Suspected keylogger

Hello malware exterminators

A couple of days ago my home PC started writing by itself some times. Did some googling and found that it’s probably a keylogger. It just writes random jibberish like: awawssdwwdswwessawsawsdwas. Usually just the w-a-s-d-e keys. I have tried disconnecting both my internet and my keyboard during one of these occurrences but still keep on going. I have been running Avast! Internet Security for about two years now but this suspected keylogger somehow got through. Been scanning with both MBAM and Avast at highest sensitivity and removing all possible threats without success; it still keeps writing from time to time. I have also installed KeyScrambler as a precaution while I solve this dilemma.

Would be greatly appreciated if you could help me locate this bad boy, I’m not very keen on doing a complete re-installment of Windows (7)…

OTL, MBAM and aswMBR logs are in attachments. If there’s anything else you would need from me to solve this, please do not hesitate to ask!

Thank you in advance!

Hi,

Posted OTL log looks terrible. A lot of junk, remains … this requires additional cleaning. We’ll start with ComboFix.

Then we will use FRST tool. FRST shall show if there is anything that CF did not target or even display in his logs.


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Click on I Agree!

[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.[/size]
    -If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]

  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.
    ComboFix shall also create addition log. Please attach it to your reply.
    C:\Qoobox[b]ComboFix-quarantined-files.txt[/b]

FRST


Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Thanks for the quick answer!

Attached the logs in this reply.

P.S: Titles in ComboFix.txt are in Swedish.

Hi,

I do not see loaded malware (nor keyloger). I see also you have installed anti-keylogger tool KeyScrambler.

Related to KeyScrambler encrypts your keystrokes at the kernel driver level to protect your information from keyloggers. Note: Located in \%Program Files%\KeyScrambler\

I see some crapware entries (bad PUP software, we call them as adware, toolbar …), we shal use Zoek tool to preform these removal and additional cleaning …
PS: avast! need to be disabled while zoek is running …

Please download zoek.zip or zoek.rar by smeenk (
http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png
) from here or here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

EmptyCLSID;
c:\program files (x86)\Func;VS
Bundled software uninstaller;U
ipconfig /flushdns >> %temp%\log.txt;B
C:\Users\YooNiZz\AppData\Roaming\Mozilla\Firefox\Profiles\pvbrxhim.default\searchplugins\SweetIM Search.xml;f
C:\Users\YooNiZz\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx;f
C:\Users\YooNiZz\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx;f
C:\Users\YooNiZz\jagex_cl_runescape_LIVE.dat;f
C:\Users\YooNiZz\random.dat;f
ejpbbhjlbipncjklfjjaedaieimbmdda;CHR
ejpbbhjlbipncjklfjjaedaieimbmdda;CHR
AutoClean;

[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button.
Please wait until a logreport will open (this can be after reboot)

[*]Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log

Done!

If it is not a keylogger, then what could it be? As I said in my first post, I’ve tried plugging out both internet and keyboard but it still keeps typing :S.

do you have a wireless mouse?..how os the battery?

similar found with google search…
http://www.bleepingcomputer.com/forums/t/351005/computer-types-vs-on-its-own-topic-with-malware-logs/
https://answers.yahoo.com/question/index?qid=20110911094727AA2YweE
http://www.sevenforums.com/hardware-devices/270002-my-computer-randomly-types-q-qqqqqqqqqqq.html

I do not have a wireless mouse, it’s a Microsoft IntelliMouse Explorer 3.0 and my keyboard is a Microsoft Sidewinder X4. I have never had that problem with the cursor going crazy either, just the typing by itself.

If it is not a keylogger, then what could it be?
I suspect to keyboard. See this example:
awawssdwwdswwessawsawsdwas
Problematic buttons are "a", "s", "d" + "w" ... That's the circle on the keyboard. Have you tried another keyboard?

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

How can it be the keyboard if it doesn’t stop typing when I unplug it? Could it be software related? It might be worth mentioning that since my first post, other keys have been also been randomly typed. Once it wrote “dws tv liveswdwd”, first time it typed something that remotely looked like a word.

Ran the clean-up software, thanks.

Could it be software related?
Of course. I would try to uninstall the KeyScrambler and X-Chat 2 software you have.

Hello again

So I tried uninstalling xchat but it didn’t work. Keyscrambler was installed after the symptoms started to show so it doesn’t make sense that it would be the cause. Instead I waited until it started typing by itself again and terminated the processes that looked suspicious, one at a time. After a few days, I’ve confirmed that it was itype.exe (microsoft keyboard process) since it stopped typing every time I terminated that specific process. The weird thing is though, this process is not malware as I know. For what reason does it start typing by itself, has it been infected by some sort of unidentified malware or what?

Nope, but you have problem with keyboard as I said or more precisely with its software as you’ve already determined. :slight_smile:

Name :
itype

Filename:
itype.exe

Description Status:
Related to Microsoft_IntelliType_Pro MS Keyboard Software. Note: Located in %Program Files%\Microsoft IntelliType Pro\