Keylogger?

Discussion in 'other anti-trojan software' started by toploader, Sep 24, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi - i did an online Kaspersky scan and it says i have a keylogger in my system information folder?? yet the folder is empty!? i'm finding it hard to take Kaspersky seriously as a reliable scanner.


    Scan Statistics:
    Total number of scanned objects: 62807
    Number of viruses found: 4
    Number of infected objects: 6
    Number of suspicious objects: 0
    Duration of the scan process: 2223 sec

    Infected Object Name - Virus Name
    C:\downloads\NetworkActivPIAFCTMv1.5.exe Infected: not-a-virus:NetTool.Win32.Piafctm.152
    C:\Program Files\NetworkActiv PIAFCTM 1.5\NetworkActivPIAFCTMv1.5.exe Infected: not-a-virus:NetTool.Win32.Piafctm.152
    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/lview.exe Infected: not-a-virus:Monitor.Win32.IKeyLogger.12
    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/ik.dll Infected: Trojan-Spy.Win32.KeyLogger.cb
    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/web.dll Infected: Trojan-Spy.Win32.KeyLogger.dp
    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe Infected: Trojan-Spy.Win32.KeyLogger.dp

    Scan process completed.
     


  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    http://www.theeldergeek.com/system_volume_information_folder1.htm

    And FYI, Kaspersky is possibly the most reliable scanner there is.
     
  3. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Last edited: Sep 24, 2005
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Did you bother reading the page in the link?
     
  5. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    the scene Vegas - the big poker tournament is underway - at the table - Texas Slim (Kaspersky) Old Longhorn (Microsoft) Big Bear (Panda) The Geek (Elder Geek) The Square (A2) and toploader.

    The game has reached its climax....

    Texas Slim is coming on strong acting like he's got 4 aces in his hand - the question is he bluffing? is it a busted flush? Old Longhorn has been playing this game long before Texas Slim was born - Old Longhorn is playing his cards close to his chest - hey i got nothing in my folder toploader see it's empty you can believe me don't take any notice of Texas there he's a bluffing. Hold on thar Longhorn says the Geek - you ain't telling the truth you got plenty stashed away and i got the details of how to take a look. Old Longhorn gives the Geek one of his famous smiles and says yeah Geek but you copied those details from my website. Now if you don't believe me when i say my folder's empty how ya gonna believe anything else i tell ya - huh?

    The Square pipes up well i did a scan and i'm a telling ya their ain't nutting there boy it's as clean as a whistle! Toploader turns to Big Bear who says i'm with the Square i didn't find anything either.

    So toploader whatcha gonna do boy - you gonna call Texas Slim's bluff - you willing to put your money where your mouth is boy. you get this one wrong an you is gonna be living in a cardboard box after all your bank accounts have been ripped.

    Throwing all his credit cards in the pot toploader logged onto all his bank sites exposing all his details - if there's a keylogger trojan on his computer then he's gonna be typing on this forum with a cardboard computer and tin cans for modems.
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I hope this wasn't on one of the sports channels because poker is not a sport. :D
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    This is fun and all, but just to ask, do you have the XP system restore on? Chances are that if you didn't disable it, then the folder is most definitely NOT empty; it's just that you can't see the contents by browsing manually. It's possible (though frankly, rare) to see false positives in Kaspersky, but I really doubt it would imagine files that don't actually even exist.
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    The file size is showing as 0 because you got the folder properties AFTER the scan during which KAV probably quarantined the files or is blocking access, so it will show as 0 bytes. The only way to remove a file from Sys Restore is to turn it off and then back on. Restore points are cumulative so you can't just delete the file, then every point after that will fail anyway if you attempt a restoration. Turn it off then back on problem solved.
     
  9. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi flyrfan - yes that's what i did - turned off restore points and rebooted ( i believe you have to do that for it to take effect) - i think these alerts probably came up in a previous scan i did with KAV some weeks back i didn't take much notice of it at the time cos i was playing with keylogger software - i had deliberately downloaded and so assumed it was something to do with that. thanks for your help.
     
    Last edited: Sep 25, 2005
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi TNT - yes restore was on and i switched off and rebooted to be on the safe side.

    i know KAV is a top notch scanner - i think the result threw me for a while took me a while to treat it seriously and go through the learning curve to understand what was happening. did a google search - one or two had similar problems - hopefully switching restore off/on solves the problem - it's kind of surreal in a way i still have difficulty in believing it's for real but i'm not blaming KAV for that. i've had quite a few alerts from different software scanners over the last few months one was real (a java trojan) the others i'm pretty sure were false positives. never a dull moment with a disk scan :D thanks for your help BTW
     
    Last edited: Sep 25, 2005
  11. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    did another scan - just for the record switching off system restore cleared the "whatever it was"
     
  12. controler

    controler Guest

    LOL

    A few years back, I wondered why scanners were not scanning the Sys restore folder and did a bit of research. EVERY file you ever download to your desktop gets a copy saved in sys restore if turned on.
    Now Toploader was testing a few commercial keyloggers the other day and forgot when he downloaded them, a copy went to desktop.
    A lot of software now cleans the sys restore folder as well but usually you have to be in safe mode.
    Since I don't use sys restore any longer. Mr Reformat here LOL
    I don't know if just turning it off then on wipes the old stored points or not.
    It used to which I always thought was funny. Maybe somebody can try it and post back.
    It was not that long ago that scanners didn't scan windows hidden files OR
    the Sys Restore folder. SO you were pretty much safe unless you knew how to view those hidden folders and then went in to sys restore and actually clicked on one of them nasties.
    I still wonder what new things will show up in Vista.

    For some reason I can not run the new KIS Beta on my VMware machine.
    KAV keeps throwing the same alert at me every time I click on something in the virtual machine. Oh dear.


    controler
     
  13. mrsquiggle

    mrsquiggle Guest

    It shows as 0 bytes because you don't have access to the file, only SYSTEM does. Right-click, choose permissions and ADD yourself (your user name) and give full control. Then look, lots of files :)

    For any interested parties, KAV was certainly not wrong. It found those correct filenames embedded in a package. See the IK.DLL ? IK = Invisible Keylogger ?, the others are a log viewer (LVIEW.EXE) and web.dll is probably a browser plugin for stealing form data.

    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/lview.exe Infected: not-a-virus:Monitor.Win32.IKeyLogger.12
    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/ik.dll Infected: Trojan-Spy.Win32.KeyLogger.cb
    C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP4\A0000484.exe/web.dll Infected: Trojan-Spy.Win32.KeyLogger.dp
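    An added example, not posted by anyone in the thread: a small Python parser for report lines of the shape quoted above. It separates the on-disk container from the member KAV found inside it (the `/` separator and the `Infected:` layout are assumed from the quoted lines), flags `not-a-virus:` riskware verdicts, and tells apart live files from copies held inside a System Restore point, which is the distinction the replies turn on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the online-scan report quoted in the thread.
SAMPLE_REPORT = """\
C:\\downloads\\NetworkActivPIAFCTMv1.5.exe Infected: not-a-virus:NetTool.Win32.Piafctm.152
C:\\System Volume Information\\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\\RP4\\A0000484.exe/lview.exe Infected: not-a-virus:Monitor.Win32.IKeyLogger.12
C:\\System Volume Information\\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\\RP4\\A0000484.exe/ik.dll Infected: Trojan-Spy.Win32.KeyLogger.cb
C:\\System Volume Information\\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\\RP4\\A0000484.exe Infected: Trojan-Spy.Win32.KeyLogger.dp
"""

# "<object> Infected: <verdict>"; the object may be "container/member" for packed files.
LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+)$")
# Path of a System Restore snapshot: \System Volume Information\_restore{GUID}\RPn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.I)


@dataclass
class Detection:
    container: str                 # the file on disk that the scanner opened
    member: Optional[str]          # embedded file inside it (e.g. "ik.dll"), if any
    verdict: str                   # scanner's classification string
    riskware: bool                 # True for "not-a-virus:" verdicts (legit-but-risky tools)
    restore_point: Optional[str]   # e.g. "RP4" when the copy lives in a restore snapshot


def parse_report(text: str) -> List[Detection]:
    """Parse report lines; lines that do not match the expected shape are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        obj, verdict = m.group("obj"), m.group("verdict")
        container, _, member = obj.partition("/")   # assumed member separator
        rp = RESTORE_RE.search(container)
        found.append(Detection(container, member or None, verdict,
                               verdict.startswith("not-a-virus:"),
                               rp.group("rp") if rp else None))
    return found


def triage(dets: List[Detection]) -> Tuple[Dict[str, List[Detection]], Dict[str, List[Detection]]]:
    """Group by container: live files vs. copies only held in System Restore snapshots."""
    live: Dict[str, List[Detection]] = {}
    archived: Dict[str, List[Detection]] = {}
    for d in dets:
        (archived if d.restore_point else live).setdefault(d.container, []).append(d)
    return live, archived
```

    Copies that land only in the `archived` bucket are exactly the ones that clearing the restore points removes; anything in `live` is still on the running system.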
     
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the info MrSquiggle - it's long gone now - switching off system restore flushed it.

    Kaspersky is still my number one second opinion :)
     
  15. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707