
Keylogger advice needed please, before I go mad ;-)



Good Evening,

 

I have had a nightmare trying to sort this problem out, and I'm hoping some kind soul will be able to help me.

 

My friend upgraded my PC the other day and put on ScanSpyware, which picked up the following nasties, which Google said were keyloggers.

 

e-surveiller – Reg Key – HKEY-CLASSES-ROOT.ZIG – HIGH RISK

e-surveiller – Reg Key – HKEY-LOCAL-MACHINESOFT – HIGH RISK

 

I started in safe mode with System Restore turned off, but as soon as I reboot they are back. I have tried various things, and even though ScanSpyware says they have been removed, as soon as I reboot they are back again.

 

I also ran Process Explorer and there was an odd entry called Interrupts - Hardware Interrupts that was running between 40-80 CPU.

 

My friend remotely connected to my pc and he wasn't sure what it was or why it was running so high, it couldn't be deleted or amended either.

 

Someone said it may be a rootkit, so I ran RootkitRevealer, and the following came up:

[image: RootkitRevealer results (screenshot not preserved)]

 

I do not really know much about keyloggers/trojans etc., and even though the PC is running smoothly, I daren't use internet banking/PayPal because I'm scared the keylogger will pick my information up.

 

I also run PeerGuardian. For the past week or so it sits there OK until I get to certain (sometimes trusted) sites, when it flashes and I decide to either accept or deny. Well, for the past week or so there is a certain site that tries to get me to allow HTTP; as I don't know who it is, I have blocked it. It tries regularly through the day too, sometimes 10-20 times a minute. If I post the name, someone may be able to shed some light on who or what this site is: it's called Savvis Sourceforge Split2 End Range. I have tried googling it, but only 2 sites come up, and they don't really seem relevant. Not sure if it is anything to do with this nasty on my PC.

 

Sorry for such a long post, but I thought that the combination of things may help someone realize what it is and how I can remove it. I was going to purchase the 6-month PandaScan, but daren't use PayPal.

 

I forgot to say that when I run Task Manager, even when I have nothing open, the CPU fluctuates between 40-100%, and my friend said it is way too high, but he has looked and can't find anything that would cause it to run so high.

 

:crash:

 

Thanks in advance

Kind Regards

Nikki


Welcome to The Pit, nikola247. :)

 

Not all anti-spyware utilities are legitimate. Unfortunately there are companies out there that dupe users into thinking they are getting rid of malware, when really they are only adding to the problem by using their program.

 

SpywareWarrior has a list of Rogue/Suspect Anti-Spyware Products. ScanSpyware features on this page:

 

ScanSpyware

scanspyware.net

aggressive advertising (1); false positives work as goad to purchase [A: 6-26-04 / U: 6-26-04]

I would remove this program as quick as possible. There's a list of reputable programs in the link in my signature. :)

 

Someone else here will have to assist you with the RootkitRevealer results. :)

 

Can you also post us a TechExpress link to a Pit Scan?

 

with regards

Edited by Champion_Munch

Thanks very much for the info Champion_Munch, I didn't realise ScanSpyware was a bit suspect. I have run nearly every online scan that was on your list, and nothing has found e-surveiller on my PC except that, so I reckon they are pulling a fast one.

 

When I ran Spyware Doctor it found something called NetObserve in c:\windows\unvise.32.exe, which Google came back as a backdoor keylogger, so I daren't use PayPal or internet banking, and I don't know how to remove the bloomin' thing :pullhair:

 

I am just running Microsoft AntiSpyware, and I also put a tick in the System Restore box to turn it off when I scan things.

 

How do you also post a TechExpress link to a Pit Scan? Sorry to sound a bit dumb, but I'm new to all this :lol:

 

Once again, thanks for taking the time to give me some advice. I have now removed ScanSpyware from my PC, never to return.

 

Kindest Regards

Nikki


Hi Nikki,

 

NetObserve may be part of the utility that your friend used to access your computer remotely.

Look in your Control Panel - Add/Remove for any new programs. If you didn't install it or have a question about whether or not it is safe on your machine, post the name back to this forum. If you recognize a program as the "remote access" utility used by your friend, I recommend you "uninstall" it. If you want your friend to gain remote access again in the future, you may decide to install a software for that purpose again in the future. For now, it would be better to close up the holes and leaks.

 

Please run online AntiVirus scans here:

http://housecall.trendmicro.com

http://www.kaspersky.com/virusscanner

 

Hopefully one/both of these will identify any remaining malware.

Post a list of items identified and/or removed when scanning with these online tools.

 

To scan for and detect spyware and possibly some rootkit invasions...

You can use the free online version of Webroot SpySweeper, Here:

http://www.webroot.com/land/freescan.php?W...4ef7b3a7a23724e

 

Please post back with the results from your scans.

Additionally, please describe any symptoms that your machine may be exhibiting.

 

Best Regards


First of all, your "Pie" drive is close to being completely full. You've only got 6% free space on it. For a drive to function properly, you shouldn't get lower than about 25-30%. I would suggest transferring some of the stuff off that drive onto your "Big Pie" drive, which has plenty of spare room. :)

 

You can also clean out some junk files you have on there. Try one of the cleaning programs in the link in my signature, my personal favourite is CCleaner - just make sure to stick to the "cleaner" tab if you use it.

 

You won't be able to defrag the near-full drive, but you should defragment the "Big Pie" using Windows Defragmenter. How to here: http://www.pcpitstop.com/pcpitstop/DskOpt.asp

 

Also you should readjust the IE browser cache to around 80MB. See here: http://www.pcpitstop.com/pcpitstop/IntCache.asp

 

with regards


Nikki,

 

Carefully read and follow the recommendations from the Results of your PCPitstop Full Test

 

This one is particularly worrisome. Hard drives run best when they have about 50% free space, and generally start showing bluescreen and failure-type problems or lag excessively when free space dips below 15%. With only 6% you hardly have any room to make read-write exchanges, and probably won't be able to defrag your C:\ until you've removed enough data and files to give it about 20% free space.

 

Free space 2524 MB (6%)

 

Best Regards


Good Afternoon Dough,

 

I ran HouseCall the other night, and my friend checked the results and didn't find anything suspicious. The weird thing is, I went to run it again, and PeerGuardian would normally flash and ask if I want to let HouseCall in, but I kept getting the Savvis Sourceforge Split2 End Range site trying to get in. Now that Savvis thingy has constantly been trying to gain access through PeerGuardian thousands of times a day for the past few days. Do you know if it is part of HouseCall? I personally don't think it is, because I have blocked it, and the scan ran OK the other night even though the Savvis site was blocked.

 

I really have got a sneaky feeling that Champion_Munch was right when he said that ScanSpyware may be dodgy, because nothing else has picked up this e-surveiller, and that I may not have a keylogger on here after all, having spent nearly 3 whole days trying to sort it out.

I am running Kaspersky, and will post the results when it's finished.

 

I will also run Webroot SpySweeper, and will post those results here too.

 

My pc is running perfectly, except the high CPU usage, but I am sure it’s been high for a while.

 

When I am convinced that I do not have a keylogger, I will make a donation to the Hurricane Relief for your help. I have already made a donation, but that was because I wanted to; I will make another one when I feel my PC is safe.

 

RE post 8: I will move some of my graphics and music over onto the 80GB drive this afternoon. I defragged it last week and it ran OK, but it will obviously run better when I free up some space on the 40GB drive. Thanks very much for your advice.

 

-------------------------------

 

Good Afternoon Champion,

 

I spent days last week cleaning out my junk files ..lol.. but will use CCleaner and give it a little spring clean, as it obviously goes deeper than me.

The reason my drives are named Pie and Big Pie is that whenever I checked it, I would ring my friend and say "I haven't got much pie left", so he did that as a little joke. I only had the 80GB hard drive put in on Wednesday, and because ScanSpyware said I had a keylogger, I have spent every waking moment trying to sort it out, so I haven't had the chance to move files onto the 80GB one yet. I thought the keylogger (if there even is one) was more important to sort out first.

 

Right, I went into the IE browser cache, and you said it should be about 80MB; mine was 1221MB... Good grief, a bit high, don't you think?? :blink:

 

I also defrag regularly. I did it last week, and it worked fine.

 

---------------------------

 

Good Afternoon Juliet,

 

Thanks for the info. I have posted the result on the Sysinternals forum to see if anyone knows if it's dodgy or not :)

 

Once again, thanks to all you guys for your help and advice, I really do appreciate it.

 

Kindest Regards

 

Nikki


Hi Nikki,

 

Thanks for keeping us updated with your progress. Other Members will probably learn from your problem solving. That's what the Forums are all about.

 

Please run and post a fresh PCPitstop Full Test TechExpress so that we can see the progress that you are making and adjust our recommendations accordingly.

 

Have you uninstalled "scanspyware"? I don't have to have a sneaky suspicion to know that Champion Munch's recommendation on this item is solid. He refers to one of the best anti-spyware resources on the Net.

 

Take a look here to consider a variety of competent tools you may decide to use:

http://pcpitstop.invisionzone.com/index.php?showtopic=61975

 

You're doing great so far. Keep up the good work.

I'm glad you decided to become a Member here.

 

Best Regards


Good Afternoon dough,

 

Thanks very much :)

 

I have deleted ScanSpyware from my PC.

 

I have just thought of something that may or may not be important. About 6/7 weeks ago, someone told me about something called SpoofStick, and said it was really handy. I never normally download anything unless I've confirmed it with my friend, but I downloaded it anyway.

 

I have tried many times since to remove this program, but can't find any info at all on removal; in fact I can't find it in Add/Remove Programs either. I have tried a search on the system, and it doesn't come up with anything, but it's still on my toolbar :pullhair:

 

I have run CCleaner, and also Trend Micro, Ad-Aware 6 Pro, Spybot and Spyware Doctor, and the only one that came up with something was Ad-Aware, which came up with "possible browser hijack attempt - reg data - data miner" in

HKEY_CURRENT_USER:software\microsoft\internetexplorer\main"default_page_url" (about blank)

Not sure if this is anything to worry about, but I deleted it with Ad-Aware.

 

Also, when I get Task Manager up, the CPU usage is still fluctuating between 30% and 100%, and I only have this, ZA, AVG and PG2 running. Do you reckon that SpoofStick is causing it? It must be hidden, as neither Add/Remove Programs nor Windows Search can pick it up, and all the scans I've run pick up no nasties either.

 

In Task Manager there is something called System Idle Process, which fluctuates between 40-80%, and its memory usage is 16k. There's one other thing that is quite odd: it's called Tmas.exe and normally sits at 0%, and every 30 seconds or so can go up to 96%, and the memory usage is a frightening 17336k. Any ideas what it can be?

 

I really do appreciate all the help I've received on this forum; I've learned quite a lot too.

Once again Thanks

Kind Regards

Nikki


:sparkle: I've been trying to find data on removal..... no luck.

I did a Google search and found the home page for SpoofStick...... which looks like many might use this.

You may have to go to the home page and look for removal instructions.

I did not click on any of these links..... so use your discretion.

Spoofstick now available for Internet Explorer

  • 7 years later...


A keylogger, also known as keystroke logging, is a program installed on your computer unbeknownst to you that logs all key strokes typed into your computer which is then viewed by a third party. Keyloggers are also capable of taking screen captures.

Edited by jimmaqualin

Just throwin' this out there......... I think, as this post is from 2006, either:

 

a. OP has fixed the problem

b. So scared of a keylogger hacking their life the OP has never used their PC since.
