Keylogger Files

by viileafclover / September 18, 2009 4:56 PM PDT

I posted an earlier thread about memory shortage on a laptop and I believe I have found the cause. I downloaded SASFE (SUPERAntiSpyware Free Edition) and it's so far found 2 keyloggers, and from what I know about keyloggers and from what I've read trying to find a thread relevant to my problem, I think it's being stored on the laptop instead of being transmitted (and yes, SASFE is still scanning).
Now if I remove the keylogger with the SASFE, does that remove the file also? And hence free the memory back up?
And if it doesn't, I need to know how to locate the file (I haven't yet tried just searching for a DLL file like someone mentioned was used to store what was typed) so I can manually remove it.
And how do I get rid of it if I am unable to manually remove it?
(Trying not to be pesky and get all my relevant questions into one thread.)

Searching computer for .DLL files
by viileafclover / September 18, 2009 5:21 PM PDT
In reply to: Keylogger Files

In searching the laptop for .DLL files and typing in the forums alone, I've lost 34 MB of space.
Not to mention the search itself led to just about every file on the computer. One I saw in particular was twain._32.dll.mui, and that just kind of struck me as odd, 'cause if I were a hacker I'd probably be creative and label it as such (with the twain part, I mean), but it's the only DUI file type listed, and we've got 2 keyloggers listed. So far everything is an application extension, shortcut.
I've found 2 that are manifest file types, dtu100.manifest and dpll100.dll.manifest; then there's one text doc file type labeled virtdisk.dll.vd.
Mainly I'm freaking out because I access my bank accounts on this laptop, and just yesterday twice used my debit card online (silly me for not checking up on this earlier).
It's been 2 hours on the SASFE run and it's still going. It hasn't found any more loggers or cookies or bots in 45 minutes, but I'm afraid to cut the search to go ahead and remove the loggers in case there's more.

UPDATE
by viileafclover / September 18, 2009 5:55 PM PDT
In reply to: Keylogger Files

I stopped the scan early to remove and quarantine the keyloggers, but it hasn't freed up any memory in the removal of the log files, 'cause there were HUNDREDS. It brought the MBs up from 116 to 130, which means there could be more, so I'm going to leave the scanner going all night to see what else it might catch, then run it in safe mode.
SASFE needed to reboot the laptop so I let it, and it again popped up with the low disc space "click here". I clicked it; it's taking much longer this time to calculate the disc space I will be able to free up. Maybe this will help with the low memory; since the keyloggers have been removed, the files are unnecessary, so maybe this will catch them? It freed up 142 MB of space. It's still in the red, so I'll update in the morning with the results.
Sorry if I'm being pesky.

You should not stop the scan
by Donna Buenaventura / September 22, 2009 3:55 AM PDT
In reply to: UPDATE

Hi,

You should allow SAS or any scanner to finish scanning before allowing it to quarantine/delete the detected items.

Can you please try to use CCleaner to scan for unneeded and temporary files on your system? You can get CCleaner from http://www.ccleaner.com/download/builds (scroll down the page and get the Slim, No Toolbar installer of CCleaner).

I suggest running CCleaner. Reboot, then re-scan with SAS. Let it finish scanning before allowing it to heal/deal with the infections.

CCleaner
by viileafclover / September 22, 2009 11:09 AM PDT

On my other post someone suggested that and I've done that, and use it daily, and showed everyone who uses this laptop how to use it, and the same with SAS.
I just looked at the quarantine log and it seems someone's emptied it, but from running it last night we had gotten another keylogger,
just called keylogger.actual spy and whatnot.

Yes
by Donna Buenaventura / September 22, 2009 3:53 AM PDT
In reply to: Keylogger Files

Hi,

You wrote:

Now if I remove the keylogger with the SASFE, does that remove the file also? And hence free the memory back up?

Yes, SAS should remove the file also that was added by the keylogger. You only need to re-scan the system to ensure there's no more. Or you could run another on-demand scanner that might detect similar threat and see if it will find any remnants to delete so you don't have to search for it.

Would you mind posting the "threat" name that SAS is detecting?

found the log
by viileafclover / September 22, 2009 11:18 AM PDT
In reply to: Yes

Generated 09/19/2009 at 03:28 AM

Application Version : 4.29.1002

Core Rules Database Version : 4111
Trace Rules Database Version: 2051

Scan type : Complete Scan
Total Scan Time : 01:49:04

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 5933
Registry threats detected : 0
File items scanned : 30468
File threats detected : 24

Adware.Tracking Cookie

Rogue.AntispywareBot
C:\Windows\Tasks\AntispywareBot Scheduled Scan.job

Keylogger.Actual Spy
C:\BACKUP\08-09-06 0421PM\MY ARCHIVES\ONE-TIME BACKUP 09062008-142143\FILES\DESKTOP\KEITH PICS\KEITH STUFF\RISSA\STUFF\ACTUALSPY.EXE
C:\BACKUP\08-09-06 0421PM\USERS\KEITH\DESKTOP\KEITH PICS\KEITH STUFF\RISSA\STUFF\ACTUALSPY.EXE
---------------------------------------------------------------------
Generated 09/19/2009 at 06:09 AM

Application Version : 4.29.1002

Core Rules Database Version : 4102
Trace Rules Database Version: 2051

Scan type : Complete Scan
Total Scan Time : 01:59:21

Memory items scanned : 565
Memory threats detected : 0
Registry items scanned : 5878
Registry threats detected : 0
File items scanned : 53146
File threats detected : 55

Adware.Tracking Cookie

Keylogger.Actual Spy
C:\BACKUP\08-09-06 0421PM\USERS\KEITH\DESKTOP\KEITH PICS\KEITH STUFF\RISSA\STUFF\ACTUALSPY.EXE
---------------------------------------------------------------------
Generated 09/22/2009 at 07:01 AM

Application Version : 4.29.1002

Core Rules Database Version : 4102
Trace Rules Database Version: 2051

Scan type : Complete Scan
Total Scan Time : 04:17:39

Memory items scanned : 568
Memory threats detected : 0
Registry items scanned : 5834
Registry threats detected : 0
File items scanned : 46558
File threats detected : 1

Keylogger.Actual Spy
C:\BACKUP\08-09-06 0421PM\USERS\KEITH\DESKTOP\KEITH PICS\KEITH STUFF\RISSA\STUFF\ACTUALSPY.EXE

I haven't quite figured out where these keyloggers are coming from,
and I know there's still a lot to do. We went through again and removed all music, and a good portion of pictures were put on disc, but I still haven't figured out what's taking up all the memory.
There's 2 games, and neither takes up more than 2gs total, even with saved files.

added info
by viileafclover / September 22, 2009 11:22 AM PDT
In reply to: found the log

And no, I haven't gotten him a firewall yet. I'm waiting on a disc from the computer guru that works on/built my computer for the firewall I use; I just can't remember the name of it offhand. Ares? It's a short word.
Right now for internet protection there's the AVG, and SAS, and whatever was default on the laptop.

Thanks for the log of SAS
by Donna Buenaventura / September 22, 2009 5:34 PM PDT
In reply to: added info

It's obvious that SAS failed to remove ActualSpy. I suggest scanning with Malwarebytes' Anti-Malware using its Full system scan.

MBAM should detect it. If not, please do any of these:

1. Make sure the system is showing hidden files and folders.

Look for actualspy.exe and actualspystart.lnk in C:\ and in C:\Windows and in C:\Windows\System32.
If you find the said files in any of these folders, delete them (just the files actualspy.exe and actualspystart.lnk are the ones you'll delete).

Go to C:\BACKUP\08-09-06 0421PM\USERS\KEITH\DESKTOP\KEITH PICS\KEITH STUFF\RISSA\STUFF folder then delete ACTUALSPY.EXE

2. Get HijackThis from http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe

Open Hijackthis.exe, click "Do a system scan and save a logfile"
After the scan is finished, the notepad will open to display the log.
Copy the entire log information from the notepad to one (1) of the forums below:

1. http://www.lognrock.com/forum/index.php?showforum=5
2. http://forum.securitycadets.com/index.php?showforum=2
3. http://malwarecrypt.com/forumdisplay.php?f=4
4. http://www.temerc.com/forums/viewforum.php?f=12
5. http://www.malwarebytes.org/forums/index.php?showforum=7
6. http://spywarehammer.com/simplemachinesforum/index.php?board=10.0
7. http://www.bleepingcomputer.com/forums/forum22.html

Their HijackThis analysts will try to look for the location of the keylogger and also diagnose whether it's the malware that is eating the hard-disk space or a legitimate program.
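
Comparing detections across the scans in a log like the one posted in this thread shows which items a scanner keeps reporting at the same path from one run to the next. The following is an added example, not part of the original thread and not SUPERAntiSpyware's own code; the sample log is constructed, and `path_of`, `parse_scans` and `recurring` are names chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SUPERAntiSpyware logs in this thread
# (trimmed; the user name and paths are made up for the example).
SAMPLE_LOG = r"""
Generated 09/19/2009 at 03:28 AM
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 3

Adware.Tracking Cookie
C:\Users\demo\AppData\Roaming\Microsoft\Windows\Cookies\demo@ads.example[1].txt

Rogue.AntispywareBot
C:\Windows\Tasks\AntispywareBot Scheduled Scan.job

Keylogger.Actual Spy
C:\BACKUP\OLD\USERS\DEMO\DESKTOP\STUFF\ACTUALSPY.EXE
---------------------------------------------------------------------
Generated 09/22/2009 at 07:01 AM
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 2

Adware.Tracking Cookie
ads.example.com [ C:\Users\demo\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\cookies.txt ]

Keylogger.Actual Spy
c:\backup\old\users\demo\desktop\stuff\actualspy.exe
"""

GENERATED = re.compile(r"^Generated (.+)$")
COUNT = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
THREAT = re.compile(r"^[A-Za-z]+\.[\w .-]+$")        # e.g. "Keylogger.Actual Spy"
BRACKETED = re.compile(r"\[ ([A-Za-z]:\\.+) \]$")    # "domain [ C:\...\cookies.txt ]"
PLAIN = re.compile(r"^[A-Za-z]:\\.+$")               # a bare file path

def path_of(line):
    """Return the file path carried by a detection line, or None."""
    m = BRACKETED.search(line) or PLAIN.match(line)
    return m.group(m.lastindex or 0) if m else None

def parse_scans(text):
    """Split a multi-scan log into scans with their counts and detections."""
    scans, threat = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := GENERATED.match(line):
            scans.append({"generated": m.group(1), "counts": {}, "hits": []})
            threat = None
        elif not scans:
            continue                                  # text before the first scan
        elif m := COUNT.match(line):
            scans[-1]["counts"][m.group(1).lower()] = int(m.group(2))
        elif (path := path_of(line)) and threat:      # paths follow a threat name
            scans[-1]["hits"].append((threat, path))
        elif THREAT.match(line):
            threat = line
    return scans

def recurring(scans):
    """Detections reported at the same path in two or more scans."""
    seen = defaultdict(list)
    for scan in scans:
        # Windows paths are case-insensitive, so compare them case-folded.
        for key in {(t, p.casefold()) for t, p in scan["hits"]}:
            seen[key].append(scan["generated"])
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Calling `recurring(parse_scans(SAMPLE_LOG))` returns only the ActualSpy entry, with the timestamps of both scans that reported it.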

SAS
by viileafclover / September 23, 2009 2:21 PM PDT

It did remove the keylogger files. I only posted the log files that found anything; there were 4 or 5 in between the ones that showed up with the keylogger. Initially there were 2, then the scan came back clean for a couple of days, then there was another. It's some website my stepmother goes to, and there's really not much I can do about it unless I put a home-use version of a keylogger on here so I know what the crap she's doing. But lord knows if she finds out I'm spying all hell would break loose, you know? So I haven't felt the need to do that yet, being as it seems most everything is fixable with a little help.

Most Here Fear To Tread
by tobeach / September 23, 2009 3:02 PM PDT
In reply to: SAS

on a situation as delicate as your stepmother situation (we don't know her & you do) & you are sure it's the site?? No chance it's anything else? IRS/Police/Ex-husband/Employer?

Keyloggers are SERIOUS trouble!! ANY site that routinely sets a keylogger is without question a DANGEROUS site and a threat to her, her banking, e-mails, and a threat to her friends & contacts on the net, since such a program could be easily spread to others (via trojan/mail worm/we don't know how extensive this program is) from her machine & could lead to her ISP blocking her from the net.

Further, EVEN IF only locale itself, that info on herself & others she contacts is being sent home to obviously unscrupulous entities to profit from any way they, or whoever they sell that info to, see fit to profit from her.
Example: She posts she's going south for 2 weeks starting November 1st. How much would that info be worth to local burglars?
Or to bank fraud artists knowing she won't see a statement or warning for 2 weeks?

At the very least she should stop visiting & block that site by putting it in her hosts file (to prevent access to the site) by her or others.

You could show her this post and let her curse & blame me, but I'd rather take a sledgehammer to my machine than let a keylogger survive even 1 hour & 1 net visit! Safety is everyone's concern! Good Luck! :)

Maybe it's best that you add security add-on in a browser?
by Donna Buenaventura / September 24, 2009 5:27 PM PDT
In reply to: SAS

How about adding any of these:
1. WOT (Web of Trust) for IE and Firefox
2. Use IE8 with SmartScreen Filter
3. Use Hosts file to block malicious links

Not good to put keylogging and spyware. Just help her by preventing the malware.

dernit
by viileafclover / September 23, 2009 2:25 PM PDT

I totally forgot about hijackthis.exe (it's been a while since I've used my own computer so I've forgotten what I use on it), but I'll be sure to download that and run it tonight with SAS. If it catches another I don't know what I'm going to do unless I can get that firewall up faster, and I'm not entirely sure that would help, being as I'm not really firewall savvy; I just know they're highly useful in blocking internet/computer access.

Glad you're familiar with HJT!
by Donna Buenaventura / September 24, 2009 5:23 PM PDT
In reply to: dernit

You can always diagnose the system with it, as you know, but be careful about what you will fix. Get advice if needed :)
