
Keylogger installed?


9 replies to this topic

#1 miss merlin
  • Members

Posted 06 October 2011 - 10:48 AM

Hi,

I believe that I may have a keylogger installed on my computer. I can't ask the person who I suspect installed it, as they would only lie about it. But I do not trust them & they have done this in the past.

I have updated & run AVG & Spybot but nothing was found, but I am still not happy and still feel a little threatened by this.

Any help would be gratefully received.



#2 boopme
    To Insanity and Beyond
  • Global Moderator

Posted 06 October 2011 - 12:04 PM

Hello, usually an AV will pick these up, but we will look further.
Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [icon image] icon on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [checkbox image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 miss merlin
  • Topic Starter
  • Members

Posted 07 October 2011 - 01:38 AM

Hi,

Thank you for that. Here are the logs:

Security Check:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 9.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.4.6
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


MBAM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7887

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/10/2011 20:27:53
mbam-log-2011-10-06 (20-27-53).txt

Scan type: Quick scan
Objects scanned: 209884
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\POL (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

Files Infected:
c:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Donna\application data\2860b98 (Stolen.Data) -> Quarantined and deleted successfully.
c:\program files\POL\menu.gif (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\POL.003 (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\POL.004 (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\POL.006 (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\POL.007 (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\POL.chm (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\POL.exe (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\qs.html (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\tray.gif (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\uninstall.exe (PUP.ArdamaxKeyLogger) -> Not selected for removal.

ESET Log:
C:\Program Files\POL\POL.003 Win32/KeyLogger.Ardamax application cleaned by deleting - quarantined
C:\Program Files\POL\POL.004 a variant of Win32/KeyLogger.Ardamax.NBB application cleaned by deleting - quarantined
C:\Program Files\POL\POL.006 Win32/KeyLogger.Ardamax.NAL application cleaned by deleting - quarantined
C:\Program Files\POL\POL.007 Win32/KeyLogger.Ardamax application cleaned by deleting - quarantined
C:\Program Files\POL\POL.exe a variant of Win32/KeyLogger.Ardamax.NAY application cleaned by deleting - quarantined
D:\Adobe Acrobat 8 Professional.iso a variant of Win32/Keygen.AH application deleted - quarantined
D:\Prog Downloads\Apple_QuickTime_Pro_7.4.5\Apple.QuickTime.Pro.v7.4.5.Multilanguage.Incl.Keygen-DI\Keygen.exe a variant of Win32/Keygen.AR application cleaned by deleting - quarantined
D:\Usefull Programmes\Eset\nod32fix.reg Win32/HackAV.G application cleaned by deleting - quarantined
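The two logs above name the same family differently (MBAM's PUP.ArdamaxKeyLogger, ESET's Win32/KeyLogger.Ardamax), and the MBAM log shows the keylogger items marked "Not selected for removal", which is why they were still on disk when ESET ran. As an added example, not code from this thread or from Malwarebytes, here is a small Python triage script for the MBAM 1.5x log format: it parses the per-item lines under each "... Infected:" section, counts detections by name and by category, and lists every item the scan left behind. The sample excerpt is constructed in the shape of the posted log; the section and action vocabulary is taken from what appears in it.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated excerpt in the shape of the Malwarebytes
# 1.5x log posted in this thread (section header, then one line per item:
# path, detection name in parentheses, "->", action taken).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 7887

Folders Infected: 2
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Folders Infected:
c:\program files\POL (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

Files Infected:
c:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Donna\application data\2860b98 (Stolen.Data) -> Quarantined and deleted successfully.
c:\program files\POL\POL.exe (PUP.ArdamaxKeyLogger) -> Not selected for removal.
c:\program files\POL\uninstall.exe (PUP.ArdamaxKeyLogger) -> Not selected for removal.
"""

# "Files Infected:" with nothing after the colon opens a detail section;
# "Files Infected: 12" is a summary count in the log header and is skipped.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Infected:\s*$")
# path (may itself contain spaces), then "(Detection.Name) -> action."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

# Actions that mean MBAM actually dealt with the item. Anything else
# ("Not selected for removal", "No action taken") is still on the machine.
RESOLVED_PREFIXES = ("Quarantined", "Delete on reboot")


def parse_mbam_log(text):
    """Return one dict per detected item: section, path, name, action."""
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("("):
            continue  # header text, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return items


def summarize(items):
    """Count detections by full name and by category prefix (PUP, Trojan, ...)
    and list the paths MBAM did not remove."""
    by_name = Counter(i["name"] for i in items)
    by_category = Counter(i["name"].split(".", 1)[0] for i in items)
    unresolved = [i["path"] for i in items
                  if not i["action"].startswith(RESOLVED_PREFIXES)]
    return {"by_name": by_name, "by_category": by_category,
            "unresolved": unresolved}


def report(text):
    """Human-readable triage: totals per detection, then leftovers to act on."""
    items = parse_mbam_log(text)
    s = summarize(items)
    lines = [f"{len(items)} item(s) detected"]
    for name, n in s["by_name"].most_common():
        lines.append(f"  {n:3d}  {name}")
    if s["unresolved"]:
        lines.append("Still present (re-run the scan and remove these):")
        lines.extend(f"  {p}" for p in s["unresolved"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the posted log, the "Still present" list is exactly the POL folder and its files, which matches what ESET then had to clean; checking that list before declaring a machine clean is the point of the exercise.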

#4 boopme
    To Insanity and Beyond
  • Global Moderator

Posted 07 October 2011 - 02:42 PM

Hello, there it is: Ardamax Keylogger.
This is an application installed by someone.
If you want to rerun MBAM to see if anything shows again for removal this time, do so.

I also see keygens.

IMPORTANT NOTE: The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.

Using these types of programs or the websites you visited to get them is almost a guaranteed way to get yourself infected!!




You need to update both Java and Adobe Reader.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Similarly Update to Adobe Reader X (10.1.0)
Note: uncheck the box so you do not install the toolbar, unless you really want it.

Free! Google Toolbar search Google from any web page, block pop-ups

Yes, install Google Toolbar - optional


#5 miss merlin
  • Topic Starter
  • Members

Posted 07 October 2011 - 04:30 PM

Hi,

ESET I believe cleared most of the keylogger, but I found the folder that had the keylogger in it (from the scans) and managed to run uninstall, which deleted all the folders. I ran MBAM again, which found no threats.

I've removed programs with keygens that I can find. My ex used to download quite a lot so I don't really know what is on the computer.

Can't run the Java program. I downloaded it to the desktop, then when I click run, I get "JRE-7-windows-x64.exe not valid win32 application."

I've tried in admin (admin wouldn't accept as password is null and won't accept blank pw field) and tried running direct from website but still get same message.

Updated Adobe.

#6 boopme
    To Insanity and Beyond
  • Global Moderator

Posted 07 October 2011 - 08:38 PM

Ok, good then it is gone and thanks for removing the other junk.

Need to know if it's a 32- or 64-bit system.
To determine whether you are running a 32-bit or a 64-bit version of Windows:

If one does not work, try the other.

Method 1: View System Properties in Control Panel

1. Click Start, and then click Run.
2. Type sysdm.cpl, and then click OK.
3. Click the General tab. The operating system is displayed as follows:
  ◦ For a 64-bit version operating system: Windows XP Professional x64 Edition Version <Year> appears under System.
  ◦ For a 32-bit version operating system: Windows XP Professional Version <Year> appears under System.


Method 2: View System Information window

1. Click Start, and then click Run.
2. Type winmsd.exe, and then click OK.
3. When System Summary is selected in the navigation pane, locate Processor under Item in the details pane. Note the value.
  ◦ If the value that corresponds to Processor starts with x86, the computer is running a 32-bit version of Windows.
  ◦ If the value that corresponds to Processor starts with ia64 or AMD64, the computer is running a 64-bit version of Windows.

#7 miss merlin
  • Topic Starter
  • Members

Posted 08 October 2011 - 08:30 AM

Hi,

Found it was a 32-bit, and ran the appropriate download. Installed OK.

Anything else need doing or is that it?

Many thanks

#8 boopme
    To Insanity and Beyond
  • Global Moderator

Posted 08 October 2011 - 07:18 PM

You're welcome. That should be it. Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#9 miss merlin
  • Topic Starter
  • Members

Posted 09 October 2011 - 02:20 PM

Hi,

I've run Clean up on my C drive that has Program Files & Windows on it. Do I need to run it on the other drives as well? I have three, C, D & E drives. That was how it was partitioned when we had a major crash a few years ago.

Other than that, thank you very much. Just need to change all my passwords, then I'll feel safer again.

Once again, many thanks

MM

#10 boopme
    To Insanity and Beyond
  • Global Moderator

Posted 09 October 2011 - 07:20 PM

You can run it on the other drives except the one labelled "recovery".

You are most welcome.