Old 05-09-2006, 00:13   #13
Tezcatlipoca
Re: tspy - Trojan keylogger

Quote:
Originally Posted by ADd
It does look like Housecall found traces of the infection, and Counterspy is a very good anti-spyware program. If you want one more scan to put your mind at ease I can recommend Ewido anti-spyware here:

http://www.ewido.net/en/

You will need to use IE, as the scan uses ActiveX to install.

With regard to ZoneAlarm - it isn't my favourite, but if it works for you it's miles ahead of the packet filter otherwise known as Windows Firewall.


No need - I ended up formatting & reinstalling a few days ago anyway (been a while since I last reformatted, plus I'm a paranoid obsessive compulsive).


I've used ZA for years. Never had a problem with it. Only stopped recently as ZA Pro seemed to conflict with Kaspersky (which I switched to from Norton).

Still using the free ZA at the moment. Might stick my key in & turn it into ZA Pro, & just disable the "OS Firewall" & antispyware scan stuff due to having Kaspersky etc.


Quote:
Originally Posted by TheBlueRaja
I would argue that what you're probably seeing is a false positive. If you use all that protection and run Spybot / Adaware etc. every day then you will more than likely be OK and Trend Micro's wrong.

Very good point.

Makes sense due to the lack of anything being picked up apart from those reg entries.


Quote:
Originally Posted by ADd
Certainly a possibility TheBlueRaja, with regard to the following in the registry:

Sophos comments: http://www.sophos.com/security/analyses/trojcimuzb.html


This is perhaps part of the reason Trend found these registry entries as bad. A Google search of

Returns about 800 hits on it. If you are running an ATI card, you may wish to read these threads:
http://www.bullguard.com/forum/5/Zubox_18003.html
http://www.wilderssecurity.com/archi...p/t-98909.html

for different programs, spysweeper and spyware doctor, both good anti-spyware programs, but does indicate a false positive is possible.
It is also indicated in this WinPFind2 log, which points to the ATI dll:
http://www.tomcoyote.org/forums/lofi...hp/t66665.html

I guess it all comes down to whether you have an ATI card installed: if you do, it could well be a false positive; if not, just traces in the registry. You could also use the Sophos link to try and find the files on your C:\ drive. Ensure you have shown hidden files and folders, then just navigate to the correct places using Windows Explorer. If the files are not there, neither is the infection.
BTW it is typical for malware to use legitimate registry entries when installing on a system, in an attempt to hide itself from the user, and scanners.

Too late to check for those files now, but if they had existed then it's presumably safe to assume that they would have been detected by HouseCall along with the registry entries, plus would've been detected by Kaspersky etc. Which they weren't.


As for an ATI card........

I've got an ATI Radeon 9800XT (old now, but does what I need still).

I'm using the Catalyst 6.8 drivers at the moment.

Think I had a slightly older version on my previous XP install. Also had the Catalyst Control Centre installed, along with the actual driver. Found the Control Centre slow & annoying though, so didn't install it on my current install (only installed the driver this time).



Thanks for the help