Do I Have a Keylogger Installed on My PC?

blinkstar

Member
Aug 28, 2007
I ran a-squared today and it gave me this:

detected: Trace.File.SC Keylog

c:\documents and settings\my user name\application data\microsoft\internet explorer\quick launch\main.lnk



So I googled the above information and found this from Symantec:

http://www.symantec.com/securi...080515-5409-99&tabid=2

When Spyware.SCKeyLogger is installed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\SC-KeyLog PRO DEMO\Main.chm
* %ProgramFiles%\SC-KeyLog PRO DEMO\Main.exe
* %ProgramFiles%\SC-KeyLog PRO DEMO\Uninstall.exe
* %System%\[RANDOM CHARACTERS].dat
* %System%\[RANDOM CHARACTERS].dll
* %System%\[RANDOM CHARACTERS].exe
* %SystemDrive%\[RANDOM CHARACTERS].exe
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Main.lnk
* %UserProfile%\Desktop\Main.lnk
* %UserProfile%\Start Menu\Programs\SC-KeyLog PRO DEMO\Documentation.lnk
* %UserProfile%\Start Menu\Programs\SC-KeyLog PRO DEMO\Main.lnk
* %UserProfile%\Start Menu\Programs\SC-KeyLog PRO DEMO\Uninstall.lnk

Notes:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the following registry subkeys:

HKEY_ALL_USERS\Applications\main.exe
HKEY_ALL_USERS\Software\SC-KeyLog PRO
HKEY_CLASSES_ROOT\.kla
HKEY_CLASSES_ROOT\klafile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SC-KeyLog PRO

3. Creates the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\[RANDOM CHARACTERS]



Now here's the thing: while a-squared did find one of the files listed above, that being %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Main.lnk, it didn't find ANY of the others above. When I looked for the reg files above, I found none (one kind of odd thing is that I don't even have an HKEY_ALL_USERS listing in my registry).

So does this mean this was a false positive? Why would I have the "Main.lnk" file but none of the others?

I'd be grateful for any and all input anyone can offer!
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Malware evolves, so don't expect to find it verbatim as per Symantec's writeup. I just finished battling it out with a rootkit-protected logger that, even after being flushed from the protection of the rootkit, still was not detected by lots of security software.

So the safe bet, if you think your system's compromised, is to nuke your system, start over, and never break the "chain of trust" anywhere (not installing anything that's questionable, keeping the system secured the entire time, etc.). Next-best is to run a whole bunch of rootkit-detection utilities and antivirus scanners on your system.

Online antivirus scanners: try F-Secure's, Symantec's, Microsoft's, TrendMicro's and Panda's online scanners in addition to whatever antivirus software you use now.

Rootkit scanners: F-Secure's online scanner also runs a rootkit check. McAfee Rootkit Detective and Panda Anti-Rootkit are a couple others to try.



Bigger picture: malware doesn't just happen. It came from somewhere. Check your system for vulnerabilities with Secunia's Personal Software Inspector and use a layered defense. An ounce of prevention... ;) yeah.
 

blinkstar

Member
Aug 28, 2007

Thanks for the great list of resources, mechBgon! I really appreciate it. I'm running the online scanners right now.

Hey, in another thread here you wrote:

Originally posted by: mechBgon
If your WinXP system is running any publicly-reachable services (a P2P client or whatever), make Windows run those services under a Limited account's credentials, and restrict that account to as little of your filesystem as will work, so that if the service gets exploited, it's on a short leash, rather than having extensive/complete power over your system.

Can you tell me how to do that? Or point me to a link that does? I do have a P2P client and I am afraid that that is the weak link ....

 

blinkstar

Member
Aug 28, 2007
Ran F-Secure, TrendMicro, Symantec and Avira AntiVir and found nothing. I'm wondering if this might not have been a false positive. To be on the safe side, I've changed my main logon from admin to a limited account as you advise, mechBgon. One question: Do I need to password protect my admin account? Or do I not have to worry about that since I'll be logging on under my limited account?

Thanks again for your help!!!

EDIT: The "limited account" option really seems to cripple a lot of my software .. not sure that solution is going to work out.
 

lusher

Member
Aug 17, 2007
Relax, I'm 99.999% sure you got a FP. Hint: in the future, if you think you might have a FP, check the support forums of said product to see if others are reporting similar finds.

If you see a dozen posters suddenly report being infected after a new update, and all these posters are highly secure and paranoid individuals, you can be fairly sure that it's a FP, though no doubt being paranoid you might still want to run a dozen scans :). My own experience with a-squared is that it has its fair share of FPs.

Time to spam my favourite resource pages...

http://wiki.castlecops.com/Online_antivirus_scans - List of online scanners...

http://wiki.castlecops.com/Lis...ware_Security_Software - List of free security products organized by category. You might want to check out the antivirus, antispyware and particularly the antirootkit pages..


 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: blinkstar
Ran F-Secure, TrendMicro, Symantec and Avira AntiVir and found nothing. I'm wondering if this might not have been a false positive. To be on the safe side, I've changed my main logon from admin to a limited account as you advise, mechBgon. One question: Do I need to password protect my admin account? Or do I not have to worry about that since I'll be logging on under my limited account?

If you password-protect your Admin account, then you can right-click stuff while holding down the SHIFT key and use the Run As option to run things as Admin from within your Limited account. So giving the account a password is useful for this reason; RunAs won't work with blank/non-existent passwords.

EDIT: The "limited account" option really seems to cripple a lot of my software .. not sure that solution is going to work out.

See the tips at http://www.mechbgon.com/build/LimitedSW.html and let me know what software still has problems after you make those adjustments.

 

blinkstar

Member
Aug 28, 2007
Thanks to you both for your detailed responses!

lusher--I tried a little experiment. I created a folder called "main" on my desktop, and I made a shortcut to it and put it in my c:\documents and settings\my user name\application data\microsoft\internet explorer\quick launch\ folder. Then I ran A-Squared.

Bingo. I got the exact same "Trace.File.SC Keylog c:\documents and settings\my user name\application data\microsoft\internet explorer\quick launch\main.lnk" as before.

Here's what I think happened. The SC Keylog program typically leaves a shortcut called "main" in the above folder. But I actually DID have a folder on my desktop called "main" at some point, and there was a shortcut to it in the above folder, and A-Squared saw it and reported it as trace of the keylogger. But it wasn't ... I hope.

mechBgon--I'll check out those tips for running a limited account. The weird thing is, when I boot up under a limited account, my games seem to run faster! Don't know why that would be, but it's a nice little bonus in addition to the added security, so I'd like to keep running the limited ...

Thanks again guys!
 

lusher

Member
Aug 17, 2007
Indeed. Blinkstar, you learnt a valuable lesson on why detection based on file and folder names alone is a dumb idea. But it seems the antispyware (antitrojans to some extent) like to do this more than AVs.

Ditto for registry "traces". A malware maker can foul people up by registering registry keys that are used by other safe, legitimate applications... causing tons of confusion.
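The thread's lesson (blinkstar's experiment with a harmless shortcut called "main", and lusher's point about name-only detection) is that a hit on a file name such as Main.lnk says nothing until you look at what the shortcut actually points to. The block below is an added example, not code from the thread, from a-squared or from Symantec: it reads the target path out of a Windows Shell Link (.lnk) file using the documented MS-SHLLINK layout (header LinkFlags, then LinkInfo with a LocalBasePath), and only treats a Main.lnk as corroborating the Symantec writeup if its target sits inside the "SC-KeyLog PRO DEMO" program folder named there. The `build_lnk` helper constructs sample shortcuts in memory so the check runs offline; the user name in the benign sample path is constructed, and `assess_main_lnk` is a hypothetical name for the triage step.

```python
import struct
from typing import Optional, Tuple

# Shell Link header LinkFlags bits (MS-SHLLINK 2.1.1) used below.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit (MS-SHLLINK 2.3)

# Program folder named in the Symantec writeup quoted in the thread.
KEYLOGGER_FOLDER = "sc-keylog pro demo"


def build_lnk(local_base_path: str, description: str = "") -> bytes:
    """Construct a minimal, well-formed .lnk whose LinkInfo points at
    local_base_path. Sample data built here for the demo; Windows writes
    richer shortcuts (ID lists, timestamps), which the reader tolerates."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_NAME if description else 0)
    header = struct.pack(
        "<I16sIIQQQIIIHHII", 0x4C,
        bytes.fromhex("0114020000000000c000000000000046"),  # ShellLink CLSID
        flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)              # ShowCommand = 1
    # VolumeID: size 17, DRIVE_FIXED, serial 0, label at offset 16 (empty).
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"
    base = local_base_path.encode("cp1252") + b"\x00"       # LocalBasePath
    body = volume_id + base + b"\x00"                       # CommonPathSuffix ""
    link_info = struct.pack(
        "<IIIIIII", 28 + len(body), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
        28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(base)) + body
    name = b""
    if description:  # NAME_STRING: CountCharacters + UTF-16LE text
        name = struct.pack("<H", len(description)) + description.encode("utf-16-le")
    return header + link_info + name


def lnk_target(data: bytes) -> Optional[str]:
    """Return the LocalBasePath stored in a .lnk, or None if it has none."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip the ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off
            return data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += size
    return None


def assess_main_lnk(lnk_data: bytes) -> Tuple[str, Optional[str]]:
    """Triage a name-based 'Main.lnk' hit by what the shortcut resolves to.
    Hypothetical helper: returns a verdict label and the resolved target."""
    target = lnk_target(lnk_data)
    if target and KEYLOGGER_FOLDER in target.lower():
        return "corroborated", target
    return "name-only", target


if __name__ == "__main__":
    # Constructed samples: blinkstar's harmless desktop folder vs. a shortcut
    # into the folder the writeup attributes to SC-KeyLog.
    benign = build_lnk(r"C:\Documents and Settings\someuser\Desktop\main", "main")
    suspect = build_lnk(r"C:\Program Files\SC-KeyLog PRO DEMO\Main.exe")
    for label, blob in (("desktop folder", benign), ("program folder", suspect)):
        print(label, assess_main_lnk(blob))
```

A "name-only" verdict is exactly the situation in the thread: the shortcut exists, but its target has nothing to do with the listed program folder, and none of the executables or registry keys from the writeup are present, so the hit should be treated as unconfirmed rather than as evidence of infection. The same idea applies to registry "traces": check what a key's values point at, not merely that a key with a familiar name exists.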