Possible virus - keyboard.exe on Win XP

Channel Hopper · Sep 21, 2006

I have been trying to remove this odd thing on a customers PC for nearly two weeks.

Everytime I carry out a full scan (even in safe mode) with all other systems turned off, Norton AV detects it, but fails to remove it from the Win/Sys32 directory, and so the problem still remains.

I have turned off system restore, and am now ploughing through all the specific mydoom and other worm 32 tools to see where it comes from, but this may take the rest of the night.

I do not know if it is a real nasty one as no Anti spyware programme will tell me

Any pointers ?

Lancelot · Sep 21, 2006

Also known as 'ultrakeyboard spyware' hundreds of google entries. Just need to find a REAL free fix in there mate.

Norton will deal with it if you have it, it would seem

Good luck.

L.

Channel Hopper · Oct 3, 2006

Still trying to clear this one of the bug.

Norton detects it but cannot remove it, Microsoft patches detect malicious software at work, and have recommended upgrading to service Pack 2, but the problem remains.

Any pointers to a free removal tool ? , I have installed Anti-Keylogger, but it appears to suppress outgoing info, rather than removing it competely.

Thanks

Saturlight · Oct 3, 2006

Channel, m8, not tried Outpost? Worth a shot.

fieryjack · Oct 3, 2006

llok at
http://www.securitystronghold.com/enc/NLS-Keyboard-keyboard.exe-problem-solution-5080.php

Channel Hopper · Oct 3, 2006

UPDATE

Looking at the Symantec removal instructions

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2005-060911-2901-99&tabid=3

none of the regkeys listed at the bottom of the page tie in with whats installed on the PC, so I am now wondering if this is actually the spyware in the box.

What a pain.

(will look up NLS when I get a chance)

Red Hugh · Oct 5, 2006

It seems, you are still having problems. If you have'nt tried this,

Create a new folder in your primary drive, usually C: & rename this folder HJT.

Download HighjackThis from the following link & save in HJT folder.

http://www.filehippo.com/download_highjackthis/

(Note; Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HighjackThis 1.99.x since this parasite deliberately crashes programs that try to detect it.)

Open HJT folder, run HighjackThis, click on, Do a system scan & save a logfile.
Important; Please do not check any boxes or alter log in notepad.

Copy & post the contents of notepads logfile, unaltered, in this thread.
Close notepad & HighjackThis.

T_G · Oct 5, 2006

I recently tries webroot spysweeper and it removed some stuff that norton did not find. Also, try out Kaspersky anti virus, again it removed some stuff that Norton did not.. worth a try, both available on time limited try outs

Channel Hopper · Oct 5, 2006

Red Hugh said:
http://www.filehippo.com/download_highjackthis/

Open HJT folder, run HighjackThis, click on, Do a system scan & save a logfile.

I dare not run the infected PC on the Net just in case it sends out important data/info from the files (its a colleagues that has asked for help). Your link comes up 'error 404'.
so Ive taken it from Majorgeeks

(though making a log that I can put back on the site may take a little while)

Terrydlm · Oct 5, 2006

I would highly recommend removing Norton and replacing it with Grisoft's AVG. It is a free AV solution and it works very well.

Just after Christmas a client of mine had a virus which he could not remove. He had up to date Norton security suite and this could not detect the virus. He called me & i went to have a look. As he said his Norton was up to date & a scan of the complete machine did not find the virus. I left Norton on the machine & installed AVG and while it was still finishing off it's installation & before it updated the definition file it found this virus & put it into quarentine straight away. The client told me to remove Norton which i did.

I put AVG on all home PC's now as it is a.) FREE b.) Works very well. I have never had a problem with an AVG install. A lot of my home installs are on the typical home usr's PC's who don't want lots of hassle with there software tgey just want it to work which AVG does.

I can't guarentee that it will remove your virus in this case Channel Hopper but it is certainly worth a go. You can leave Norton on the PC and install AVG and try it if you like then remove Norton later on.

Channel Hopper · Oct 7, 2006

Thanks

It's not my PC (yet) so I cannot remove the official files, but will try another AV software - my own runs Avira and I like the functions.

I have run a few more tests

Webroot - detects the following
Apropos
ist istbar
Topconvert downloader
Backdoor Poebot
Exact Cashback / Barrow Buddy
and
Ist Yoursitebar

but I cannot remove them unless I subscribe to the official purchased version

As for HJT, I have a file of the log, but the PC will not tranfer to any medium outside the hard drive, even looking in theWindows explorer throws up some strange paths in the various folders.

david77 · Oct 7, 2006

hi everyone.its simple.run spybot with full updates.if the spybot cant remove it auto it will remove it on the next restart.you have to confirm that system restore isnt active and check every regkey in regedit that refers to keyboard.exe is deleted manually is the better choise.after that do a search file in your hard drive to check if the file is still there or not...

Channel Hopper · Oct 7, 2006

david77 said:
hi everyone.its simple.run spybot with full updates.if the spybot cant remove it auto it will remove it on the next restart.you have to confirm that system restore isnt active and check every regkey in regedit that refers to keyboard.exe is deleted manually is the better choise.after that do a search file in your hard drive to check if the file is still there or not...

Earlier post

none of the regkeys listed at the bottom of the page tie in with whats installed on the PC, so I am now wondering if this is actually the spyware in the box

Red Hugh · Oct 7, 2006

In the absense of a HJT Log

The following will give you some idea why there are so many paths.

Poebot also known as Backdoor Win32 Poebot. (usually followed by a letter)
It also Mutates itself under different aliases.

It drops a copy of itself using a filename from a list:
– To: %SYSDIR%\ Using one of the following names:
• csrs.exe
• logon.exe
• explorer.exe
• supoolsvc.exe
• lsass.exe
• algs.exe
• iexplore.exe
• winamp.exe
• firewall.exe
• lssas.exe
• winIogon.exe
• spooIsv.exe
• spoolsvc.exe
It deletes the initially executed copy of itself.

One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Client Server Runtime Process"="%SYSDIR%\csrs.exe"
• "Windows Logon Application"="%SYSDIR%\logon.exe"
• "Windows Explorer"="%SYSDIR%\explorer.exe"
• "Spooler SubSystem App"="%SYSDIR%\supoolsvc.exe"
• "Local Security Authority Service"="%SYSDIR%\lsass.exe"
• "Application Layer Gateway Service"="%SYSDIR%\algs.exe"
• "Microsoft Internet Explorer"="%SYSDIR%\iexplore.exe"
• "Winamp Agent"="%SYSDIR%\winamp.exe"
• "Windows Network Firewall"=%SYSDIR%\firewall.exe
• "Local Security Authority Service"="%SYSDIR%\lssas.exe"
• "Windows Logon Application"="%SYSDIR%\winIogon.exe"
• "Spooler SubSystem App"="%SYSDIR%\spooIsvc.exe"
• "Spooler SubSystem App"="%SYSDIR%\spoolsvc.exe"

to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: %SYSTEM% refers to the System folder.

The following Tool is designed to remove this nasty.

Create a new folder in your primary Drive, rename it FFORCE.

First download the tool to this folder & the latest update to the
same folder, (extract here)

http://www.f-secure.com/tools/f-force.zip
ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip

You should consider running this cleaning Tool in (Safe Mode with System Restore Disabled)

Click open the FForce tool, runs auto,

The other named "Apropos" is normally associated with installed software, (People)
It is Spyware, may be subject to EULA?

If you have'nt done so already, install,
Adaware, SpywareBlaster, Spybot S & D, Ewido, CWSShredder, About Buster (all free)
Most definitely a two-way Firewall, such as Zone alarm (free)
Also McAfee, nice port monitoring window & tracing of possible hackers.
(Shareware)

Good Luck

Channel Hopper · Oct 8, 2006

Thanks, will try some of the suggestions, my main PC already has ZoneAlarm, , Avira, Spybot and Ad-Aware running in the background with no real problems, (but it is a WinME machine).

d122k7trb · Oct 8, 2006

DO you have WIN XP with all patches and Hotfixes till April 2006. It's a nice XP version I've find till now. Combine it with ZoneAlarm Security Suite 6.5.737.0.0 and Norton Corporate Edition 10, I think you'll get a fine result. I haven't got any problems since I'm using these three except some stupid windows ones.

Also as the Red Hugh says the registry is the other choice too.

Arbi.

Channel Hopper · Oct 8, 2006

d122k7trb said:
DO you have WIN XP with all patches and Hotfixes till April 2006. It's a nice XP version I've find till now. Combine it with ZoneAlarm Security Suite 6.5.737.0.0 and Norton Corporate Edition 10, I think you'll get a fine result. I haven't got any problems since I'm using these three except some stupid windows ones.

Also as the Red Hugh says the registry is the other choice too.

Arbi.

The machine with issues had Win XP with SP2 freshly installed a couple of weeks ago, so I dont believe there were any immediate updates that would cure the problem. I installed Norton AV myself, and the PC was connected behind the Zone Alarm 6.1.744.

Channel Hopper · Oct 29, 2006

Update

Further to the suggestions on this thread
http://www.satellites.co.uk/satelli...zone/81054-test-your-anti-virus-software.html

I installed Avast home edition and updates, and (fingers crossed) the PC is now free of the keyboard issues.
I first connected it to the Net late last night and it appears to be behaving itself (some worrying programmes were running in the background before running a full AV scan), but now there are no pop ups at all.

So I now have a more or less up to date Advent 3000 (2 GHz Pentium 4 processor and NVidia Graphics system) and it has the two headphone ports at the front so I might even get onto Skype soon - just got to sort out the niggling multimedia Centre issues (and get used to Win XP )
Does anyone have a recovery disc with drivers for this model (C-media AC97) ?

PoloMint · Oct 29, 2006

Channel Hopper said:
...Does anyone have a recovery disc with drivers for this model (C-media AC97)

That’s a very common audio chipset, does Windows XP not manage to install it’s own driver for it?

If not something this might do it, if yours isn't the 9738/9739 you might need to hunt around that site a bit.

Edit: Or the PC World (advent) website, do they not have driver packs for their Advent range there?

Channel Hopper · Oct 29, 2006

Advent is a PC world brand name ?

Will look, but I might have been too optimistic earlier , the PC slowed down dramatically in the past three hours and then froze, so it may not be fully fit to connect online.

Possible virus - keyboard.exe on Win XP

Suffering fools, so you don't have to.

Retired Mod

Suffering fools, so you don't have to.

Regular Member

Member

Suffering fools, so you don't have to.

Member

The Consumate Dreamer

Suffering fools, so you don't have to.

Learning Fast !

Suffering fools, so you don't have to.

lost somewhere...

Suffering fools, so you don't have to.

Member

Suffering fools, so you don't have to.

Judas Priest

Suffering fools, so you don't have to.

Suffering fools, so you don't have to.

Super Minty Mod

Suffering fools, so you don't have to.