Help removing keylogger

Welcome to Major Geeks!

Your HijackThis log appears to be from safe boot mode. We need logs from normal boot mode. After completing the below instructions, make sure that the new requested log is from normal boot mode.

What was the problem with BitDefender running? Any error messages? Were you using Internt Explorer?

I see you also installed CounterSpy. Did it find anything? Did you Quarantine what was found? Do you have a log?

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Continue by downloading a tool we will need

- Process Explorer

Extract it to its own folder somewhere that you will be able to locate it later.

Make sure you have rebooted in Normal Mode (do not open any other processes)

Make sure that one and only one Internet Explorer browser is opened up

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
dhcpeng.dll
After you have killed all instances of any of the above DLLs under winlogon click ok.
(If you do not find these DLLS, just continue on.)

Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
dhcpeng.dll

After you have killed all instances of any of the above DLLs under Explorer click ok.
(If you do not find these DLLS, just continue on.)

Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
dhcpeng.dll

After you have killed all instances of any of the above DLLs under iexplore click ok.
(If you do not find these DLLS, just continue on.)

Now just exit Process Explorer.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MS-DOS Security Service] ms-dos.pif
O20 - Winlogon Notify: dhcpeng - C:\WINDOWS\SYSTEM32\dhcpeng.dll

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Because some processes that should have been running were not.

Actually you do not even have Sun Java installed according to your logs. You need to install it from the link given in step 6 of the READ ME.

Uninstall it now. It is of no use to you once the trial period expires unless you buy it. Then delete the below folder which could remain:

C:\Documents and Settings\Simon\Application Data\Sunbelt Software
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Make it appear on the screen and don't exit it. And then do the below.

Did you do the step to remove Windows Messenger? I still see it in your HJT log.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run this Using Sophos Anti-Rootkit and attach the log.

Now run this Running GMER to detect rootkits and attach the log.

Now attach a new log from GetRunKey and also HijackThis!

 

In the process list of your HJT log, the below file showed this time.

C:\WINDOWS\system32\dhcpset.exe

Did you install and run this? It could be this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8017

If you did not download and install this, then it could be malware.

Also in your GMER logs I see a file that is unknown:
C:\WINDOWS\system32\biohost.dll

Can you see this file? If so, put it into a ZIP file and attach it here.

Also do you see the below files? If so delete them. Let me know what you find.
C:\WINDOWS\system32\Drivers\ao4nyhd7.SYS
C:\WINDOWS\system32\9.tmp


CounterSpy did not get completely removed. Use HijackThis to fix the below line:
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

 

I cannot get these joined together because I don't know what the disk labels or archive names should be. You can email me the single ZIP file (unsplit). Send it to chaslang at majorgeeks.com (obviously replace the at with @ and don't put in any spaces). Post a message here after you have mailed it.

See if you can delete the C:\WINDOWS\system32\dhcpset.exe
Boot into safe mode if necessary to delete it.
Let me know the results

 

What is the key combo you are referring to? Also can you post a snapshot of the window that comes up? Try to capture only the window area not the whole screen because in a screen snapshot, things will not normally be legible.

I got the ZIP DLL and I'm looking at it. One thing I noticed in the file is a reference to this: http://www.eldos.com/solfs/index.php
Does that look familiar to you? I also see references to ICQ. I still not sure what this file is for and it has no embedded properties information that describes who it belongs to. That in itself is not necessarily bad but it does raise questions. Is it possible that the DLL file is related to BioShock that you have installed. The name seems to be related.

 

Are you sure that no one else in the family has installed a keylogger on purpose????

Most uninstalls are far from complete. They leave many many files laying around and also leave dozens if not hundreds of things in the registry. Try this, rename the biohost.dll file to biohost.BAD Then reboot your PC and see if any error messages occur. Now reinstall you BioShock game and see if the biohost.dll file has come back. This result will then let you know if the DLL belongs to BioShock and I would bet it does.



Now let's see if we can dig into the possible keylogger (but if some one installed it, it would be much easier to speak to them about uninstalling it).

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Attach the Kaspersky log to your next reply.

 

There are not problems indicated in the Kaspersky log.

Okay then I suggest youjust leave he file renamed for a few days more just to make sure it is not for something you need. Then you can delete it. There is still a chance that it is part of your game and that you just have not taken the action within your game that causes this file to appear. However, since the popup window is gone things do look better. But I would then also ask, is it possible that the key sequence is something for the BioShock game?