Keyboard Disabled

Chris

I installed Antispyware last night and was delighted when
it found a serious problem - a stealth keylogger, which
my other spy removing software hadn't found. Antispyware
recommended removing the keylogger immediately. This I
did.

All was fine until I switched on this morning to find my
keyboard totally disabled! - This is not good news when
you need to type a password to log on!! Hardware profile
said the device wasn't working properly (it's a Microsoft
USB Internet Keyboard Pro 102). Reinstalling didn't help.
Unplugging and plugging didn't cure it. Eventually I
managed to get into SAFE MODE (my Administrator account
didn't need a password!!), and do a system restore from
there. This was successful.

Re-installing the software caused exactly the same
problem to occur. Asking the software to quarantine the
keylogger had exactly the same effect as when it was
removed. I think I'll wait for the full version before
downloading again!

In the meantime, anyone know how to remove the stealth
keylogger?

Best Regards
Chris
 
Nevarre

Are you sure it was actually a keylogger and not a false
positive on software used with your keyboard (I haven't
gotten around to intentionally infecting a machine to see
how useful the reports are)? Here's an interesting way to
test this idea:

Assuming that you have PS/2 ports on your computer,
temporarily acquire a PS/2 keyboard.

Shut down your computer, disconnect the USB keyboard, plug
in the PS/2 keyboard, boot the machine up, and use MS
Antispyware (MSAS in the rest of this message) to remove
the suspected software. If it doesn't detect the
software, maybe it was related to the USB keyboard driver
in some way.

See if the keyboard works. If the PS/2 keyboard works,
maybe you weren't actually infected. Down the machine,
swap keyboards, see if the USB keyboard works, and see if a
scan detects a keylogger.

Elsewhere in this board, several people have suggested
using multiple scanners (Adaware, Spybot and so on).
That's a good idea.

(It's a beta, it's a beta, it's a beta).
 
Bill Sanderson

In the directory where Microsoft Antispyware is installed, there's a file:

cleaner.log

If you could post the segment showing the cleaning of the supposed
keylogger, that might be useful.

I know there have been false positives involving keyloggers reported here.

Clearly, you want to be as certain as possible that this is a false positive
before leaving it in place, however. So--any information from the screens
presented upon detection (ctrl-a, ctrl-c should work to get stuff to the
clipboard), and a segment from cleaner.log would be very helpful.
 
chris

Thanks Nevarre. I'll try that this weekend. Will post an
answer. Thanks again for your feedback. Chris
 
Chris

Bill,

Apologies for the delay, I've been away a lot this week.
Thanks for your advice. Section of log file as below:-

18/02/2005 00:32:54::Initializing Clean - (ScanID: 0F0CFBEF-E7FC-4452-9C2A-4D58BC)
18/02/2005 00:32:54::Remove Threat (ID:7199)
18/02/2005 00:32:54::Clean Threat Invisible KeyLogger Stealth (ID:7199)
18/02/2005 00:32:57::Removing file c:\windows\iks.dat
18/02/2005 00:32:57::Disable file c:\windows\iks.dat and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\FA9ED694-B7EE-404C-BFE7-9170C7\0EB23EA7-23A8-4093-99F9-CE28F9
18/02/2005 00:32:57::Removing file C:\WINDOWS\system32\drivers\iks.sys
18/02/2005 00:32:57::Disable file C:\WINDOWS\system32\drivers\iks.sys and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\FA9ED694-B7EE-404C-BFE7-9170C7\068B75A0-2B5A-4D16-8DBE-7C2035
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [0=ACPI\PNP0303\4&2e6719a8&0
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [Count=2
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [NextInstance=2
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [1=HID\Vid_045e&Pid_002b&MI_00\8&1af3adc7&1&0000
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [Type=1
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [ErrorControl=1
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [Start=3
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks
18/02/2005 00:32:57::Removing registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks
18/02/2005 00:32:57::Clean Threat Invisible KeyLogger Stealth (ID:7199) Complete
18/02/2005 00:32:58::Remove Threat (ID:7199) Complete
18/02/2005 00:32:58::Remove Threat (ID:15100)

If this is some help, I'd be grateful if you can tell me
what it means.

Thanks again
Chris
 
Bill Sanderson

This doesn't look like a false positive to me, but perhaps removal of a
keylogger without proper reconstruction of some chains within the OS that
allow the keyboard to function.

Here is Symantec's description of this bug or a close variant:

http://securityresponse.symantec.com/avcenter/venc/data/spyware.invisiblekey.b.html

They recommend cleaning in safe mode, which probably stops the keylogger
from running.

Other antivirus vendors also detect this--but in Symantec's case, and
perhaps others as well, only in specific classes of their product--the extra
cost ones, presumably, that deal with threats beyond viruses.

Symantec's description and removal instructions mention that this critter
modifies the UpperFilters value in the registry key associated with the
keyboard.

However, they don't specify what the change is, nor do they mention
reversing that change as part of the process of cleaning this bug.

I would want that value to be set to kbdclass as noted in Symantec's
article--that is the default. I don't have sufficient technical depth to be
sure that's the issue, but I'd be interested to know what that value is set
to now on your machine.

This is a keystroke logger, and is installed manually. This can have any
number of meanings in the real world, from jealous boyfriend or roommate to
corporate management, or the traditional route of simply inducing someone to
run the code under some false but effective pretense.

The keystrokes are logged and if that log has been exported or viewed by
others, anything that you've typed is no longer confidential.

It is possible that other threats also present at the same time are relevant
in terms of how this got into place, and or whether the logs are likely to
have been exported in some way.

I'm reaching a limit to my competency, I think, in passing judgement about
what might or might not have happened in terms of a combination of other
threats present on your machine--a keylogger is bad news, and you should
take steps to secure confidential information that might have leaked via
this route.

So if cleaning in normal mode hasn't worked, I'd like to try cleaning in
safe mode. Additionally, I'd like to be sure after the cleaning that the
UpperFilters value is set to the default - kbdclass.

Hmm - I wish I was more of a hardware person--I do wonder whether simply
deleting the keyboard in device manager would fix all this up rather more
easily than messing about with the registry--then the steps would be clean
in safe mode, and delete the keyboard in device manager before restarting.
On restart, the keyboard should be redetected and eventually work correctly,
perhaps requiring one more reboot in the process.

There are a bunch of folks out there better at this stuff than I
am--critiques, anyone?
(in other words--sit tight for a bit and see if someone else chimes in and
says--yeah--that should work! (in a convincing tone of voice.))
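Bill's point about the keyboard UpperFilters value, and the Enum entries in Chris's log (the iks service bound to both an ACPI\PNP0303 PS/2 keyboard and a USB HID device), as an added example that is not code from the thread or from Microsoft AntiSpyware: it parses the quoted cleaner.log format and flags any keyboard-class UpperFilters entry whose service the cleanup deleted. The UpperFilters contents used here are a constructed assumption, since the thread never shows them.

```python
# Added example, not code from the thread or from Microsoft AntiSpyware: parse
# cleaner.log lines like those quoted above and audit the keyboard class
# UpperFilters value (HKLM\SYSTEM\CurrentControlSet\Control\Class\
# {4D36E96B-E325-11CE-BFC1-08002BE10318}, the real keyboard class GUID).
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}::(?P<msg>.*)$")
CLEAN_RE = re.compile(r"Clean Threat (?P<name>.+?) \(ID:(?P<id>\d+)\)(?P<done> Complete)?$")
SERVICES = r"HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\"
FILE_RE = re.compile(r"Removing file (?P<path>\S+)", re.I)
ENUM_RE = re.compile(r"Removing registry value " + SERVICES
                     + r"(?P<svc>[^\\]+)\\Enum \[\d+=(?P<inst>\S+)", re.I)
KEY_RE = re.compile(r"Removing registry key " + SERVICES + r"(?P<svc>[^\\\s]+)$", re.I)

@dataclass
class ThreatCleanup:
    threat_id: str
    name: str
    files: list = field(default_factory=list)          # files removed/quarantined
    services: list = field(default_factory=list)       # service keys deleted
    bound_devices: list = field(default_factory=list)  # instance IDs from <svc>\Enum

def parse_cleaner_log(text):
    """Group cleaner.log actions by the 'Clean Threat ... (ID:n)' block they belong to."""
    threats, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if c := CLEAN_RE.search(msg):
            current = None if c.group("done") else threats.setdefault(
                c.group("id"), ThreatCleanup(c.group("id"), c.group("name")))
        elif current is None:
            continue
        elif f := FILE_RE.search(msg):
            current.files.append(f.group("path"))
        elif e := ENUM_RE.search(msg):
            current.bound_devices.append(e.group("inst"))
        elif k := KEY_RE.search(msg):
            current.services.append(k.group("svc"))
    return threats

def describe_device(instance_id):
    """Label an Enum instance ID; ACPI\\PNP0303 is the standard PC/AT keyboard PnP ID."""
    head = instance_id.upper()
    if head.startswith("ACPI\\PNP0303"):
        return "PS/2 keyboard (ACPI\\PNP0303)"
    if head.startswith("HID\\"):
        return "HID (USB) input device"
    return "other device"

def audit_upper_filters(upper_filters, removed_services):
    """Return (dangling, corrected) for a keyboard-class UpperFilters list.

    A filter named in UpperFilters whose service key is gone cannot be loaded, so
    PnP fails to start every keyboard device in the class: the dead-keyboard
    symptom in the thread. The corrected list drops those names and keeps kbdclass.
    """
    removed = {s.lower() for s in removed_services}
    dangling = [f for f in upper_filters if f.lower() in removed]
    corrected = [f for f in upper_filters if f.lower() not in removed]
    if not any(f.lower() == "kbdclass" for f in corrected):
        corrected.append("kbdclass")
    return dangling, corrected

# Log lines quoted from the thread (Enum lines unwrapped).
SAMPLE_LOG = r"""
18/02/2005 00:32:54::Clean Threat Invisible KeyLogger Stealth (ID:7199)
18/02/2005 00:32:57::Removing file c:\windows\iks.dat
18/02/2005 00:32:57::Removing file C:\WINDOWS\system32\drivers\iks.sys
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [0=ACPI\PNP0303\4&2e6719a8&0
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [Count=2
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [1=HID\Vid_045e&Pid_002b&MI_00\8&1af3adc7&1&0000
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [Start=3
18/02/2005 00:32:57::Removing registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks
18/02/2005 00:32:57::Clean Threat Invisible KeyLogger Stealth (ID:7199) Complete
"""

# Constructed for the example: the thread never shows the real UpperFilters
# value, so this assumes the keylogger's filter sits above kbdclass.
SAMPLE_UPPER_FILTERS = ["iks", "kbdclass"]

def report(log_text=SAMPLE_LOG, upper_filters=SAMPLE_UPPER_FILTERS):
    """Summarise which services were removed, what they were bound to, and the fix."""
    threats = parse_cleaner_log(log_text)
    removed = [s for t in threats.values() for s in t.services]
    dangling, corrected = audit_upper_filters(upper_filters, removed)
    bound = {i: describe_device(i) for t in threats.values() for i in t.bound_devices}
    return {"removed_services": removed, "bound_devices": bound,
            "dangling_filters": dangling, "corrected_upper_filters": corrected}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it after a cleanup and before rebooting: a non-empty dangling_filters list is the case Bill describes, where the filter name must be taken out of UpperFilters (leaving kbdclass) or the keyboard devices will not start.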
 
Bill Sanderson

Chris, just had a better thought.

If you are in the U.S. or Canada, call Microsoft PSS at 1-866-pcsafety.

Tell them you have found that you have a keylogger (giving the name used by
Microsoft Antispyware or by Symantec), and ask for their help in removing it
correctly. It is better to avoid mentioning Microsoft Antispyware itself,
because there is no support for this beta product. However, removing the
actual critter that you have in place is absolutely what they are there to
do, and they know how to do it properly.

If you are not in the U.S. or Canada, call the nearest Microsoft Subsidiary.
Use the phone number for paid support if you can find one, but specify that
you need the free support for virus or trojan issues or security-patch
related problems. The phone call itself may not be free, but Microsoft
Product Support staff help will be.

This advice is just slightly "iffy" because of the issue of the beta product
being unsupported. However, your fundamental issue is removal of the
keylogger, an item which I believe this support is directly targeted at
helping with.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Bill Sanderson

Let me reinforce this one. I've just passed it by a group of experts and
the answer is DO IT--give Microsoft a call on this one.

They may well advise you to format and rebuild your machine, but they will
get this fixed properly for you.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Chris

Bill,

I took your (and your friends') advice and called
Microsoft today (it was shut over the weekend (for UK
callers)). Was passed to a very helpful technician who
went through an entire manual removal procedure
(Symantec's method), which gave exactly the same results
as the MSAS - i.e. a disabled keyboard! It is interesting
that my NIS and NAV have both failed to detect this
keylogger as being a "nasty" on my system.

One thing that is comforting though, there are no .exe
files on my system that are normally present with this
spyware's id.

What is concerning is that whatever this thing is, its
registry entry has linked itself to some other (unknown)
registry value - so delete one, and the other won't work
either.

What Microsoft were able to do whilst I was then going
through my system restores, was help me with another
problem I'd been experiencing with my PC. It does look as
if I've got a slightly corrupt version of WinXP SP2 (I
downloaded this version over the web). So maybe once this
is reinstalled (from a CD, this time), it might eliminate
the problem of the linked registry entries, as well as
sort out my other problem. Who knows? It's worth a try.
MSAS might then be able to eliminate the keylogger within
my system if this "link" problem can be resolved.

Microsoft also recommended two other courses of action.
1) Check with the PC manufacturer (Mesh) to make sure
this isn't something they install with their USB
keyboards. (It isn't, I checked - though incidentally
Mesh kindly gave me a keylogger detection/removal tool...
which failed to find this particular keylogger problem on
my system!)

2) Follow the advice posted on an earlier reply by
Nevarre, and see if a PS/2 keyboard is similarly affected.
Have not had the chance to do this yet.

Upshot of all this...Microsoft and Mesh are fairly
confident my "keylogger" is not a malicious problem, but
I'm advised by both of them, and you, that the only way
to be totally sure is to reformat and start again. (Gulp!)

I'll do the SP2 thing first, and swap keyboards, before
assessing whether I go for the "Big F".

Bill, thanks ever so much for help and advice. It's been
quite an eye-opener!

Chris



 
Bill Sanderson

I'm glad that you were able to get help, and didn't get hassled about it
being related to the beta program which isn't supported.

It sounds like you are getting good support from both Mesh and
Microsoft--that's another good story for all of us to hear--a good support
tale from a vendor.

I don't know enough about the ins and outs of the registry to tell whether
this idea of a link between that entry and another is a reasonable way to
explain the set of issues you've encountered.

Thanks for letting me know how this worked out--some issues are beyond the
scope of what is easily managed within the format of an online forum--so I'm
glad that the direct support was possible.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Chris said:
Bill,

I took your (and your friends) advice and called
Microsoft today (it was shut over the weekend (for UK
callers)). Was passed to a very helpful technician who
went through an entire manual removal procedure
(Symantec's method), which gave exactly the same results
as the MSAS - ie a disabled keyboard! It is interesting
that my NIS and NAV have both failed to detect this
keylogger as being a "nasty" on my system.

One thing that is comforting though, there are no .exe
files on my system that are normally present with this
spyware's id.

What is concerning is that whatever this thing is, its
registry entry has linked itself to some other (unknown)
registry value - so delete one, and the other won't work
either.

What Microsoft were able to do whilst I was then going
through my system restores, was help me with another
problem I'd been experiencing with my PC. It does look as
if I've got a slightly corrupt version of WinXP SP2 (I
downloaded this version over the web). So maybe once this
is reinstalled (from a CD, this time), it might eliminate
the problem of the linked registry entries, as well as
sort out my other problem. Who knows? It's worth a try.
MSAS might then be able to eliminate the keylogger within
my system if this "link" problem can be resolved.

Microsoft also recommended two other courses of action.
1) Check with the PC manufacturer (Mesh) to make sure
this isn't something they install with their USB
keyboards. (It isn't, I checked - though incidentally
Mesh kindly gave me a keylogger detection/removal tool...
which failed to find this particular keylogger problem on
my system!)

2) Follow the advice posted on an earlier reply by
Nevarre, and see if a PS2 keyboard is similarly affected.
Have not had the chance to do this yet.

Upshot of all this...Microsoft and Mesh are fairly
confident my "keylogger" is not a malicious problem, but
I'm advised by both of them, and you, that the only way
to be totally sure is to reformat and start again. (Gulp!)

I'll do the SP2 thing first, and swap keyboards, before
assessing whether I go for the "Big F".

Bill, thanks ever so much for help and advice. It's been
quite an eye-opener!

Chris



-----Original Message-----
Let me reinforce this one. I've just passed it by a group of experts and
the answer is DO IT--give Microsoft a call on this one.

They may well advise you to format and rebuild your machine, but they will
get this fixed properly for you.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Chris, just had a better thought.

If you are in the U.S. or Canada, call Microsoft PSS at 1-866-pcsafety.

Tell them you have found that you have a keylogger (giving the name used
by Microsoft Antispyware or by Symantec, and ask for their help in
removing it correctly. It is better to avoid mentioning Microsoft
Antispyware itself, because there is no support for this beta product.
However, removing the actual critter that you have in place is absolutely
what they are there to do, and they know how to do it properly.

If you are not in the U.S. or Canada, call the nearest Microsoft
Subsidiary. Use the phone number for paid support if you can find one, but
specify that you need the free support for virus or trojan issues or
security-patch related problems. The phone call itself may not be free,
but Microsoft Product Support staff help will be.

This advice is just slightly "iffy" because of the issue of the beta
product being unsupported. However, your fundamental issue is removal of
the keylogger, an item which I believe this support is directly targeted
at helping with.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Bill,

Apologies for the delay, I've been away a lot this week.
Thanks for your advice. Section of log file as below:-

18/02/2005 00:32:54::Initializing Clean - (ScanID: 0F0CFBEF-E7FC-4452-9C2A-4D58BC)
18/02/2005 00:32:54::Remove Threat (ID:7199)
18/02/2005 00:32:54::Clean Threat Invisible KeyLogger Stealth (ID:7199)
18/02/2005 00:32:57::Removing file c:\windows\iks.dat
18/02/2005 00:32:57::Disable file c:\windows\iks.dat and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\FA9ED694-B7EE-404C-BFE7-9170C7\0EB23EA7-23A8-4093-99F9-CE28F9
18/02/2005 00:32:57::Removing file C:\WINDOWS\system32\drivers\iks.sys
18/02/2005 00:32:57::Disable file C:\WINDOWS\system32\drivers\iks.sys and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\FA9ED694-B7EE-404C-BFE7-9170C7\068B75A0-2B5A-4D16-8DBE-7C2035
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [0=ACPI\PNP0303\4&2e6719a8&0
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [Count=2
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [NextInstance=2
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [1=HID\Vid_045e&Pid_002b&MI_00\8&1af3adc7&1&0000
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [Type=1
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [ErrorControl=1
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [Start=3
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks
18/02/2005 00:32:57::Removing registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks
18/02/2005 00:32:57::Clean Threat Invisible KeyLogger Stealth (ID:7199) Complete
18/02/2005 00:32:58::Remove Threat (ID:7199) Complete
18/02/2005 00:32:58::Remove Threat (ID:15100)

If this is some help, I'd be grateful if you can tell me
what it means.

Thanks again
Chris
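An added example, not from anyone in this thread: a small parser for the cleaner.log excerpt above that lists what was removed and flags that the "iks" entry was a kernel driver whose Enum key was bound to both a PS/2 keyboard instance (ACPI\PNP0303) and a Microsoft USB HID instance (vendor 0x045E), which fits a keyboard that stays dead whichever one is plugged in. The log lines are reproduced from the post with the forum's line-wrapping undone; the function names are my own.

```python
import re

# Sample input, constructed for this example from the cleaner.log excerpt quoted above.
CLEANER_LOG = r"""
18/02/2005 00:32:57::Removing file c:\windows\iks.dat
18/02/2005 00:32:57::Removing file C:\WINDOWS\system32\drivers\iks.sys
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [0=ACPI\PNP0303\4&2e6719a8&0
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [Count=2
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks\Enum [1=HID\Vid_045e&Pid_002b&MI_00\8&1af3adc7&1&0000
18/02/2005 00:32:57::Removing registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\iks [Type=1
"""

ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}::(.*)$")
REG_VALUE = re.compile(r"^Removing registry value (?P<key>.+?) \[(?P<name>[^=]+)=(?P<data>.*)$")
# ...\services\<name> holds the driver's settings; ...\services\<name>\Enum lists bound devices
SERVICE_KEY = re.compile(r"\\services\\(?P<svc>[^\\]+)(?P<enum>\\Enum)?$", re.IGNORECASE)


def parse_cleaner_log(text):
    """Collect removed files, per-service registry values and Enum device instances."""
    report = {"files": [], "services": {}}
    for line in text.splitlines():
        if not (m := ENTRY.match(line)):
            continue
        msg = m.group(1)
        if msg.startswith("Removing file "):
            report["files"].append(msg[len("Removing file "):])
            continue
        rv = REG_VALUE.match(msg)
        if not rv or not (sk := SERVICE_KEY.search(rv["key"])):
            continue
        svc = report["services"].setdefault(sk["svc"].lower(), {"values": {}, "devices": []})
        if sk["enum"]:
            if rv["name"].isdigit():  # Enum\0, Enum\1, ... are device instance IDs
                svc["devices"].append(rv["data"])
        else:
            svc["values"][rv["name"]] = rv["data"]
    return report


def keyboard_findings(report, svc):
    """Why removing this driver affects every keyboard: its Enum key lists keyboard devices."""
    info = report["services"].get(svc, {"values": {}, "devices": []})
    findings = []
    if info["values"].get("Type") == "1":  # SERVICE_KERNEL_DRIVER
        findings.append("kernel-mode driver (Type=1)")
    for dev in info["devices"]:
        if "PNP0303" in dev.upper():  # ACPI\PNP0303 = PC/AT 101/102-key keyboard
            findings.append(f"bound to PS/2 keyboard device {dev}")
        elif dev.upper().startswith("HID\\VID_045E"):  # USB vendor 0x045E = Microsoft
            findings.append(f"bound to Microsoft USB HID device {dev}")
    return findings
```

Whether the driver is a keylogger or a legitimate keyboard filter, the log alone cannot say; what it does show is that the cleaner deleted a driver sitting in the keyboard device stack, which is why a System Restore (putting the file and service key back) brought the keyboard back.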
-----Original Message-----
In the directory where Microsoft Antispyware is
installed, there's a file:

cleaner.log

If you could post the segment showing the cleaning of
the supposed
keylogger, that might be useful.

I know there have been false positives involving
keyloggers reported here.

Clearly, you want to be as certain as possible that this
is a false positive
before leaving it in place, however. So--any
information from the screens
presented upon detection (ctrl-a, ctrl-c should work to
get stuff to the
clipboard,) and a segment from cleaner.log would be very
helpful.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
