What kind of keylogger is this?


(see image link below as I can't attach a *.txt file to this group).

http://i13.tinypic.com/40l2t81.jpg


When I found my IE 6 browser refusing to open several browsers at a time,
I did a ctrl-alt-delete and found two SERVICES processes.  I also saw that
my IEXPLORE.exe file would still be open as a memory hog (130 MB) even
after closing all open browser screens.  After using Crap Cleaner to clean
the temp files and cache,  I ran a services.msc command and noticed this
Key*** service, which I knew I never had before.  The attached image link
shows half of the places I found where it appeared in my registry.  
Obviously, Crap Cleaner deleted the exe file in the temp directory.
When I was in services, I disabled it (it was set to "manual").


I've searched all over Google and can't find any references to it.

Hijackthis picked it up as an O23 item  - Unknown owner - \LOCALS~1\Temp
\exe (file missing)

Before I delete all the registry references to it, would anyone here know
of any site that discusses it?

 



Re: What kind of keylogger is this?


| (see image link below as I can't attach a *.txt file to this group).
|
|
http://i13.tinypic.com/40l2t81.jpg
|
| When I found my IE 6 browser refusing to open several browsers at a time,
| I did a ctrl-alt-delete and found two SERVICES processes.  I also saw that
| my IEXPLORE.exe file would still be open as a memory hog (130 MB) even
| after closing all open browser screens.  After using Crap Cleaner to clean
| the temp files and cache,  I ran a services.msc command and noticed this
| Key*** service, which I knew I never had before.  The attached image link
| shows half of the places I found where it appeared in my registry.
| Obviously, Crap Cleaner deleted the exe file in the temp directory.
| When I was in services, I disabled it (it was set to "manual").
|
| I've searched all over Google and can't find any references to it.
|
| Hijackthis picked it up as an O23 item  - Unknown owner - \LOCALS~1\Temp
| \exe (file missing)
|
| Before I delete all the registry references to it, would anyone here know
| of any site that discusses it?
|



Please submit a sample of "keygodsx.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition, unless
told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

It uses RootKit techniques, so I suggest using Gmer.
http://www.gmer.net/



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: What kind of keylogger is this?



I'd like to submit the file, except that I ran Crap Cleaner even before I
knew it was on the system.  Crap Cleaner deleted it.  
I'm going to run the above rootkit program as well as Sysinternals and a
few others.

Do you think it's time for Multi A-V?    Is it safe to run these online
scanners rather than downloading the signatures like Multi-AV does?
Don't the online scanners record every filename on your computer?
Secondly, isn't there stuff they can't find because of one's firewall?

I have McAfee's SiteAdvisor as a BHO, use IE-Spyad and have a HOSTS file,
plus use Avast and a firewall.  Still, it's amazing how these things
infiltrate a computer.  I was reading on one of the security sites that
Spyware problems are soaring.

I wonder if it pays to change the name of your computer, sign on name,
password, and release and renew IP addresses on a regular basis.

Someone better inform the media soon how serious a problem this is
becoming.  Any guesses as to how many home computers are seriously
infected around the world?

(Please excuse my crossposting, but I'm incensed at my violation of
privacy with this spyware/malware/trojan problem and I feel that the more
individuals who read about this particular keylogger, if that's what it  
is, the better.)

Re: What kind of keylogger is this?



| I'd like to submit the file, except that I ran Crap Cleaner even before I
| knew it was on the system.  Crap Cleaner deleted it.
| I'm going to run the above rootkit program as well as Sysinternals and a
| few others.
|
| Do you think it's time for Multi A-V?    Is it safe to run these online
| scanners rather than downloading the signatures like Multi-AV does?
| Don't the online scanners record every filename on your computer?
| Secondly, isn't there stuff they can't find because of one's firewall?
|
| I have McAfee's SiteAdvisor as a BHO, use IE-Spyad and have a HOSTS file,
| plus use Avast and a firewall.  Still, it's amazing how these things
| infiltrate a computer.  I was reading on one of the security sites that
| Spyware problems are soaring.
|
| I wonder if it pays to change the name of your computer, sign on name,
| password, and release and renew IP addresses on a regular basis.
|
| Someone better inform the media soon how serious a problem this is
| becoming.  Any guesses as to how many home computers are seriously
| infected around the world?
|
| (Please excuse my crossposting, but I'm incensed at my violation of
| privacy with this spyware/malware/trojan problem and I feel that the more
| individuals who read about this particular keylogger, if that's what it
| is, the better.)

I have more confidence in Gmer than RootKit Revealer, so I suggest using it
first.

Sure, you can use my Multi AV Scanning Tool.  The McAfee module alone knows
hundreds of Keylogging Trojans.  Additionally, you never know what else any of
the modules might find.

I really do NOT know what you had.  I looked in virus libraries and could not
find it.  It may be new or it may be an old one that is using new names for
Registry keys and files.

I would assume the worst.  That is, you need to immediately redo *all* passwords
that have been used on that PC.  Online Banking, Forum accounts, Quicken -- every
and all of them.
Changing the name of the computer is a waste of time.  The PC name is meaningless.
Getting a new IP address is also worthless.  I do suggest that if you are on
Broadband, get and use a Cable/DSL Router such as the Linksys BEFSR41.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: What kind of keylogger is this?



I just used it and can't make head or tail from it.
Secondly, Drwatson appears about 2nd use and closes it.

Right now, I see that the gmer.exe file is still running in my task
manager, yet I can't see the program, nor can I close it.

The same goes for sysinternals.com Process Explorer.  

When I ran the Rootkit scan, I saw a load of things scrolling by,
but I didn't see anything marked "hidden" like his FAQ's show (unless I'm
reading the FAQ's wrong).  I did see some of the MJ's and some TCP/IP
things floating by.  I thought I was getting very advanced, but I'm not
sure what boxes s/b checked, nor how many of the 50+ services in the other
tab I see that I should research.  There's quite a few I'm not sure about.

I'm going to delete all references to the "keylogger(?)" in my registry
now, and then run a multitude of security programs - including Multi-AV.

I hope that whatever it is is only in my system partition or registry,
because I have a very large hard drive, and also use a large, multi-
partitioned external drive on occasion.

To scan all those partitions with Multi-AV might take the rest of the
winter - LOL!  Usually, these bugs are in the OS directory, registry,
documents and settings, or program files on the main partition.

Re: What kind of keylogger is this?


|
| I just used it and can't make head or tail from it.
| Secondly, Drwatson appears about 2nd use and closes it.
|
| Right now, I see that the gmer.exe file is still running in my task
| manager, yet I can't see the program, nor can I close it.
|
| The same goes for sysinternals.com Process Explorer.
|
| When I ran the Rootkit scan, I saw a load of things scrolling by,
| but I didn't see anything marked "hidden" like his FAQ's show (unless I'm
| reading the FAQ's wrong).  I did see some of the MJ's and some TCP/IP
| things floating by.  I thought I was getting very advanced, but I'm not
| sure what boxes s/b checked, nor how many of the 50+ services in the other
| tab I see that I should research.  There's quite a few I'm not sure about.
|
| I'm going to delete all references to the "keylogger(?)" in my registry
| now, and then run a multitude of security programs - including Multi-AV.
|
| I hope that whatever it is is only in my system partition or registry,
| because I have a very large hard drive, and also use a large, multi-
| partitioned external drive on occasion.
|
| To scan all those partitions with Multi-AV might take the rest of the
| winter - LOL!  Usually, these bugs are in the OS directory, registry,
| documents and settings, or program files on the main partition.

The MOST important areas to scan with Multi AV...

C:\Documents and Settings

C:\Program Files

%windir%

You can have it selectively scan those specific areas.

Delete those Registry entries.  Exit Regedit and then go back into Regedit and
see if they still exist.

If they still exist, the malware is still running.
If they don't still exist, reboot the PC and then run a selective area scan using
the Multi AV Scanning Tool.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
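Two points in this thread lend themselves to a worked check: the HijackThis O23 item above (a service whose ImagePath points into a user's Temp directory and whose file is missing), and Dave's advice to delete the registry entries, reopen Regedit and see whether they come back. The following is an added example, not code from the thread or from any of its posters or the tools they name. It parses a `.reg` export of the Services key (including the `hex(2):` UTF-16LE encoding regedit uses for REG_EXPAND_SZ values, wrapped across lines with a trailing backslash), flags services whose binary lives in a temp folder or is not on disk, and then checks a second export for entries that were deleted but have been recreated. The export text, the environment values and the names SUSPECTSVC, OLDSVC and gone.exe are constructed placeholders; the set of files "on disk" is likewise constructed so the whole thing runs offline.

```python
"""Review Windows service registrations (what HijackThis lists as O23 items) from a
.reg export and re-check whether deleted entries came back. Added example for this
thread: the .reg text, environment and SUSPECTSVC/OLDSVC names are constructed."""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")  # service binary living in a temp folder
# Constructed stand-in for the scanned machine's environment variables.
SAMPLE_ENV = {"SYSTEMROOT": r"C:\WINDOWS", "TEMP": r"C:\DOCUME~1\User\LOCALS~1\Temp"}

# Constructed export: a normal service; one whose REG_EXPAND_SZ ImagePath (hex(2) =
# UTF-16LE bytes, wrapped with a trailing backslash as regedit does) points into
# %TEMP%; and one whose binary is no longer on disk.
SAMPLE_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SUSPECTSVC]
"ImagePath"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,73,00,75,00,73,00,\
  70,00,65,00,63,00,74,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OLDSVC]
"ImagePath"="\"C:\\Program Files\\Placeholder\\gone.exe\" -service"
'''
# Constructed export taken after deleting both flagged keys: SUSPECTSVC is back.
SAMPLE_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SUSPECTSVC]
"ImagePath"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,73,00,75,00,73,00,\
  70,00,65,00,63,00,74,00,2e,00,65,00,78,00,65,00,00,00
'''

def decode_reg_value(raw: str) -> str:
    """Decode one .reg value: "string", dword:, or hex(N): byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if m.group(1) in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()

def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: decoded_value}}."""
    keys: dict = {}
    current, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            while raw.endswith("\\") and i < len(lines):  # wrapped hex data
                raw = raw[:-1] + lines[i].strip()
                i += 1
            keys[current][name.strip('"')] = decode_reg_value(raw)
    return keys

def expand_vars(path: str, env: dict) -> str:
    """Expand %VAR% references from the supplied environment (upper-cased keys)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def executable_path(image_path: str) -> str:
    """Drop quotes and arguments; unquoted paths containing spaces are ambiguous."""
    s = image_path.strip()
    return s[1:s.index('"', 1)] if s.startswith('"') else s.split(" ", 1)[0]

def suspicious_services(keys: dict, env: dict, existing_files: set) -> list:
    """(service, ImagePath, reason) for binaries in a temp folder or missing on disk;
    `existing_files` (lower-cased, expanded paths) stands in for the file system."""
    root, findings = SERVICES_ROOT.lower() + "\\", []
    for key, values in keys.items():
        name = key[len(root):] if key.lower().startswith(root) else ""
        if not name or "\\" in name or "ImagePath" not in values:
            continue  # not a service key, or a Parameters-style subkey
        exe = expand_vars(executable_path(values["ImagePath"]), env).lower()
        if any(marker in exe for marker in TEMP_MARKERS):
            findings.append((name, values["ImagePath"], "binary in a temp directory"))
        elif exe not in existing_files:
            findings.append((name, values["ImagePath"], "file missing"))
    return findings

def still_present(keys_after: dict, deleted: list) -> list:
    """Deleted names that exist again in a later export: an entry that returns after
    regedit is closed and reopened is being rewritten by something still running."""
    present = {k.lower() for k in keys_after}
    return [s for s in deleted if (SERVICES_ROOT + "\\" + s).lower() in present]

def run_demo() -> tuple:
    on_disk = {r"c:\windows\system32\spoolsv.exe"}  # constructed file list
    findings = suspicious_services(parse_reg_export(SAMPLE_BEFORE), SAMPLE_ENV, on_disk)
    return findings, still_present(parse_reg_export(SAMPLE_AFTER), [f[0] for f in findings])
```

Running `run_demo()` on the constructed exports flags SUSPECTSVC (binary under `LOCALS~1\Temp`) and OLDSVC (file missing), and reports SUSPECTSVC as recreated in the second export, which is exactly the "still exists, so the malware is still running" case. On a real machine the export would come from `regedit /e` against the Services key, and the file set from walking the disk; the `.reg` parsing and the before/after comparison are unchanged.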



Re: What kind of keylogger is this?




I've already scanned it with Regseeker and Registrar Lite from
Resplendence.com (who has some nice stuff).  Regseeker picked up 34
instances and Registrar Lite found another 20 or so.  I also just did a
Regedit search, and the registry was clean (from this one, at least).  
Now onto Multi-AV, a-squared, Ad-Aware, Spybot, Windows Defender (is it
really worth it?), Regclean, and Avast.

I'm beginning to wonder about Mcafee's Site Advisor.  There are some
questionable sites that they say are clean, yet they have a warning about
Resplendence.com, who makes some good registry cleaners.


Do the scanners in Multi-AV also clean the system (look for all instances
where the virus or trojan may be) once it finds a bug, or do I have to
research everything it finds?

I remember reading here once that the Kaspersky scanner left marks on
every file it found, and a tool was needed to remove the Kaspersky
extensions.

I'm surprised that there hasn't been more participation in this thread.  
This was the first place I thought of posting the problem since it's
easier to post to newsgroups, and it's open to all readers of forums such
as Wilders Security, Castle Cops, etc.

The WWW is beginning to make the old wild, wild, west look tame by
comparison!  Why can't Microsoft, with all their programmers, have a
department that collects all info about rootkits, trojans, spyware, etc,
and issue a daily, or twice weekly updated program - even if it has a 100
MB signature file, that deeply cleans every aspect of the registry, and
once it finds something, has a lookup table of what exe or dll files it's
associated with?  I wouldn't care if the program took 4 hours to run, as
long as it guaranteed a clean registry, with no strange services running.

I wonder if I'll be safer now with Firefox?




Re: What kind of keylogger is this?


Replies are inline...

|
| I've already scanned it with Regseeker and Registrar Lite from
| Resplendence.com (who has some nice stuff).  Regseeker picked up 34
| instances and Registrar Lite found another 20 or so.  I also just did a
| Regedit search, and the registry was clean (from this one, at least).
| Now onto Multi-AV, a-squared, Ad-Aware, Spybot, Windows Defender (is it
| really worth it?), Regclean, and Avast.


You can leave out;  Ad-Aware, Spybot, Windows Defender, Regclean, and Avast.


|
| I'm beginning to wonder about Mcafee's Site Advisor.  There are some
| questionable sites that they say are clean, yet they have a warning about
| Resplendence.com, who makes some good registry cleaners.
|
| Do the scanners in Multi-AV also clean the system (look for all instances
| where the virus or trojan may be) once it finds a bug, or do I have to
| research everything it finds?


Yes.  That's why it isn't always good to use a surrogate PC to scan a hard disk
(that is, removing the hard disk from the affected PC and placing it in another PC
and having that PC scan it).


|
| I remember reading here once that the Kaspersky scanner left marks on
| every file it found, and a tool was needed to remove the Kaspersky
| extensions.


I heard that too.  I think it was version 5.


| I'm surprised that there hasn't been more participation in this thread.
| This was the first place I thought of posting the problem since it's
| easier to post to newsgroups, and it's open to all readers of forums such
| as Wilders Security, Castle Cops, etc.


It's Sunday night.  Friday and Sunday nights are usually quiet.


|
| The WWW is beginning to make the old wild, wild, west look tame by
| comparison!  Why can't Microsoft, with all their programmers, have a
| department that collects all info about rootkits, trojans, spyware, etc,
| and issue a daily, or twice weekly updated program - even if it has a 100
| MB signature file, that deeply cleans every aspect of the registry, and
| once it finds something, has a lookup table of what exe or dll files it's
| associated with?  I wouldn't care if the program took 4 hours to run, as
| long as it guaranteed a clean registry, with no strange services running.

Yepper.  The landscape of the Internet is full of pitfalls and dangers waiting
for the unsuspecting user and is getting worse.


|
| I wonder if I'll be safer now with Firefox?
|


Moderately, yes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: What kind of keylogger is this?



You're that down on Avast?  What AV program do you use?

Re: What kind of keylogger is this?


|
| You're that down on Avast?  What AV program do you use?

McAfee Enterprise and AntiVir.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: What kind of keylogger is this?


< snip >

I submitted your JPEG to some real experts.  We'll see what feedback they
provide.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


