
Possible Keylogger

Discussion in 'Virus & Other Malware Removal' started by lightglobe, Jun 27, 2012.

Thread Status:
Not open for further replies.
  1. lightglobe

    lightglobe Thread Starter

    Joined:
    Sep 26, 2007
    Messages:
    294
    Just asking a question here, before I do anything else.

    I noticed on Task Manager there are duplicate process entries in "svchost.exe".

    Two x "svchost.exe/local service"
    Two x "svchost.exe/network service"
    Two x "svchost.exe/system"

    Is this normal, because I assumed that there should only be "one" process entry of each, not "two"?

    Could one of each of these process entries be a "keylogger" or "malware"?

    I tried to check "properties" of each to verify that it's Microsoft, and the "properties" box wouldn't show.

    I use Trend Titanium Premium and it scans okay.
     
  2. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,725
    Windows runs several of the services on your computer, and uses that same file, only several instances of it, at the same time....

    http://www.gfi.com/blog/exploring-svchostexe-part-1/ a pretty good explanation, but technical and l_o_n_g

    A much shorter explanation here >>> http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/


    Finally, you can see that it is quite usual to have more than one of the same item running >>> http://www.pcpowerguide.com/windows/why-is-there-more-than-one-svchost-exe-running-on-my-computer/

    As well, there is a bit on how to tell when there IS malware associated with svchost.exe at the pcpowerguide.com link just above.


    Has any program or scan indicated you might have a keylogger or any other malware on the machine?
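    An added example (not from this thread or the linked articles) of the checks the pcpowerguide.com link describes, done from a PowerShell prompt instead of the Task Manager "Properties" box: for each svchost.exe instance it records where the file lives, who started it, which account it runs as, and which services it hosts. It assumes PowerShell 2.0 or later, an elevated (Administrator) prompt, and a Windows XP/Vista/7-era machine where every genuine svchost.exe runs as one of the three service accounts.

```powershell
# Added example, not part of the thread: audit every svchost.exe instance.
# Assumes PowerShell 2.0+ and an elevated prompt, so that ExecutablePath and the
# owner of SYSTEM/service processes are readable.
$expectedPath   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$expectedOwners = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

# Index every process by PID so a parent process can be looked up by name
$byPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

$report = foreach ($proc in ($byPid.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $path   = $proc.ExecutablePath
    $parent = $byPid[[int]$proc.ParentProcessId]
    $owner  = $proc.GetOwner()
    $user   = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(access denied)' }
    # Services hosted inside this particular instance (what "tasklist /svc" shows)
    $hosted = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
                ForEach-Object { $_.Name })

    # The three checks that together separate a genuine service host from an impostor
    $pathOk   = ($path -ne $null) -and ($path -ieq $expectedPath)           # lives in System32
    $parentOk = ($parent -ne $null) -and ($parent.Name -ieq 'services.exe') # started by the SCM
    $ownerOk  = $expectedOwners -contains $user                              # runs as a service account

    New-Object PSObject -Property @{
        PID      = $proc.ProcessId
        User     = $user
        Path     = if ($path) { $path } else { '(access denied)' }
        Parent   = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '(none)' }
        Services = ($hosted -join ', ')
        # Flag anything that fails a check or hosts no service at all
        Suspect  = -not ($pathOk -and $parentOk -and $ownerOk -and ($hosted.Count -gt 0))
    }
}

$report | Sort-Object PID | Format-Table PID, User, Parent, Suspect, Services -AutoSize
$report | Where-Object { $_.Suspect } | Format-List PID, User, Path, Parent, Services
```

    Several rows with the same User column are expected, as the replies above explain; a row marked Suspect (wrong folder, not started by services.exe, running as an ordinary user, or hosting no service) is the one worth investigating.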
     
  3. lightglobe

    lightglobe Thread Starter

    Joined:
    Sep 26, 2007
    Messages:
    294
    Hi Byteman,

    Thanks for your reply, and nothing has indicated a keylogger.

    I have been through a process of wiping HD and reinstalling OS, and all the necessary updates.

    IE8 is unstable when working in my Hotmail account, and I have had a problem when working on FBook: every function can be a pain, and it goes into hanging. I have posted on FBook and when I have returned I have found some of my postings have been removed.

    When I mentioned it to another person on FB I was told that I might have a keylogger on the computer, and FB hijacked. I did change the password.

    I am thinking that something insidious has been placed on computer, and I am thinking of wiping off HD again and start again.

    When I saw two of everything I was wondering if the duplicate of each may have been a keylogger.

    I have used a disk cleaner for temp files, and traces removed; have done a defrag; and all scans by Trend indicate the system is clean. FB is a pain in the butt with whoever is removing my postings.

    So, I now assume that these duplicates of one process are normal.

    I tried to check them out by RH clicking to view "properties", but the "properties" doesn't come up, just a menu to "end process", etc., etc. I thought if I was able to view "properties" it would indicate if the process was legit.

    I just checked the Task Manager, and earlier when I checked all the files were displayed in "small letters"; just now I checked TM again, and the concerned processes are listed in "CAPITAL letters". It doesn't make sense.
     
  4. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,725
    Hi, The capital vs. lower case identities in Task Man are nothing to worry about, unless we spot something running from a wrong location or other sign of malware.....



    What version of Windows are you using on that computer?

    Do you have the type of brand name computer that does a FULL system recovery.......where all data is removed, and you start out brand new, just as the machine came to you from the factory? Or.... did you simply REinstall Windows -- or do what is called a Repair Install?

    How did you go about the "wiping HD and reinstalling OS"?

    Have you used a Registry fixing or cleaner program? Those can cause severe problems..........

    And one more question> is that computer a laptop?

    _ _ _ _ NEXT:_____

    Please download DDS by sUBs to your desktop from one of the following locations:

    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://www.forospyware.com/sUBs/dds

    Disable any script blocker you may have, as they may interfere and then double-click the DDS.scr to run the tool.

    When DDS has finished scanning, it will open two logs named as follows:

    DDS.txt
    Attach.txt


    Save them both to your desktop.
    Please post the requested logs/reports, as follows:

    Copy and paste the contents of the DDS.txt file.
    Upload the Attach.txt file as an attachment.
     
  5. lightglobe

    lightglobe Thread Starter

    Joined:
    Sep 26, 2007
    Messages:
    294
    Hi Bm,

    Roger that in regards to lower and capital case!

    Running WIN XP, and I have the three home recovery disks for an ACER Aspire T300 Tower, about four-five years old (2.5 GHz and 1015 MB).

    I assume all data was removed, when I completed the procedure I inserted Disk 1, rebooted and went through some procedure, which I can’t remember fully, but I do remember a “Phoenix work station” coming up, went through “advance bios features”, then went through another sequence of Recovery Disk 1, ended up in “Symantec Ghost 7.0.0.260 © 1998-2001”; and continued with the remaining Recovery Disks. I assumed that this procedure wiped the HD clean, but I am not sure if that is so.

    No, I did a complete recovery reinstalling the OS, and didn’t do a WIN XP repair. I then went through downloading SP2 and all updates, then SP3 and all updates.

    I did download CCleaner and Wise Disk Cleaner on a suggestion by someone on this forum. I used them only for removing temp files, cookies, and tracers, and didn't get involved with any registry fixing.

    I am not sure about a “script blocker”? What about the Antispyware (Trend) do you turn that OFF?

    I am wondering if I should just do another Home Recovery again, as I did above?

    Regards
     
  6. lightglobe

    lightglobe Thread Starter

    Joined:
    Sep 26, 2007
    Messages:
    294
    Hi BM,

    I went to download DDS by sUBs and my Trend Antivirus blocked it. In that case is my antivirus a "script blocker"?
     
  7. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,725
    Hi, So sorry; I was out of town for a while and did not notify you.

    OK, yes we need you to temporarily turn off the real time protection from that program.

    I am assuming you mean you have a security suite from Trend, which is made up of antivirus and antispyware functions and possibly a firewall...... and you may see individual components in the main program's window such as:

    Email shield
    Web shield
    Real Time protection
    File shield

    If it's just an antivirus program that's fine, but it does need to be temporarily turned off so you can post a DDS log.

    Those are examples, as I am not sure of the version or the name of your security program. If you can find the main Trend interface and open it, the Help > About Trend button is usually where it shows you the version and ID of the suite.

    If you could post that, I can further give you some help in turning the program off. If you know how, please do so, and get me the log from DDS.


    (I also am not sure when Trend blocked the program> when you clicked to just download or save it? Or, were you able to get the file onto the desktop or other location, and it was blocked from running? )
     
  8. lightglobe

    lightglobe Thread Starter

    Joined:
    Sep 26, 2007
    Messages:
    294
    Hi Bm,

    I have been having a lot of problems with the computer, which is an Acer Aspire T300. I do believe that something is in my computer that is causing extreme problems with IE8, Hotmail, and FB. I do believe trying all these different tests will be to no avail. IE8 is so bad that I am going to do a full recovery, and start all over again.

    I do have an ASUS Vista notebook, and am also having a few problems on IE9, so I have RESET the default settings.

    To ask another question, I have already had the ASUS reset to factory mode sometime back by the local technician, and I had no Recovery Disks. I gather the technician used the factory recovery on the computer. If this is so, how can I download this information to a CD so that I have a full set of recovery disks for the notebook?

    Thanks for your help.

    Regards
     
  9. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,725
    I am surprised that the tech did not mention that to you. Usually, if you are the original owner of a laptop these days, there is a utility included that tells you "The Recovery Disk set needs to be created when the computer is new" or something along those lines.

    If you look carefully through the All Programs menu for something like Create Recovery Media, Asus System Recovery....I am not sure of the exact name of the utility...... you get to make just one set of these DVDs, usually consisting of one, two or more DVDs. See if the utility will still let you burn these recovery disks.

    If you did not create the set then you need to find out who did! Even if you or someone had started the utility up, and done part of the creating disks, the utility lets you stop and resume from the last disk made on through to the finish, so you get one full set made.

    Do you have the ASUS model number? I can point you to their support download section where they have the patches and things you may like to have such as the full user guide, lots of self-help about the recovery process, etc.

    (Added) > Usually also you can purchase these Recovery disks if need be, but not always......
     
Short URL to this thread: https://techguy.org/1058826