Possible virus - keyboard.exe on Win XP
Red Hugh said:

In the absence of a HJT Log

The following will give you some idea why there are so many paths.

Poebot also known as Backdoor Win32 Poebot. (usually followed by a letter)
It also Mutates itself under different aliases.

It drops a copy of itself using a filename from a list:
– To: %SYSDIR%\ Using one of the following names:
• csrs.exe
• logon.exe
• explorer.exe
• supoolsvc.exe
• lsass.exe
• algs.exe
• iexplore.exe
• winamp.exe
• firewall.exe
• lssas.exe
• winIogon.exe
• spooIsv.exe
• spoolsvc.exe
It deletes the initially executed copy of itself.

One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Client Server Runtime Process"="%SYSDIR%\csrs.exe"
• "Windows Logon Application"="%SYSDIR%\logon.exe"
• "Windows Explorer"="%SYSDIR%\explorer.exe"
• "Spooler SubSystem App"="%SYSDIR%\supoolsvc.exe"
• "Local Security Authority Service"="%SYSDIR%\lsass.exe"
• "Application Layer Gateway Service"="%SYSDIR%\algs.exe"
• "Microsoft Internet Explorer"="%SYSDIR%\iexplore.exe"
• "Winamp Agent"="%SYSDIR%\winamp.exe"
• "Windows Network Firewall"=%SYSDIR%\firewall.exe
• "Local Security Authority Service"="%SYSDIR%\lssas.exe"
• "Windows Logon Application"="%SYSDIR%\winIogon.exe"
• "Spooler SubSystem App"="%SYSDIR%\spooIsvc.exe"
• "Spooler SubSystem App"="%SYSDIR%\spoolsvc.exe"

to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: %SYSTEM% refers to the System folder.

The following Tool is designed to remove this nasty.

Create a new folder in your primary Drive, rename it FFORCE.

First download the tool to this folder & the latest update to the same folder, (extract here)

http://www.f-secure.com/tools/f-force.zip
ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip

You should consider running this cleaning Tool in (Safe Mode with System Restore Disabled)

Click open the FForce tool, runs auto,

The other named "Apropos" is normally associated with installed software, (People)
It is Spyware, may be subject to EULA?

If you haven't done so already, install,
Adaware, SpywareBlaster, Spybot S & D, Ewido, CWSShredder, About Buster (all free)
Most definitely a two-way Firewall, such as Zone alarm (free)
Also McAfee, nice port monitoring window & tracing of possible hackers.
(Shareware)

Good Luck
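Added example, not part of Red Hugh's post or of any tool named in it: a triage check over Run values written in the post's "Name"="path" notation. It flags targets under the system folder that use a file name from the post, and names within two edits of a genuine Windows binary name. The GENUINE list, the distance threshold and the sample lines are assumptions constructed for the illustration.

```python
import ntpath
import re

# File names from the post, lower-cased (Windows file names are case-insensitive).
POST_NAMES = {"csrs.exe", "logon.exe", "explorer.exe", "supoolsvc.exe", "lsass.exe",
              "algs.exe", "iexplore.exe", "winamp.exe", "firewall.exe", "lssas.exe",
              "winiogon.exe", "spooisv.exe", "spooisvc.exe", "spoolsvc.exe"}
# Assumption (not from the post): genuine Windows binaries the names resemble.
GENUINE = {"csrss.exe", "winlogon.exe", "lsass.exe", "spoolsv.exe", "alg.exe",
           "explorer.exe", "iexplore.exe", "services.exe", "svchost.exe"}
# One Run value per line: "Name"="path", closing quotes optional as in the post.
PATTERN = re.compile(r'^[ \t]*"([^"]+)"="?([^"\n]*?)"?[ \t]*$', re.M)

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the genuine binary that `name` imitates, or None."""
    lower = name.lower()  # a capital I standing in for l becomes a one-edit miss
    if lower in GENUINE:
        return None
    near = [g for g in sorted(GENUINE) if edit_distance(lower, g) <= 2]
    return near[0] if near else None

def review_run_values(text):
    """Return (value name, file name, reasons) for entries worth a manual look."""
    findings = []
    for value, path in PATTERN.findall(text):
        folder, name = ntpath.split(path)
        in_sysdir = folder.lower() == "%sysdir%" or folder.lower().endswith("\\system32")
        reasons = []
        if in_sysdir and name.lower() in POST_NAMES:
            reasons.append("name listed in post")
        target = lookalike_of(name)
        if target:
            reasons.append("imitates " + target)
        if reasons:
            findings.append((value, name, reasons))
    return findings

# Constructed sample values (not taken from a real machine).
SAMPLE = r'''"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"Windows Logon Application"="%SYSDIR%\winIogon.exe"
"Local Security Authority Service"="%SYSDIR%\lssas.exe"
"Windows Network Firewall"=%SYSDIR%\firewall.exe'''
```

A hit is a prompt to inspect the file, not a verdict: lsass.exe and explorer.exe are also the names of genuine Windows binaries.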