Keylogger

Discussion in 'ESET NOD32 Antivirus' started by bfree, May 15, 2008.

Thread Status:
Not open for further replies.
  1. bfree

    bfree Registered Member

    Joined:
    May 11, 2008
    Posts:
    1
    I believe I have a keylogger virus on my PC - but NOD32 doesn't show anything:

    * My keyboard locks every 10 seconds for a period of 4 seconds; when released, all keystrokes are echoed, indicating that something is caching them. Mouse events are unaffected.

    * When typing in notepad (no other app running), Performance Monitor shows my CPU pegging out; goes to 0 when I stop typing.

    * When using a keylog detector (AKLT) - it sometimes is able to intercept keystrokes, sometimes not. When it is able to intercept keystrokes, it drops occasional keys - despite the fact that all keystrokes are being echoed (with 4 second pauses) on notepad.

    I'm using the original/standard keyboard driver that came with my system; I don't see any unusual procs running, or ports open; nothing unusual in config.sys, autoexec.bat or system.ini - however, the symptoms seem to indicate that a TSR-like keylogger is being chained into my system for 4 seconds every 10 seconds.

    Thoughts?
     
  2. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Hello and welcome to Wilders!

    Quick question, besides NOD32, have you scanned your system with anything else? NOD32 is an amazing product, but nothing catches 100% of baddies. You could try a scan with SuperAntispyware and/or SpySweeper (both have a 30 day free trial) and see if either catch anything that NOD may have missed. Run the scans in safe mode too.

    Something else you could try to do is run a HijackThis log and have someone analyze it for you to make sure you don't have anything malicious running.
    Wilders no longer does HijackThis Analysis, but there are quite a few places that do.

    I hate to turn you away from here, but this will at least give you another option. One place that is very good is CastleCops.

    Run a Hijackthis log and post it on the forum listed above and someone will be able to analyze it for you and tell you if you do, in fact, have something malicious running.

    It would be nice if you will give us an update as to what you find.

    HTH
     
  3. ffemtreed

    ffemtreed Registered Member

    Joined:
    Apr 10, 2008
    Posts:
    6
    Doesn't sound like a keylogger to me. Sounds like a bad keyboard or some corrput kernel or I/O drivers on your system.

    Is this keyboard wireless by chance?
     
  4. Wyrd

    Wyrd Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    14
    I agree with the previous poster--sounds like a keyboard malfunction, rather than a keylogger.
     
  5. Oleg

    Oleg Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    406
    Location:
    USA
    Keylogger only record activity,but do not freez PC,but trojans can do this.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Does the problem occur if you start the computer in Safe Mode? What about if you log in as a different user?

    Regards,

    Aryeh Goretsky
     
  7. Jodell Bumatai

    Jodell Bumatai Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    9
    I got that too this week. Spybot found:

    SpyBoss one day
    SmartPCKeyLogger next day

    files: Memmand.vxd
     
  8. hillrb

    hillrb Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    44
    If you're savvy with the registry, you can try downloading a VB script from SilentRunners dot org. When you run it, it will list all of the programs that are starting up on your computer in a text file. Believe me, this is no simple program that shows the same things Windows does. It is the best thing that ever happened to me (for resolving suspicious computer activity at least).
     
  9. me345

    me345 Registered Member

    Joined:
    May 23, 2008
    Posts:
    2
    "I got that too this week. Spybot found:

    SpyBoss one day
    SmartPCKeyLogger next day

    files: Memmand.vxd"


    I'm having this exact same thing happen. Ive rebooted and scanned 3 times and the first time SpyBoss was detected , the second time was ComputerMonitorKeylogger and the third time was SmartPCKeyogger. If you figure this out please post!
    Thanks!
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send the file in question to samples[at]eset.com with this thread's url enclosed.
     
  11. me345

    me345 Registered Member

    Joined:
    May 23, 2008
    Posts:
    2
    I actually cant send the file memman.vxd because it was deleted the first time spybot detected spyboss on my computer. Then I rebooted and ran Spybot again and ComputerMonitorKeylogger showed up as a cookie. The third time I rebooted and ran spybot SmartPCKeylogger showed up in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\memman.vxd

    If I look in C:\Windows\System32 directory though the file memman.vxd is no longer there.

    Also the third time the ComputerMonitorKeylogger showed up as a cookie again.
     
Thread Status:
Not open for further replies.