[Help] I cant remove a keylogger from my PC :-(

[nikola247]

Good Evening all,

A friend put on 2 pieces of software yesterday, scanspyware and Trendmicro, I have ran a scan on scanspyware, and it keeps coming up with 2 things, that I delete and they come back when I reboot. They are

e-surveiller – Reg Key – HKEY-CLASSES-ROOT.ZIG – HIGH RISK

e-surveiller – Reg Key – HKEY-LOCAL-MACHINE\SOFT – HIGH RISK

I started in safe mode, and they had gone, but soon as I rebooted in normal mode they were back.

I then turned off system restore and ran the following

ScanSpyware - had the 2 e-surveiller ones - I deleted them

TrendMicro - Didnt pick any up

Adaware - didnt pick any up

Spybot - Picked up a couple, but deleted them.

I then turned on system restore, and rebooted pc, just ran ScanSpyware again, and hey ho, they are back

Does anyone know how I can remove them please, as I am worried.

Thanks in advance

Nikki

[N1K]

You could try Spyware Doctor which is not free but has the best detection in my opinion..

I had the situation where I made a full scan with updated Spybot S&D and Adaware Personal Edition and they removed few threats, but the PC was still infected..

Then the customer bought Spyware Doctor which found more than 500 infections and removed them all..

Two monhts passed, and the customer didn't have any problems with his computer or spyware B)

[Sonic]

If keys are recreated, it's because a program is re-executed at startup. Check all program at startup with this tools : AutoRuns from sysinternals.

[nikola247]

Thanks so much N1K and sonic,

I did run autorun, but didnt understand it, my friend who is a pc buff logged in remotely to my pc, and he ran process explorer which is sort of the same thing, and there was something that confused him.

There was something called INTERRUPTS - HARDWARE INTERUPTS and was running so high, but had no properties in it, and couldnt be deleted. Do you or anyone else know what this is, he couldnt find the keylogger either. here is a picture of it.

This is driving me nuts, as I darent use internet banking or anything

Kindest regards

Nikki

Have to go to bed now, but will check back in the morning, not sure if this interrupts thing is connected to the keylogger..

Thanks again

Nikki

[N1K]

Ok, try this...

First go to ur Start --> All Programs --> Startup - check that folder for suspicious apps..(doubt you'll find something here)

Second, navigate to:

Start-->Run--> type regedit+enter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - see if there's something suspicious, if you're not sure, post screenshot here and we'll help you..

Third, navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

- same thing as step before..

[trickstar]

try this tool: http://www.ewido.net/en/

online virus scan (u need to enable active x)

http://www.kaspersky.com/virusscanner

http://www.pandasoftware.com/products/activescan.htm

delete system restore > scan & delete the logger > then enable sys restore...

[WolfX2]

if its a process that wont stop running try downloading and installing ms antispyware, its a avalible at microsoft.com. Once installed go to the system exponents section and there should be a section called startup, or something like that go there and it gives you the option to stop or terminate a runnng process form starting, find your starting process and click (stop this process from running) or something like that .

[LLXX]

There might be a rootkit present as well, which is hiding some registry keys and startup entries.

Get the Rootkit Revealer (also from Sysinternals) to check.

[nikola247]

Morning all,

Thank you very much for the advice, I have to take my Nan for a Hospitla appointment this morning, but as soon as I get home, I will try your advice, and if I get stuck I will holla back.

Once again, thanks

Kindest Regards

Nikki

[nikola247]

N1K – Hi, and thanks for taking the time to look at this for me. I have ran spyware doctor, and the weird thing was it came up with 2 minor things, but not the 2 e-surveiller keyloggers, if they had been on there I would have purchased it just to remove them, but as they didn’t appear I didn’t bother.

I went to Start All Programs > Startup but wouldn’t really know id anything was odd, so my friend checked it, and he couldn’t find anything strange either.

I have also gone into regedit, and wouldn’t know if anything was dodgy, and my friend is now away until tomorrow so I have copied all the folders here for you too look at if you don’t mind.

Here is what is in HKEY\LOCAL\MACHINE

Here is what is in the HKEY\CURRENT USER

LLXX I have ran the rootkit thinggy, and this was the only 2 things in it, and I dont understand what it means, but you may know if something looks dodgy. I did have firefox open and pspx..hope that didnt effect the scan, also, should I have turned off system restore? cos I didnt..hehe

Trickstar - I am going to run pandascan and ewido now, so fingers crossed one of em deletes this nasty thing.

Wolf - I will run microsoft one after these, but unsure about terminating process's, I dont really know what I am doing and will probably terminate something important, an then I be in trouble

Im working my way down the list though slowly.

WOW..What a big post...sorrrrryyy

Thank you all again

Nikki

[N1K]

I don't see anything suspicious here, I would go now with Microsoft Anti-Spyware to see if it'll be more lucky..

[nikola247]

N1K - Phewww.. Glad you didnt see anything nasty, I just cant understand why task manager CPU is fluctuating (sp?) between 43% & 100% when Ive only got this site, zone alarm,peer guardian and avg running..I will now try microsoft antispyware, ewido and pandascan, please god, let one of them work. I am going to turn off system restore first, I was told to turn it off when you scan for spyware.

Thanks again

Nikki

[LLXX]

The Rootkit Revealer results seem a bit suspicious... are you running it with other programs open at the same time? Close all open windows and then run it. Otherwise it'll give false results.

[nikola247]

Hi LLXX, I did have a couple of things open, but I will rerun it now, and will close everything except avg and zone alarm an repost the info if that is ok.

Thanks alot

Nikki

[trickytwista]

would definately try ewido as i find it to be very kean and finds majority of shady stuff on pc... let us know how you get on, dont forget to update definations before running it..