Beware of Key Logger residing on your Flash Drive


Last Sunday, I was forced to use a computer at one of the computer cafés (Iantech Cafe) here in Maasin City because Reems Cafe was closed. And I found out that the computers had key loggers installed.

Well, we all know that a key logger is a program designed to record which keys are pressed. It can be a legitimate program used by the café administrator for surveillance, but most of the time it is a malicious one.

Checked the Flash Drive

Since all the computers of that café, including their café timer, had this installed, I stopped using the computer and went home to check my flash drive for possible infection. My accounts on different blogs would be compromised if I continued using a computer with key loggers installed.

And here’s the result:

(1) Bootex.Log

I found a hidden file in the root directory of the flash drive with the filename BOOTEX.LOG. When I opened the log file, it contained this message: “Checking file system on E: One of your disks needs to be checked for consistency. You may cancel the disk check, but it is strongly recommended that you continue. Windows will now check the disk. …”

It is no wonder that bootex.log contains this message, because normally bootex.log is the log file written when scandisk runs. The only question is: why was bootex.log saved on my flash drive when in fact I did not run scandisk to check the flash drive, nor did Windows automatically check the flash drive for errors using the scandisk command?

(2) Recycler folder

I found a hidden directory named RECYCLER. The folder “Recycler” is hidden and can’t be viewed when browsing with Windows Explorer. To view it, you must use the DOS prompt and the “dir /a” command.

FYI, the folder called Recycler is a Windows folder associated with the Recycle Bin. Each Windows XP user has an assigned folder inside the Recycler folder. Once the Recycle Bin of one of the users is emptied, the folder in Recycler assigned to that user is emptied too.

Now, if you have emptied the Recycle Bin of all the accounts on your Windows XP, but the Recycler folder is not emptied, then it only means that your Windows XP is infected by malware.

(3) INFO.EXE

Inside the folder “Recycler”, a file named INFO.EXE is saved. This file is not a legitimate Windows XP file. Usually, it is used by worms, viruses, or other malware to activate themselves.

Thus, this finding warns me that the key loggers I found on those computers are malicious key loggers.

(4) DESKTOP.INI

The DESKTOP.INI file is the second file inside the folder “Recycler”. It contains these lines: [.ShellClassInfo] CLSID= <645ff040-5081-101b-9f08-00aa002f954e>

How to detect these files?

As I said above, these files can’t be viewed in Windows Explorer even if you set its option to show hidden files. You can only view them from the DOS prompt.

Here’s what to do:

  1. Click START, then click RUN. Type “COMMAND” in the dialogue box and then click OK.

  2. A window with a black background will appear. At the command prompt (on my computer it says “C:\Docume~1\Reems6>”), type E: (E: if your flash drive is assigned drive letter E:; if it is assigned drive D:, type D: instead) and press the ENTER key. The command prompt will now read “E:\>”.
  3. Type “dir /a” and press the ENTER key. The contents of your flash drive, including hidden entries, will now be listed.

  4. Check for the files and folder I mentioned above. If your flash drive contains those files and folder, then that flash drive is already infected by the key logger.
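The same four-step check as a script, added here as an example and not part of the original post: it indexes the drive root the way “dir /a” shows it, flags the four indicators named above, reports the hidden attribute where Windows exposes it, and checks whether DESKTOP.INI carries the Recycle Bin CLSID. It assumes you pass the drive root (for example E:\); the build_sample helper only lays out placeholder files so the scan can be tried without an infected drive.

```python
import stat
import tempfile
from pathlib import Path
# Indicators from the post, relative to the drive root (FAT is case-insensitive, so upper-cased).
INDICATORS = {
    "BOOTEX.LOG": "chkdsk log in the volume root",
    "RECYCLER": "Recycle Bin folder on a removable drive",
    "RECYCLER/INFO.EXE": "executable inside RECYCLER (not a Windows file)",
    "RECYCLER/DESKTOP.INI": "desktop.ini dressing RECYCLER up as the Recycle Bin",
}
RECYCLE_BIN_CLSID = "645ff040-5081-101b-9f08-00aa002f954e"

def is_hidden(path):
    """True when the Windows hidden attribute (the bit `dir /a` reveals) is set;
    off Windows st_file_attributes does not exist and this returns False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def scan_drive(root):
    """Return one finding per indicator present under root (e.g. r'E:\\')."""
    root = Path(root)
    # Index entries two levels deep: the root listing plus the inside of RECYCLER.
    index = {}
    for entry in root.iterdir():
        index[entry.name.upper()] = entry
        if entry.is_dir():
            for child in entry.iterdir():
                index[f"{entry.name}/{child.name}".upper()] = child
    findings = []
    for rel, why in INDICATORS.items():
        hit = index.get(rel)
        if hit is None:
            continue
        finding = {"path": str(hit), "why": why, "hidden": is_hidden(hit)}
        if rel.endswith("DESKTOP.INI"):
            # The CLSID quoted in the post is the Recycle Bin's shell folder id.
            text = hit.read_text(errors="replace").lower()
            finding["recycle_bin_clsid"] = RECYCLE_BIN_CLSID in text
        findings.append(finding)
    return findings

def build_sample(base=None):
    """Constructed sample drive root laid out like the post's flash drive (no real malware)."""
    root = Path(base or tempfile.mkdtemp()) / "E"
    (root / "RECYCLER").mkdir(parents=True)
    (root / "BOOTEX.LOG").write_text("Checking file system on E:\n")
    (root / "RECYCLER" / "INFO.EXE").write_bytes(b"MZ")  # placeholder bytes only
    (root / "RECYCLER" / "DESKTOP.INI").write_text(
        "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    return root
```

Run `scan_drive(r"E:\")` against a real drive, or `scan_drive(build_sample())` to see the four findings on the constructed layout.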

Note about Key Loggers

Remember that key loggers record which keys are pressed, and the data is then sent to remote servers. In other words, your passwords might be collected by this program and sent to someone who has access to those remote servers. Thus, your accounts might be compromised.

Posted by SELaplana, 9 August 2007, in Security

Comments

2 Responses to “Beware of Key Logger residing on your Flash Drive”

  1. jimmg says:

    is using keylogger legal or not?

  2. jake says:

    @jimmg: I think you already know what a keylogger is and whether it is legal or not, because your name is linked to your keylogger site.

    I think you are just spamming here.
