Two Plus Two Newer Archives  

  #1  
Old 01-07-2007, 06:56 PM
Jim Kuhn Jim Kuhn is offline
Senior Member
 
Join Date: Nov 2002
Location: USA
Posts: 2,757
Default SCKeylogger found - what is next?


I have a wireless router with three computers connected. I rarely use my laptop. Today I logged onto the laptop and entered a poker tourney. As I had not run spybot on this computer for a while I updated and checked the laptop. It came back with SCKeylogger found.

My kids utilize the laptop very often and play online games. I suspect this is how the virus was picked up. I restarted the laptop and am running spybot again. It says the keylogger has been fixed. I am on one of the pc's and checked my poker account balances. Those balances appear intact. I am running spybot on all three machines.

What should I do next? I have windows firewall turned on. Will that help? My router I think also acts as a firewall? If I remove that virus and change all of my passwords will I be safe? Thank you for any help you may provide!

Thank you,

Jim Kuhn
Reply With Quote
  #2  
Old 01-07-2007, 07:04 PM
LeapFrog LeapFrog is offline
Senior Member
 
Join Date: Oct 2006
Location: Mystery time!
Posts: 1,173
Default Re: SCKeylogger found - what is next?

First thing, change passwords to all sites that the laptop accessed recently. Do this from a secure computer. I will post more in a bit but that is the most important thing for the moment.
Reply With Quote
  #3  
Old 01-07-2007, 07:21 PM
Jim Kuhn Jim Kuhn is offline
Senior Member
 
Join Date: Nov 2002
Location: USA
Posts: 2,757
Default Re: SCKeylogger found - what is next?

Thank you for the response. I don't think I have accessed any of my poker or email accounts from this computer recently. I also recently changed most of my passwords. I am not sure if I should change those again. By changing those again could I actually be helping a hacker gain those new passwords? One pc came back from spybot and adaware clean. I am utilizing that pc.

The other pc I am not sure about. My spybot icon was missing so I went to download.com and downloaded the latest version of spybot. It froze my computer when I tried to download the latest definitions. I rebooted the computer and received a spybot message that spybot terminated abnormally and was altered or something like that. It suggested a possible virus or keylogger. I ran adaware and it came back fine. I am trying to download new definitions for spybot.

Thanks,

Jim
Reply With Quote
  #4  
Old 01-07-2007, 07:27 PM
LeapFrog LeapFrog is offline
Senior Member
 
Join Date: Oct 2006
Location: Mystery time!
Posts: 1,173
Default Re: SCKeylogger found - what is next?

Be sure to change passwords to email sites as well, as they can be used to launch social engineering attacks.

Well, my recommendation is to format the laptop to be on the safe side. Yes, you can try removal and spybot may have done the job, but many of the trojans nowadays are able to resurrect themselves. Also, you could have some sort of stealth trojan that's not showing up that was responsible for installing the logger.

Only thing to consider is if you want to save the HD for possible forensics investigation (i.e. everything is fine now, in a day you have problems with money missing from the bank, the cops may be interested in the HD contents). That's up to you... As for using the laptop, to me it's just not worth the risk that the laptop hasn't been fully cleaned; format is safest.

Some other advice -- have a completely separate computer for poker/financial transactions if you can afford to. Don't let the kids use it. Don't websurf with it except to go to known safe sites, i.e. bank/neteller, etc. If your patches/security isn't up to date it can be easy for lots of nasty crap to get on the computer just by websurfing.

I would add ZoneAlarm as well to your computers. It's a free firewall that last time I checked is considered superior to Windows firewall.

Make sure your wireless connection is encrypted.
Reply With Quote
  #5  
Old 01-07-2007, 07:37 PM
Jim Kuhn Jim Kuhn is offline
Senior Member
 
Join Date: Nov 2002
Location: USA
Posts: 2,757
Default Re: SCKeylogger found - what is next?

Also - this keylogger could have been on the laptop for several weeks. I have not run spybot on the laptop for a long time!

Thanks,

Jim
Reply With Quote
  #6  
Old 01-07-2007, 07:41 PM
LeapFrog LeapFrog is offline
Senior Member
 
Join Date: Oct 2006
Location: Mystery time!
Posts: 1,173
Default Re: SCKeylogger found - what is next?

[ QUOTE ]
Thank you for the response. I don't think I have accessed any of my poker or email accounts from this computer recently. I also recently changed most of my passwords. I am not sure if I should change those again. By changing those again could I actually be helping a hacker gain those new passwords?


[/ QUOTE ]

np.

Well, that would be a problem if you're not 100% sure about the computer you are using to change the passwords. If a keylogger is installed it's going to see everything you type. Some have evolved to even take screenshots now on mouse clicks :(

[ QUOTE ]

The other pc I am not sure about. My spybot icon was missing so I went to download.com and downloaded the latest version of spybot. It froze my computer when I tried to download the latest definitions. I rebooted the computer and received a spybot message that spybot terminated abnormally and was altered or something like that. It suggested a possible virus or keylogger. I ran adaware and it came back fine. I am trying to download new definitions for spybot.

[/ QUOTE ]

This could be a concern. I had a nasty trojan once upon a time that would actually reboot my machine when I tried to run adaware -- malware is certainly capable of interfering with cleaning programs.

If you're at all unsure about any computers I would honestly recommend a complete reformat. It's a serious pain, I know, but really the only 100% sure way. Also, if you do reformat, be sure to get a firewall on first thing (preferably before you connect to the net for the first time, i.e. use a flashdrive/portable HD to load it), then patch up immediately.
Reply With Quote
  #7  
Old 01-07-2007, 11:39 PM
signal signal is offline
Senior Member
 
Join Date: Dec 2004
Posts: 305
Default Re: SCKeylogger found - what is next?

[ QUOTE ]
If you're at all unsure about any computers I would honestly recommend a complete reformat. It's a serious pain, I know, but really the only 100% sure way. Also, if you do reformat, be sure to get a firewall on first thing (preferably before you connect to the net for the first time, i.e. use a flashdrive/portable HD to load it), then patch up immediately.

[/ QUOTE ]

Leap,

You offer good advice; I would only add one thing: I have a DVD burner on my comp and I created a 'reformat' disk. It contains all necessary applications as well as their patches (i.e. AV, anti-spyware apps, etc). That way when you connect to the internet for the first time you have decent protection (a USB drive can hold all smaller patches).

Coldcaller (or Kyle...something)'s post made me realize you need your defenses up as soon as you are connected for the first time.

On average I do reformat about once every six months. I guess I am a geek, but that 1/2 day you spend tweaking & re-tweaking the comp is a small price to pay for cleanliness, speed, etc.
Reply With Quote
  #8  
Old 01-08-2007, 12:00 AM
DING-DONG YO DING-DONG YO is offline
Senior Member
 
Join Date: Feb 2006
Location: ninja modng, bitches, u need 2 recanize
Posts: 8,122
Default Re: SCKeylogger found - what is next?

Would McAfee pick up a keylogger running in the background?
Reply With Quote
  #9  
Old 01-08-2007, 12:22 AM
signal signal is offline
Senior Member
 
Join Date: Dec 2004
Posts: 305
Default Re: SCKeylogger found - what is next?

I don't think I am qualified to answer this, but I think it depends. Maybe someone more knowledgeable will intervene....

All of these anti-(spy, virus, etc.) programs work off definition libraries. So if a scan yields an infection, there necessarily must be a detected 'signature' of this virus on your comp which matches the virus definition library.

This implies that obscure, new, or novel (i.e. more sophisticated) viruses (malware) may be undetectable via AV scans. As a virus proliferates, it is logged, then added to libraries, then you download a definition update et voila you detect it.

A promising new method of scanning is heuristic scans... [quoting wikipedia: "In computer science, a heuristic is a technique designed to solve a problem that ignores whether the solution can be proven to be correct, but which usually produces a good solution or solves a simpler problem that contains or intersects with the solution of the more complex problem.

Heuristics are intended to gain computational performance or conceptual simplicity, potentially at the cost of accuracy or precision."]

So, I think a motivated hacker who is smart will stay ahead of detection in a manner similar to the bank robbers of the 1800s: it was much easier to rob a bank and get away with it in the 1800s rather than nowadays: there is so much technology to put up with; big-brother type intrusion... and I think its sphere of influence will eventually encompass the cyber sphere as well.
Reply With Quote
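
The difference between definition-based and heuristic scanning described in the post above, as an added example that is not part of the original thread. It is a simplified model: the "files" are constructed byte strings, signatures are whole-file SHA-256 hashes, and the trait list, weights and all names are assumptions made for illustration.

```python
import hashlib

# Constructed stand-ins for files on disk (not real programs or malware).
KNOWN_LOGGER = b"MZ constructed-known-logger SetWindowsHookExA"
NEW_VARIANT = b"MZ constructed-new-variant SetWindowsHookExA GetAsyncKeyState"
HOTKEY_TOOL = b"MZ constructed-hotkey-utility GetAsyncKeyState SetWindowsHookExA"
TEXT_EDITOR = b"MZ constructed-text-editor CreateFileW"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Definition libraries: hash of a known-bad file -> detection name.
# DEFS_V2 models the update published after the new variant was analysed.
DEFS_V1 = {sha256(KNOWN_LOGGER): "Constructed.Logger.A"}
DEFS_V2 = {**DEFS_V1, sha256(NEW_VARIANT): "Constructed.Logger.B"}

# Heuristic traits (assumed weights): API names a keyboard hook would import.
TRAITS = {b"SetWindowsHookEx": 2, b"GetAsyncKeyState": 2}
THRESHOLD = 4

def signature_scan(data: bytes, definitions: dict):
    """Return the detection name only if the file matches a known definition."""
    return definitions.get(sha256(data))

def heuristic_score(data: bytes) -> int:
    """Sum the weights of every suspicious trait present in the file."""
    return sum(weight for trait, weight in TRAITS.items() if trait in data)

def scan(data: bytes, definitions: dict):
    """Signature match first, then fall back to the heuristic threshold."""
    name = signature_scan(data, definitions)
    if name:
        return ("signature", name)
    score = heuristic_score(data)
    if score >= THRESHOLD:
        return ("heuristic", f"suspicious (score {score})")
    return ("clean", None)

if __name__ == "__main__":
    files = {"known": KNOWN_LOGGER, "new": NEW_VARIANT,
             "hotkey": HOTKEY_TOOL, "editor": TEXT_EDITOR}
    for label, data in files.items():
        print(label, "| old defs, signatures only:",
              signature_scan(data, DEFS_V1), "| full scan:", scan(data, DEFS_V1))
```

With the old definitions the new variant passes the signature check and is caught only by the heuristic, which also flags the harmless hotkey utility: the accuracy cost mentioned in the quoted definition.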
  #10  
Old 01-08-2007, 04:56 AM
Ray Zee Ray Zee is offline
Senior Member
 
Join Date: Aug 2002
Location: montana usa
Posts: 4,803
Default Re: SCKeylogger found - what is next?

you are probably lucky this time jim. it has been said many times never let anyone touch a computer that has anything financial or personal on it but yourself. and use that computer only on secure sites and don't follow any links you aren't familiar with.
computers are cheap you can have a few if necessary. a person wouldn't let someone know their ss number or their bank accounts number but put it on their computer and go surfing.
Reply With Quote
All times are GMT -4.