-
February 7th, 2008, 06:55 PM
#1
[RESOLVED] SYS Keylogger Pro found. How do I make sure no traces left?
Spy Sweeper detected SYS Keylogger Pro. How can I make sure my computer is completely free of this?
My operating system is Windows XP, Media Center Edition, Version 2002 with Service Pack 2.
Internet connection = cable.
Router = Microsoft Broadband Networking Wireless Base Station, MN-700
Cable Modem = Motorola
Security Software = Norton Internet Security 2007, Webroot Spy Sweeper and Webroot Window Washer
~~~~
This morning I ran Webroot Spy Sweeper which detected the Keylogger. I quarantined the Keylogger. I then accessed Turbo Lister 2, which I had newly installed and briefly used last evening from eBay; I thought that might be where the keylogger came from. After accessing Turbo Lister and closing out of that program, I ran Spy Sweeper again, which detected the Keylogger. So, I uninstalled the program through the Control Panel. I ran Spy Sweeper again, which did not detect a KeyLogger. I still have the KeyLogger in the quarantined section of the Spy Sweeper program.
What else should I do? How can I make sure my computer is clean of this? Help!!!!!
-
February 7th, 2008, 09:09 PM
#2
Webroot reports this is a false positive. Check with them in a couple days for an updated Spy Sweeper.
-
February 7th, 2008, 09:50 PM
#3
Thanks for your response.
I failed to mention earlier that my computer knowledge is limited. I may be in the classification of knowing just enough to be dangerous. I found this site by posting a thread in eBay, and was directed here to Virtual Dr.
I'm assuming that a false positive means that I have nothing to be concerned about? Why would this show up now, but never in the last three years of using Spy Sweeper? Could it have anything to do with the TurboLister program I downloaded from eBay?
I will back up my files, something I have never done. Do I just copy them and paste them to the CD and then write?
-
February 7th, 2008, 11:37 PM
#4
My apologies for not giving a complete description of the problem.
A false positive means a security program is giving an incorrect warning. It happens from time to time with all anti-viruses and similar programs. The vendor generally offers a corrected program for download.
Was your Spy Sweeper definitions file updated recently, perhaps automatically without your knowledge? Webroot were suddenly swamped with questions from users and determined that the warnings were invalid.
I believe they now have an updated definitions file that corrects the problem. I don't use Spy Sweeper so can't give precise instructions but somewhere in the program there is the command "Check for Updates". You can update either the program or the definitions. Choose definitions.
After the update, rerun the program. The warning should not occur.
If you are still concerned, contact Webroot and ask if Turbo Lister is one of the programs that sets off Spy Sweeper. They may send you a program to test Turbo Lister if no one else has reported it as a problem.
-
February 7th, 2008, 11:58 PM
#5
Re file backup, that's part of my signature. It appears on all my posts and was not directed specifically at you.
Nonetheless, you should copy all data files that you don't want to lose. Just copy to the CD.
Don't forget files such as your Internet Browser's Favorites/Bookmarks, which may have an Import/Export function under the File menu.
Periodically, make new backups. How often depends on how frequently the files change and their importance. If you use your computer for business, you probably should back up every night. You can automate backups. If you are interested, post a question in the forum for your operating system. The scheduler and backup tools will vary by OS.
-
February 8th, 2008, 12:02 PM
#6
Jerryctx,
Thanks for all the help.
The Spy Sweeper program checks for updates automatically every day. I did update again after your suggestions and reran the program. No warning showed after performing that sweep.
I forgot to mention in my first post that I had uninstalled TurboLister for fear that was giving me problems. Should I decide to download TL again to give it another try I will contact Webroot as you suggested.
Regarding Backup of files: I should get some things done around the house today (neglected yesterday) but will go to the forum for my operating system real soon to learn about automated backups.
Thanks ever so much
Rotties4Life
_______________________________
There are no bad dogs---only inexperienced owners!!
-
February 8th, 2008, 04:35 PM
#7
SYS Keylogger doesn't show
Jerryctx,
All seems well after running some more scans. No more Keylogger found. However, it looks like I have more work ahead of me as I found some other suspicious (similar to other's post) stuff on my computer. Now to find where to go.
I do appreciate your help with this.
-
February 8th, 2008, 04:43 PM
#8
You may...
1. Run free ESET Online Scanner at: http://www.eset.com/onlinescan/
   Note: This Scanner is for Internet Explorer Only
   1. You will notice that the "Start" button is grayed out. Place a check mark at "Yes, I accept the Terms of use". The "Start" button will become visible. Click on it.
   2. If it wants to install an ActiveX component, allow it.
   3. You will be asked to install an ActiveX, click the "Install" button (Note: If you have a Firewall installed you may have to approve the installation)
   4. Once ActiveX control is installed, click on the "Start" button to initialize the scanner.
   5. After initialization is complete, make sure that "Remove found threats" and "Scan unwanted applications" are checkmarked.
   6. Click the "Scan" button.
   7. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt
   Post ESET's log.
2. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/
Print these instructions out.
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen
* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
-
February 8th, 2008, 05:03 PM
#9
Broni,
Just noticed your post. This is what I have noticed on my system: zzzHPSETUP, ISUSPM, and Symantec PIF Alert Eng.
-
February 8th, 2008, 05:43 PM
#10
Broni,
Printed off and read the instructions. Question, do I need to disable Norton Internet Security or Spy Sweeper before starting any of the above?
-
February 8th, 2008, 06:38 PM
#11
No. Just make sure you run SAS in Safe Mode.
-
February 8th, 2008, 10:49 PM
#12
I tried installing ESET Online Scanner, received this error message:
Initialization of the ESET Online Scanner
ERROR: Update Failed (200). Tried a 2nd install, same message. So I downloaded SUPERantispyware, started at about 5:30 and just completed. However, when I returned to the main menu I was not asked if I want to reboot. What do I do now?
-
February 8th, 2008, 11:14 PM
#13
Reboot manually, give me its log, and run HJT. Post its log, as well.
-
February 8th, 2008, 11:41 PM
#14
I was away from the laptop for a little. Will go back to the desktop, reboot and get that file uploaded to you. Then I will do the HJT download and scan.
Thanks for the help.
-
February 8th, 2008, 11:51 PM
#15
SUPERAntiSpyware log.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/08/2008 at 09:05 PM
Application Version : 3.9.1008
Core Rules Database Version : 3398
Trace Rules Database Version: 1390
Scan type : Complete Scan
Total Scan Time : 03:30:57
Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 6735
Registry threats detected : 0
File items scanned : 85691
File threats detected : 1
Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@jupitermedia[1].txt