PC security general information - 2 Topics merged
Posted 12 January 2008 - 02:51 PM
A few months ago, my WoW account was compromised. I was positive there was a keylogger on my computer. I was running WinXP at the time. I downloaded and ran a ton of antivirus software (Kaspersky, BitDefender, Norton, AVG, ZoneAlarm) and they all gave me a clean report. I remember having a trojan (deoplive) from using the Japanese Share program a while back, and I had a paid Norton subscription at the time but it wasn't able to find it. I came to the conclusion that spyware and viruses are not the same, and maybe that is why I couldn't detect the keylogger with AV. I decided to purchase CounterSpy in the end because it was 20 dollars and had fairly good reviews.
I had CounterSpy do a daily scan at 4am every day for a week and I got clean reports every time. Then one day I woke up and CS found a keylogger, SKLog. It shows 2 minidump.dmp files as affected files. I don't remember the exact paths since I am not at my home computer right now, but I think one of them is C:\windows\minidump.dmp, and I think the other one is in the sys32 folder. I quarantined the files and ran another scan; the report is clean.
Fast forward to 2008: I upgraded to Vista a week ago. I got another hit for SKLog last night from CounterSpy's scan; I have had CS installed for a week already. The affected files are the same 2 dmp files. This is a fresh install of Vista, so I am trying to retrace my steps to figure out what it is that is delivering this logger to my computer. This is where I need some help understanding how spyware works.
What does it mean when the spyware is found in the 2 dmp files? Are the dump files cache files (i.e., contents keep changing)? When I look up SKLog in spyware databases, I see ist2.exe, skl0g.exe, and I think a fake Windows Update KB file as file traces for this keylogger. I don't see any of these files on my computer. I guess the big question is, is the trojan still on my computer now, after quarantining the 2 dmp files?
I have been fairly cautious since the fresh install of Vista, so I really have no idea how to begin to pinpoint what it is exactly that's giving me the infection. This time I have mainly visited driver websites and haven't done anything I believe to be high risk. Can viruses and spyware only be installed through executable files and through browser "drive-bys"; can they be embedded and be installed from inside a non-executable file (i.e., a config file or something a program accesses regularly)?
This is a very frustrating problem. Any insight will be appreciated.
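The post above asks what a hit inside minidump.dmp files actually means. The following is an added example, not code from the thread or from any of the products named in it: a minimal signature scanner of the kind these tools use, run over constructed sample files. A minidump is a snapshot of memory written at crash time (the file starts with the magic bytes "MDMP"), so if the scanner's signature bytes were in memory when the dump was written, the dump matches even when no keylogger executable is present on disk now. The signature patterns, detection names, file names and file contents are all made up for the demonstration; "skl0g.exe" is used only because the post mentions it as a known file trace.

```python
"""Signature scanning over constructed files, to show why a match in a
memory dump (.dmp) is ambiguous.  Added example; nothing here is a real
vendor signature."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # hypothetical detection name
    pattern: bytes  # byte pattern the scanner looks for


# Hypothetical signatures (constructed, not a real database).
SIGNATURES = [
    Signature("Hypothetical.Keylogger.A", b"SetWindowsHookExA\x00WH_KEYBOARD_LL"),
    Signature("Hypothetical.Keylogger.B", b"skl0g.exe"),
]


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs in data.
    This is all a plain file scanner does: it has no idea whether the
    bytes belong to a program that can run or to a snapshot of memory."""
    return [s.name for s in signatures if s.pattern in data]


def is_memory_dump(data: bytes) -> bool:
    """Windows minidump files begin with the 'MDMP' magic.  A hit in such a
    file means the bytes were in memory when the dump was written; the
    dump itself is data and never executes."""
    return data.startswith(b"MDMP")


def build_sample_files() -> dict[str, bytes]:
    """Constructed stand-ins for three files on a machine: a harmless driver
    installer, a crash dump that captured the keylogger's strings while it
    was resident, and an ordinary config file."""
    clean_exe = b"MZ" + b"\x00" * 64 + b"DriverSetup v1.2 (constructed)"
    dump = (b"MDMP" + b"\x00" * 16              # minidump header magic
            + b"...kernel pool pages..."
            + b"skl0g.exe"                       # string left in memory
            + b"...more captured memory...")
    config = b"[display]\nresolution=1920x1080\n"
    return {"DriverSetup.exe": clean_exe, "minidump.dmp": dump, "settings.ini": config}


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan every file and report which signatures matched."""
    return {name: scan_bytes(data) for name, data in files.items()}


def classify_hits(files: dict[str, bytes]) -> dict[str, str]:
    """Label each detection as 'memory residue' (hit inside a dump) or
    'file' (hit inside something that could run), or 'clean'."""
    out = {}
    for name, data in files.items():
        hits = scan_bytes(data)
        if not hits:
            out[name] = "clean"
        elif is_memory_dump(data):
            out[name] = "memory residue: " + ", ".join(hits)
        else:
            out[name] = "file: " + ", ".join(hits)
    return out


if __name__ == "__main__":
    for name, verdict in classify_hits(build_sample_files()).items():
        print(f"{name:16} {verdict}")
```

The practical reading of the output is the one the post is circling around: a dump that matches tells you the pattern was in memory at the time of the crash, and quarantining the dump removes only the snapshot. Whether anything is still running has to be checked separately (processes, autostart entries, the executables the databases list), which a file-content scanner cannot answer on its own.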
Posted 12 January 2008 - 05:34 PM
Posted 12 January 2008 - 06:03 PM
If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here
Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators
Fight back Malware Complaints
Posted 12 January 2008 - 07:12 PM
The reason I ask this is because I have used many, many different scanners, and they all had their own "real-time protection" mechanisms that involve popping up a dialog or alert every time some "suspicious" change occurs (i.e., registry edits, one app launching another, etc.). The problem I have with this system of protection is I cannot see how an average computer user can determine whether or not an operation is safe to allow. Whenever I have antivirus/spyware software installed, running a simple install program for drivers for my hardware can trip off maybe a dozen alarms. In fact, installing antivirus from another company while running real-time protection with another program can trip off multiple alarms. From my experience these alerts do not help at all, as they don't really say what exactly is going on in plain English.
Are there any scanners that can actively scan running processes and catch something like a keylogger while it is running? The reason I ask is, if the currently available security suites cannot do this, then am I really protected? I mean, if I schedule daily scans, and a keylogger is launched in between daily scans and logs the credit card info I used to make a purchase, possibly relaying it back to the author immediately, it would have still done what it's supposed to do, even if I do detect it and remove it the next day. That is what I feel is happening right now with my software. I do catch trojans and malware when daily scans complete, but I have yet to see them caught while they are running. It seems the scanners I have (CounterSpy, Outpost Firewall Pro) just clean up the mess, but don't really actively prevent it. A lot can happen in a 24-hour period.
I am paranoid now because that is exactly what happened to me. I bought something online with my credit card, then the next morning my scan found a keylogger.