Spyware.PCSpyKeyLogger

Printer Friendly Page

Updated: February 13, 2007 11:46:41 AM

Type: Spyware

Publisher: YL Computing

Risk Impact: Medium

File Names: %ProgramFiles%\PSK\ToolKeylogger.exe %ProgramFiles%\PSK\unins000.exe %ProgramFiles%\PSK\DLLs\Too

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.PCSpyKeylogger is installed, it performs the following actions:

Creates the following files:
- %ProgramFiles%\PSK\Buy.url
- %ProgramFiles%\PSK\Data\ToolKeylogger\Log\2006-02-15.htm
- %ProgramFiles%\PSK\DLLs\jmail.dll
- %ProgramFiles%\PSK\DLLs\ToolKeyloggerDLL.dll
- %ProgramFiles%\PSK\DLLs\ToolKeyloggerDLL.Language
- %ProgramFiles%\PSK\Help.url
- %ProgramFiles%\PSK\Home.url
- %ProgramFiles%\PSK\Images\Application.gif
- %ProgramFiles%\PSK\Images\BlockExe.gif
- %ProgramFiles%\PSK\Images\Clipboard.gif
- %ProgramFiles%\PSK\Images\Keystroke.gif
- %ProgramFiles%\PSK\Images\Password.gif
- %ProgramFiles%\PSK\Images\Screen.gif
- %ProgramFiles%\PSK\ToolKeylogger.exe
- %ProgramFiles%\PSK\ToolKeylogger.language
- %ProgramFiles%\PSK\ToolKeylogger.xml
- %ProgramFiles%\PSK\unins000.dat
- %ProgramFiles%\PSK\unins000.exe
- %UserPrograms%\PC Spy Keylogger\Help Online.lnk
- %UserPrograms%\PC Spy Keylogger\Homepage.lnk
- %UserPrograms%\PC Spy Keylogger\PC Spy Keylogger.lnk
- %UserPrograms%\PC Spy Keylogger\Purchase.lnk
- %UserDesktop%\PC Spy Keylogger.lnk
  
  Notes:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
Creates the following registry keys:

HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Application.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Application HKEY_CLASSES_ROOT\ToolKeyloggerDLL.BlockExe.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.BlockExe HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Clipboard.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Clipboard HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Hotkey.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Hotkey HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Keyboard.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Keyboard HKEY_CLASSES_ROOT\ToolKeyloggerDLL.LogToFTP.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.LogToFTP HKEY_CLASSES_ROOT\ToolKeyloggerDLL.LogToMail.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.LogToMail HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Password.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Password HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Screen.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.Screen HKEY_CLASSES_ROOT\ToolKeyloggerDLL.TaskList.1 HKEY_CLASSES_ROOT\ToolKeyloggerDLL.TaskList HKEY_CLASSES_ROOT\TypeLib\{4C4AB6B2-4BC3-494A-9232-5001E0793AC4} HKEY_CLASSES_ROOT\CLSID\{17B307BE-B2EC-43E8-8605-5E1F257273B1} HKEY_CLASSES_ROOT\CLSID\{5388D0EE-ACE4-4C4D-8532-72F234399AEB} HKEY_CLASSES_ROOT\CLSID\{60FB8D96-D4E9-461B-81A1-2356040B73E5} HKEY_CLASSES_ROOT\CLSID\{A9676C29-ED6E-4C33-9295-8BC13CD3947D} HKEY_CLASSES_ROOT\CLSID\{B44432C2-4D5C-4495-AC72-55A39917142C} HKEY_CLASSES_ROOT\CLSID\{B7385BC9-4857-471B-9E06-CF2807288633} HKEY_CLASSES_ROOT\CLSID\{BA7A51FA-04F1-45CB-B493-36AD46950432} HKEY_CLASSES_ROOT\CLSID\{C080FFDA-6D65-4F98-BA30-89A340FC2C2C} HKEY_CLASSES_ROOT\CLSID\{C610B319-5EF8-4302-AC99-4580932A5957} HKEY_CLASSES_ROOT\CLSID\{E27D817E-A07E-481D-B449-48F83D7A18F4}
Adds the value:

"PC Spy Keylogger" = "%ProgramFiles%\PSK\ToolKeylogger.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runso that it runs every time Windows starts.
Creates the following files which may have other legitimate uses:
- %System%\XPToolsLicenseComponent\LicenseManager.dll
- %System%\gdiplus.dll
  
  Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following registry keys which may have other legitimate uses:

HKEY_CLASSES_ROOT\CLSID\{0D821067-FCF9-4704-9287-0D8F76FE6513} HKEY_CLASSES_ROOT\CLSID\{10E321CC-683E-4060-B938-4F53234D9593} HKEY_CLASSES_ROOT\CLSID\{81CA5571-C109-47AE-BE1C-2DF9CB8999FF} HKEY_CLASSES_ROOT\CLSID\{90D0A753-AD45-40FD-8C6E-555600EE5EB4} HKEY_CLASSES_ROOT\CLSID\{A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41} HKEY_CLASSES_ROOT\CLSID\{AC3F1977-CD10-41B2-9977-7693A4C13377} HKEY_CLASSES_ROOT\CLSID\{AED3A6B3-2171-11D2-B77C-0008C73ACA8F} HKEY_CLASSES_ROOT\CLSID\{B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F} HKEY_CLASSES_ROOT\CLSID\{B1CC9084-0177-4136-9B1B-C06C061F1E1D} HKEY_CLASSES_ROOT\CLSID\{B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD} HKEY_CLASSES_ROOT\CLSID\{DBAAEA4B-AD29-47BD-8776-C787D5BE28AA} HKEY_CLASSES_ROOT\CLSID\{E5FF9F62-0E7C-4372-8AD5-DA7D2418070C} HKEY_CLASSES_ROOT\CLSID\{F812B147-0E26-4222-8EE4-9F753CD2B39C} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Attachment HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Attachments HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Headers HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.MailMerge HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Message HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Messages HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResult HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResultCollection HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResults HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.POP3 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Recipient HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Recipients HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.SMTPMail HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.SpeedMailer HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LicenseManager.RegCode HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LicenseManager.RegCode.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08B9999C-DAD2-4353-B25B-8CCAFFCA4D16} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E6D8684-755D-4847-BF40-68EC5E4BC1E9} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E86816-772B-4B28-A924-A135CFF6469A} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A037057-57F0-4904-A1E0-AD0EA2FB564E} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41DBA1FA-44F6-4BD5-82DF-1A7FDEA0475D} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56930358-AD72-408F-83C4-A2B0DC8037B2} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{607A06FE-2FDA-4ADC-854D-D016D98D83DB} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{65C53BE7-ED21-4C25-B189-DA0E8FAD5231} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{684130B2-2B8A-4E8D-BE71-8F4052882076} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{952F0B99-50B6-44B3-AE0D-700D5B98B416} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AED3A6B1-2171-11D2-B77C-0008C73ACA8F} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E05AEA1E-BCB1-473A-8B2A-4829D9E1AD23} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3C8833E7-D218-4A96-972A-389E23F364DC} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}