Stealth Keylogger - advice please

  NotaViking 19:29 12 Jan 2010

Two weeks ago my father got a new Samsung laptop and I've been setting it up for him. It came with Windows 7 and included a McAfee trial version and I put some other stuff on it like Office 2000, Steam, Spotify, Skype and transferred some files over from my pc. The laptop hasn't been used that much otherwise, just some internet browsing and gaming. So far, pretty dull.

Yesterday, I removed the McAfee trial and installed Avast, Spybot, Ad-Aware and Zonealarm. On running Spybot, I obviously found a stealth keylogger. From the Spybot fixes report:

"Stealth Keylogger: [SBI $FD97FDA] Settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\ASK"

At first I thought it must be a false positive, but after some quick googling, I couldn't find any cases of that happening. It just seems so unlikely and unlucky. After fixing it with Spybot, I've run Avast, Spybot and Ad-Aware again and installed and run Malwarebytes (and ran them all again using safe mode). Nothing found at all, so I'm hoping that's it gone.

Going to have to do a lot of password changing, but the laptop hadn't been used for any banking or purchasing yet, so I don't think there's any serious risk.

I'm still really puzzled how this could have happened. I've been running my own pc with Avast, etc for the last year or so and never had a single problem, but this laptop picks up a really serious bit of malware in two weeks with little use and nothing I can see that looks risky. I've run Avast, etc on my pc today and it's fine (running Malwarebytes at the moment). I can't rule out the possibility that my father clicked on something stupid online though, but it'd be very unlucky.

So a few questions then:

1. Anything else I should be doing to make sure that it's gone?

2. Any theories on how it got on the laptop in the first place?

3. Do you think that the McAfee trial version was a weakness and letting it through?

4. When I installed Spybot, I let it do a back-up of the registry. If the keylogger was in the registry at that time, is that back-up infected?

I'm not too bad with computers, but this is above anything I'd hoped to have to deal with, so any advice is gratefully received.

  NotaViking 19:39 12 Jan 2010

No edit function? Oh well, the end of my third question should have read, "and let it through?".

  GaT7 19:57 12 Jan 2010

1. I would run HijackThis (HT) click here, & post the resultant log in a dedicated HT forum like click here (or click here for more related forums - see left column). They may ask you to run other programs like ComboFix & post their logs too.

You can also do a quick DIY HT analysis via click here. Do NOT manually remove anything on your own - ask for help on one of those forums. All the best with it.

2. Via malicious websites/links, email attachments, P2P networks, rogue software programs, infected media, etc.

3. Unfortunately there's no perfect antivirus/security program.

4. Very possibly yes.

There's no edit function on this forum. The lack of 'extras' keeps it light & fast (allegedly ;-)). G

  NotaViking 20:22 12 Jan 2010

Thanks for the reply, Crossbow7.

1. I'll definitely follow this, thanks.

2. It just puzzles me as most of these can't have happened. There's only a handful of emails on it and they're all fine, no P2P stuff, the software is all well known products and all obtained legally, and looking through the Internet Explorer history I don't see anything I'm suspicious of. But it got there somehow. Just don't want the same thing happening again, but I know no one can really answer this question. Hopefully the different security software will stop it getting infected again, but I'll be scanning it a lot in the next few weeks.

3. Indeed.

4. Ok, I'll follow that up at the Spybot forum as I was going to post there anyway.

Thanks again.

  rdave13 20:43 12 Jan 2010

ASK toolbar possibly. Check IE add-ons. If disabled then re-enable.
Run Toolbarcop to delete.
click here
Needs to be run as admin in Vista and Win7. The add-on needs to be enabled for Toolbarcop to delete it.
Very old program but still works a treat.
Remember to install it to its own folder so registry backups can be made automatically.

  NotaViking 21:03 12 Jan 2010

I did wonder if it could be to do with the Ask search engine when I thought it must be false positive. However, I assumed that I would have found lots of posts about that happening and I didn't.

Looking in the Manage Add-ons window, there's no mention of an Ask toolbar. Would Spybot have deleted this when fixing the problem?

  NotaViking 21:04 12 Jan 2010

And thanks for your reply, rdave13.

(I'm too used to having an edit function ;).

  rdave13 21:11 12 Jan 2010

Can't remember when this 'ASK' addon/toolbar was downloaded with a freebie program but it took Toolbarcop to find it. This on Win7.
Might not be your problem but worth a look. Otherwise follow Crossbow7's sound advice.

  NotaViking 23:57 12 Jan 2010

Ok, so I ran Toolbarcop, but there's no mention of Ask. There is one strange entry though. Like the others it has an Object Type (BHO) and a Class ID number, but under Name and Filename it just says (Empty). Its status is enabled. Could this have been the Ask toolbar, but it was taken out by Spybot? Or is it something else completely?

  rdave13 10:17 13 Jan 2010

Just ran TC and had two similar 'empty' entries. Deleted them but left the reg backup for now.
Something left after an uninstall I think.
You've run quite a few security apps and no infection found so I think it's reasonable to suggest the PC is clean.
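The "(Empty)" Toolbarcop entries discussed in the two posts above are Browser Helper Object (BHO) registrations whose CLSID no longer resolves to a name or DLL, typically left behind by an uninstall. The script below is an added, read-only example (not from the thread, and not Toolbarcop's or Spybot's code) that lists every BHO registered for Internet Explorer and flags the ones that look orphaned, plus a separate check for the HKLM\SOFTWARE\ASK key named in the Spybot report earlier in the thread. It assumes the standard BHO registration points under HKLM (including the Wow6432Node path used by 32-bit BHOs on 64-bit Windows) and should be run from an elevated PowerShell prompt; it changes nothing, so the decision to delete stays with the forum helpers, as GaT7 advised.

```powershell
# Added example: enumerate IE Browser Helper Objects and flag orphaned registrations.
# Read-only: nothing is deleted or modified. Run as Administrator.

function Get-BhoEntry {
    # Standard BHO registration points (assumed; Wow6432Node holds 32-bit BHOs on x64)
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # Where a CLSID resolves to its friendly name and InprocServer32 DLL path
    $clsidRoots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID',
        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    )

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            $name = $null
            $dll = $null
            $registered = $false

            foreach ($root in $clsidRoots) {
                $clsidKey = "$root\$clsid"
                if (Test-Path $clsidKey) {
                    $registered = $true
                    $name = (Get-Item $clsidKey).GetValue('')          # default value = friendly name
                    $inproc = "$clsidKey\InprocServer32"
                    if (Test-Path $inproc) {
                        $dll = (Get-Item $inproc).GetValue('')         # default value = DLL path
                    }
                    break
                }
            }

            # Normalise the DLL path (strip quotes, expand %SystemRoot% etc.) before checking disk
            $dllOnDisk = $null
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $dllOnDisk = Test-Path -LiteralPath $expanded
            }

            # Reasons an entry looks orphaned; "(Empty)" in Toolbarcop corresponds to the first two
            $flags = @()
            if (-not $registered)      { $flags += 'NoClsidRegistration' }
            elseif (-not $dll)         { $flags += 'NoServerPath' }
            elseif (-not $dllOnDisk)   { $flags += 'DllMissingOnDisk' }
            if (-not $name)            { $flags += 'NoName' }

            [PSCustomObject]@{
                Clsid     = $clsid
                Name      = if ($name) { $name } else { '(Empty)' }
                Dll       = if ($dll)  { $dll }  else { '(Empty)' }
                Hive      = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                Suspicious = $flags -join ','
            }
        }
    }
}

function Test-AskKey {
    # The key Spybot reported in the thread; its presence alone is not proof of a keylogger
    $askKey = 'HKLM:\SOFTWARE\ASK'
    [PSCustomObject]@{
        Key     = $askKey
        Present = Test-Path $askKey
        Values  = if (Test-Path $askKey) { (Get-Item $askKey).GetValueNames() -join ',' } else { '' }
    }
}

# Usage: list every BHO, orphaned ones first, then the ASK key check
Get-BhoEntry | Sort-Object { $_.Suspicious -eq '' } | Format-Table -AutoSize
Test-AskKey | Format-List
```

Entries flagged NoClsidRegistration or NoServerPath are the ones Toolbarcop shows as (Empty): IE has a BHO slot pointing at a CLSID that no longer exists, which is harmless by itself but is worth quoting in a HijackThis-style forum post along with the CLSID so the helpers can tell an uninstall remnant from something that was removed by a scanner. DllMissingOnDisk is the more interesting case, since the registration is complete but the file is gone, which is what a partial cleanup of an unwanted toolbar usually leaves behind.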

  NotaViking 14:32 13 Jan 2010

Ok, thanks. I've posted on the HT forum that Crossbow7 suggested and I'll follow up the registry back-up at the Spybot forum.

Thanks for your help, guys.
