Can't find or remove Perfection Keylogger


Beyonder

I hope someone can help with this.

I seem to have this "perfection keylogger" installed on my system
somehow, but none of the utilities I've run can seem to find it or
remove it. It seems to have been installed by adware or a trojan or worm
through IE.

I found it through some notice because Norton Antivirus 2005 Pro
popped up with a message saying that "perfection keylogger" could not
send an email because the email was too large. That was the only way I
knew it even existed.

But Norton 2005 Pro even with the latest updates, Intelligent Updater,
Spybot, Spyware Doctor, Ad-Aware SE Pro, and Microsoft Anti-Spyware,
none of these utilities will even FIND this thing, let alone remove
it.

Does anyone have a way of finding this stupid thing and removing it?
Please send email ASAP.

I already have to change every password I use because of this. Even
though the email was blocked, who knows what was leaked. And even
though I know the email it was sending to was invalid, it's still
better safe than sorry.

Funny thing is, internet firewall, Zone Alarm and Norton Internet
Security won't stop this thing. The only way I finally prevented it totally
is to put an access rule on my router. So now it's totally impossible
for any logger or other software to send email at all.

Of course I can send email, but the access control is done in a way
that a logger never could.

Any help would be appreciated! ASAP! Thanks!
 

Beyonder

There's nothing in ZA's logs or program list at all.
There's nothing in msconfig about it at all either.
There is no service related to it showing in the services/tasks list.

I'll have to check those forums and sites, and the autoruns thing.

B.
 

Beyonder

Well, nice try but no go.
Autoruns shows nothing suspicious, nothing even questionable.
As I mentioned previously there was nothing listed in processes or
services (including msconfig), so this tool also does not show the
malware.

Next suggestion?
 

David W. Hodgins

next suggestion?

Spybot Search & Destroy - install, update, reboot into safe mode, then scan.

If that doesn't find anything, print a list of everything that is running (as per
Process Explorer, not Task Manager), boot from DOS (assuming FAT32 file system),
and compare those files to known good copies. I'm thinking the boot logger has
renamed a valid process, used its name for itself, and as well as running under
the spoofed process's name, also calls the original process when needed.

Regards, Dave Hodgins
 

Beyonder

That certainly looks like it.
It's bad that someone can attach such things to spyware or other.

I can almost pinpoint exactly when my system got it too. I happened to
have to use IE for something (because websites would only support IE
with ASP and nothing else) and I think that's when it got it. It was
pretty much immediately after that the problems started.

There's no other way to get it. Unless someone's going to break into the
house, break into the computer work room, leave no evidence and just
install the software and nothing else. But that's a bit crazy. And
they'd have to bypass the things like screensaver passwords, or login
passwords, etc. It's a bit much!

B.
 

Roger Wilco

Beyonder said:
That certainly looks like it.
It's bad that someone can attach such things to spyware or other.

It looks like a legitimate spyware (not adware or malware), but I wonder
about the legitimacy of having the remote installation trojanizer
feature. Why would a legitimate user of this tool need this? If you're
not the administrator of the machine, you have no business installing it
anyway.

Do AVs (such as kaspersky) have def & removal for this under the
"potentially unwanted programs" subset?

[snip]
 

treehugger

Beyonder said:
There's nothing in ZA's logs or program list at all.
There's nothing in msconfig about it at all either.
There is no service related to it showing in the services/tasks list.

I'll have to check those forums and sites, and the autoruns thing.

B.

Download Security Task Manager (free trial) from http://www.neuber.com/taskmanager/
I successfully removed a keylogger from mine with this software.
 

Catamount

Roger said:
That certainly looks like it.
It's bad that someone can attach such things to spyware or other.


It looks like a legitimate spyware (not adware or malware), but I wonder
about the legitimacy of having the remote installation trojanizer
feature. Why would a legitimate user of this tool need this? If you're
not the administrator of the machine, you have no business installing it
anyway.

Do AVs (such as kaspersky) have def & removal for this under the
"potentially unwanted programs" subset?

[snip]
documentation
Symantec Corp edition detects it as a Keylogger virus and deletes it
unless I approve it.
 

Roger Wilco

Catamount said:
Roger Wilco wrote:
Symantec Corp edition detects it as a Keylogger virus and deletes it
unless I approve it.

That is good to know, thanks. I will assume others will follow suit.
This remote install feature makes it malware in my eyes.
 

Beyonder

Important Note:

Norton Anti-virus Pro 2005 will *NOT* detect or clean this keylogger,
even if you use update, Intelligent Updater, whatever.

methinks Symantec is being a bit hypocritical....

PS - look for a file called "BPK.EXE" in \windows\system32 <- that's
the keylogger (as long as the infector hasn't renamed it).

B.
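Dave Hodgins' suggestion earlier in the thread (print what is running, boot from other media, then compare those files against known good copies) and the BPK.EXE filename given in this post can be combined into one small audit. The script below is an added example, not code posted by anyone in this thread; every file image, digest and process name in `demo()` is constructed sample data, and `KNOWN_BAD_NAMES` holds only the filename the thread itself names.

```python
import hashlib
from typing import Dict, List, Tuple

# Filename the thread identifies as the keylogger's own binary
# (\windows\system32\BPK.EXE). Matching is case-insensitive because
# Windows filenames are.
KNOWN_BAD_NAMES = {"bpk.exe"}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_path(path: str) -> str:
    """Hash a real file in chunks; use this instead of sha256() when the
    suspect disk is mounted (e.g. after booting from another medium)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_files: Dict[str, bytes]) -> Dict[str, str]:
    """Digest every file of a known-good copy, keyed by lowercase filename."""
    return {name.lower(): sha256(data) for name, data in clean_files.items()}


def audit(running: List[str],
          suspect_files: Dict[str, bytes],
          baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare each running image against the known-good baseline.

    running:       image names as printed by Process Explorer on the live box
    suspect_files: filename -> bytes as read from the possibly infected disk
    baseline:      filename -> SHA-256 from build_baseline() on a clean copy
    Returns (name, reason) for every image that deserves a closer look.
    """
    findings: List[Tuple[str, str]] = []
    disk = {name.lower(): data for name, data in suspect_files.items()}
    # Reverse index so a known-good binary hiding under a new name is spotted.
    by_hash = {digest: name for name, digest in baseline.items()}
    for name in running:
        key = name.lower()
        if key in KNOWN_BAD_NAMES:
            findings.append((name, "filename matches known keylogger binary"))
        elif key not in disk:
            findings.append((name, "running but not found on disk"))
        elif key not in baseline:
            original = by_hash.get(sha256(disk[key]))
            if original:
                # The original process, renamed so the logger can still call it.
                findings.append((name, f"is a renamed copy of {original}"))
            else:
                findings.append((name, "no known-good copy to compare against"))
        elif sha256(disk[key]) != baseline[key]:
            # A legitimate name with the wrong contents: the spoofed-name trick.
            findings.append((name, "contents differ from known-good copy"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed sample: a clean install, an infected disk, and a process list."""
    clean = {
        "explorer.exe": b"EXPLORER-GOOD-IMAGE",
        "svchost.exe": b"SVCHOST-GOOD-IMAGE",
    }
    infected = {
        "explorer.exe": b"EXPLORER-GOOD-IMAGE",              # untouched
        "svchost.exe": b"LOGGER-PRETENDING-TO-BE-SVCHOST",   # swapped binary
        "BPK.EXE": b"LOGGER-OWN-BINARY",                     # the logger itself
        "svchost_real.exe": b"SVCHOST-GOOD-IMAGE",           # original, renamed
    }
    running = ["explorer.exe", "svchost.exe", "BPK.EXE", "svchost_real.exe"]
    return audit(running, infected, build_baseline(clean))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real machine the two dictionaries are replaced by `sha256_of_path()` over the mounted suspect disk and over a clean installation or install media; the comparison logic stays the same. Anything that passes silently (here `explorer.exe`) is byte-identical to the known-good copy, which is the only evidence Dave's approach accepts.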
 

Roger Wilco

Beyonder said:
Important Note:

Norton Anti-virus Pro 2005 will *NOT* detect or clean this keylogger,
even if you use update, Intelligent Updater, whatever.

Are you saying it can't be configured to alert on "gray area" threats
(potentially unwanted programs), or are you suggesting that this program
shouldn't be 'gray' in the first place (since it does have the remote
install capability)? I can see why they shouldn't detect some commercial
spyware by default as straight out malware, they are legit tools after
all, but their claim to legitimacy falls short when they provide the
means to integrate the installation program with another unrelated
program (trojaned). Let the blackhats use their own trojanizer and they
would at least have a better claim to legitimacy.
methinks Symantec is being a bit hypocritical....

IMO, not all keyloggers are 'malware' and AVs that routinely detect
these tools can cause problems for the admin using them. AVs, if
detecting these, should provide a way for the admin to exclude them from
the alert display or have them in an optional definitions set for
programs that may or may not be undesired by the administrator.
 

Beyonder

Malware is malware. Period.
There is no excuse for "remote installation".
And that's not even how this was infected on the system.
It rode in on an IE ASP.NET webpage without the user's knowledge or
consent.

And no, Norton AV Pro 2005 cannot detect or alert on this item,
or "gray area" threats. I've got it set to maximum, even maximum on
Bloodhound, and still it won't alert on it.
Can't find it, let alone clean it.

You need to put a keylogger on your users? Seems rather legally
questionable to me, regardless of corporate policies. So unless you
have an iron-clad corporate policy covering this, with a decent reason
for it, and it's only used for specifics, yer asking for a heap of
trouble, if that's even legal without some sort of "wiretap" court
order. But then laws differ from place to place.

Then again, if yer a company that blatantly says you'll keylog people
without notice or warning, you'd be pretty stupid to work for such a
place. Regardless. It's not just privacy, it's respect.

Why not go ahead and microchip your employees with GPS units, so you
know where they are and what they are doing 24/7?

Where does it end?

If it comes down to needing to do this for legal reasons, then I'm
sure the admin can go in and disable such detection. Heck, the help
page on the website for the commercial product even discusses how to
do this, how to make it avoid all AVs, spyware checkers and firewalls.
There are many ways.

Hell, you don't even NEED a keylogger really, just throw a packet
sniffer on their connection and watch everything they do.

Or even better, put a freaking webcam in their cubicle and watch them!
Be creative, there are far easier ways to watch people.

B.
 

Roger Wilco

Beyonder said:
Malware is malware. Period.

Absolutely, what I said was not all spyware (specifically keyloggers)
are malware.
There is no excuse for "remote installation".
Agreed.

And that's not even how this was infected on the system.
It rode in on an IE ASP.NET webpage without the user's knowledge or
consent.

The user doesn't matter - it is the administrator that matters.
And no, Norton AV Pro 2005 cannot detect or alert on this item,
or "gray area" threats. I've got it set to maximum, even maximum on
Bloodhound, and still it won't alert on it.
Can't find it, let alone clean it.

If AVs want to play in the general malware detection arena, they must
start detecting things like this. Even if the tool didn't include a
trojanizer, the blackhats could still do it with a third party or
homegrown program.
You need to put a keylogger on your users?

The need could arise. In a perfect world maybe not, but in the real
world trust is not always the best policy.
Seems rather legally
questionable to me, regardless of corporate policies. So unless you
have an iron-clad corporate policy covering this, with a decent reason
for it, and it's only used for specifics, yer asking for a heap of
trouble, if that's even legal without some sort of "wiretap" court
order. But then laws differ from place to place.

Then you agree there are legitimate uses for keyloggers?
Then again, if yer a company that blatantly says you'll keylog people
without notice or warning, you'd be pretty stupid to work for such a
place. Regardless. It's not just privacy, it's respect.

Cashiers still work at places where their every move is monitored by
CCTV - ohh where's the respect and trust there?

Not all companies make 'cuddly-toys' - and even those have corporate
spies.
Why not go ahead and microchip your employees with GPS units, so you
know where they are and what they are doing 24/7?

Funny, I didn't see a.u.k. in the newsgroup header. :)
Where does it end?
If it comes down to needing to do this for legal reasons, then I'm
sure the admin can go in and disable such detection,

I should hope so, and without crippling the rest of the AV in the
process.
Heck, the help
page on the website for the commercial product even discusses how to
do this,

I must have missed that part, but it sounds like legit software to me
except for the remote install.
 