29-08-2006, 21:40
|
#1
|
Inactive
Join Date: Jun 2003
Location: Cambridge
Posts: 16,760
|
tspy - Trojan keylogger
I like to think (...or used to like to think) that my XP SP2 PC was pretty well protected from all the nasties out there.
It sits behind a Netgear ADSL wireless router gateway, connected via wireless G using WPA & MAC filtering, with NAT & SPI.
It has Kaspersky AntiVirus, with all the different "Protections" running, including the "Proactive Defense".
It has Spywareblaster.
It has Spybot S&D.
It has Adaware.
It has MS Windows Defender.
Though for a software firewall it currently only has the XP SP2 firewall. I used to use Zone Alarm, but had problems with it conflicting with Kaspersky, so ditched ZA a couple of months ago.
I use Firefox rather than IE (unless IE is needed, e.g. for Windows Updates).
Everything is updated regularly.
I scan with Spybot & Adaware & Windows Defender every day.
I scan with Kaspersky's "Critical Areas" & "Startup Objects" scans every day.
I scan with Kaspersky's full "My Computer" scan every few days.
and yet.....
It seems to have picked something up yesterday.
Some variant of the "tspy" trojan keylogger, according to Trend Micro's online "HouseCall" antivirus scan.
Housecall removed said infection, & in a fit of paranoia I've since changed my passwords (& also inadvertently locked myself out of my online banking due to entering the wrong password when going back into it later on).
What really worries me, as well as the whole obvious risk of having an apparent keylogger, is exactly when the hell did this infection occur & how?
Maybe it was very recent, & would have been picked up by something else if I hadn't happened to have thought to do a "HouseCall" scan when I did.
But maybe it was there for longer, & *only* Housecall is capable of detecting it?!
In which case...
Is that possible or likely?
I've tried to find info on exactly what Spybot, Adaware, & Kaspersky can actually detect, but not had much luck.
I've since bought CounterSpy, another anti-spy/ad/malware etc. prog, plus I'm thinking of going back to using something other than the SP2 firewall.
30-08-2006, 01:28
|
#2
|
Inactive
Join Date: Apr 2006
Location: Land of the free
Posts: 308
|
Re: tspy - Trojan keylogger
Hi Matt D, firstly the only chink in your armour was a lack of firewall. That is because Windows firewall only blocks incoming attacks. So if you download something nasty via your browser (and java can be exploited this way even through firefox) then the firewall will not help you. A software firewall like Zonealarm, Sunbelt Kerio, or Outpost will enable you to block both incoming, and outgoing. Thus if something is downloaded, which attempts to contact a site on the web to fill your HD up with more nasties, the firewall should let you know, and allow you to block it.
I am surprised that Kaspersky did not detect this threat, as it is very good. Another way of protecting yourself is doing online scans, like Trend Micro, Panda, to give you a second opinion. Basically an AV is only as good as its definitions.
Apart from that, without seeing a log/report from the cleaning of the infection I can't give you any more info. This is because 'tspy' seems a generic name for a number of keylogging trojans, and also it is important where this file was located.
Therefore I would suggest you post a HijackThis log at one of the following ASAP forums:
http://www.malwareremoval.com/a-sap.html
You will get free help, and the guys/gals will ensure your system is cleaned in the best possible manner; they are professionals with many years of experience.
Finally I would advise that you back up your personal data regularly - onto CD, USB memory stick etc, so that if in the future you need to reinstall you have your info handy (imagine if you had a hardware failure).
One point, it is possible this was a false positive, hence why Trend found it and Kaspersky didn't - so a double check at one of the forums would be my best advice.
Edit>>If you want to know more about ASAP see here: http://asap.maddoktor2.com/
31-08-2006, 15:51
|
#3
|
Inactive
Join Date: Jun 2003
Location: Abertawe
Services: 10Mb BB, DTV & Phone
Posts: 2,859
|
Re: tspy - Trojan keylogger
Unfortunately IMHO the usual antivirus products aren't very good when it comes to trojans, keyloggers etc. For the last five years I've used BO Clean from PSC Software. It's not free, but it is updated at least once a day, sometimes more.
http://www.nsclean.com/index.html
http://www.nsclean.com/boclean.html
DW
02-09-2006, 17:11
|
#4
|
Inactive
Join Date: Jun 2003
Location: Cambridge
Posts: 16,760
|
Re: tspy - Trojan keylogger
Cheers for the replies
I ran HiJackThis after the Housecall scan/clean, & it was fine.
I've now gone back to using ZoneAlarm, instead of the XP SP2 firewall. Although, I'm now using the free ZA rather than ZA Pro (have no need of ZA Pro's anti-spyware scanning, due to having Spybot, Adaware & now also CounterSpy; & have no need of ZA Pro's "OS Firewall", due to Kaspersky's Protection & Proactive Defence, and now also CounterSpy's Active Protection).
I found the logs etc. for the Housecall scan, & have attached them, in case anyone would be kind enough to have a look through them.
The names of the tspy keylogging trojans found are "TSPY_CIMUZ" & "TSPY_AGENT.TQ".
A select quote from the log:
Quote:
Originally Posted by Housecall "everything0" log
(snip)
2006-08-28 13:16:06.984 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79664) on 'HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'
2006-08-28 13:16:07.031 WARNING ProcessSystemCallback reportInfection threatName =
2006-08-28 13:16:12.328 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz
2006-08-28 13:16:23.031 FINEST ProcessSystemCallback Found threat infection: TSPY_Agent.TQ (ID 86398) on 'HKLM\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'
2006-08-28 13:16:23.046 WARNING ProcessSystemCallback reportInfection threatName =
2006-08-28 13:16:23.890 FINEST ProcessSystemCallback Found threat infection: TSPY_Agent.TQ
2006-08-28 13:16:24.203 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79669) on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}'
2006-08-28 13:16:24.250 WARNING ProcessSystemCallback reportInfection threatName =
2006-08-28 13:16:24.281 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz
2006-08-28 13:18:28.687 FINEST ProcessSystemCallback Spyware scanner processed threat scan
(snip)
|
The only other mentions of "TSPY_CIMUZ" & "TSPY_AGENT.TQ" I can find are related to them being marked for cleaning.
So, it seems to me, that the only actual instances of "TSPY_CIMUZ" & "TSPY_AGENT.TQ" were a few registry entries. It doesn't seem that there were any files or anything else, just a few registry entries (unless I've missed something from the logs?).
This makes me think that perhaps I didn't actually ever have a full tspy infection - maybe it was just a partial infection, with only a few registry entries successfully added, while perhaps the actual files etc were blocked by Kaspersky or something during the installation attempt (I don't remember any tspy related files - or anything else - ever being found during any scans. Just the reg entries discovered by Housecall).
That seem plausible?
02-09-2006, 18:14
|
#5
|
CF Resident Dog
Join Date: Mar 2005
Posts: 14,976
|
Re: tspy - Trojan keylogger
Be careful about using ZA as you stand a good chance of halving your broadband speed. It's not recommended by users on this site.
02-09-2006, 19:24
|
#6
|
Inactive
Join Date: Nov 2004
Posts: 7,737
|
Re: tspy - Trojan keylogger
Zonealarm sucks.
It so far
Screws up Bf2, Star Trek bridge commander and Halo and gt legends even if disabled I had huge ping problems until I got rid of it.
Avoid it unless you do zero gaming.
02-09-2006, 21:03
|
#7
|
CF Resident Dog
Join Date: Mar 2005
Posts: 14,976
|
Re: tspy - Trojan keylogger
Quote:
Originally Posted by Felinix_Devotion
Zonealarm sucks.
It so far
Screws up Bf2, Star Trek bridge commander and Halo and gt legends even if disabled I had huge ping problems until I got rid of it.
Avoid it unless you do zero gaming.
|
Or zero leeching.
04-09-2006, 19:46
|
#8
|
Inactive
Join Date: Apr 2006
Location: Land of the free
Posts: 308
|
Re: tspy - Trojan keylogger
SnoopZ it does look like Housecall found traces of the infection, and Counterspy is a very good anti-spyware program. If you want one more scan to put your mind at ease I can recommend Ewido anti-spyware here:
http://www.ewido.net/en/
You will need to use IE, as the scan uses Active X to install.
With regard to Zonealarm - it isn't my favourite, but if it works for you its miles ahead of the packet filter otherwise known as Windows firewall
04-09-2006, 19:49
|
#9
|
CF Resident Dog
Join Date: Mar 2005
Posts: 14,976
|
Re: tspy - Trojan keylogger
Quote:
Originally Posted by ADd
SnoopZ it does look like Housecall found traces of the infection, and Counterspy is a very good anti-spyware program. If you want one more scan to put your mind at ease I can recommend Ewido anti-spyware here:
http://www.ewido.net/en/
You will need to use IE, as the scan uses Active X to install.
With regard to Zonealarm - it isn't my favourite, but if it works for you its miles ahead of the packet filter otherwise known as Windows firewall 
|
You got the wrong guy mate.
04-09-2006, 19:51
|
#10
|
Inactive
Join Date: Apr 2006
Location: Land of the free
Posts: 308
|
Re: tspy - Trojan keylogger
Been a long day, apologies Matt D.
04-09-2006, 21:18
|
#11
|
cf.mega poster
Join Date: Dec 2003
Location: Baw deep in a munter
Age: 49
Services: Initiations, rep rigging and orgies!
Posts: 5,750
|
Re: tspy - Trojan keylogger
I would argue that what you're probably seeing is a false positive; if you use all that protection and run Spybot / Adaware etc every day then you will more than likely be OK and Trend Micro's wrong.
04-09-2006, 21:58
|
#12
|
Inactive
Join Date: Apr 2006
Location: Land of the free
Posts: 308
|
Re: tspy - Trojan keylogger
Certainly a possibility TheBlueRaja, with regard to the following in the registry:
Quote:
2006-08-28 13:16:24.203 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79669) on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}'
2006-08-28 13:16:06.984 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79664) on 'HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'
|
Sophos comments: http://www.sophos.com/security/analyses/trojcimuzb.html
Quote:
This section contains the description and advanced technical information
Troj/Cimuz-B is a Trojan for the Windows platform.
The Trojan starts a proxy server allowing remote users to route HTTP traffic
through the infected computer. The Trojan registers itself on several sites to
report the availability of the listening proxy server.
Troj/Cimuz-B includes functionality to access the internet and communicate with
a remote server via HTTP.
When first run Troj/Cimuz-B copies itself to <System>\mdms.exe and creates the
file <System>\winacpi.dll.
The following registry entry is created to run mdms.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMemory manager
<System>\mdms.exe
The file winacpi.dll is registered as a COM object, creating registry entries
under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\CLSID\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\Interface\(5E2121ED-0300-11D4-8D3B-444553540000)
HKCR\TypeLib\(5E2121E1-0300-11D4-8D3B-444553540000)
HKCR\acpi.acpi.1\
HKCR\acpi.ext\
The following registry entry is set:
HKCR\*\shellex\ContextMenuHandlers\sysacpildap
(default)
(5E2121EE-0300-11D4-8D3B-444553540000)
Registry entries are created under:
HKCU\Software\mzs\mdms\mzu\
|
This is perhaps part of the reason Trend found these registry entries as bad. A Google search of
Quote:
5E2121EE-0300-11D4-8D3B-444553540000
|
Returns about 800 hits on it. If you are running an ATI card, you may wish to read these threads:
http://www.bullguard.com/forum/5/Zubox_18003.html
http://www.wilderssecurity.com/archi...p/t-98909.html
for different programs, spysweeper and spyware doctor, both good anti-spyware programs, but does indicate a false positive is possible.
It is also indicated in this WinPFind2 log, which points to the ATI dll:
http://www.tomcoyote.org/forums/lofi...hp/t66665.html
Quote:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}--------- SimpleShlExt Class = C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll ( [Ver = 1, 0, 0, 1 | Size = 73728 bytes | Date = 10/19/2005 11:17 | Attr = ])
|
I guess it all comes down to whether you have an ATI card installed: if you do, it could well be a false positive; if not, just traces in the registry. You could also use the Sophos link to try and find the files on your C:\ drive; ensure you have shown hidden files and folders, and just navigate to the correct places using Windows Explorer. If the files are not there, neither is the infection.
BTW it is typical for malware to use legitimate registry entries when installing on a system, in an attempt to hide itself from the user, and scanners.
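The check ADd describes above (does the flagged CLSID resolve to the ATI shell extension or to the Cimuz-B files Sophos lists?) as an added PowerShell triage script; this is not code from the thread or from any vendor, it assumes a Windows host with PowerShell, and the file names, Run value and GUID are taken from the Sophos description and the HouseCall log quoted in this thread:

```powershell
# Added example: triage a CLSID flagged by a scanner by resolving it to its COM server,
# then look for the specific Troj/Cimuz-B artefacts quoted from Sophos in this thread.
# Assumes Windows + PowerShell; run elevated so HKLM and System32 are fully readable.

$Clsid = '{5E2121EE-0300-11D4-8D3B-444553540000}'   # GUID from the HouseCall log above

# Indicators quoted from the Sophos Troj/Cimuz-B write-up linked in the thread
$CimuzFiles  = @("$env:SystemRoot\System32\mdms.exe", "$env:SystemRoot\System32\winacpi.dll")
$CimuzRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$CimuzRunVal = 'SysMemory manager'

function Get-ClsidServer {
    param([string]$Guid)
    # HKCR is not a default PS drive; HKLM\SOFTWARE\Classes is the same data
    # (the log's second hit was under HKLM\SOFTWARE\Classes\CLSID)
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Guid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Test-CimuzTraces {
    # Returns a list of findings; an empty list means none of the Sophos artefacts exist
    $findings = @()
    foreach ($f in $CimuzFiles) {
        if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
    }
    $run = Get-ItemProperty -Path $CimuzRunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$CimuzRunVal]) {
        $findings += "Run value '$CimuzRunVal' = $($run.$CimuzRunVal)"
    }
    return $findings
}

$server = Get-ClsidServer -Guid $Clsid
if ($null -eq $server) {
    Write-Output "CLSID $Clsid has no InprocServer32: at most an orphaned registry reference remains."
} elseif (-not (Test-Path -LiteralPath $server)) {
    Write-Output "CLSID $Clsid -> $server (file missing: orphaned registration)"
} else {
    # A signed ATI binary here is the false-positive case discussed in the thread
    $sig = Get-AuthenticodeSignature -FilePath $server
    Write-Output "CLSID $Clsid -> $server"
    Write-Output "  signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
}

$traces = Test-CimuzTraces
if ($traces.Count -eq 0) {
    Write-Output 'No Cimuz-B file or Run-key artefacts found; a flagged CLSID alone fits a false positive.'
} else {
    $traces | ForEach-Object { Write-Output "ARTEFACT: $_" }
}
```

The Authenticode status and signer are the decisive fields: a valid signature from the video card vendor on the resolved DLL is the legitimate case, while an unsigned file in System32 matching the Sophos names is what would justify the detection.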
05-09-2006, 00:13
|
#13
|
Inactive
Join Date: Jun 2003
Location: Cambridge
Posts: 16,760
|
Re: tspy - Trojan keylogger
Quote:
Originally Posted by ADd
it does look like Housecall found traces of the infection, and Counterspy is a very good anti-spyware program. If you want one more scan to put your mind at ease I can recommend Ewido anti-spyware here:
http://www.ewido.net/en/
You will need to use IE, as the scan uses Active X to install.
With regard to Zonealarm - it isn't my favourite, but if it works for you its miles ahead of the packet filter otherwise known as Windows firewall 
|
No need - I ended up formatting & reinstalling a few days ago anyway (been a while since I last reformatted, plus I'm a paranoid obsessive compulsive).
I've used ZA for years. Never had a problem with it. Only stopped recently as ZA Pro seemed to conflict with Kaspersky (which I switched to from Norton).
Still using the free ZA at the moment. Might stick my key in & turn it into ZA Pro, & just disable the "OS Firewall" & antispyware scan stuff due to having Kaspersky etc.
Quote:
Originally Posted by TheBlueRaja
I would argue that what you're probably seeing is a false positive; if you use all that protection and run Spybot / Adaware etc every day then you will more than likely be OK and Trend Micro's wrong.
|
Very good point.
Makes sense due to the lack of anything being picked up apart from those reg entries.
Quote:
Originally Posted by ADd
Certainly a possibility TheBlueRaja, with regard to the following in the registry:
Sophos comments: http://www.sophos.com/security/analyses/trojcimuzb.html
This is perhaps part of the reason Trend found these registry entries as bad. A Google search of
Returns about 800 hits on it. If you are running an ATI card, you may wish to read these threads:
http://www.bullguard.com/forum/5/Zubox_18003.html
http://www.wilderssecurity.com/archi...p/t-98909.html
for different programs, spysweeper and spyware doctor, both good anti-spyware programs, but does indicate a false positive is possible.
It is also indicated in this WinPFind2 log, which points to the ATI dll:
http://www.tomcoyote.org/forums/lofi...hp/t66665.html
I guess it all comes down to whether you have an ATI card installed: if you do, it could well be a false positive; if not, just traces in the registry. You could also use the Sophos link to try and find the files on your C:\ drive; ensure you have shown hidden files and folders, and just navigate to the correct places using Windows Explorer. If the files are not there, neither is the infection.
BTW it is typical for malware to use legitimate registry entries when installing on a system, in an attempt to hide itself from the user, and scanners.
|
Too late to check for those files now, but if they had existed then it's presumably safe to assume that they would have been detected by HouseCall along with the registry entries, plus would've been detected by Kaspersky etc. Which they weren't.
As for an ATI card........
I've got an ATI Radeon 9800XT (old now, but does what I need still).
I'm using the Catalyst 6.8 drivers at the moment.
Think I had a slightly older version on my previous XP install. Also had the Catalyst Control Centre installed, along with the actual driver. Found the Control Centre slow & annoying though, so didn't install it on my current install (only installed the driver this time).
Thanks for the help
05-09-2006, 08:12
|
#14
|
Inactive
Join Date: Jun 2003
Location: S Manchester
Age: 76
Posts: 1,766
|
Re: tspy - Trojan keylogger
This is similar to my experience recently.
I was doing a usual check over with HiJack This which amongst a few other benign entries (how DO you get rid of that blasted Quicktime start up entry !!  ) found 'cfmon.exe' which I 'fixed'.
A quick sweep with ewido, Adaware and Spybot found nothing and a thorough search of HD and registry did not find 'cfmon.exe'.  After a re-boot HiJack This found nothing so I assume I am clear.
Just goes to show no matter what you can easily pick up an infection, albeit in this case a partial one that didn't manage to install itself fully.
Take care out there
05-09-2006, 10:14
|
#15
|
cf.mega poster
Join Date: Dec 2003
Location: Baw deep in a munter
Age: 49
Services: Initiations, rep rigging and orgies!
Posts: 5,750
|
Re: tspy - Trojan keylogger
Actually I think ADd has done everything right; the chances are that he had the keylogger at one point and it's been picked up and detected by one of his spyware programs.
At this point the spyware app has removed all its files but neglected the registry, which Trend Micro, in an effort to impress (and win new customers), has jumped on and reported after a registry sweep.
So in all probability he neither had Tspy, nor was Trend Micro (completely) wrong, although it should have looked for the files involved.