cancel
Showing results for 
Search instead for 
Did you mean: 

Need help removing a keylogger!!!!!

I have a pop-up that says its from windows firewall saying it is blocking a "trojan-keylogger.Win32.Fung. It does not give a choice to block it. i dont trust this so i just close the box, but it reappears every 5 minutes or so. any help would be appreciated. i have a sony vaio running windows xp.
14 Replies
melboy
Level 7
Report Inappropriate Content
Message 2 of 15

RE: Need help removing a keylogger!!!!!

You dont have a keylogger. What you have is a trojan trying to scare you into buying a rogue program with a fake alert.

Download Malwarebytes ' Anti-Malware from Here or Here Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart (reboot) the computer, please do so immediately

RE: Need help removing a keylogger!!!!!

thanks for your help, the pop-up stopped showing up. here is a copy of the log!
Malwarebytes' Anti-Malware 1.30
Database version: 1358
Windows 5.1.2600 Service Pack 3

11/2/2008 8:52:56 PM
mbam-log-2008-11-02 (20-52-56).txt

Scan type: Quick Scan
Objects scanned: 78388
Time elapsed: 1 hour(s), 23 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0CE33E7B-B3DB-274A-6FBC-0246C2FE2E57} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\procsmartadm (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wixpo (Rogue.PersonalDefender2009) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Helper (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\loanntf\ProcSmartAdm.dll (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shanon Kreicar\Application Data\Google\mupd1_2_1931888.exe (Rogue.PersonalDefender2009) -> Delete on reboot.
Highlighted
melboy
Level 7
Report Inappropriate Content
Message 4 of 15

RE: Need help removing a keylogger!!!!!

reboot? How are things running now?

It looks like you have had/have traces of a rootkit infection at some point. it would probably be wise if i suggest you post a Hijackthis (HjT) log at any one of the forums on Ex_Brits post here

HijackThis generates a log that a trained malware removal expert can analyze to see what may be wrong with your system.

Further HjT forums can be found here.

Rootkit: "A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users."

RE: Need help removing a keylogger!!!!!

yes i rebooted and the pop-up is gone. Everything seems to be working properly. i will try and post an HJT. thank you!
Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 6 of 15

RE: Need help removing a keylogger!!!!!

Can this be moved to the solved area then? Melboy, did you get my email?
melboy
Level 7
Report Inappropriate Content
Message 7 of 15

RE: Need help removing a keylogger!!!!!



I did and replied to the address from which it was sent. 🙂

Did you not receive it?
Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 8 of 15

RE: Need help removing a keylogger!!!!!

Found it, it was caught by Spamcop as you used a different email address than the one I had whitelisted. OK no need to repeat.

Thanks and good luck.
Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 9 of 15

RE: Need help removing a keylogger!!!!!

So is this case solved...?

Sent HJT

I have posted my HJT report on the forum that was posted above! sorry it took a while.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community