
[Help] I can't remove a keylogger from my PC :-(


nikola247


Hi LLXX, I have run it again and only had AVG, ZoneAlarm and PeerGuardian open, as I'm too frightened to turn them off.

Also PeerGuardian sits there OK until I get to certain (sometimes trusted) sites and it flashes, and I decide to either accept or deny. Well, for the past week or so there is a certain site that tries to get me to allow HTTP; as I don't know who it is, I have blocked it. It tries regularly through the day too, sometimes 10-20 times a minute. If I post the name, someone may be able to shed some light on who or what this site is: it's called Savvis Sourceforge Split2 End Range. I have tried googling it, but only 2 sites come up, and they don't really seem relevant. Not sure if it is anything to do with this nasty on my PC.

I'm so sorry to take up so much of your time.

RootkitRevealer result

[screenshot: rootkitrevealerbestbestone.jpg]

TrickyTwista - I am going to install Ewido now, hopefully something has to work.

Thanks to you both

Nikki



Trickytwista - Oooo blimey, I downloaded Ewido (forgetting I had it on my PC before and my friend removed it) and it said I have tried it before, so I have to buy it, and I can't really afford it right now. I went to bookmarks to reply to you, and all my bookmarks have gone. I haven't closed down Firefox yet, in case they can be recovered. It really isn't my week this week..lol.. I have got some really important bookmarks in there, so hopefully they can be recovered.

Also, I ran the Panda scan, and went to buy it so it could remove nasties, as it was only $8.00, but then remembered the bl**dy e-Surveiller keylogger, so I daren't use PayPal or internet banking.. it just gets worse :(

Thanks again guys

Nikki


http://www.ewido.net/en/ You have to buy it now if you want to use it as a real-time scanner; however, you can still use it and download the latest definitions after the trial has expired for free. This setup contains the free as well as the plus version of the Ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used an unlimited number of times.

Edited by trickytwista

Thanks Trickytwista, I will try that and see if it works. Do you know where I can find my bookmarks, as they have disappeared after I went to download Ewido? It didn't delete my bookmarks last time I downloaded it. I'm sure this PC hates me..lol

Thanks a lot

Nikki


If you're having a lot of trouble with this and can't remove this threat, I'd suggest that you save ur money and don't spend it on buying different anti-spy apps. I would recommend that you back up ur data and reinstall Windows.. It would be faster and you would be sure that you're completely clean..


Thanks N1K, I might just have to do that. I've got thousands of photos/images/clip art and a lot of programs all installed on this PC, so backing everything up and redoing folders etc. might be a bit of a nightmare, as I am hoping to set up my own business in the very near future, and have so much stuff on here it's unreal. Only the other week I had a clean-up on my PC, redid all the folders, cleared out junk etc., and it took me days, so I am a bit hesitant to do it, as I am so short on time. I have a lot of important things backed up, but it's just a drop in the ocean compared to what is actually on here.

I will ring my friend later on and link him to this thread, and see what he thinks, as he hasn't looked at the RootkitRevealer result.

Thanks very much for your help.

Nikki


No problem mate, I would do that for sure and that's why I'm suggesting this to you...

Installation of windows + apps will not take you more than 2-3 hours mate..


Interesting. There are no rootkits present on your machine, but something is suspicious with this:

Also PeerGuardian sits there OK until I get to certain (sometimes trusted) sites and it flashes, and I decide to either accept or deny. Well, for the past week or so there is a certain site that tries to get me to allow HTTP; as I don't know who it is, I have blocked it. It tries regularly through the day too, sometimes 10-20 times a minute.

"PeerGuardian" would be a firewall? I'm not familiar with it, but is this indicative of your machine attempting to connect to a remote site, or of another machine attempting to connect to yours? The former is very keylogger-like; the latter can be ignored so long as it's not causing any noticeable problems.

I don't believe your system is so massively infected as to warrant a reformat and reinstall. If one process on your machine is initiating these connections, preventing it from starting and removing its file should be sufficient.


Good Afternoon N1K and LLXX,

Thanks very much for the advice. I have spent hours scanning the PC, and have come to the conclusion that ScanSpyware had a suspect reading. Here is a bit of an update.

I have deleted ScanSpyware from my PC.

I have just thought of something that may or may not be important. About 6/7 weeks ago, someone told me about something called SpoofStick, and said it was really handy. I never normally download anything unless I've confirmed it with my friend, but I downloaded it anyway.

I have tried many times since to remove this program, but can't find any info at all on removal; in fact I can't find it in Add/Remove Programs either. I have tried a search on the system, and it doesn't come up with anything, but it's still on my toolbar.

I have run CCleaner, and also Trend Micro, Ad-Aware 6 Pro, Spybot and Spyware Doctor, and the only one that came up with something was Ad-Aware, which came up with a possible browser hijack attempt - reg data - data miner - in

HKEY_CURRENT_USER\software\microsoft\internetexplorer\main "default_page_url" (about:blank)

Not sure if this is anything to worry about, but I deleted it with Ad-Aware.

Also, when I get Task Manager up, the CPU usage is still fluctuating between 30% and 100%, and I only have this, ZA, AVG and PG2 running. Do you reckon that SpoofStick is causing it? Because it must be hidden, as neither Add/Remove Programs nor Windows search can pick it up, and all the scans I've run pick up no nasties either.

In Task Manager there is something called System Idle Process, which fluctuates between 40-80%, and memory usage is 16k. There's one other thing that is quite odd: it's called Tmas.exe and normally sits at 0%, and every 30 seconds or so can go up to 96%, and the memory usage is a frightening 17336k. Any ideas what it can be?

I really do appreciate all the help I've received on this forum. I've learned quite a lot too.

Once again, Many Thanks

Kind Regards


You have Trend Micro running also? Or have had it on the PC and uninstalled it incorrectly? http://www.liutilities.com/products/wintas...sslibrary/Tmas/ Description: File Tmas.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 1306624 bytes (91% of all occurrences) and 1294336 bytes.

You can uninstall this program in the Control Panel. File Tmas.exe is not a Windows core file. Tmas.exe is able to record inputs and monitor applications. Therefore the technical security rating is 5% dangerous.

Important: Some malware camouflages itself as Tmas.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the Tmas.exe process on your PC to see whether it is a pest.

Edited by trickytwista
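The check described in the post above (legitimate Tmas.exe lives in a subfolder of C:\Program Files with one of the two quoted sizes; a copy directly in C:\Windows or C:\Windows\System32 is the camouflage case) turned into a small triage script. This is an added example, not code from the thread or from Trend Micro; the process inventory, the "Trend Micro\Anti-Spyware" install folder and the example_app.exe entry are all constructed sample data.

```python
from pathlib import PureWindowsPath

# Values quoted in the post: known file sizes and the expected install root.
KNOWN_SIZES = {1306624, 1294336}
EXPECTED_ROOT = PureWindowsPath(r"C:\Program Files")
# Folders the post names as where a camouflaged Tmas.exe turns up.
SUSPICIOUS_DIRS = {PureWindowsPath(r"C:\Windows"),
                   PureWindowsPath(r"C:\Windows\System32")}


def classify(name, path, size):
    """Return (verdict, reason) for one running process image.

    PureWindowsPath compares and hashes case-insensitively, so a path
    reported as C:\\WINDOWS\\system32 matches C:\\Windows\\System32.
    """
    if name.lower() != "tmas.exe":
        return "ignore", "not a Tmas.exe image"
    image = PureWindowsPath(path)
    if image.parent in SUSPICIOUS_DIRS:
        return "suspicious", f"Tmas.exe in {image.parent} is not where Trend Micro installs it"
    # "Subfolder of Program Files" means strictly below it, not directly in it.
    if EXPECTED_ROOT not in image.parents or image.parent == EXPECTED_ROOT:
        return "check", f"unexpected location {image.parent}"
    if size not in KNOWN_SIZES:
        return "check", f"size {size} not among known sizes {sorted(KNOWN_SIZES)}"
    return "likely legitimate", "expected location and known size"


def triage(inventory):
    """Classify every (name, path, size) entry; return only those needing attention."""
    findings = []
    for name, path, size in inventory:
        verdict, reason = classify(name, path, size)
        if verdict in ("suspicious", "check"):
            findings.append((name, path, verdict, reason))
    return findings


# Constructed sample inventory (name, image path, size in bytes); not the poster's data.
SAMPLE_INVENTORY = [
    ("Tmas.exe", r"C:\Program Files\Trend Micro\Anti-Spyware\Tmas.exe", 1306624),
    ("Tmas.exe", r"C:\WINDOWS\system32\Tmas.exe", 1306624),
    ("tmas.exe", r"C:\Program Files\Trend Micro\Anti-Spyware\tmas.exe", 987654),
    ("example_app.exe", r"C:\Program Files\Example\example_app.exe", 1048576),
]

if __name__ == "__main__":
    for name, path, verdict, reason in triage(SAMPLE_INVENTORY):
        print(f"{verdict:10} {path}: {reason}")
```

On a real machine the path and size for each process would come from Process Explorer or the file's properties dialog; a hit on the "suspicious" verdict is a reason to look harder, not proof of infection on its own.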

Oeeerr, I forgot about Trend Micro; it's got a thing called Venus Spy Trap running. Thanks for that trickytwista.

As I am quite a noooobie, I'm not sure how to check tmas.exe to see if it's a pest. Would all the spyware scans I've done not pick it up? Or do I have to do it manually somehow?

Thanks a lot

Nikki


You could try Spyware Doctor, which is not free but has the best detection in my opinion..

I had a situation where I did a full scan with updated Spybot S&D and Ad-Aware Personal Edition and they removed a few threats, but the PC was still infected..

Then the customer bought Spyware Doctor, which found more than 500 infections and removed them all..

Two months passed, and the customer didn't have any problems with his computer or spyware.

Spyware Doctor is also terrible software, it has countless false positives. It detected a shortcut to a folder that I made on my desktop as a "severe" keylogger/trojan.


PeerGuardian 2 is Phoenix Labs' premier IP blocker for Windows. PeerGuardian 2 integrates support for multiple lists, list editing, automatic updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc.), making it the safest and easiest way to protect your privacy on P2P.

This thread actually belongs in the Malware Prevention section which would also comply with the rules of this subforum. ;)

You will want to download an Anti-Malware Package. I personally recommend the Anti-Malware Pro package, as it contains everything you'll need. After you have downloaded that, refer to the PC Maintenance page and select the package that you've downloaded. If you didn't download one, select the Anti-Malware Pro guide. It has all the steps in easy-to-follow terms to update and clean your PC thoroughly.

Once you've run all of the scanners, post a HijackThis log to check for any leftover malicious files.
