afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > help deleting keylogger
Help Deleting Keylogger
Shoker (Member)
1. October 2006 @ 19:02
Hey my virus scanner found a keylogger on my laptop. For some reason it would identify it, but wouldn't disinfect nor delete it. I found where the keylogger is located and when I try to delete it I get the following pop up error:

Cannot delete 5wrw23ky: Cannot read from the source file or disk.

Any help getting rid of this virus would be appreciated. Thanks in advance.
Senior Member
1. October 2006 @ 19:14
Got a name?

Shoker (Member)
1. October 2006 @ 21:14
This is what my antivirus says when I open the folder it's in:

Infected with:
Trojan.Keylogger.Ardamax.F
Senior Member
1. October 2006 @ 21:30
Ewido will rid it.

Go here to download the trial version of Ewido Anti-spyware.

Install and update.
Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from the menu and press Enter).
Open Ewido and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report".
Click "Save report as" and save it to the desktop.

Look at the report and make sure it was "Cleaned with backup". If so, click "Infections" from the menu. Select all and click "Remove finally".

Be sure to change ALL your passwords, user names, and anything to do with banking or personal information.

Let me know if it was rid by Ewido.

Shoker (Member)
1. October 2006 @ 22:15
Ewido isn't updating for some reason. I went to the folders where the keylogger is and manually scanned the infected files and ewido picked up nothing. Do you know any other programs I could try?
Senior Member
1. October 2006 @ 22:47
Download HijackThis.
Create a folder in C: named HjT.
Extract HijackThis to the new folder.
Run a scan and save a log file.
Post the log here.

Then, run Ewido in safe mode anyway.

Shoker (Member)
2. October 2006 @ 05:45
This is the log from hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:33 AM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\program files\softwin\bitdefender9\bdnagent.exe
C:\program files\softwin\bitdefender9\bdswitch.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\program files\softwin\bitdefender9\bdmcon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\FireFox Downloads\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared...,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

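As an added example (not code from the thread or from the HijackThis project), a small Python triage script for logs in the format Shoker posted above: it parses the R*/O* entries and flags the kinds of lines a reviewer looks at first, such as an autostart entry running from a Temp folder, a missing referenced file, or a configured proxy. The sample log is constructed; the Run entry pointing at the Temp folder is hypothetical, built from the file name and location mentioned in the thread, which never showed such a line.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 log format (not the full log from the thread).
# The HKCU Run entry pointing at the Temp folder is hypothetical: it is built from the
# file name and location mentioned in the thread, which never showed such a line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [5wrw23ky] C:\Documents and Settings\Owner\Local Settings\Temp\5wrw23ky.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. "R1", "O4", "O23"
    raw: str                     # the line exactly as printed in the log
    path: str = ""               # image path extracted from the line, if one is present
    flags: list = field(default_factory=list)   # review notes attached by triage()

# A drive letter or %VAR% followed by a path ending in an executable-type extension,
# optionally wrapped in quotes; non-greedy so trailing arguments are not swallowed.
PATH_RE = re.compile(r'"?((?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|sys|com|scr|bat|cmd))"?',
                     re.IGNORECASE)
TEMP_RE = re.compile(r'\\(?:Local Settings\\)?Temp\\|%TEMP%', re.IGNORECASE)
LINE_RE = re.compile(r'^([OR]\d+) - (.*)$')

def parse_hjt(text: str) -> list:
    """Return one Entry per R*/O* line; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(section=m.group(1), raw=line.strip())
        pm = PATH_RE.search(m.group(2))
        if pm:
            entry.path = pm.group(1)
        entries.append(entry)
    return entries

def triage(entries: list) -> list:
    """Attach review flags to entries and return only the flagged ones, in log order."""
    flagged = []
    for e in entries:
        if e.section == "R1" and "ProxyServer" in e.raw:
            e.flags.append("proxy server configured; confirm it is intended")
        if TEMP_RE.search(e.path):
            e.flags.append("autostart image lives in a Temp folder")
        if "(file missing)" in e.raw:
            e.flags.append("referenced file is missing")
        if e.flags:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section}: {'; '.join(e.flags)}\n    {e.raw}")
```

A flag is a prompt to look, not a verdict: the proxy in the thread's log is a university library proxy and the missing-file entries belong to BitDefender services, so each flagged line still needs a human to confirm.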

Shoker (Member)
2. October 2006 @ 07:18
The file is located in C:\Documents and Settings\Owner\Local Settings\Temp\ and the other is in mozilla firefox's cache.
Senior Member
2. October 2006 @ 11:23
Delete everything in this folder: C:\Documents and Settings\Owner\Local Settings\Temp

Go here and download CCleaner.

Note: If you do not want Yahoo! Toolbar uncheck the option when installing.

Close all windows.
Open CCleaner.
Click "Run Cleaner".

Then, go here and run ActiveScan. When it finishes, save the results and post them.


Shoker (Member)
2. October 2006 @ 13:56
Should I delete all the folders inside the Temp folder too?
Senior Member
2. October 2006 @ 14:02
Yes, before running ActiveScan.

Shoker (Member)
2. October 2006 @ 14:36
CCleaner got rid of everything except the infected files. I am currently scanning with ActiveScan. Will see how it goes. Also, thanks for all the help you've been providing me with.
Shoker (Member)
2. October 2006 @ 14:57
Hey, I saw on Google that the virus makes registry entries with 'run' at the end of the entry. I downloaded a program called eTrust PestPatrol and it said there is a trojan in Hkey_Local_Machine\Software\Microsoft\Windows\Currentversion\Run. Should I delete this, or is it a necessary file for my computer?
Senior Member
2. October 2006 @ 15:19
Yes, that's true and PestPatrol is probably right. Does it give a name?

Shoker (Member)
2. October 2006 @ 16:23
The name is Trojan.Win32.FTP Attack. I'm starting to wonder if BitDefender is being faulty because nothing else is picking up the keylogger.

Senior Member
2. October 2006 @ 16:58
Oh...that's not good, not good at all. That's a Backdoor trojan. Backdoors are difficult to clean and I cannot guarantee that we will be able to remove everything, because anything on the computer could have been changed and anything could have been installed. Someone could have had access to all the information on the computer, and could have installed anything they like on it.

The safety of this computer has been completely compromised, and the only way to be sure it is safe to use it again is to reformat.

And since there is also a keylogger not showing in your log, the logger is probably using rootkit-like stealth. Again, very hard to remove and not guaranteed.

If this computer has been used for financial transactions, you need to let your banks know immediately and cancel all online banking access.

From a clean computer, change all the passwords for all online services this computer has been used for.

If you do not wish to format, then we can try to clean the computer out, but you will never be able to trust the computer again unless you reformat.

Let me know your decision, and I'll help you clean or reformat.

Shoker (Member)
2. October 2006 @ 17:44
This is the computer my sister uses for her banking and schoolwork and I really need to get rid of this virus. I just need to save her bookmarks and documents. Any help doing this would be appreciated. Or should I just take it to a repair shop and let them do it properly?
Senior Member
2. October 2006 @ 18:07
***Before doing anything else*** Get on another, non-infected machine and change the banking and all other passwords immediately. Niobis is right on all accounts, but I must stress that time is also of the essence. Do not allow the infected computer internet access until it is reformatted. With luck, the stolen passwords and other data have not been picked up yet, but don't wait to find out.

Since you mentioned Firefox, you can simply export your Bookmarks by going into Bookmarks->Manage Bookmarks->File->Export. It'll make a perfect copy and put it wherever you want. Your sister's documents are presumably, if she's using Windows 2000 or XP, in c:\documents and settings\{her login name}\My Documents.

I do not know what vector those keyloggers use to infect, but I noticed it appeared in your Firefox cache. While Firefox is vastly more secure than Internet Explorer, it isn't immune to problems, especially if Java and XPInstall are enabled. I recommend disabling Java no matter what browser you use, enabling it only if direly needed and on a site-by-site basis. I also recommend disabling XPInstall. I can tell you how to do that, but the more important issue is securing your and your sister's banking records and getting that machine reformatted.

Shoker (Member)
2. October 2006 @ 18:18
Kk thanks for the help. I've backed up all the important stuff I need. I've changed all passwords except for my sister's banking. That will have to be done tomorrow.
JaguarGod (Senior Member)
2. October 2006 @ 18:43
Rather than taking it to a repair shop, you should format and reinstall windows.

First, backup anything important. Do it file by file, not folder by folder. There could be something in a folder that should not be there.

If you have a Windows XP install disc, you can format. If not, get Magic Jelly Bean or whatever the XP key viewer is and get your XP key. Write it down. Then, get a copy of Windows XP.

When you install Windows, delete all partitions and create new ones. Make sure you format the partition you install Windows in. Since formatting takes time, you can consider using a small partition size like 6GB. This is enough to install XP and have lots of room just in case. Use other partitions for installing games, non-important software, etc...

That should get rid of the Backdoor.

There are some viruses that install themselves at boot and those usually stay in your system even if you format. If it is that type, you may have to low level format your HDD. This takes time (do a full low level format, not a quick one). You can get the software from the HDD manufacturer's website. Make an HDD boot disc and run it through DOS at boot.

When you re-install XP, make sure to install an Anti-virus first, before going online. Next, install a firewall and disable the Windows firewall again before going online. Then, install Firefox and get scriptblock and adblock. Also, when you are going to iffy websites, use peerguardian. That will stop tons of malware.

Just as it was suggested, only allow Java temporarily for sites you trust on a per-use basis. That is what I do. Also, I set cookies to "Ask". Then I slowly filter through cookies as I browse. I never use "allow" and only use "allow for session". For sites you use often and trust, use the "remember selection" option. It works like a firewall, but for cookies.
Shoker (Member)
2. October 2006 @ 18:56
Do you guys have any guides that I could follow to reformat?

I went to that Magic Jelly Bean site to download the XP key viewer and my firewall blocked it saying it has a trojan. Is this because it goes through the registry to find the key? I guess it's fine to download?

Senior Member
2. October 2006 @ 20:15

JaguarGod (Senior Member)
2. October 2006 @ 20:34
Get key finder from here:

http://rapidshare.de/files/35301720/kf151.zip.html

Before formatting, make sure that everything important is backed up. Consider formatting a permanent way of deletion. Once the data is gone, it cannot be recovered by normal means.

Do not attempt to re-install Windows until after you get your key and you are sure you have a CD to install Windows.

Formatting is simple. Just turn on your PC and insert the Windows XP CD. If the CD does not boot, enter your BIOS and set boot priority to CD first. At the setup screen, when it asks you where to install Windows, delete all partitions you have.

Next, create a new partition. It will ask you how big you want it, so choose a size. You can create multiple partitions if you like. Install Windows to C:\.

When you select to install to C:, you will have the following options:

"Quick Format ... with NTFS"
"Quick Format ... with FAT32"
"Format ... with NTFS"
"Format ... with FAT32"

Choose the "Format ... with NTFS". If your partition is too large, it will take some time to do this. After formatting, just follow the wizard and Windows will install. Then it is just like you bought a fresh PC.

After Windows installs and you install your firewall & Antivirus and you have internet access, you should download Eraser. It is a tool that wipes files. This is better than deleting them, but this is more permanent than a Format.

http://www.heidi.ie/eraser/download.php

After installing this tool, wipe all your free space using the 1 pass method. If you have very large partitions, it will take a long time. Most important is to wipe the free space on your C:\. This will ensure that everything on that partition is gone. Also, make sure that you disable the scheduler tool. You do not need anything except your Antivirus and firewall starting when Windows boots. For instance, my PC boots with 17 processes running.

Shoker (Member)
2. October 2006 @ 20:54
Kk thanks for your guys' help. I found that my settings in BitDefender weren't set up properly, so I changed them and managed to delete 1/3 of the keylogger files. The problem with the other two files is they are stuck in the recycle bin where I cannot scan them. Is there another way I could access the recycle bin? But I'm still going to reformat to be safe.

Shoker (Member)
2. October 2006 @ 21:34
Nvm it detected all the keyloggers and removed them.