Help Deleting Keylogger

Discussion in 'Windows - Virus and spyware problems' started by Shoker, Oct 1, 2006.

  1. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    Hey my virus scanner found a keylogger on my laptop. For some reason it would identify it, but wouldn't disinfect nor delete it. I found where the keylogger is located and when I try to delete it I get the following pop up error:

    Cannot delete 5wrw23ky: Cannot read from the source file or disk.

    Any help getting rid of this virus would be appreciated. Thanks in advance.
     
  2. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Got a name?
     
  3. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    This is what my antivirus says when I open the folder it's in:

    Infected with:
    Trojan.Keylogger.Ardamax.F
     
  4. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Ewido will rid it.

    Go here to download the trial version of Ewido Anti-spyware.

    Install and update.
    Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from the menu and press Enter).
    Open Ewido and click "Scanner".
    Click "Complete System Scan".
    When it finishes scanning, set all items to "Quarantine".
    Click "Apply All Actions".
    Click "Save Report".
    Click "Save report as" and save it to the desktop.

    Look at the report and make sure it was "Cleaned with backup". If so, click "Infections" from the menu. Select all and click "Remove finally".

    Be sure to change ALL your passwords, user names, and anything to do with banking or personal information.

    Let me know if it was rid by Ewido.
     
    Last edited: Oct 1, 2006
  5. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    Ewido isn't updating for some reason. I went to the folders where the keylogger is and manually scanned the infected files and Ewido picked up nothing. Do you know any other programs I could try?
     
  6. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Download HijackThis.
    Create a folder in C: named Hjt.
    Extract HijackThis to the new folder.
    Run a scan and save a log file.
    Post the log here.

    Then, run Ewido in safe mode anyway.
     
  7. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    This is the log from HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:44:33 AM, on 10/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
    C:\program files\softwin\bitdefender9\bdnagent.exe
    C:\program files\softwin\bitdefender9\bdswitch.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    c:\program files\softwin\bitdefender9\bdmcon.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Owner\Desktop\FireFox Downloads\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
    O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
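A small parser for the HijackThis log format posted above, as an added example that is not part of the thread: it reads O4 Run entries, R1 proxy settings and "(file missing)" lines and flags the ones a responder would look at first. The sample lines are constructed from the thread's log; the HKCU Run entry pointing into Temp is invented, since the real log shows none.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the thread's log. The
# HKCU Run entry pointing into Temp is invented: the real log shows no such entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [5wrw23ky] C:\Documents and Settings\Owner\Local Settings\Temp\5wrw23ky
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
PROXY_RE = re.compile(r"^R1 - .*,ProxyServer = (\S+)$")
# Directories from which a legitimate autostart entry almost never runs.
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\cache\\")


def extract_path(command):
    """Return the executable from an O4 command: the quoted part, or the text up to the extension."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|sys|scr|com))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def audit_hjt_log(text):
    """Return (section, name, detail, reason) tuples for entries worth a second look."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        section, _, rest = line.partition(" - ")
        if "(file missing)" in line:
            # A dangling O18/O23 entry: something registered a file that is now gone.
            findings.append((section, rest.split(" - ")[0], line, "registered file no longer on disk"))
            continue
        m = RUN_RE.match(line)
        if m:
            path = extract_path(m.group(4))
            if any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append((section, m.group(3), path, "autostart from a temp or cache directory"))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append((section, "ProxyServer", m.group(1), "proxy configured; confirm it is expected"))
    return findings
```

Run `audit_hjt_log(SAMPLE_LOG)` over a real log to get the short list of entries to research before touching anything; an entry that is merely flagged still needs confirming against the vendor's file path, as the Nero and QuickTime lines show.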

     
  8. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    The file is located in C:\Documents and Settings\Owner\Local Settings\Temp\ and the other is in mozilla firefox's cache.
     
  9. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Delete everything in this folder: C:\Documents and Settings\Owner\Local Settings\Temp

    Go here and download CCleaner.

    Note: If you do not want Yahoo! Toolbar, uncheck the option when installing.

    Close all windows.
    Open CCleaner.
    Click "Run Cleaner".

    Then, go here and run ActiveScan. When it finishes, save the results and post them.
     
  10. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    Should I delete all the folders inside the Temp folder too?
     
  11. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Yes, before running ActiveScan.
     
  12. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    CCleaner got rid of everything except the infected files. I am currently scanning with ActiveScan. Will see how it goes. Also, thanks for all the help you've been providing me with.
     
  13. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    Hey I saw on Google that the virus makes registry entries with 'run' at the end of the entry. I downloaded a program called eTrust PestPatrol and it said there is a trojan in Hkey_Local_Machine\Software\Microsoft\Windows\Currentversion\Run. Should I delete this, or is it a necessary file for my computer?
     
  14. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Yes, that's true and PestPatrol is probably right. Does it give a name?
     
  15. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    The name is Trojan.Win32.FTP Attack. I'm starting to wonder if BitDefender is being faulty because nothing else is picking up the keylogger.
     
    Last edited: Oct 2, 2006
  16. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Oh...that's not good, not good at all. That's a Backdoor trojan. Backdoors are difficult to clean and I cannot guarantee that we will be able to remove everything, because anything on the computer could have been changed and anything could have been installed. Someone could have had access to all the information on the computer, and could have installed anything they like on it.

    The safety of this computer has been completely compromised, and the only way to be sure it is safe to use it again is to reformat.

    And since there is also a keylogger not showing in your log, the logger is probably using 'rootkit-like stealth'. Again, very hard to remove and not guaranteed.

    If this computer has been used for financial transactions, you need to let your banks know immediately and cancel all online banking access.

    From a clean computer, change all the passwords for all online services this computer has been used for.

    If you do not wish to format, then we can try to clean the computer out, but you will never be able to trust the computer again unless you reformat.

    Let me know your decision, and I'll help you clean or reformat.
     
  17. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    This is the computer my sister uses for her banking and schoolwork and I really need to get rid of this virus. I just need to save her bookmarks and documents. Any help doing this would be appreciated. Or should I just take it into a repair shop and let them do it properly?
     
  18. Dunker

    Dunker Regular member

    Joined:
    May 8, 2006
    Messages:
    1,290
    Likes Received:
    0
    Trophy Points:
    46
    ***Before doing anything else*** Get on another, non-infected machine and change the banking and all other passwords immediately. Niobis is right on all accounts, but I must stress that time is also of the essence. Do not allow the infected computer internet access until it is reformatted. With luck, the stolen passwords and other data have not been picked up yet, but don't wait to find out.

    Since you mentioned Firefox, you can simply export your Bookmarks by going into Bookmarks->Manage Bookmarks->File->Export. It'll make a perfect copy and put it wherever you want. Your sister's documents are presumably, if she's using Windows 2000 or XP, in c:\documents and settings\{her login name}\My Documents.

    I do not know what vector those keyloggers use to infect, but I noticed it appeared in your Firefox cache. While Firefox is vastly more secure than Internet Explorer, it isn't immune to problems, especially if Java and XPInstall are enabled. I recommend disabling Java no matter what browser you use, enabling it only if direly needed and on a site-by-site basis. I also recommend disabling XPInstall. I can tell you how to do that, but the more important issue is securing your and your sister's banking records and getting that machine reformatted.
     
  19. Shoker

    Shoker Regular member

    Joined:
    Aug 2, 2005
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    26
    Kk thanks for the help. I've backed up all the important stuff I need. I've changed all passwords except for my sister's banking. That will have to be done tomorrow.
     
  20. JaguarGod

    JaguarGod Active member

    Joined:
    Jun 24, 2005
    Messages:
    1,468
    Likes Received:
    0
    Trophy Points:
    66
    Rather than taking it to a repair shop, you should format and reinstall windows.

    First, backup anything important. Do it file by file, not folder by folder. There could be something in a folder that should not be there.

    If you have a Windows XP install disc, you can format. If not, get Magic Jelly Bean or whatever the XP key viewer is and get your XP key. Write it down. Then, get a copy of Windows XP.

    When you install Windows, delete all partitions and create new ones. Make sure you format the partition you install Windows in. Since formatting takes time, you can consider using a small partition size like 6GB. This is enough to install XP and have lots of room just in case. Use other partitions for installing games, non-important software, etc...

    That should get rid of the Backdoor.

    There are some viruses that install themselves on boot and those usually stay in your system even if you format. If it is that type, you may have to low level format your HDD. This takes time (do a full low level format, not a quick one). You can get the software from the manufacturer's website of the HDD. Make an HDD boot disc and run it through DOS at boot.

    When you re-install XP, make sure to install an Anti-virus first, before going online. Next, install a firewall and disable the Windows firewall again before going online. Then, install Firefox and get scriptblock and adblock. Also, when you are going to iffy websites, use peerguardian. That will stop tons of malware.

    Just as it was suggested, only allow Java temporarily for sites you trust on a per use basis. That is what I do. Also, I set cookies to "Ask". Then I slowly filter through cookies as I browse. I never use "allow" and only use "allow for session". For sites you use often and trust, use the "remember selection" option. It works like a firewall, but for cookies.
     