Keylogger Detected In System File: qkbfiltr.sys


18 replies to this topic

#1 daggoth (Member, 35 posts)

Posted 28 June 2008 - 02:48 PM

I have to keep my post short since I get disconnected when I use my keyboard often. It's a keylogger in my system file "qkbfiltr.sys" that tracks my keystrokes to steal passwords. I used Kaspersky, Spybot Search & Destroy and Malwarebytes Anti-Malware but they couldn't erase the threat (Kaspersky found the keylogger threat in the file though). Please help, thank you.

Edited by daggoth, 28 June 2008 - 03:14 PM.




#2 boopme (Global Moderator, 73,078 posts, NJ USA)
    To Insanity and Beyond

Posted 28 June 2008 - 09:51 PM

Hello, is this an XP system?
Please run another scan.
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 08:12 AM

Thank you for helping, and my system is XP. I did all you mentioned above, but my system started to freeze for a very short time (like 1.5 seconds) every 10 seconds. Also, Kaspersky still finds viruses and trojans on my computer even though I made sure Kaspersky erased all of them; trojans with similar names (all of them related to online game password stealing) started to appear. When I run a full scan and erase them all again, the only threat that is left is once again the "qkbfiltr.sys" file, and as time passes they appear again (this happened 3 or 4 times this week).

Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/29/2008 at 03:31 PM

Application Version : 4.15.1000

Core Rules Database Version : 3493
Trace Rules Database Version: 1484

Scan type : Complete Scan
Total Scan Time : 02:25:44

Memory items scanned : 411
Memory threats detected : 0
Registry items scanned : 6362
Registry threats detected : 33
File items scanned : 286308
File threats detected : 27

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}
HKCR\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}
HKCR\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}
HKCR\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}\InProcServer32
HKCR\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\WYRSDJ.DLL
HKLM\Software\Classes\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}
HKCR\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}
HKCR\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}
HKCR\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32
HKCR\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32
HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDSERH.DLL
HKLM\Software\Classes\CLSID\{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}
HKCR\CLSID\{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}
HKCR\CLSID\{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}
HKCR\CLSID\{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}\InProcServer32
HKCR\CLSID\{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\FSRGEB.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}
HKCR\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}
HKCR\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}
HKCR\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32
HKCR\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\ZGRJDX.DLL

Adware.Tracking Cookie
C:\Documents and Settings\X\Cookies\x@apmebf[2].txt
C:\Documents and Settings\X\Cookies\x@trackit.ku.edu[1].txt
C:\Documents and Settings\X\Cookies\x@server.cpmstar[1].txt
C:\Documents and Settings\X\Cookies\x@ad.yieldmanager[1].txt
C:\Documents and Settings\X\Cookies\x@atdmt[2].txt
C:\Documents and Settings\X\Cookies\x@www.trafficrank[1].txt
C:\Documents and Settings\X\Cookies\x@metacafe.122.2o7[1].txt
C:\Documents and Settings\X\Cookies\x@fastclick[2].txt

Adware.WhenU
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#UrlInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg#UninstallString
C:\Documents and Settings\X\Start Menu\Programlar\WhenU\Customer Support.lnk
C:\Documents and Settings\X\Start Menu\Programlar\WhenU\Learn More About WhenU Save.url
C:\Documents and Settings\X\Start Menu\Programlar\WhenU\Learn More About WhenU SaveNow.url
C:\Documents and Settings\X\Start Menu\Programlar\WhenU\Uninstall Instructions.lnk
C:\Documents and Settings\X\Start Menu\Programlar\WhenU\WhenU.com Website.url
C:\Documents and Settings\X\Start Menu\Programlar\WhenU
C:\DOCUMENTS AND SETTINGS\X\BELGELERIM\BSPLAYER_WHENUSAVE_INSTALLERINSTRE.EXE
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE

Adware.eZula
C:\MPQ PLUGIN\MPQ.WCX
C:\TOTALCMD\MPQ.WCX

Trojan.Downloader-Gen/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0AEBACA0-FDB4-4453-BDB5-9BCA97E7808C}\RP402\A0158531.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0AEBACA0-FDB4-4453-BDB5-9BCA97E7808C}\RP403\A0161139.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0AEBACA0-FDB4-4453-BDB5-9BCA97E7808C}\RP404\A0165487.EXE
C:\WINDOWS\SYSTEM32\MRSINGDK.EXE
C:\WINDOWS\Prefetch\MRSINGDK.EXE-392ACE6D.pf

Edited by daggoth, 29 June 2008 - 08:15 AM.


#4 DaChew (BC Advisor, 10,317 posts)
    Visiting Alien

Posted 29 June 2008 - 08:36 AM

R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>


Is your file in this same location?

I am always a little skeptical about conflicts with these hot key drivers; even Intel's have had some bad issues.
Chewy

No. Try not. Do... or do not. There is no try.

#5 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 09:22 AM

DaChew said:
    R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>

    Is your file in this same location?

    I am always a little skeptical about conflicts with these hot key drivers; even Intel's have had some bad issues.


Yes, that's the file and location. At first I thought that the file may not be a keylogger and Kaspersky is just too suspicious, but since I have no explanation for the trojans reappearing after every full removal, that file is actually needed for my keyboard to function (this is a laptop btw), and the trojans are meant to steal passwords, I think they are quite related.

#6 DaChew (BC Advisor, 10,317 posts)
    Visiting Alien

Posted 29 June 2008 - 10:08 AM

http://virusscan.jotti.org/

http://www.virustotal.com/

These two sites can give you a second opinion (often mixed) on that file.

I would look for an updated driver, a conflict, or even disable the hot key part.

It's probably a conflict; that is harder to run down and solve than malware issues.

Would you update MBAM and post a new scan?

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Edited by DaChew, 29 June 2008 - 10:09 AM.

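DaChew's two checks above (is the loaded driver really at the logged path, and what does a hash-based second opinion say about that exact file) can be done directly instead of by reading a scanner log. The PowerShell below is an added example written for this page; it is not code from the thread, from DDS/HijackThis, or from any of the tools named here. It assumes Windows PowerShell 4 or later (for Get-FileHash) run as Administrator. The service name qkbfiltr comes from the log line DaChew quoted; the function names and output fields are assumptions of this example.

```powershell
# Added example (not from the thread): triage a suspect kernel driver such as qkbfiltr.sys.
# Shows where the registered service actually points, whether the file carries a verifiable
# Authenticode signature (the "<Not Verified; Quanta Computer, Inc.>" note in the DDS log
# means that check failed), and which drivers sit in the keyboard class filter chain, where
# a keystroke-intercepting filter driver has to register itself to be loaded.
# Assumptions: Windows, PowerShell 4+, run as Administrator. Service name taken from the log.

param([string]$ServiceName = 'qkbfiltr')

function Get-DriverServiceInfo {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $svc = Get-ItemProperty -Path $key
    # ImagePath comes in several forms: 'system32\drivers\x.sys', '\SystemRoot\system32\...',
    # '\??\C:\...'. A kernel driver with no ImagePath defaults to system32\drivers\<name>.sys.
    $image = $svc.ImagePath
    if (-not $image) { $image = "system32\drivers\$Name.sys" }
    $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }
    [pscustomobject]@{
        Service   = $Name
        Start     = $svc.Start      # 3 = demand start; this is the digit in the log's "R3" prefix
        Type      = $svc.Type       # 1 = kernel driver
        ImagePath = $image
    }
}

function Test-DriverFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTimeUtc
        CompanyName = $item.VersionInfo.CompanyName      # what the log printed as the vendor
        Description = $item.VersionInfo.FileDescription
        SigStatus   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash  # for VirusTotal/Jotti
    }
}

function Get-KeyboardClassFilters {
    # Keyboard device setup class. Filter drivers that see keystrokes must be listed in
    # UpperFilters/LowerFilters here (or on an individual keyboard device instance).
    $kbdClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
    $props = Get-ItemProperty -Path $kbdClass
    [pscustomobject]@{
        UpperFilters = @($props.UpperFilters)
        LowerFilters = @($props.LowerFilters)
    }
}

$info = Get-DriverServiceInfo -Name $ServiceName
if (-not $info) { Write-Warning "No service named $ServiceName"; return }
$info | Format-List
Test-DriverFile -Path $info.ImagePath | Format-List
Get-KeyboardClassFilters | Format-List
```

Two caveats when reading the output. A SigStatus of NotSigned does not by itself prove tampering: OEM drivers of this era were often signed only through a WHQL catalog (.cat) file rather than an embedded signature, so the decisive check is whether the SHA256 matches a clean copy of the same driver from the laptop vendor. Conversely, a driver that hashes clean but sits next to an unexpected extra name in UpperFilters is the more interesting finding, because that is where a keylogging filter driver would have to live to receive keystrokes.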

#7 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 10:43 AM

I ran all my protection programs every day (including today, and including MBAM) after these trojans showed up.

DaChew said:
    I would look for an updated driver, a conflict, or even disable the hot key part.

How do I do those?

#8 DaChew (BC Advisor, 10,317 posts)
    Visiting Alien

Posted 29 June 2008 - 10:59 AM

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

I would suggest starting a thread in our XP forum; there are several excellent people there who might have suggestions.

Provide a link to this thread and some more details about your laptop.

It might take a few of them to sort this out.

#9 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 12:07 PM

http://www.bleepingcomputer.com/forums/t/154957/keylogger-hiding-in-system-file-qkbfiltrsys/

done

#10 DaChew (BC Advisor, 10,317 posts)
    Visiting Alien

Posted 29 June 2008 - 12:21 PM

Would you please post a new, updated scan log from MBAM?

Make sure you have rebooted the computer before the scan.

Edited by DaChew, 29 June 2008 - 12:23 PM.


#11 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 01:01 PM

Tried twice; the system doesn't last long enough to run a full scan right after reboot, it freezes in the middle of the MBAM scan. I can only use the system by running a quick scan immediately after Windows starts so it can deal with the trojans immediately.

#12 DaChew (BC Advisor, 10,317 posts)
    Visiting Alien

Posted 29 June 2008 - 01:21 PM

More clues!

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Could you post this scan first?

Next:

Try to install and/or update all 3 programs and then run them back to back, but make sure you are disconnected from the internet.

Malware can still access the internet through wireless even when you think you are offline.

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

SDFix is another powerful program to use.

#13 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 01:27 PM

I'll try that in 2 hours or so. Thanks for advice.

#14 daggoth (Topic Starter, Member, 35 posts)

Posted 29 June 2008 - 04:38 PM

When I open SmitfraudFix (both on the desktop and in C:) I only see a blank command window. And I already tried those removal programs one after another in both normal Windows mode and safe mode. Doesn't work.

I managed to have a MBAM log. Here:

Malwarebytes' Anti-Malware 1.18
Database version: 883

00:21:23 30.06.2008
mbam-log-6-30-2008 (00-21-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182132
Time elapsed: 48 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\arjrgler.dll (Spyware.OnlineGames) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9c69034a-f45f-d34d-a33a-c33c4d324fc9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c69034a-f45f-d34d-a33a-c33c4d324fc9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c8d1401-a58d-a81c-cd24-a5915c4517c7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c8d1401-a58d-a81c-cd24-a5915c4517c7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84143967-b645-4bff-b873-da1dc886e9a7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{528df602-9541-a985-210a-984a698c6f25} (Spyware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528df602-9541-a985-210a-984a698c6f25} (Spyware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{470165f1-9f65-569f-f895-f14f58f41074} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470165f1-9f65-569f-f895-f14f58f41074} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9c69034a-f45f-d34d-a33a-c33c4d324fc9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\arjrgler.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\System Volume Information\_restore{0AEBACA0-FDB4-4453-BDB5-9BCA97E7808C}\RP404\A0165472.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0AEBACA0-FDB4-4453-BDB5-9BCA97E7808C}\RP405\A0167735.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mkjraler.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.
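The pattern in the MBAM log above is the one worth chasing by hand: randomly named, unsigned DLLs in System32 (arjrgler.dll here) registered as Browser Helper Objects and as a ShellExecuteHook, which get Explorer and Internet Explorer to load them again after every reboot, plus the restore-point copies that reseed the infection. The PowerShell below is an added example for this page, not code from the thread or from MBAM; it enumerates those two persistence points straight from the registry, resolves each CLSID to the DLL that will be loaded, and flags the ones that look like this infection. It assumes Windows, PowerShell 4 or later, and an elevated session; the function names and the Suspicious heuristic are this example's own.

```powershell
# Added example (not from the thread): enumerate BHO and ShellExecuteHook persistence,
# resolve each CLSID to its InProcServer32 DLL, and flag unsigned, vendor-less DLLs in
# System32 of the kind the MBAM log keeps finding (arjrgler.dll, Spyware.OnlineGames).
# Assumptions: Windows, PowerShell 4+, run as Administrator.

function Resolve-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            # The value may still contain %SystemRoot% or similar.
            return [System.Environment]::ExpandEnvironmentVariables($path)
        }
    }
    return $null
}

function Get-ComHookEntries {
    $sources = @{
        BHO              = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        ShellExecuteHook = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    }
    foreach ($kind in $sources.Keys) {
        $root = $sources[$kind]
        if (-not (Test-Path $root)) { continue }
        # BHOs are subkeys named by CLSID; ShellExecuteHooks are value names on the key itself,
        # exactly the two registry shapes listed in the MBAM log.
        if ($kind -eq 'BHO') {
            $clsids = (Get-ChildItem -Path $root).PSChildName
        } else {
            $clsids = (Get-Item -Path $root).GetValueNames() |
                      Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        }
        foreach ($clsid in $clsids) {
            $dll    = Resolve-Clsid -Clsid $clsid
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig = $null; $company = $null; $sha256 = $null
            if ($exists) {
                $sig     = (Get-AuthenticodeSignature -FilePath $dll).Status
                $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
                $sha256  = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            }
            # Heuristic: lives in System32, no verifiable signature, no vendor string.
            $suspicious = [bool]($exists -and $sig -ne 'Valid' -and -not $company -and
                                 $dll -like "$env:SystemRoot\system32\*")
            [pscustomobject]@{
                Kind       = $kind
                CLSID      = $clsid
                DLL        = $dll
                Exists     = $exists
                Signature  = $sig
                Company    = $company
                SHA256     = $sha256
                Suspicious = $suspicious
            }
        }
    }
}

Get-ComHookEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it after a reboot and again after the next scan-and-clean cycle: if the same two registry shapes fill up with fresh random CLSIDs and fresh DLL names, something that survives the cleaning (a driver such as the cdralw.sys entry in this log, or an infected executable restored from System Volume Information) is re-dropping them, and that is the component to remove before the BHO list will stay empty.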

#15 DaChew (BC Advisor, 10,317 posts)
    Visiting Alien

Posted 29 June 2008 - 05:44 PM

There are several commands that can be used to get SDFix to work; have you tried them?

cdralw.sys (Trojan.Alman) is quite nasty.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

The HJT forum would really be better, they use more powerful tools and can give you exact directions for using them, many people find it easier and safer to just reload their computers

http://technet.microsoft.com/en-us/library/cc512587.aspx



