Behavior
Spyware.QuickKeylogger is a spyware program that logs keystrokes and application activities.
Symptoms
Your Symantec program detects Spyware.QuickKeylogger.
Transmission
This program has to be manually installed.
Technical details
File names:
qk_setup.exe
qlib.dll
qpanel.exe
qutils.dll
svchost.exe
When Spyware.QuickKeylogger is installed, it performs the following actions:
1. Creates the following files:
* %UserProfile%\Local Settings\Temp\Quick Keylogger Log.htm
* %UserProfile%\Local Settings\Temp\readme.htm
* %System%\MSIDLLSI.DAT
* %System%\svchost.exe
* %System%\launchinie.dll
* %System%\qlib.dll
* %System%\qpanel.exe
* %System%\qutils.dll
* %Windir%\ddemal.bin
Notes:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4BEF2011-88FB-0546-1BD1-FCD02B406654}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8809076-71C2-4B90-8DD6-6BF107F4F029}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7EBC9879-80A3-4F7C-8962-CB66B7D25F19}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1008EEB-37BC-4E5C-8A18-F30A111D98DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EEA8E1E1-81D8-4AB9-B796-58C5A057A022}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC348A2D-469C-4346-A115-4CB9F1EC5FEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LaunchInIE.Launch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LaunchInIE.Launch.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\RockinFewl\LaunchinIE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVCHOST
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST
3. Adds the values:
"{R7C0DB872A3F777C0}" = "[risk generated value]"
"{K7C0DB872A3F777C0}" = "[risk generated value]"
"{I566CAE8832A7BB26}" = "[risk generated value]"
"{0566CAE8832A7BB26}" = "[risk generated value]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
4. Adds the value:
"TrapPollTimeMilliSecs" = "3A98"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
5. Modifies the value:
"Window_Placement" = "[risk generated value]"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
6. Logs keystrokes and application activities.
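The file indicators in step 1 can be checked against a collected file listing once the %System%, %Windir% and %UserProfile% placeholders are expanded for the host's Windows family. The following is an added example, not part of the original write-up or any Symantec tool; the function names, the sample inventory and the decision to treat svchost.exe and readme.htm as weak indicators are assumptions of the example.

```python
import re

# Default folder expansions taken from the Notes in step 1, per Windows family.
VARS = {
    "9x": {"%system%": r"c:\windows\system", "%windir%": r"c:\windows"},
    "nt": {"%system%": r"c:\winnt\system32", "%windir%": r"c:\winnt"},
    "xp": {"%system%": r"c:\windows\system32", "%windir%": r"c:\windows"},
}
# File indicators copied from step 1 of the write-up.
FILE_IOCS = [
    r"%UserProfile%\Local Settings\Temp\Quick Keylogger Log.htm",
    r"%UserProfile%\Local Settings\Temp\readme.htm",
    r"%System%\MSIDLLSI.DAT", r"%System%\svchost.exe",
    r"%System%\launchinie.dll", r"%System%\qlib.dll",
    r"%System%\qpanel.exe", r"%System%\qutils.dll", r"%Windir%\ddemal.bin",
]
# Assumption of this example: names too generic to count on their own.
# Windows 2000/XP ship their own svchost.exe at %System%\svchost.exe.
WEAK_NAMES = {"svchost.exe", "readme.htm"}

def compile_ioc(ioc, family):
    """Turn one indicator into a full-path regex over lowercased paths."""
    pat = re.escape(ioc.lower())
    for var, folder in VARS[family].items():
        pat = pat.replace(re.escape(var), re.escape(folder))
    # %UserProfile% default from the Notes, with any user name.
    profile = re.escape("c:\\documents and settings\\") + r"[^\\]+"
    return re.compile(pat.replace(re.escape("%userprofile%"), profile) + r"\Z")

def scan(paths, family):
    """Map each matched indicator to (path as found, 'strong' or 'weak')."""
    hits = {}
    for ioc in FILE_IOCS:
        rx = compile_ioc(ioc, family)
        for path in paths:
            if rx.match(path.strip().lower()):
                name = ioc.rsplit("\\", 1)[1].lower()
                hits[ioc] = (path, "weak" if name in WEAK_NAMES else "strong")
    return hits

def verdict(hits):
    """Weak-only matches are not enough to call the host affected."""
    if any(conf == "strong" for _, conf in hits.values()):
        return "indicators present"
    return "inconclusive" if hits else "no match"

# Constructed inventory (not real data), as from a recursive listing on XP.
SAMPLE = [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\qlib.dll",
          r"C:\Documents and Settings\alice\Local Settings\Temp\Quick Keylogger Log.htm",
          r"C:\WINDOWS\system32\notepad.exe", r"C:\Temp\qpanel.exe"]
```

A match on svchost.exe alone returns "inconclusive" because that path also holds the operating system's own file; the product-specific names such as qlib.dll or the log file decide the result.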
Removal instructions
See:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.quickkeylogger.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
Then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to and delete the subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVCHOST
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST
4. Exit the Registry Editor.