Infected with Perfect Keylogger and Keylogger Pro


34 replies to this topic

#1 Flaxtelios

  • Members
  • 60 posts
  • Location: British Columbia, Canada

Posted 17 December 2008 - 09:49 AM

I'm unsure if this is the right area to post, please forgive a newbie.

Let me start off by a small introduction before I start asking for help,
My name is Kyle. Okay now that's done and over with.

For starters, this problem started to occur a little while back,
I assume around 3-4 months ago. I started to discover whenever
I right clicked on properties on the desktop, it would lag a while
and would not open. When I opened Control panel, add/remove programs
didn't work and afterward all icons in the control panel didn't work, they just
had the cursor with the hourglass thing (sorry for my lack of appropriate terms)
and then the Perfect keylogger would show up. (It was in the form that it had already
been installed.)

I googled my problem many times,
at first my Rundll32.exe seemed to have an effect with perfect keylogger
and I often just closed it under processes in my task manager but when
I realised that I couldn't do many things because of it I decided to remove it.
(stupid me for not removing it earlier)

Oh and for system restore points, all points don't seem to effect so yeah.
I also have problems with windows installer so I couldn't use some of the
solutions I had found online.

So, I tried several things to remove it including
Malwarebytes' Anti-Malware and S&D Spybot; which seemed to have the most effect.

On S&D spybot, the perfect keylogger and keylogger pro are removed every time.
I should mention that after the first scan/removal using S&D, perfect keylogger whenever
it opened it would be in evaluation form, telling me to purchase it, and every time I removed it
with S&D, it would go back to 3 day evaluation.

Forgot to mention that I do not know where my windows disk is located
so I can't seem to reformat my harddrive either.

Nothing else is comprised besides the above listed problems (or so I think.)

This problem is really irritating me and I would hope for some help to be given as
soon as possible, Thanks looking for a reply soon.

-Kyle

Edited by Flaxtelios, 17 December 2008 - 09:50 AM.

Hey I'm Kyle, It's an honour to be in your presence.... hey wait that's your line. :o
Sometimes the Hardest thing and the Right thing are the same.


#2 Guest_superbird_*

  • Guests

Posted 17 December 2008 - 10:38 AM

Hi Kyle,

Welcome here. :thumbsup:

1. Please do a new full scan with MalwareBytes' Anti-Malware, and post that logfile in your next reply.

2. Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#3 Flaxtelios

Posted 17 December 2008 - 08:41 PM

Thanks, I'll be doing that right now.
I'll edit the log into this post when I'm finished.

Oh and for 1 and 2, I assume you want me to do both steps?

Edited by Flaxtelios, 17 December 2008 - 08:46 PM.


#4 Guest_superbird_*

Posted 18 December 2008 - 04:04 AM

Yes please perform both steps. :thumbsup:

#5 Flaxtelios

Posted 18 December 2008 - 11:04 AM

Okay thanks, I was scanning overnight yesterday but the computer must have restarted or something
and since I have many files, you'll have to wait a little longer before I can get the logfiles, Sorry for the
inconvenience.

#6 Guest_superbird_*

Posted 18 December 2008 - 12:11 PM

That's all right. :thumbsup:

#7 Flaxtelios

Posted 19 December 2008 - 12:40 AM

MalwareBytes' Anti-Malware's LOGFILE (I'll do Kaspersky Online Scanner soon... ) 12/18/2008 Right now

I did remove selected... oh and as for the other scanner, Kaspersky, when I scanned like half-way using
that yesterday before the restart of my computer I saw that there was a couple infected files/viruses already
so I'll try to do the Kaspersky scan as soon as possible.

Malwarebytes' Anti-Malware 1.31
Database version: 1517
Windows 5.1.2600 Service Pack 2

12/18/2008 9:40:00 PM
mbam-log-2008-12-18 (21-39-42).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|I:\|J:\|)
Objects scanned: 409381
Time elapsed: 5 hour(s), 34 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Flaxtelios, 19 December 2008 - 12:40 AM.


#8 Guest_superbird_*

Posted 19 December 2008 - 04:59 AM

I'll wait for your Kaspersky-logfile. :thumbsup:

#9 Flaxtelios

Posted 20 December 2008 - 11:59 AM

Finally the Kaspersky-Logfile is done... looks like I've been infected with lots of things o.o''
Most of these files look like games that my brother would play... I should get angry at him,
but hopefully with your assistance I won't need to get angry haha :thumbsup:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 19, 2008 08:48:08
Records in database: 1484170
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\
J:\

Scan statistics:
Files scanned: 386398
Threat name: 21
Infected objects: 62
Suspicious objects: 0
Duration of the scan: 09:09:58


File name / Threat name / Threats count
C:\Documents and Settings\Alan Lo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-762d32e9.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Alan Lo\Desktop\axampplite\A Blazing Battles\singing\new mic\autowoodcutter\AutoWoodCutter.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 4
C:\Documents and Settings\Alan Lo\Desktop\axampplite\A Blazing Battles\singing\new mic\autowoodcutter\AutoWoodCutter.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bx 4
C:\Documents and Settings\Alan Lo\Desktop\axampplite\A Blazing Battles\singing\new mic\autowoodcutter\AutoWoodCutter.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad 4
C:\Documents and Settings\Alan Lo\Desktop\axampplite\Maplestory\ColdFlamez V5.rar Infected: Trojan.Win32.Delf.ceg 8
C:\Documents and Settings\Alan Lo\Desktop\IP Changer tibia\Ultimate 0.6\Ultimate 0.5.exe Infected: Trojan.Win32.Delf.bwf 1
C:\Documents and Settings\Alan Lo\Desktop\IP Changer tibia\Ultimate 0.6\Ultimate 0.6.exe Infected: Trojan.Win32.Delf.bwf 1
C:\Documents and Settings\Alan Lo\Desktop\IP Changer tibia\Ultimate 0.6.rar Infected: Trojan.Win32.Delf.bwf 2
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\extra\The Dark Ghettobladers V2.1\The Dark Ghettobladers V2.0\Divinity 7.6\otrestart.exe Infected: Trojan-PSW.Win32.Agent.kkj 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\c++ codings\wciii\Torpark 2.0.0.2a\App\Tconfig.exe Infected: not-a-virus:RiskTool.Win32.FWDisabler.a 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\c++ codings\wciii\Torpark_2.0.0.2a.exe Infected: not-a-virus:RiskTool.Win32.FWDisabler.a 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\use this\Webpage for Goobers\ipod files\HolyOrch_RL.rar Infected: not-a-virus:RemoteAdmin.Win32.PoisonIvy.20 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\use this\Webpage for Goobers\nub\Forever Avenged War Server\Nowy folder\Otserv.exe Infected: Trojan.Win32.Delf.dwz 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\use this\Webpage for Goobers\nub\Forever Avenged War Server\Nowy_folder.rar Infected: Trojan.Win32.Delf.dwz 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\use this\Webpage for Goobers\nub\Forever Avenged War Server\SVN.rar Infected: Trojan.Win32.Delf.dvw 1
C:\Documents and Settings\Alan Lo\Desktop\Kyle's work\other\use this\Webpage for Goobers\pff\Otserv.exe Infected: Trojan.Win32.Delf.dvw 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Copy (2) of Demonak 7.92\data2\npc\test scripts\Sources\XML Version 1.1\Zorzin OTServer 1.1 - XML.exe Infected: Trojan.Win32.Delf.dqo 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Copy (2) of Demonak 7.92\data2\npc\test scripts\Sources\XML Version 1.1\Zorzin_OTServer_1.1_XML.rar Infected: Trojan.Win32.Delf.dqo 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Copy (2) of Demonak 7.92\demonak-server.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Copy (2) of Demonak 7.92\demonak.exe Infected: Trojan.Win32.Delf.fxt 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Copy of Demonak 7.92\Evolutions-XML.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Demonak 7.92\data\npc\test scripts\Sources\XML Version 1.1\Zorzin OTServer 1.1 - XML.exe Infected: Trojan.Win32.Delf.dqo 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Demonak 7.92\data\npc\test scripts\Sources\XML Version 1.1\Zorzin_OTServer_1.1_XML.rar Infected: Trojan.Win32.Delf.dqo 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Demonak 7.92\demonak-server.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\demonak 8.0 underground\Demonak 7.92\demonak wars\Evolutions-XML.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\demonak 8.0 underground\Demonak 7.92\demonak-server.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\demonak 8.0 underground\project-xml\data\npc\scripts\lib\DevLand_0.89_XML\Project-XML\DevLand-XML.exe Infected: Trojan.Win32.Delf.drl 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\demonak 8.0 underground\project-xml\data\npc\scripts\lib\DevLand_0.89_XML.rar Infected: Trojan.Win32.Delf.drl 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\demonak 8.0 underground\project-xml\demonak-server.exe Infected: Trojan.Win32.Delf.drl 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Demonak SQL\data\npc\test scripts\Sources\XML Version 1.1\Zorzin OTServer 1.1 - XML.exe Infected: Trojan.Win32.Delf.dqo 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Demonak SQL\data\npc\test scripts\Sources\XML Version 1.1\Zorzin_OTServer_1.1_XML.rar Infected: Trojan.Win32.Delf.dqo 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\not frequently\demonak wars\World War 8.0\World-War.exe Infected: Trojan.Win32.Delf.epy 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\not frequently\demonak wars\World-War.exe Infected: Trojan.Win32.Delf.epy 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\not frequently\Endless War 3\20051104-server\data\dea\Evolutions 0.7.8 XML\Evolutions-XML.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\not frequently\Endless War 3\20051104-server\data\dea\Evolutions 0.7.8 XML.rar Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\Alan Lo\Desktop\letter stuff\Silent Harvest RPG\TheForgottenServer.exe Infected: Trojan.Win32.Delf.fxt 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55D25F90.htm Infected: Exploit.HTML.Mht 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\57BB7ADB.htm Infected: Exploit.HTML.Mht 1
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\WINDOWS\Downloaded Program Files\ClientAX.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\WINDOWS\services.exe.vzr Infected: Trojan.Win32.Delf.ahj 1
C:\WINDOWSP\map.exe Infected: Trojan.Win32.Delf.ahj 1
C:\WINDOWSP\system32\rundll32.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad 1
C:\WINDOWSP\system32\rundll32.exe.tmp Infected: not-a-virus:Monitor.Win32.Perflogger.ad 1
I:\I386\Apps\APP24741\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1

The selected area was scanned.

Edited by Flaxtelios, 20 December 2008 - 12:01 PM.
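
One way to triage a Kaspersky Online Scanner report like the one above, as an added example that is not part of the original thread: it parses the "path Infected: verdict count" lines, counts detections per family, and separates hits under Windows directories from user files, archives and already-quarantined copies. The sample lines are constructed in the report's layout, and the function names and location categories are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the report's "path Infected: verdict count" layout.
# Paths are made up, except the C:\WINDOWSP line, which is quoted from the report.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\demo\Desktop\game\server.exe Infected: Trojan.Win32.Delf.bod 1
C:\Documents and Settings\demo\Desktop\game\server.rar Infected: Trojan.Win32.Delf.bod 1
C:\Program Files\ExampleAV\Quarantine\0001.htm Infected: Exploit.HTML.Mht 1
C:\WINDOWSP\system32\rundll32.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad 1

The selected area was scanned.
"""

# The path may contain spaces, so split on the fixed " Infected: " marker.
LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)$")

def parse_report(text):
    """Return (path, verdict, count) for each detection line; ignore headers and blanks."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m["path"], m["verdict"], int(m["count"])))
    return rows

def location(path):
    """Bucket a path by where it sits on disk (categories are assumptions)."""
    parts = path.lower().split("\\")
    if "quarantine" in parts:
        return "quarantined"   # already isolated by another product
    if len(parts) > 1 and parts[1].startswith("windows"):
        return "system"        # prefix match also covers the C:\WINDOWSP tree
    if parts[-1].endswith((".rar", ".zip")):
        return "archive"       # packed copy; the verdict applies to what is inside
    return "user"

def triage(text):
    """Count detections per family and group (path, verdict) pairs by location."""
    families = Counter()
    by_location = {"system": [], "user": [], "archive": [], "quarantined": []}
    for path, verdict, _count in parse_report(text):
        name = verdict.split(":")[-1]                 # drop the "not-a-virus:" prefix
        families[".".join(name.split(".")[:3])] += 1  # drop the variant suffix
        by_location[location(path)].append((path, verdict))
    return families, by_location

if __name__ == "__main__":
    families, by_location = triage(SAMPLE_REPORT)
    print(families.most_common())
    for path, verdict in by_location["system"]:
        print("check first:", path, verdict)
```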


#10 Guest_superbird_*

Posted 20 December 2008 - 12:01 PM

Download this file to your Desktop: http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
Start the setup_.exe-file and click "Next".
The tool will be unzipped now to its own folder on the Desktop, confirm this by pressing "Next" again.
Now, click "Scan" to start the quick scan.
When it's finished, the found malware will be shown to you, press "Delete".
Now click the button "Reports" in the main screen and save the logfile to your Desktop.
Post this logfile in your next reply (only the deleting-part!)
After that you'll get this message: "Do you want to uninstall?", choose "Yes".
The tool will be deleted then.

#11 Flaxtelios

Posted 20 December 2008 - 12:08 PM

AHH I'm so close to being free of the viruses I can taste it, thanks : )... I'll post the results when it's finished

#12 Guest_superbird_*

Posted 20 December 2008 - 12:08 PM

Ok. :thumbsup:

#13 Flaxtelios

Posted 20 December 2008 - 12:12 PM

I think there's a problem, when I open the batch file "Scan", after a couple of minutes it closes by itself.
Is that normal?

Oh and when I click the start (shortcut) in the folder, at the bottom part it says 3020 files were scanned.

Edited by Flaxtelios, 20 December 2008 - 12:16 PM.


#14 Guest_superbird_*

Posted 20 December 2008 - 12:16 PM

Hi,

Please try it again by following the steps exactly. (If that won't help, we have other ways. :thumbsup:)

#15 Flaxtelios

Posted 20 December 2008 - 12:18 PM

Okay, Uninstalling and going to try to retrace my steps again :thumbsup: