 2004.

Thread Status:
Not open for further replies.
  1. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi all,

    I'm running Windows 98, IE6 on a PII with 256Mb RAM. I am very security conscious as I do regard spyware of any kind as a personal theft attack.

    I have Trend Internet Security running, for my anti-virus requirements and Spyware Blaster, SpyBot S&D and Spy Sweeper to combat spyware.

    As well as the built-in firewall that comes with the Trend product, I also run Sygate Personal Firewall (free version).

    I stay current with software updates for all.

    Last evening, I downloaded a newer version of Spy Sweeper and immediately gave it a run.

    It turned up a key logger by the name of AMECISCO, which it apparently dealt with.

    What I want to know is whether my security has been compromised, and more especially, how I might determine if it has been on my kit for some time and none of my softwares had the means to detect it, or if it was a new attack that I have now hopefully nipped in the bud?

    I don't have any idea as to just what could happen as a consequence, or whether there is any need for me to make any changes to any banking details, for instance.

    I believe that key logging records keystrokes BEFORE encryption and that therefore any secure connections used are irrelevant.

    I also think that this particular scumware has the ability to remain pretty much invisible and can have variable names and file locations.

    Never had one of these before and so far my slightly "belt and braces" set-up would appear to have looked after me reasonably well - but is it time to hit the panic button now . . . or should I just make a pot of tea, sit down and calm down about it all?

    All thoughts very much appreciated here - with thanks.

    Regards eljay.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Is there anyone else that has access to your system?

    The keylogger in question is available for purchase at $99 from the company's website...

    Cheers :D
     
    Last edited: Aug 26, 2004
  3. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    While you're waiting for someone to come along who can give you better information than I, I'd definitely recommend option 2. :)

    pollux

    edit: Blackspear arrived while I was writing. You're in good hands now, but tea never hurts. Good luck.
     
  4. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Have you removed it from quarantine, and also checked the box in "always remove" (options>always remove), so it won't enter your computer again? :)
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Last edited: Aug 26, 2004
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Eljay376,

    In your post you mention running 2 software firewalls, Trend and Sygate. Running 2 firewalls simultaneously is a bad idea since it can lead to system conflicts and even prevent either from working fully. If this happened, then it could leave your system open to attack.

    In this case, I think it more likely that someone else with access to your system installed the keylogger. ;) If you are the only one with access to your system then, if you use IE, either consider another browser (like Firefox or Opera) or take the time to lock down IE's configuration (it is an open door to malware by default) and install a spyware scanner.
     
  7. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi Guys (and gals?)

    Thanks for all the quick responses.

    In chronological order then:

    My adult daughter is presently setting up a web-site, with a view to earning a living just sitting on her rear end (and she'll probably manage it too!) and she has access to the PC.

    I have deleted the found traces from the Spy Sweeper quarantine area, but have not taken the other step that Don Pelotas advises - so I'll get that done pronto!

    Thanks for the reference to the key logger thread iceni60 - I'll take a look.

    I punched in Amecisco in my browser at work this morning and printed off a whole shedload of bed-time(!) reading matter.

    Pest Patrol has some pretty good form on it, with file names to look for, but if it's that simple, why is there so much hype out there about it being an "invisible" key logger?

    Pest Patrol says it is "difficult to detect by design . . . may hide from process list . . . may install with variable names in variable locations."

    Sounds pretty scary to me!

    And what about the practical considerations like bank/debit card details . . . does anyone have first hand experience of that - or am I making too much of this?

    My dial-up password has been set since the day I set up the account and not keyed in since. I have changed my Hotmail password. Where else should I be looking?

    I have certainly entered my bank account details recently, but can't think of anything at the moment that for reasons of security or confidentiality are protected by a password.

    The main usage I have for passwords is to access sites such as this and can't think how somebody pretending to me would have anything to gain from it - or is there?

    Will take a look at SpyCop for which I do believe there is a trial version.

    I also came across Anti-keylogger, Spyware Doctor and as I said, Pest Patrol, all of whom claim to offer some form of protection against keyloggers.

    Before I go downloading a whole load of stuff that will probably not have a clean uninstall function attached to the software, does anyone have any experience of any of these doing a good job on their own PCs?

    Well, I'd better stop hogging things - much appreciation for the contributions so far - more very welcome if you can help.


    Regards eljay
     
  8. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    I've had the best results with $20 snoopfree (free trial at snoopfree.com). It detects three major ways that trojans spy on you:
    1) Hooking your keyboard
    2) Taking screen pictures
    3) Reading open windows

    I haven't seen anything that can beat snoopfree in these areas.
     
  9. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi eljay

    Since you have Spy Sweeper which also detects keyloggers, why not take a look at Processguard. Pest Patrol seems to have too many false positives to be recommended; it's just a personal opinion, do a search here on Wilders and see what you think. :)

    BTW, did you see Paranoid2000's post about running two firewalls at the same time?
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  11. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Lucky you downloaded Spy Sweeper. I recently ran some tests (and posted the results here) with keyloggers and found that Webroot's SpySweeper caught every single one (27). SpyCop has seen its day - it didn't do so well and Spy Sweeper has since passed SpyCop as the best for keyloggers. Of course, Spybot and AdAware catch a few, but they're both geared more to run-of-the-mill spyware and adware. Keyloggers are much more difficult to detect and Webroot has done a super job of regular reference updates and catching this insidious form of snoopware - as you just found out.

    Before you deleted what Spy Sweeper detected from quarantine, did you note exactly which files were found? You can open the main detection note and it expands into a tree and will show each and every file, registry entry, etc.

    Considering that a keylogger captures everything - I think you should take the path of secure computing and change several things. Your banking password is a must! If you have used your credit card online - consider it in the wrong hands and ask for a replacement. email passwords, etc.....in short, everything that you would not want in the hands of anyone.

    The short answer to the question, "Have I been compromised?" is yes. All the security tools in the world do no good if we don't act on what they tell us. If you had a confirmed keylogger, you must act and consider the worst. To not do so can cause you much pain in the end. With all of these security tools, nothing beats the quick action of the end-user.

    If you continue to share your computer, you might consider access software that you can configure to allow your guest users basic access without the ability to install programs, access system settings, etc. There are several good programs.

    Good luck to you!
    John
    Luv2BSecure
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good post luv2bsecure

    Cheers :D
     
  13. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Hi all,


    Firstly can I say a very big thank-you to all who are taking the time and trouble to offer advice. I have only used this forum once before and it continues to be one of the most welcoming I have come across. Long may it remain so and offer such a wealth of knowledge in opposition to the "bad guys".

    To come up to date then:

    (Paranoid) - I can disable the firewall component in Trend Internet Security, if it gives cause for concern running along side Sygate.
    When I do, I notice that the firewall log is still recording - is this OK?
    Both Sygate and Trend get an independent "all ports in stealthed mode" rating from Shields Up!
    I must try this with both softwares running, eh?
    Trend PC-cillin 2003 used to show with about a dozen ports in "closed" mode, so I was pleased to see the all-clear in 2004.
    I wish I had more knowledge in interpreting the log record in either system, as I couldn't honestly tell from it whether the bad guys are getting through.
    Does anyone have any detail on cluing up on that topic?
    I'm sure that my adult daughter would not have put a key logger on our home computer. She has the blind faith that all nasties will go elsewhere and complains bitterly when I insist that anti-virus updates take precedence over her wanting to use the PC.
    I do have the IE6 configuration locked via both SpyBot S&D and Spyware Blaster, along with being current with Windows Critical Updates.

    (Hop A. Long) - I tried to get the Snoopfree trial download and as well as certainly suggesting that it was configured for Windows XP (I am Windows 98), the download resulted in a missing .dll error message. I tried again from a mirror site, with the same result.
    I am always uneasy when advised to turn all system utilities off for the duration of a programme download - but could that be the reason?

    (Don Pelotas) - I downloaded the free trial Pest Patrol (and have done previously). This suggested that I had one Hi-Jack item and one piece of Adware. I too have my suspicions here - I wonder if they are actually spoof notices, designed to persuade you to buy the product? Each time I have tried Pest Patrol it has come up with things that none of my other software find.
    I acknowledge that there is a shade of opinion that feels that too much security software is a no-no, but there are always postings in forums such as these from folk who say that such-and-such software missed what another found. I wish I could be convinced that less IS actually better!

    (Blackspear) - yup! Some more links/threads to take a look at, with thanks.
    I found some stuff at http://www.antionline.com/showthread.php?threadid=240606 which was quite informative.

    (luv2bsecure) - I confess I panicked and could have managed the situation a whole lot better. I just wanted the scumware off my PC!
    I have now checked the box within Spy Sweeper that says it will immediately delete Amecisco if it turns up again.
    I have cancelled my debit card and don't do on-line banking (for this very reason), so I hope I haven't got caught with my pants down.
    I am reassured by your faith in Spy Sweeper. It is very easy to use and if it does the job competently then what more can I ask for?
    I guess I still have a bit of a learning curve with the small details. This is always a problem with downloaded software as you never get the degree of stuff that's in the user manual when you buy it in a box.

    That's me up-to-date - more here on outcomes. More still welcome from anyone with whatever might be helpful . . .

    Is there a reliable check that I can do, for instance, to see whether I am actually sending out packets of information to who knows where?

    Are there any firewall experts out there that could spare the time to talk about configuration and log interpretation in order to get the best security set-up?

    Wait to hear from you . . .

    Once again, my thanks for everyone's generosity in sharing what they know with me (and at no cost at that!)


    Regards to all, eljay.
     
  14. eljay376

    eljay376 Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    19
    Don't know where that "cool" icon came from - I typed in an "eight" (that should sort that one out)!
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Being "stealthed" online is useful rather than critical from the security perspective (there is an Online Scans - What to do with Open and Closed Ports FAQ on another forum I frequent which has some useful details on this). Disabling one of the firewalls should be sufficient - the only thing I would mention is that Sygate cannot filter traffic to local proxies (see their forum FAQ on this) so if you use any for filtering web traffic (like Proxomitron - well worth using BTW) or anti-virus software that scans incoming/outgoing email (most do this as a proxy) then sticking with Trend (or using another firewall like Kerio or Outpost) would be a safer choice.
    If a site exploited an IE vulnerability to install the keylogger, this would not show up in any firewall logs. I have noticed some spam emails whose sole purpose is to cause people to check a website (specifically by including a fake order invoice and asking people to check it by following a link) which then tries to compromise their system so if you had one of these, then this is a possible infection route (ditching IE and using an alternative browser like Firefox or Opera is the best option here - past IE vulnerabilities have even allowed for restricted zone settings to be bypassed).
    Hmmm...a Significant Other perhaps?

    Finally, if you have the keylogger file in quarantine (or in your Recycle Bin) it may be worth contacting Amecisco about it. Since it is legitimate software, it may have a user registration key in it which could give a clue as to who purchased or installed it.
     
  16. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I would be uneasy too, in fact I wouldn't download any program I didn't know that asked me to do that.
    In general I would say you're pretty well covered, I mean you have: Trendmicro Internet Security firewall/antivirus, Spywareblaster, Spybot + Spy Sweeper for spyware; you could add Ad-Aware free to that, instead of buying Pest Patrol also. Perhaps an antitrojan like BOClean (light on resources, set and forget, daily updates), TDS-3 (large database, a little heavy on resources, daily updates) or maybe the free version of Ewido (large database, daily updates). :)
    I know that feeling. ;) :D
     
  17. taygt

    taygt Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    2
    Hi,

    The same thing happened to me - Webroot's Spy Sweeper detected the presence of Amecisco Keylogger in my PC. I have tried removing it but the traces always recur (even if I had switched on the 'always remove' function in Spysweeper). In fact, the traces are located in the hidden part of my hard drive (c:\_restore\temp) in two files with the suffix (.cpy). What should I do to remove the traces totally?

    Thanks!
     
  18. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Have you tried turning off system restore ---> reboot to clean out all the old restore points --> then turn on System Restore after the reboot and set a new restore point?

    Also clean out all your temp folders, in case something is still living in there from it.
    A good proggy for that is CrapCleaner [nope, not kidding :) ]

    Here: http://www.ccleaner.com/

    Thread and screenies

    HERE

    The thread is about Registry Cleaners, but keep reading and you will see CCleaner mentioned re TIFS/Temp folders and much more.

    Cheers, TAS
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Try turning off system restore and reboot your PC into "Safe Mode" then run a further scan.

    Let us know how you go...

    Cheers :D
     
  20. taygt

    taygt Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    2
    Thanks guys for the tips! You've helped me remove the Keylogger.

    Cheers!
     
  21. Anon43

    Anon43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    11
  22. Gianni

    Gianni Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    45
  23. Ameciso

    Ameciso Guest

    or a very bad false positive which spysweeper is prone to. So far, I've not seen a real case yet.
     
  24. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Hi, all.

    Another person just posted in the thread at DSLR/BBR that Anon 43 referenced in his post:
    http://www.broadbandreports.com/forum/remark,11219295~mode=flat
    (I think it might be the same Gianni who just posted here?)

    It seems at least possible that this detection is a false positive, since some people have not found all of the various files associated with Amecisco Keylogger by Pest Patrol:
    http://www.pestpatrol.com/pestinfo/a/amecisco_invisible_keylogger_stealth_1_2.asp

    I'm wondering if the users of Webroot Spy Sweeper who have had this detection could contact the company about it. (I'd do so myself, but I think it would be better coming from a user of the product, which doesn't apply to me). As far as I can tell, the company does not have a support forum, but they do have an online support page:
    https://supportcenteronline.com/ics/support/default.asp?deptID=776

    To clarify, I don't think there is enough evidence at this point to determine whether the detection is a false positive or something to worry about (and of course it may be different on different machines: some may actually have the Amecisco Keylogger even if there is also a false positive detection). So I think the best way to proceed at this point would be to try to get a response from the vendor.

    Thanks! :)

    pollux
     
  25. Gianni

    Gianni Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    45
    Yes, I'm... ;)

    I contacted Webroot's Online Support too...and am waiting now for an official reply!

    see u later... :)
     