Tutorial: How To Remove Keylogger and other Virus Threats

Discussion on Tutorial: How To Remove Keylogger and other Virus Threats within the Soldier Front forum part of the Shooter category.

Old   #1

You are most likely reading this tutorial because you are infected with some sort of malware and want to remove it. With this knowledge that you are infected, it is also assumed that you examined the programs running on your computer and found one that does not look right. You did further research by checking that program against the various Startup Databases online or by searching in Google and have learned that it is an infection and you now want to remove it.

As we may all notice, there is this existing sticky thread regarding "how to avoid keyloggers and other virus threats". So his is precaution/prevention and mine is removal/cure. Hence, I believe this follow-up thread will complement that of airex22.

Oh yes, prevention is better than cure. But just in case you were so careless and you got your pc infected already, this tutorial is all for you.

To beat an enemy is to know the enemy. We start from defining the terms:
Malware - Malware is programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, Trojan horses, spyware, hijackers, and certain type of adware.

---Adware - A program that generates pop-ups on your computer or displays advertisements. It is important to note that not all adware programs are necessarily considered malware. There are many legitimate programs that are given for free that display ads in their programs in order to generate revenue. As long as this information is provided up front then they are generally not considered malware.

---Backdoor - A program that allows a remote user to execute commands and tasks on your computer without your permission. These types of programs are typically used to launch attacks on other computers, distribute copyrighted software or media, or hack other computers.

---Dialler - A program that typically dials a premium rate number that has per minute charges over and above the typical call charge. These calls are with the intent of gaining access to pornographic material.

---Hijackers - A program that attempts to hijack certain Internet functions, like redirecting your start page to the hijacker's own start page, redirecting search queries to an undesired search engine, or replacing search results from popular search engines with their own information.

---Spyware - A program that monitors your activity or information on your computer and sends that information to a remote computer without your knowledge.

------Keylogger - a surveillance tool that is used to monitor computer activity and record keystrokes. Once it has been installed, it launches automatically at computer start-up and records information that is sent to a configurable email address or an FTP server. It runs processes in the Task Manager and installs entries in the registry. Removing a keylogger completely involves removing all associated files and registry entries to ensure your computer is secure.

---Trojan - A program that has been designed to appear innocent but has been intentionally designed to cause some malicious activity or to provide a backdoor to your system.

---Virus - A program that when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects ranging from wiping your hard drive, displaying a joke in a small box, or doing nothing at all except to replicate itself. These types of infections tend to be localized to your computer and not have the ability to spread to another computer on their own. The word virus has incorrectly become a general term that encompasses trojans, worms, and viruses.

---Worm - A program that when run, has the ability to spread to other computers on its own using either mass-mailing techniques to email addresses found on your computer or by using the Internet to infect a remote computer using known security holes.


I have scanned quite a few files being uploaded here and noticed the most common infections are coming either from a trojan variant or from a spyware-keylogger. So we will be focusing our discussion on these two. Now, let us all get into business!


HOW TO REMOVE TROJANS MANUALLY

1. Download and extract the Autoruns program by Sysinternals to C:\Autoruns

2. Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware monitor the keys that allow them to start and if they notice they have been removed, will automatically replace that startup key. For this reason booting into safe mode allows us to get past that defense in most cases.

3. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.

4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.

------1. Include empty locations

------2. Verify Code Signatures

------3. Hide Signed Microsoft Entries

5. Then press the F5 key on your keyboard to refresh the startups list using these new settings.

6. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file, as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and the folder it is in, that you want to remove. You can check our Startup Database for that information or ask for help in our computer help forums.

7. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry.

8. Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you cannot see the file, it may be hidden. To allow you to see hidden files you can follow the steps for your operating system found in this tutorial:

How to see hidden files in Windows

9. When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection.



HOW TO REMOVE KEYLOGGERS MANUALLY

1. Backup your computer system before proceeding. To do so, click the Windows "Start" button and select "All Programs." Select "Accessories" and choose "System Tools." Click "System Restore" to open the System Restore wizard.

2. Click the "Create a new restore point" button and choose "Next." Type the name for the restore point and click "Create." This will back up your computer by creating a restore point you can come back to if you accidentally make an error.

3. Press "Ctrl," "Alt" and "Delete" together to open the Windows Task Manager. Click the "Processes" tab. Scroll down and click "akl.exe." Select "End Process." Perform the same procedure for the remaining processes: akv.exe and nsk.exe. Close the Windows Task Manager.

4. Click the Windows "Start" button and click "Run" or "Start Search" (Windows Vista users). Type "regedit" (without quotes) and press "Enter" to open the registry.

5. Press "F3" to open the search window. Search for and delete the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ardamax Keylogger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSK
HKEY_CURRENT_USER\Software\Ardamax Keylogger Lite
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\App Paths\akl.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger

Close the registry.

6. Click the Windows "Start" button and select "Search." Click "All Files and Folders" to open the search box. Click "More Advanced Options" and place a check on all the options. Search for and delete the following files: akl.exe, akv.exe, nsk.exe, il.dll, kh.dll, akv.ini and settings.ini.

7. Double-click "My Computer" on your desktop and select the "C:" drive. Double-click the "Program Files" folder and delete the Ardamax Keylogger and NSK folders.

8. Empty the recycle bin and restart your computer to complete the removal process.



Additional Info:
How To Kill Malicious Processes:
How To Remove Registry Entries:

Recommended Anti-trojan tools:
* Kaspersky Anti-virus
* ESET Nod32
* AVG
* Avast
* BitDefender
* Microsoft Security Essentials
* Trend Micro
* Antivir

Recommended Anti-spyware tools:
* Spyware Doctor
* Malwarebytes Anti-Malware
* Spy Sweeper
* Windows Defender
* SUPERAntiSpyware


Sources:



i[aM]-*CaRlo is offline  
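A read-only PowerShell triage of the Run/RunOnce keys the tutorial has you inspect with Autoruns, as an added example that is not part of the original post: it resolves each entry's image path, checks the Authenticode signature (the post's "Verify Code Signatures" and "Hide Signed Microsoft Entries" view) and flags the Ardamax file names and registry keys the post lists. The Get-ImagePath helper is mine, and the Microsoft check is an approximation that only looks at the signer's certificate subject, where Autoruns validates the whole chain.

```powershell
# Added example, not from the original post. Read-only: nothing is deleted.
# Run from an elevated PowerShell prompt on the machine being checked.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$knownBadNames = @('akl.exe', 'akv.exe', 'nsk.exe')          # file names from the post
$knownBadKeys  = @('HKCU:\Software\Ardamax Keylogger Lite',   # registry keys from the post
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger')

# Hypothetical helper: strips quotes and arguments from a Run value.
# "C:\dir\x.exe" /arg -> C:\dir\x.exe ; C:\dir\x.exe /arg -> C:\dir\x.exe
function Get-ImagePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $c = $command.Trim()
    $i = $c.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $c.Substring(0, $i + 4) }
    return ($c -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $rk = Get-Item -Path $key
    foreach ($valueName in $rk.GetValueNames()) {
        $raw   = Get-ImagePath ([string]$rk.GetValue($valueName))
        $image = [Environment]::ExpandEnvironmentVariables($raw)
        $signer = 'file missing'
        if ($image -and (Test-Path -LiteralPath $image)) {
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
            else { $signer = "unsigned ($($sig.Status))" }
        }
        # Flag known names first, then anything not carrying a Microsoft signature
        $flag = ''
        $name = [IO.Path]::GetFileName($image).ToLower()
        if ($knownBadNames -contains $name) { $flag = 'KNOWN-BAD NAME' }
        elseif ($signer -notmatch 'O=Microsoft Corporation') { $flag = 'REVIEW' }
        [PSCustomObject]@{ Key = $key; Entry = $valueName; Image = $image; Signer = $signer; Flag = $flag }
    }
}
$report | Format-Table -AutoSize

foreach ($k in $knownBadKeys) {
    if (Test-Path $k) { Write-Warning "Registry key named in the post is present: $k" }
}
```

Entries marked REVIEW are not necessarily malicious (many legitimate third-party programs are signed by their own vendor or not at all); treat the list as the shortlist to check against a startup database, as step 6 of the Autoruns procedure says.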
Old 05/19/2010, 11:19   #2
leecher failed to give credits to hackerforum.net
uragonJM is offline  
Old 05/19/2010, 11:27   #3
Leeching without credits? bad move bro...

already posted
.Walker is offline  
Old 05/19/2010, 11:29   #4
Quote:
Originally Posted by uragonJM View Post
leecher failed to give credits to hackerforum.net
Quote:
Originally Posted by .Walker View Post
Leeching without credits? bad move bro...

already posted
I'm sorry, sir.
i[aM]-*CaRlo is offline  
Old 05/19/2010, 12:10   #5
* you should give credits or permission first to the original TS before you repost it.

* wrong section
~ Reported (Request to move)

this section is only for releases, must post this to main section
˝IObit˛ is offline  
Old 05/19/2010, 13:12   #6
* At least edit the thread man.. say that you leeched and give the credits. And I thought this was the release section, not a discussion section..
-reported, wrong section
GoDzAssassiN- is offline  
Old 05/19/2010, 13:22   #7
-_- lmao!!!

So long...
Very tiring to read...
Especially it is pinked text..
expressxd is offline  
Old 05/19/2010, 13:54   #8
Quote:
Originally Posted by .Walker View Post
Leeching without credits? bad move bro...

already posted

* Move
and CLOSED
thanks.
†DARNOC† is offline  