Keylogger?

hi - i did an online Kaspersky scan and it says i have a keylogger in my system information folder?? yet the folder is empty!? i'm finding it hard to take Kaspersky seriously as a reliable scanner.


Scan Statistics:
Total number of scanned objects: 62807
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 2223 sec

Infected Object Name - Virus Name
C:\downloads\NetworkActivPIAFCTMv1.5.exe Infected: not-a-virus:NetTool.Win32.Piafctm.152
C:\Program Files\NetworkActiv PIAFCTM 1.5\NetworkActivPIAFCTMv1.5.exe Infected: not-a-virus:NetTool.Win32.Piafctm.152
C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/lview.exe Infected: not-a-virus:Monitor.Win32.IKeyLogger.12
C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/ik.dll Infected: Trojan-Spy.Win32.KeyLogger.cb
C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/web.dll Infected: Trojan-Spy.Win32.KeyLogger.dp
C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe Infected: Trojan-Spy.Win32.KeyLogger.dp

Scan process completed.

 

http://www.theeldergeek.com/system_volume_information_folder1.htm

And FYI, Kaspersky is possibly the most reliable scanner there is.

 

so why is it flagging an empty file?

 

Did you bother reading the page in the link?

 

the scene Vegas - the big poker tournament is underway - at the table - Texas Slim (Kaspersky) Old Longhorn (Microsoft) Big Bear (Panda) The Geek (Elder Geek) The Square (A2) and toploader.

The game has reached it's climax....

Texas Slim is coming on strong acting like he's got 4 aces in his hand - the question is he bluffing? is it a busted flush? Old Longhorn has been playing this game long before Texas Slim was born - Old Longhorn is playing his cards close to his chest - hey i got nothing in my folder toploader see it's empty you can believe me don't take any notice of Texas there he's a bluffing. Hold on thar Longhorn says the Geek - you ain't telling the truth you got plenty stashed away and i got the details of how to take a look. Old Longhorn gives the Geek one of his famous smiles and says yeah Geek but you copied those details from my website. Now if you don't believe me when i say my folder's empty how ya gonna believe anything else i tell ya - huh?

The Square pipes up well i did a scan and i'm a telling ya their ain't nutting there boy it's as clean as a whistle! Toploader turns to Big Bear who says i'm with the Square i didn't find anything either.

So toploader whatcha gonna do boy - you gonna call Texas Slim's bluff - you willing to put your money where your mouth is boy. you get this one wrong an you is gonna be living in a cardboard box after all your bank accounts have been ripped.

Throwing all his credit cards in the pot toploader logged onto all his bank sites exposing all his details - if there's a keylogger trojan on his computer then he's gonna be typing on this forum with a cardboard computer and tin cans for modems.

 

I hope this wasn't on one of the sports channels because poker is not a sport.

 

This is fun and all, but just to ask, do you have the XP system restore on? Chances is that if you didn't disable it, then the folder is most definiteny NOT empty; it's just that you can't see the contents by browsing manually. It's possible (though frankly, rare) to see false positives in Kaspersky, but I really doubt it would imagine files that don't actually even exist.

 

The file size is showing as 0 because you got the folder properties AFTER the scan during which KAV probably quarantined the files or is blocking access, so it will show as 0 bytes. The only way to remove a file from Sys Restore is to turn it off and then back on. Restore points are cumulative so you can't just delete the file, then every point after that will fail anyway if you attempt a restoration. Turn it off then back on problem solved.

 

hi flyrfan - yes that's what i did - turned off restore points and rebooted ( i believe you have to do that for it to take effect) - i think these alerts probably came up in a previous scan i did with KAV some weeks back i didn't take much notice of it at the time cos i was playing with keylogger software - i had deliberately downloaded and so assumed it was something to do with that. thanks for your help.

 

hi TNT - yes restore was on and i switched off and rebooted to be on the safe side.

i know KAV is a top notch scanner - i think the result threw me for a while took me a while to treat it seriously and go through the learning curve to understand what was happening. did a google search - one or two had similar problems - hopefully switching restore off/on solves the problem - it's kind of surreal in a way i still have difficulty in believing it's for real but i'm not blaming KAV for that. i've had quite a few alerts from different software scanners over the last few months one was real (a java trojan) the others i'm pretty sure were false positives. never a dull moment with a disk scan thanks for your help BTW

 

did another scan - just for the record switching off system restore cleared the "what ever it was"

 

LOL

A few years back, I wondered why scanners were not scanning the Sys restore folder and did a bit of research. EVERY file you ever download to your desktop get's a copy saved in sys restore if turned on.
Now Toploader was testing a few commercial keyloggers the other day and forgot when he downloaded them, a copy went to desktop.
Alot of software now cleans the sys resotre folder as well but usualy you have to be in safe mode.
Since I don't use sys restore any longer. Mr Reformat here LOL
I don't know if just turneing it off then on wipes the old stored points or not.
It used to which I always thought was funny. Maybe somebody can try it and post back.
It was not that long ago that scanners didn't scan windows hidden files OR
the Sys Restore folder. SO you were pretty much safe unless you knew how to view those hidden folders and then went in to sys retore and actualy clicked on one of them nasties.
I still wonder what new things will show up in Vista.

For some reason I can not run the new KIS Beta on my VMware machine.
KAV keeps throughing the same alert at me every time I click on something in the virtual machine. Oh dear.


controler

 

It shows as 0 bytes because you dont have access to the file, only SYSTEM does. Right-click, choose permissions and ADD yourself (your user name) and give full control. Then look, lots of files

For any interested parties, KAV was certainly not wrong. It found those correct filenames embedded in a package. See the IK.DLL ? IK = Invisible Keylogger ?, the others are a log viewer (LVIEW.EXE) and web.dll is probably a browser plugin for stealing form data.

Information_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}RP4A0000484.exe/lview.exe Infected: not-a-virus:Monitor.Win32.IKeyLogger.12
C:System Volume Information_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}RP4A0000484.exe/ik.dll Infected: Trojan-Spy.Win32.KeyLogger.cb
C:System Volume Information_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}RP4A0000484.exe/web.dll Infected: Trojan-Spy.Win32.KeyLogger.dp

 

thanks for the info MrSquiggle - it's long gone now - switching off system restore flushed it.

Kaspersky is still my number one second opinion

 

this one's been round before