Old 02-09-2006, 17:11   #4
Tezcatlipoca
Re: tspy - Trojan keylogger

Cheers for the replies


I ran HiJackThis after the Housecall scan/clean, & it was fine.



I've now gone back to using ZoneAlarm, instead of the XP SP2 firewall. Although, I'm now using the free ZA rather than ZA Pro (have no need of ZA Pro's anti-spyware scanning, due to having Spybot, Adaware & now also CounterSpy; & have no need of ZA Pro's "OS Firewall", due to Kaspersky's Protection & Proactive Defence, and now also CounterSpy's Active Protection).



I found the logs etc. for the Housecall scan, & have attached them, in case anyone would be kind enough to have a look through them.


The names of the tspy keylogging trojans found are "TSPY_CIMUZ" & "TSPY_AGENT.TQ".


A select quote from the log:

Quote:
Originally Posted by Housecall "everything0" log

(snip)

2006-08-28 13:16:06.984 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79664) on 'HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'

2006-08-28 13:16:07.031 WARNING ProcessSystemCallback reportInfection threatName =

2006-08-28 13:16:12.328 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz

2006-08-28 13:16:23.031 FINEST ProcessSystemCallback Found threat infection: TSPY_Agent.TQ (ID 86398) on 'HKLM\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'

2006-08-28 13:16:23.046 WARNING ProcessSystemCallback reportInfection threatName =

2006-08-28 13:16:23.890 FINEST ProcessSystemCallback Found threat infection: TSPY_Agent.TQ

2006-08-28 13:16:24.203 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79669) on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}'

2006-08-28 13:16:24.250 WARNING ProcessSystemCallback reportInfection threatName =

2006-08-28 13:16:24.281 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz

2006-08-28 13:18:28.687 FINEST ProcessSystemCallback Spyware scanner processed threat scan

(snip)

The only other mentions of "TSPY_CIMUZ" & "TSPY_AGENT.TQ" I can find are related to them being marked for cleaning.


So, it seems to me, that the only actual instances of "TSPY_CIMUZ" & "TSPY_AGENT.TQ" were a few registry entries. It doesn't seem that there were any files or anything else, just a few registry entries (unless I've missed something from the logs?).

This makes me think that perhaps I didn't actually ever have a full tspy infection - maybe it was just a partial infection, with only a few registry entries successfully added, while perhaps the actual files etc were blocked by Kaspersky or something during the installation attempt (I don't remember any tspy related files - or anything else - ever being found during any scans. Just the reg entries discovered by Housecall).

That seem plausible?
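An added example (not part of the original post and not Housecall's own code): a small parser that groups the "Found threat infection" lines quoted above by threat name and by kind of location, to check whether any detection points at a file rather than a registry key. The log line layout is assumed from the quoted excerpt only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the excerpt quoted in the post
# (forum line-wrap space in "Shell Extensions" repaired).
SAMPLE_LOG = r"""
2006-08-28 13:16:06.984 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79664) on 'HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'
2006-08-28 13:16:07.031 WARNING ProcessSystemCallback reportInfection threatName =
2006-08-28 13:16:12.328 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz
2006-08-28 13:16:23.031 FINEST ProcessSystemCallback Found threat infection: TSPY_Agent.TQ (ID 86398) on 'HKLM\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'
2006-08-28 13:16:24.203 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79669) on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}'
"""

# Assumed layout: timestamp, level, source, message; "(ID n) on '<location>'" is optional.
DETECTION = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \S+ "
    r"Found threat infection: (?P<threat>\S+)"
    r"(?: \(ID (?P<id>\d+)\) on '(?P<loc>.*)')?\s*$"
)
REGISTRY_HIVES = ("HKCR\\", "HKLM\\", "HKCU\\", "HKU\\", "HKCC\\")

def classify(location):
    """Return 'registry', 'file' or 'other' for a reported location string."""
    if location.upper().startswith(REGISTRY_HIVES):
        return "registry"
    if re.match(r"^[A-Za-z]:\\|^\\\\", location):  # drive path or UNC path
        return "file"
    return "other"

def summarize(log_text):
    """Map THREAT_NAME -> {kind: [locations]} for detections that carry a location."""
    found = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m and m.group("loc"):  # skip the bare repeat lines with no location
            loc = m.group("loc")
            found[m.group("threat").upper()][classify(loc)].append(loc)
    return {threat: dict(kinds) for threat, kinds in found.items()}

def non_registry_hits(log_text):
    """List (threat, location) pairs whose location is not a registry key."""
    return [(threat, loc) for threat, kinds in summarize(log_text).items()
            for kind, locs in kinds.items() if kind != "registry" for loc in locs]

if __name__ == "__main__":
    for threat, kinds in summarize(SAMPLE_LOG).items():
        print(threat, {kind: len(locs) for kind, locs in kinds.items()})
    print("non-registry detections:", non_registry_hits(SAMPLE_LOG))
```

Run over the full attached log rather than the excerpt, an empty `non_registry_hits` result means every located detection was a registry key.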