AlphaOne Technology Support Forums
Welcome, Guest. Please login or register.
December 02, 2008, 10:40:07 AM

Login with username, password and session length
Search:     Advanced search
1733 Posts in 827 Topics by 4756 Members
Latest Member: Uobeley
* Home Help Search Login Register
AlphaOne Technology Support Forums  |  IMPORTANT ANNOUNCEMENTS  |  Spyware Alerts  |  Topic: Spyware.PaqKeylog 0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Spyware.PaqKeylog  (Read 752 times)
Brad
SysAdmin
Tech Team
Hero Member
********
Offline Offline

Posts: 391



View Profile
Spyware.PaqKeylog
« on: June 13, 2005, 12:59:18 AM »
Behavior
Spyware.PaqKeylog is a spyware program that logs keystrokes and can run in stealth mode.

Symptoms
Your Symantec program detects Spyware.PaqKeylog.

Transmission
Spyware.PaqKeylog must be manually installed.

technical details
File names:
klog204.exe
KeyLog.exe

When Adware.Starware is installed, it performs the following actions:

   1. Creates the following files:

          * %UserProfile%\Start Menu\Programs\PaqTool\Paq Keylog.lnk
          * %UserProfile%\Start Menu\Programs\PaqTool\Uninstall Paq keylog.lnk
          * %UserProfile%\Desktop\Paq Keylog.lnk
          * %ProgramFiles%\PaqTool\keylog\KeyLog.exe
          * %ProgramFiles%\PaqTool\keylog\launchDll.dll
          * %ProgramFiles%\PaqTool\keylog\logo.avi
          * %ProgramFiles%\PaqTool\keylog\paqlog.cfg
          * %ProgramFiles%\PaqTool\keylog\unins000.dat
          * %ProgramFiles%\PaqTool\keylog\unins000.exe
          * %System%\golyy5dd1.dll

            Notes:
          * %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
          * %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
          * %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Creates the following registry keys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Paq KeyLog_is1
      HKEY_LOCAL_MACHINE\SOFTWARE\golbup

   3. Adds the value:

      "VC_Log" = "%ProgramFiles%\PaqTool\keylog\keylog.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the risk runs every time Windows starts.

   4. Logs keystrokes.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.paqkeylog.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit

      Then click OK.

      Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

   3. Navigate to and delete the subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Paq KeyLog_is1
      HKEY_LOCAL_MACHINE\SOFTWARE\golbup

   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the value:

      "VC_Log" = "%ProgramFiles%\PaqTool\keylog\keylog.exe"

   6. Exit the Registry Editor.
Logged
Mambo Hosting Resources
Pages: [1] Go Up Print 
AlphaOne Technology Support Forums  |  IMPORTANT ANNOUNCEMENTS  |  Spyware Alerts  |  Topic: Spyware.PaqKeylog « previous next »
Jump to:  

Powered by MySQL Powered by PHP AlphaOne Technology Support Forums | Powered by SMF 1.0.7.
© 2001-2005, Lewis Media. All Rights Reserved. 		Valid XHTML 1.0! Valid CSS!