Possible Keylogger


lightglobe
Member with 294 posts. THREAD STARTER
Join Date: Sep 2007
Experience: Intermediate
27-Jun-2012, 04:32 PM #1
Just asking a question here, before I do anything else.

I noticed on Task Manager there are duplicate process entries in "svchost.exe".

Two x "svchost.exe/local service"
Two x "svchost.exe/network service"
Two x "svchost.exe/system"

Is this normal, because I assumed that there should only be "one" process entry of each, not "two"?

Could one of each of these process entries be a "keylogger" or "malware"?

I tried to check "properties" of each to verify that it's Microsoft, and the "properties" box wouldn't show.

I use Trend Titanium Premium and it scans okay.

Byteman (Bill)
Moderator & Malware Removal Specialist with 17,381 posts.
Join Date: Jan 2002
Location: NY
27-Jun-2012, 05:48 PM #2
Windows runs several of the services on your computer and uses that same file, only several instances of it, at the same time....

http://www.gfi.com/blog/exploring-svchostexe-part-1/ a pretty good explanation, but technical and l_o_n_g

A much shorter explanation here >>> http://www.howtogeek.com/howto/windo...is-it-running/


Finally, you can see that it is quite usual to have more than one of the same item running >>> http://www.pcpowerguide.com/windows/...n-my-computer/

As well, there is a bit on how to tell when there IS malware associated with svchost.exe at the pcpowerguide.com link just above.


Has any program or scan indicated you might have a keylogger or any other malware on the machine?
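One way to do the check that Byteman's last link talks about, telling a genuine svchost.exe instance from something merely named like it, as an added example that is not code from the thread or from any linked site. It assumes PowerShell 2.0 or later is installed and is run from an administrator prompt, so that the image path of the SYSTEM-owned instances is readable.

```powershell
# Added example (not from the thread): list every svchost.exe instance with the
# account it runs under, its image path and the services it hosts, and flag any
# instance that does not look like the real Windows one. Assumes PowerShell 2.0+
# (hence Get-WmiObject rather than Get-CimInstance) and an elevated prompt.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_
    # Owner as Task Manager shows it: LOCAL SERVICE, NETWORK SERVICE or SYSTEM
    $owner = $proc.GetOwner()
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }

    # A legitimate svchost.exe exists only to host services, so it always hosts
    # at least one; the service names tell you what that instance is doing.
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
            Select-Object -ExpandProperty Name

    $path = $proc.ExecutablePath
    $flag = ''
    # Path comparison is case-insensitive by default in PowerShell.
    if (-not $path -or $path -ne $expected) { $flag += ' [UNEXPECTED PATH]' }
    if (-not $svcs)                          { $flag += ' [HOSTS NO SERVICE]' }
    if ($path) {
        # The real binary carries a valid Microsoft Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flag += " [SIGNATURE $($sig.Status)]" }
    }

    '{0,6}  {1,-24} {2}{3}' -f $proc.ProcessId, $user, $path, $flag
    if ($svcs) { '        services: ' + (@($svcs) -join ', ') }
}
```

Several unflagged lines per account are the normal picture this thread describes; a flagged line is what is worth looking into further.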
lightglobe
Member with 294 posts. THREAD STARTER
Join Date: Sep 2007
Experience: Intermediate
27-Jun-2012, 07:40 PM #3
Hi Byteman,

Thanks for your reply, and nothing has indicated a keylogger.

I have been through a process of wiping HD and reinstalling OS, and all the necessary updates.

The IE8 is unstable when working in my Hotmail account, and I have had a problem when working FBook and every function can be a pain, and it goes into hanging. I have posted on FBook and when I have returned I have found some of my postings have been removed.

When I mentioned to another on the FB I was told that I might have a keylogger on the computer, and FB hijacked. I did change the password.

I am thinking that something insidious has been placed on computer, and I am thinking of wiping off HD again and start again.

When I saw two of everything I was wondering if the duplicated of each may have been a keylogger.

I have used a disk cleaner of temp files, and traces removed; have done defrag; and all scans by Trend indicates system clean. The FB is a pain in the butt with whoever is removing my postings.

So, I now assume that these duplicates of one process is normal.

I tried to check them out by right-clicking to view "properties", but the "properties" doesn't come up, just a menu to "end process", etc., etc. I thought if I was able to view "properties" it would indicate if the process was legit.

I just checked the Task Manager, and earlier when I checked all the files were displayed in "small letters"; just now I checked TM again, and the concerned processes are listed in "CAPITAL letters". It doesn't make sense.
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,381 posts.
Join Date: Jan 2002
Location: NY
27-Jun-2012, 10:03 PM #4
Hi, the capital vs. lower case identities in Task Man are nothing to worry about, unless we spot something running from a wrong location or other sign of malware.....



What version of Windows are you using on that computer?

Do you have the type of brand name computer that does a FULL system recovery, where all data is removed and you start out brand new, just as the machine came to you from the factory? Or did you simply REinstall Windows, or do what is called a Repair Install?

How did you go about the "wiping HD and reinstalling OS"?

Have you used a Registry fixing or cleaner program? Those can cause severe problems..........

And one more question> is that computer a laptop?

NEXT:

Please download DDS by sUBs to your desktop from one of the following locations:

http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Disable any script blocker you may have, as they may interfere and then double-click the DDS.scr to run the tool.

When DDS has finished scanning, it will open two logs named as follows:

DDS.txt
Attach.txt


Save them both to your desktop.
Please post the requested logs/reports, as follows:

Copy and paste the contents of the DDS.txt file.
Upload as an attachment the Attach.txt file

lightglobe
Member with 294 posts. THREAD STARTER
Join Date: Sep 2007
Experience: Intermediate
30-Jun-2012, 04:01 AM #5
Hi Bm,

Roger that in regards to lower and capital case!

Running WIN XP, and I have the three home recovery disks for an ACER Aspire T300 Tower, about four to five years old (2.5 GHz and 1015 MB).

I assume all data was removed. When I completed the procedure I inserted Disk 1, rebooted and went through some procedure, which I can't remember fully, but I do remember a "Phoenix work station" coming up, went through "advance bios features", then went through another sequence of Recovery Disk 1, ended up in "Symantec Ghost 7.0.0.260 1998-2001", and continued with the remaining Recovery Disks. I assumed that this procedure wiped the HD clean, but I am not sure if that is so.

No, I did a complete recovery reinstalling the OS, and didn’t do a WIN XP repair. I then went through downloading SP2 and all updates, then SP3 and all updates.

I did download CCleaner and Wise Disk Cleaner on a suggestion by someone on this forum. I used only in removing temp files, cookies, and tracers; and didn’t get involved with any registry fixing.

I am not sure about a “script blocker”? What about the Antispyware (Trend) do you turn that OFF?

I am wondering if I should just do another Home Recovery again, as I did above?

Regards
lightglobe
Member with 294 posts. THREAD STARTER
Join Date: Sep 2007
Experience: Intermediate
02-Jul-2012, 08:06 AM #6
Hi BM,

I went to download DDS by sUBs and my Trend Antivirus blocked it. In that case is my antivirus a "script blocker"?
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,381 posts.
Join Date: Jan 2002
Location: NY
04-Jul-2012, 06:08 PM #7
Hi, so sorry; I was out of town for a while and did not notify you.

OK, yes we need you to temporarily turn off the real time protection from that program.

I am assuming you mean you have a security suite from Trend, which is made up of an antivirus, and antispyware functions and possibly a firewall...... and you may see individual components in the main program's window such as:

Email shield

Web shield

Real Time protection

File shield.... If it's just an antivirus program that's fine, but it does need to be temporarily turned off so you can post a DDS log


Those are examples, as I am not sure what version or the name of your security program is. If you can find the main Trend interface and open it, the Help > About Trend button is usually where it shows you the version and ID of the suite.

If you could post that, I can further give you some help in turning the program off. If you know how, please do so, and get me the log from DDS.

Quote: Originally Posted by lightglobe
Hi BM,

I went to download DDS by sUBs and my Trend Antivirus blocked it. In that case is my antivirus a "script blocker"?

(I also am not sure when Trend blocked the program> when you clicked to just download or save it? Or, were you able to get the file onto the desktop or other location, and it was blocked from running? )

lightglobe
Member with 294 posts. THREAD STARTER
Join Date: Sep 2007
Experience: Intermediate
07-Jul-2012, 06:40 PM #8
Hi Bm,

I have been having a lot of problems with the computer, which is an Acer Aspire T300. I do believe that something is in my computer that is causing extreme problems with IE8, Hotmail, and FB. I do believe trying all these different tests will be to no avail. The IE8 is so bad that I am going to do a full recovery, and start all over again.

I do have an ASUS Vista notebook, and am also having a few problems on IE9, so I have RESET the default settings.

To ask another question, I have already had the ASUS reset to factory mode some time back by the local technician, and I had no Recovery Disks. I gather the technician used the factory recovery on the computer. If this is so, how can I download this information to a CD so that I have a full set of recovery disks for the notebook?

Thanks for your help.

Regards
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,381 posts.
Join Date: Jan 2002
Location: NY
09-Jul-2012, 08:18 AM #9
I am surprised that the tech did not mention that to you. Usually, if you are the original owner of a laptop these days, there is a utility included that tells you "The Recovery Disk set needs to be created when the computer is new" or something along those lines.

If you look carefully through the All Programs menu for something like Create Recovery Media, Asus System Recovery.... I am not sure of the exact name of the utility...... you get to make just one set of these DVDs, usually consisting of one, two or more DVDs. See if the utility will still let you burn these recovery disks.

If you did not create the set then you need to find out who did! Even if you or someone had started the utility up and done part of the creating disks, the utility lets you stop and resume from the last disk made on through to finish, so you get one full set made.

Do you have the ASUS model number- I can point you to their support download section where they have the patches and things you may like to have such as the full user guide, lots of self-help about the recovery process, etc.

(Added) > Usually also you can purchase these Recovery disks if need be, but not always......
