Keylogger

I believe my system is infected with a keylogger. AVAST has not detected it. Can someone tell me how to go about cleaning my system of this keylogger?

Thanks in advance.

Hi and welcome,

As to your issue, more details are needed, obviously. How did you detect it? What are the signs that you have a keylogger?

I would try this free application: A-Squared Free, http://www.emsisoft.com/en/software/free/

What are the symptoms behind your suspicions?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.

What is your firewall?
The reason for asking: for key-loggers to be of any use they must send the data they gather home, and a firewall with outbound protection would be a line of defence.
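The post above rests on one observation: a keylogger is only useful to its operator if it can send its capture somewhere, so the practical check is to list the established outbound connections on the box together with the process that owns each one and look for anything you do not recognise. The script below is an added example and not code from anyone in the thread. The `netstat -ano` and `tasklist` text it parses is constructed for the example (the thread contains no such output); on a real Windows XP machine you would paste in the output of those two commands. The allowlist of internet-facing processes is an assumption and has to be built from what is actually installed.

```python
"""Which processes hold outbound connections, and do I recognise them?

Added example for this thread, not code from any of the posters: a
keylogger is only useful if it can send its capture home, so list the
established outbound connections with their owning process and look for
anything unexpected. The netstat and tasklist text below is constructed
for the example (the thread contains no such output); on a real Windows
XP box you would paste in the output of `netstat -ano` and `tasklist`.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample in `netstat -ano` layout (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1876
  TCP    192.168.1.5:1050       203.0.113.10:80        ESTABLISHED     1876
  TCP    192.168.1.5:1051       198.51.100.7:443       ESTABLISHED     1876
  TCP    192.168.1.5:1060       203.0.113.99:6667      ESTABLISHED     2232
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in `tasklist` layout (PID -> image name), not from the thread.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  964 Console                 0      4,120 K
firefox.exe                 1876 Console                 0     61,004 K
svchost.exe                 2232 Console                 0      3,980 K
"""

# Processes expected to talk to the internet on this machine. Assumption
# for the example; build the real list from what is actually installed.
ALLOWLIST = {"firefox.exe", "ashWebSv.exe", "ashMaiSv.exe", "aswUpdSv.exe", "jusched.exe"}

_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Parse `netstat -ano` lines into Conn tuples; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def is_outbound(conn):
    """An established TCP session whose peer is not this machine."""
    return (conn.proto == "TCP" and conn.state == "ESTABLISHED"
            and not conn.remote.startswith(("0.0.0.0", "127.", "*")))


def suspicious_outbound(netstat_text, tasklist_text, allowlist=ALLOWLIST):
    """Return (image, remote, pid) for outbound sessions owned by processes
    not on the allowlist; these are the ones to look at first. A hit on a
    host process such as svchost.exe is not a verdict: run `tasklist /svc`
    to see which service inside it owns the connection."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        image = procs.get(c.pid, "<unknown pid>")
        if is_outbound(c) and image not in allowlist:
            hits.append((image, c.remote, c.pid))
    return hits


if __name__ == "__main__":
    for image, remote, pid in suspicious_outbound(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("investigate: %s (pid %d) -> %s" % (image, pid, remote))
```

On the constructed sample the only hit is the second svchost.exe instance talking to port 6667; the browser sessions are on the allowlist and the loopback session is skipped. Pairing this with the firewall's own outbound log catches the case where a process connects briefly and is gone before you run netstat.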

Thanks Logos.

I can tell that there is an application monitoring my keystrokes because there is a lag/delay during typing. It was not present before, but after surfing I seem to notice that it picked up. I have WinPatrol installed and running in the background. Also, I don’t have any other applications running at the same time when typing.

Please advise, and thanks to everyone for their replies.

I’m afraid this doesn’t mean you have a keylogger. Keyloggers in general should be able to record your keystrokes instantly without you noticing anything. The delay you get comes from something else. Check your keyboard settings ;) … if it’s not that, it’s something else that might be broken on your install… malware, maybe. Did you run a malware scan as suggested (with SAS and/or MAB)?

I have noticed that my firewall application has warned me that it discovered that its security file(s) had been tampered with but were now restored, and that I should run a spyware/antivirus scan. I’ve seen this warning once now.

Thanks again

The way to prevent future keyloggers by encrypting your keystrokes is to use KeyScrambler from QFX Software.

Many thanks

You type something fairly quickly, and what happens is you finish typing and the characters only become visible a split second afterwards. So you’re ahead of the keystrokes. This happens often now.
My firewall is PC Tools Firewall Plus.

Thanks for the reply. I will give that a try. Would you know how to tell if it’s working once downloaded and installed? Is there a way to test it out?

Type some numbers in the address bar and look at the system tray where the KeyScrambler icon is; it will show it randomizing the numbers into a different sequence.

That should give reasonable protection against unauthorised outbound connections, making it harder if there were a key-logger on the system to upload captured data.

Thanks again Logos. Yes, I’ve taken the advice of DavidR and downloaded Malwarebytes, A-Squared and SuperAntiSpyware. Nothing showed up on any of the scans. I honestly feel that this malware has stealth capabilities. Hence another reason for thinking it’s a keylogger.

Maybe do a HijackThis log for them so they can check your PC further?

Thanks for the tip. I downloaded this program and ran a scan. It found some suspect files which it uploaded. The files were not quarantined or cleaned since they were only suspect.

Logfile of HijackThis v1.99.1
Scan saved at 12:02:19 PM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrivacyKeyboard\akl_svc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\HiJackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\a-squared Free\a2service.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe /autorun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AUSER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: PrivacyKeyboard Service (akl_svc") - Unknown owner - C:\Program Files\PrivacyKeyboard\akl_svc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Is that the full log? I don’t see the end of the file. You can also attach the log file to a post in the forum. Click the “Additional Options…” link near the end of the post, click “choose file”, browse to the log file and click open. Then click post.

Things are not going too well right now. For some reason my computer is running really slowly and Firefox has really started to act up. The lag/delay in my keystrokes is a lot more obvious.

Yes, that’s the full/complete log. It’s not the Trend Micro version of HijackThis but the one found here:
http://majorgeeks.com/download3155.html . Sorry for the late response. Victor.


The old version of HJT that you used may not give complete or correct results.

An analysis of the HJT log supplied shows these problems:

MSIE: Internet Explorer v7.00 (7.00.6000.16915)
A newer version of IE has been available for many months. You should consider upgrading to the more secure IE8.

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

There were several questionable entries for “PrivacyKeyboard.” Research shows that these should be OK and the entries may be due to using the old version of HJT … then again, maybe not due to the old version.

http://www.bleepingcomputer.com/startups/privacykeyboard-10344.html

You possibly have 2 firewalls running, which is not recommended:

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Overview of running tasks:

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
MsMpEng.exe - Anti-adware/spyware software - Microsoft Windows Defender Antispyware
smc.exe - Firewall - Sygate Personal Firewall
Explorer.EXE - System task - Microsoft Windows Explorer
aswUpdSv.exe - Virus scan - Avast Anti-Virus Component
ashServ.exe - Virus scan - Avast
spoolsv.exe - System task - Microsoft Printer Spooler Service
akl_svc.exe - Unknown task (PrivacyKeyboard) - Unknown task
mscorsvw.exe - System task - .NET Runtime Optimization Service
GhostStartService.exe - Background task - Required to run the Windows based wizard in Norton Ghost
jqs.exe - Background task - Java Quick Starter Service
FWService.exe - Firewall - PC Tools Firewall Plus service
RichVideo.exe - Background task - Cyberlink Power Director Video Module
ashMaiSv.exe - Virus scan - Avast Anti-Virus Component
ashWebSv.exe - Virus scan - avast! Web Scanner
jusched.exe - Background task - Sun Java Update Scheduler
GhostStartTrayApp.exe - Background task - System Tray access to Norton Ghost
MSASCui.exe - Anti-adware/spyware software - Microsoft Windows Defender Antispyware
PDVDServ.exe - Background task - PowerDVD Remote Control
PrivacyKeyboard.exe - Security software - PrivacyKeyboard
FirewallGUI.exe - Firewall - PC Tools Firewall GUI
winpatrol.exe - Background task - WinPatrol
ashDisp.exe - Virus scan - Avast AntiVirus
SUPERAntiSpyware.exe - Anti-adware/spyware software - SUPERAntiSpyware
svchost.exe - System task - Microsoft Service Host Process
firefox.exe - Application - Mozilla Firefox
HijackThis.exe - Application - Merijn HijackThis
avast.setup - Virus scan - avast! Antivirus
a2service.exe - Background task - a-squared Service
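The analysis above was done by eye: find the entries whose binary is missing, the services HijackThis could not attribute to a vendor, and the two firewall services. The script below is an added example, not part of the thread and not HijackThis's own code. It parses the O4 (autorun), O20 (Winlogon Notify) and O23 (service) lines of a HijackThis 1.99-style log and produces those same findings. The excerpt it runs on is copied from the log posted earlier in the thread; treating any service whose name contains "firewall" as a firewall is an assumption made for the example.

```python
"""Triage of a HijackThis log.

Added example, not part of the thread and not HijackThis's own code: it
parses the O4 (autorun), O20 (Winlogon Notify) and O23 (service) lines of
a HijackThis 1.99-style log and flags what the reply above checked by
hand: entries whose binary is missing, services with no recognised owner,
and more than one firewall service installed. The excerpt below is copied
from the log posted earlier in the thread; treating a service name that
contains "firewall" as a firewall is an assumption made for the example.
"""
import re
from collections import namedtuple

HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe /autorun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: PrivacyKeyboard Service (akl_svc") - Unknown owner - C:\Program Files\PrivacyKeyboard\akl_svc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# kind is "autorun", "winlogon-notify" or "service"; for autoruns the
# owner field carries the registry hive instead of a vendor name.
Entry = namedtuple("Entry", "kind name owner path")

# The backslash before ".." is optional so that a log pasted through a
# forum that ate the backslash (HKLM..\Run) still parses.
_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
_FIREWALL = re.compile(r"firewall", re.IGNORECASE)  # assumption, see lead-in


def binary_of(cmd):
    """Strip quotes and arguments from an O4 command line, leaving the
    executable path so it can be checked on disk or submitted to a scanner."""
    m = re.match(r'"?(.*?\.(?:exe|dll|scr|cpl))', cmd.strip(), re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def parse_hjt(text):
    """Turn the O4/O20/O23 lines of a log into Entry tuples; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O4.match(line)
        if m:
            entries.append(Entry("autorun", m.group("name"), m.group("hive"), binary_of(m.group("cmd"))))
            continue
        m = _O20.match(line)
        if m:
            entries.append(Entry("winlogon-notify", m.group("name"), "", m.group("path")))
            continue
        m = _O23.match(line)
        if m:
            entries.append(Entry("service", m.group("name"), m.group("owner"), m.group("path")))
    return entries


def triage(text):
    """Return (finding, kind, name) tuples. "unknown-owner" only means the
    binary carries no recognised version information; legitimate software
    shows up that way too, so it is a prompt to verify the file, not a verdict."""
    entries = parse_hjt(text)
    findings = []
    for e in entries:
        if "(file missing)" in e.path:
            findings.append(("missing-binary", e.kind, e.name))
        if e.kind == "service" and e.owner.lower() == "unknown owner":
            findings.append(("unknown-owner", e.kind, e.name))
    firewalls = [e.name for e in entries if e.kind == "service" and _FIREWALL.search(e.name)]
    if len(firewalls) > 1:
        findings.append(("multiple-firewalls", "service", "; ".join(firewalls)))
    return findings


if __name__ == "__main__":
    for finding, kind, name in triage(HJT_EXCERPT):
        print("%-18s %-16s %s" % (finding, kind, name))
```

On the excerpt it reports the dead dimsntfy Winlogon Notify entry, the PrivacyKeyboard service with no recognised owner, and the two firewall services, which is exactly the list the reply above arrived at by hand. The autorun paths that `binary_of` extracts are the files worth checking on disk (size, version information, scan results) when the log itself gives no verdict.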