Corporate Keylogger

WolfgangDS · May 13, 2013

So I bought a computer from a friend of mine, who then proceeded to tell me that he put a keylogger on it, in full confidence that I couldn't find it.

He's right. I have no clue where to start.

To make matters worse, it's one of those corporate keyloggers that tell antivirus programs that they're supposed to be there and get overlooked as a result (so he says).

How would I go about finding and removing this thing?

Running Windows 7 Ultimate 32-bit.

chaslang · May 13, 2013

Welcome to Major Geeks!

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

In addition, please run the below too.

Please do the below so that we can boot to System Recovery Options to run a scan.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:

Restart the computer.

As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.

Use the arrow keys to select the Repair your computer menu item.

Select US as the keyboard language settings, and then click Next.

Select the operating system you want to repair, and then click Next.

Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Click to expand...

Select Command Prompt

In the command window type in notepad and press Enter.

The notepad opens. Under File menu select Open.

Select "Computer" and find your flash drive letter and close the notepad.

In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.

The tool will start to run.

When the tool opens click Yes to disclaimer.

Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

WolfgangDS · May 13, 2013

Okay, did the scan in System Recovery like you told me.

FRST.exe is attached to this post.

chaslang · May 14, 2013

FRST was part two of what I requested. You need to run the READ & RUN ME FIRST and attach those logs. FRST did not reveal anything related to keylogger. It did show that you have too many antvirus programs running. I see Authentium\AntiVirus5, Microsoft Security Essentials, and some left overs from AVG.

WolfgangDS · May 15, 2013

Not really sure what to do about Authentium or AVG. There are no uninstallers and they don't show up in Revo or any other uninstaller program.

Authentium is located in C:\Program Files\Common. Should I just delete the folder and kill the registry items? And what about AVG?

chaslang · May 15, 2013

I repeat, "You need to run the READ & RUN ME FIRST and attach those logs."

Then we can help you. No you should not just delete files and folders. There are services and drivers related to Authentium that need to be stopped, disabled, and removed.

WolfgangDS · May 16, 2013

I can't follow all of the instructions because I can't get rid of Authentium or AVG. Neither of these are showing up in Revo or Windows' own Add/Remove Programs feature, and I can't find any uninstaller files. I can do everything else, but I can't get rid of the extra antivirus stuff.

chaslang · May 18, 2013

Just run the READ & RUN ME and we will help you get rid of it after we get the logs we need.

Log in or Sign up

Corporate Keylogger

WolfgangDS Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

WolfgangDS Private E-2

Attached Files:

FRST.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

WolfgangDS Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

WolfgangDS Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member