Behavior
Spyware.InlookExpress logs keystrokes and captures screenshots.
Symptoms
Your Symantec program detects Spyware.InlookExpress.
Transmission
Spyware.InlookExpress must be manually installed.
Technical Details
File names:
inlookexpresssetup.exe
svchost.exe
final.exe
IEControl2.exe
When Spyware.InlookExpress is installed, it performs the following actions:
1. Creates the following files:
* %Windir%\inlook.exe
* %Windir%\is-QV2PM.exe
* %Windir%\is-QV2PM.lst
* %Windir%\sds20.oca
* C:\sds20\final.exe (viral)
* C:\sds20\IEControl2.exe (viral)
* C:\sds20\ijl11.dll
* C:\sds20\remie20.exe
* C:\sds20\settings.dat
* C:\sds20\svchost.exe (viral)
* C:\sds20\svchost32.exe
* C:\sds20\TheHook.dll
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Creates the following registry key:
* HKEY_LOCAL_MACHINE\SOFTWARE\sds
3. Adds the value:
"sds20" = "C:\sds20\svchost.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
4. Logs keystrokes and captures screenshots.
Removal Instructions
See:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.inlookexpress.html

To delete the value from the registry
1. Click Start > Run.
2. Type regedit, and then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"sds20" = "C:\sds20\svchost.exe"
5. Navigate to and delete the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\sds
6. Exit the Registry Editor.
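A scripted equivalent of the indicator list in the technical details and of the manual registry steps above, added here as an illustration and not taken from Symantec or the writeup: it reports the Run value, the HKLM\SOFTWARE\sds key, the dropped files and any process running from one of those paths, and deletes them only when -Remove is passed. The paths are those given in the writeup; %Windir% is resolved from the environment, and the switch name and output wording are this example's own.

```powershell
# Added check/cleanup helper for the Spyware.InlookExpress indicators in the writeup above.
# Not Symantec's removal tool. Run from an elevated PowerShell session; read-only unless -Remove.
param([switch]$Remove)

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'sds20'
$runData = 'C:\sds20\svchost.exe'
$sdsKey  = 'HKLM:\SOFTWARE\sds'

# File indicators from the writeup; %Windir% comes from the environment.
$files = @(
    (Join-Path $env:windir 'inlook.exe'),
    (Join-Path $env:windir 'is-QV2PM.exe'),
    (Join-Path $env:windir 'is-QV2PM.lst'),
    (Join-Path $env:windir 'sds20.oca'),
    'C:\sds20\final.exe', 'C:\sds20\IEControl2.exe', 'C:\sds20\ijl11.dll',
    'C:\sds20\remie20.exe', 'C:\sds20\settings.dat', 'C:\sds20\svchost.exe',
    'C:\sds20\svchost32.exe', 'C:\sds20\TheHook.dll'
)

$findings = @()

# 1. Any process started from one of the dropped files. Matching on the full path
#    keeps the legitimate %Windir%\System32\svchost.exe out of the results.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -and ($files -contains $_.Path) } |
    ForEach-Object {
        $findings += "Process $($_.Path) (PID $($_.Id))"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }

# 2. The Run value that restarts the risk at every Windows start (removal steps 3-4).
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run -and $run.$runName -eq $runData) {
    $findings += "Run value '$runName' = '$($run.$runName)'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 3. The HKLM\SOFTWARE\sds key created at install time (removal step 5).
if (Test-Path $sdsKey) {
    $findings += "Registry key $sdsKey"
    if ($Remove) { Remove-Item -Path $sdsKey -Recurse }
}

# 4. The dropped files themselves.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    }
}

$verb = if ($Remove) { 'Removed' } else { 'Found' }
if ($findings.Count -eq 0) { 'No Spyware.InlookExpress indicators found.' }
else { $findings | ForEach-Object { "${verb}: $_" } }
```

Run it once without -Remove to review what it finds before deleting anything; a hit on the Run value alone, with the files already gone, still means the startup entry should be removed.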