stubborn Keylogger !

Posted by RJK on March 25, 2008, 4:19 pm
Hi,

I've got a XP Pro SP2 machine on the bench that has/had/or maybe still has a
keylogger in it.
AVG / Ewido scan found it and seemed to remove it, but, I'm sure there's
something quite nasty still in there.
AVG anti-virus wouldn't install - it's as though something is blocking it
from being installed.
Adaware didn't really find anything, and seems to be not functioning
properly in Safe Mode - it becomes unresponsive.

...and Multi-av - which I copied across in Safe mode from a USB pen-drive =
press 1 for the Sophos sweep and multi-av just vanishes. Press (2) for
Trend, and apparently psapi.dll is missing (it's not - it is present in
system32).
...anyhow (1) Sophos and (2) Trend scans will not run.
Several previous attempts to start multi-AV sweeps 1 and 2, in Normal and
Safe Mode caused XP to shut down !

....McAfee (3) in multi-av is running in Windows "Diagnostic startup - basic
services etc" mode ...is that any good ?

This machine was built and configured by a real PC clever clogs, who built
it for his girlfriend, ...long story ...relationship broke up, ...PC has
been a nightmare ever since, ...I'm told by the young lady's father !!! I
have a strong suspicion that this keylogger was installed by him and not
picked up on the web, ...though of course that could be complete rubbish.

....where do I start ?

McAfee just found "Generic Pup.a.Temp\DealioKit1-stub-0.exe ... "
...I'll Google on that in a minute....
....interesting Google results....

any tips appreciated,

regards, Richard



Posted by David H. Lipman on March 25, 2008, 4:44 pm

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of
the below expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's
System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by RJK on March 25, 2008, 5:05 pm
Big thanks, ...will do,
..(4) Kaspersky sweep is running on it atm, am tempted to terminate it !
...just what are all those "error : delete wrong pointer" 's ? :-)

regards, Richard





Posted by David H. Lipman on March 25, 2008, 5:14 pm

| Big thanks, ...will do,
| ..(4) Kaspersky sweep is running on it atm, am tempted to terminate it !
| ...just what are all those "error : delete wrong pointer" 's ? :-)
|
| regards, Richard
|

I don't know -- they can be ignored.

Please provide the URL of the expert forum you end up posting to.

BTW: I have updated the Multi-AV to v6.00 which includes the Trend Micro anti
spyware capability and other improvements. It is not yet available on PCTipp.
However, if you email me, I will provide you the URL of a site which will always
host the latest build.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by ~BD~ on March 25, 2008, 7:06 pm
Hi Richard!

I wondered if you would, please, ask Mr Lipman why he doesn't recommend
AumHa for reviewing HJT and Deckard's System Scanner logs. He won't give me
an answer, yet tells me that PA Bear *is* one of the good guys. BTW, I noted
that you never gave him - Mr Bear - the apology he demanded from you! ;)

I'm afraid I fell foul of Mr Castner too. I got a funny feeling, though,
that there was a 'team' of people providing answers, not just one individual
(but all using the same name). Regardless, I may no longer post there - at
least that's what I've been told by Jim Eshelman! :)

Dave

PS With regard to your suspected Key-logger, I'd save any data required and
then flatten (remove *all* partitions) and re-install Windows from scratch.


> Big thanks, ...will do,
> ..(4) Kaspersky sweep is running on it atm, am tempted to terminate it !
> ...just what are all those "error : delete wrong pointer" 's ? :-)
>
> regards, Richard


