View Full Version : Keylogger Removal, please help

Rahwgwar
March 16th, 2003, 04:17 PM
Ok I'm really ticked that the SC-Keylogger I downloaded a couple months ago has just complicated matters more. Also ticked that I made a stupid mistake and am now trying to rectify it. This is gonna be hard to explain so please bear with me.

About a month and a half ago, I downloaded this keylogger. Immediately my virus software (Ontrack and Norton) went ballistic and started reporting that there was a virus, but it was only the keylogger engine itself. Virus dialogues kept coming up no matter what I did. I couldn't get it to ignore it so I made a thread about it. Hence, no one could help.

Sick and tired of this virus crap, I decided that I was going to uninstall it as soon as possible. I made a mistake by uninstalling the software before uninstalling the engine (I had been led to believe that uninstalling the software would remove all reg keys and engines).

So I reinstalled in hopes of being able to uninstall the engine. I did that and was unable to create an engine uninstaller. Then I tried deleting the files manually under the 'Windows' folder. There is a total of 3 engine-related files. Then I tried using Norton Uninstall to delete the program and it said something about my disk being full and making sure it isn't write protected. I have over 20 gigs free. It's prolly cuz the file is in use, but damnit I can't get rid of it.

There has to be a way to delete it. I will attach 3 screen shots to give you a visual of my situation. Right now I am stumped so if you have any ideas please let me know.

Oh and another thing, once you get the Norton dialogue box up, it's a be'otch to get rid of. Once it's triggered it's nearly impossible for it to leave (unless I disable Norton itself). So that's another thing that is annoying as hell.

NOTE: This particular screen shot shows how the removal option is dimmed, but it still says the engine is running. I guess it may recognize that there is an engine, but hasn't registered it or sumthing. I can view the log file w/out a password now too.

Rahwgwar
March 16th, 2003, 04:23 PM
What should I do.

Second screen shot shows myself trying to manually delete it (with an error).

Rahwgwar
March 16th, 2003, 04:28 PM
Now my third screenshot displays Norton.

cpugeniusmv
March 16th, 2003, 04:36 PM
open the task manager (Ctrl+Alt+Del) and end it...then try to delete it, or let norton get rid of it.

CCSDUDE
March 16th, 2003, 04:38 PM
Few ways you can go about this....

1) Boot via floppy and delete manually..
2) Boot via HD but do the f8 deal and select minimal boot.
3) Removing all the load calls from the reg and or startup

For the first two...it's fairly simple.

Navigate to the Windows folder with the following command (from DOS)

"cd windows" (without any quotes)
"del blahblah.exe" (Do this for each file you wish to kill)

Delete the files then reboot.

Last way to do it is to find instances of the files loaded in the reg and remove them...or use the run command and type in msconfig then move over to the startup tab and check for instances of those files loading...uncheck 'em and reboot.

cpugeniusmv
March 16th, 2003, 04:57 PM
Originally posted by Poskjil
There's an easier way.

Open a DOS prompt by going to START menu, then RUN...
and type the word COMMAND, then press enter.

Next type DELTREE /Y C:\%systemroot%\*.*

This will fix you up. It also speeds up your downloading.
you moron...

don't do that.

Rahwgwar
March 16th, 2003, 05:33 PM
Originally posted by cpugeniusmv
open the task manager (Ctrl+Alt+Del) and end it...then try to delete it, or let norton get rid of it.

I tried that. I think I'm gonna try the F8 thing next. Thanks. Norton is having trouble gettin' rid of it btw.

notbob
March 16th, 2003, 06:03 PM
if you are stupid enough to install a keylogger, you deserve everything you get

dhirsch
March 16th, 2003, 06:04 PM
Access is denied, so that means one of two things.

Either the file (the engine?) is loaded into memory, or you're not logged in with administrator rights. The latter situation is easy enough to rectify, but if it's the engine that insists on loading itself, here is what you can do.

If the program lets itself be killed through the task manager, then do that then delete. Though if the keylogger is worth its salt, it would most likely put up a fight. In that situation you need to find where the program loads itself during startup.

It could be in the registry (I can't remember the location), the Startup folder in the Start menu, or in win.ini or system.ini. Delete the loader call, then reboot. Hopefully that will let you delete the programs.

If not, you should be able to boot from a windows installation CD and wiggle your way to a command prompt to delete the program.


Good luck
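
An added example, not posted by anyone in this thread: a read-only PowerShell script that enumerates the autostart locations dhirsch lists (registry Run keys, the Startup folders, and the win.ini load=/run= lines) and flags any entry that mentions a given file name, so you can see where a program is being loaded before you remove it. It assumes a current Windows with PowerShell (which did not exist on XP in 2003); the default search string 'manav' is the file name from this thread.

```powershell
# Added example (not from the thread): list the autostart locations dhirsch
# names (registry Run keys, Startup folders, win.ini load=/run=) and flag
# entries referencing a given file name. Read-only: it reports, never deletes.
param([string]$Suspect = 'manav')   # file-name fragment from the thread

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # NT maps win.ini's [windows] load= / run= lines to this key
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
})

# Startup folders: per-user and all-users; resolve .lnk shortcuts to targets
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                  [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
        $entries += [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $target }
    }
}

# Legacy win.ini, if the file is still present
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    foreach ($m in Select-String -Path $winIni -Pattern '^\s*(load|run)\s*=') {
        $entries += [pscustomobject]@{ Location = $winIni; Name = "line $($m.LineNumber)"; Command = $m.Line }
    }
}

$entries | Format-Table -AutoSize
"--- entries mentioning '$Suspect' ---"
$entries | Where-Object { $_.Command -match [regex]::Escape($Suspect) } | Format-Table -AutoSize
```

Run it as the affected user (and once more from an elevated prompt for the HKLM keys); anything it flags is the loader call dhirsch says to remove before the file itself can be deleted.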

Rahwgwar
March 16th, 2003, 06:44 PM
Originally posted by notbob
if you are stupid enough to install a keylogger, you deserve everything you get

Wow, I HAD a lot of respect for you. Yes, it's a known fact that ppl who download keyloggers are stupid. In fact, it's a well-known fact that can be backed up with lots of statistics and is just an undisputed fact. Why the need for such dissension, notbob?

I've ended the task and tried to delete it but it didn't work and I couldn't find where it loads thru msconfig. I don't have that type of Windows installation CD unfortunately cuz the manufacturer didn't package it with my computer.

Speewhyjor
March 16th, 2003, 07:23 PM
Boot with F8, pick Command Prompt only.
when you get c:> then type cd WINDOWS
and then DEL *.SYS to get rid of all the spyware

12345678910
March 16th, 2003, 07:26 PM
Originally posted by Speewhyjor
Boot with F8, pick Command Prompt only.
when you get c:> then type cd WINDOWS
and then DEL *.SYS to get rid of all the spyware

DO NOT do this.

Someone ban this person. Why would you even waste five minutes of your time to even type something as retarded as that?

Idiot.

Lata,
12345678910

notbob
March 16th, 2003, 07:30 PM
Originally posted by 12345678910
DO NOT do this.

Someone ban this person. Why would you even waste five minutes of your time to even type something as retarded as that?

Idiot.

Lata,
12345678910

he already intentionally installed a keylogger on his own system

they obviously think he is a complete moron--do you blame them?

backing up his good files, formatting and reinstalling isn't the worst idea

12345678910
March 16th, 2003, 07:34 PM
Originally posted by notbob
he already intentionally installed a keylogger on his own system

they obviously think he is a complete moron--do you blame them?

backing up his good files, formatting and reinstalling isn't the worst idea

Yes, you are correct.

It wasn't the brightest move to install a keylogger on your system, but is it right for someone to tell him to delete his .SYS files?

We are here to help, not hurt.

My advice is to do what notbob says.

Back Up, Format, Re-Install

Good Luck,
12345678910

Rahwgwar
March 16th, 2003, 10:33 PM
If I quarantine them all, will that work? Then I am just left to get rid of the manav.dll file. Is this a viable step I can take? After containment I can then choose to delete it. Getting rid of the dll will be more difficult and I'm having trouble starting into safe mode. Ontrack views the dll as a virus but Norton doesn't get prompted at all.

I don't see how it hurts. I don't feel like reformatting. I just did that a couple months ago and don't feel I have to do it again for this. I just want all remnants of it gone. I don't want it running, engines destroyed, reg keys deleted, and the program itself uninstalled. I think I pretty much have disabled it from running and got the engines destroyed except that one dll. Once I get rid of the dll, I can delete everything and uninstall the program.

Rickio
March 16th, 2003, 11:02 PM
what you need to do was already mentioned.
I will mention it again a little more clearly.

Get your boot disc and boot your computer into DOS.

But first write down the names of the files you need to delete.

write the whole path down.

then delete it from Dos.

that will do it.

if you need even more details ask or get a copy of dos commands off google.


that will do it if you know the actual file names.

If you do not know the files names, you need to get a process viewer to actually see what is running.

get this : http://prcview.com

get a look at what is running and learn what should and should not be there.

you can also kill a process and perhaps delete it then without even going into DOS. try it but be sure you kill and delete the correct file.

it is better than Windows Task Manager, so get it.


peace

Feather
March 16th, 2003, 11:52 PM
http://www.blazingtools.com/downloads.html

overdo
March 17th, 2003, 08:30 AM
do what Rickio said. just a thought - could u not reinstall the keylogger so that the uninstall option becomes available again then just uninstall it using that? works for me using other programs as long as u install to the same directory as before.

Rahwgwar
March 17th, 2003, 08:00 PM
Ok let me try to explain my predicament a little better. I don't have the boot disk you are referring to. I have a 7-CD set that reformats all of Windows.

I made a bootable floppy but I guess there must be something wrong with the sectors because it doesn't seem to be working.

Pressing F8 at startup brings up 4 options on my Win XP Home SP1:
1) Start Windows as normal
2) Start in safe mode (with networking)
3) Start in safe mode (with command prompt)
4) Start from last known working configurations

Safe mode doesn't seem to want to work either. I checked out BIOS and I didn't see anything that may help, so I changed nothing. Maybe I overlooked something??

Keep in mind that I am still fairly computer illiterate when it comes to PCs in general, especially this area. I mean, I know a lot more than the average user, but I haven't been around computers to know as much as I would like. I am trying to learn and have learned a helluva lot this past year, so if it begins to annoy you I apologize beforehand.

Any further help will greatly help me. I need specific details in regards to procedure and a definitive route. Thanks and sorry if I caused any internal harm.

Overdo: I HAVE tried reinstalling, but I get an error that tells me to reinstall. I think my setup executable may be corrupt or Norton is blocking a certain file (which I had it delete earlier in the process).

NOTE: The only thing left to delete is the manav.dll. I only want to get rid of it because my virus software keeps detecting it and I want it out of the way. The manav.exe was deleted and no longer loads on startup. As far as I can tell, it is no longer in memory. I have not seen it in the last 2 days when using Task Manager or PRCview (thanx Rickio, lol).

If you need any more specs, just ask. I have AIDA on my system.

aqlo
March 17th, 2003, 08:11 PM
Rahwgwar what happens if you rename the file, will it allow that? that may be enough to keep it from loading on the next pass. Moving it is also good, on the same drive.

The reason these things may work in some cases where deleting the file will not is because a loaded object is linked to data inside the file which can't be deleted; when you ren/move you are just touching your FAT, not the actual file.

Rahwgwar
March 17th, 2003, 08:17 PM
Originally posted by aqlo
Rahwgwar what happens if you rename the file, will it allow that? that may be enough to keep it from loading on the next pass. Moving it is also good, on the same drive.

The reason these things may work in some cases where deleting the file will not is because a loaded object is linked to data inside the file which can't be deleted; when you ren/move you are just touching your FAT, not the actual file.

No I tried renaming and deleting but access was still denied (same msg as the screenshot I posted). It won't let me modify it in any way and even Norton couldn't quarantine it.

I changed properties and checked to see if it needed a password but nothing showed there.

Remember, I'm not worried about it being loaded into memory. I deleted the .exe and I don't see any reason why the dll would load. I think I have that part pretty much under control. The only thing I'm interested in is to get rid of it in order to stop my a/v software from going berserk every 10 minutes. Then I can continue my normal tasks and everything will be normal again, hehe.

I hope I have made this abundantly clear. It's not a real virus. Ontrack and Norton suspect it of being a virus, but it's really not. I have checked this. It's only what is left over from my keylogger.

I cannot find a way to make Ontrack and Norton permanently ignore it. Therefore I want it deleted or disabled and useless. I see no harm the dll is causing and I believe it is the last remnant left of my keylogger. Thanks again.

cpugeniusmv
March 17th, 2003, 08:25 PM
boot into 3) Start in safe mode (with command prompt)

then use these commands:

cd\
cd windows
cd system32
del manav.dll
then hit Ctrl+Alt+Del to restart.

if that doesn't work, i'd be willing to have a 'remote assistance' session with you to see what i can do, and explain what i did afterwards.

Rahwgwar
March 17th, 2003, 08:31 PM
Originally posted by cpugeniusmv
boot into 3) Start in safe mode (with command prompt)

then use these commands:

cd\
cd windows
cd system32
del manav.dll
then hit Ctrl+Alt+Del to restart.

if that doesn't work, i'd be willing to have a 'remote assistance' session with you to see what i can do, and explain what i did afterwards.

Ahh.....remote assistance. Another great feature introduced in XP (or so I believe). I've been wary of this in the past only because of security reasons.

I'll get back to you on that one and see what I can do. I'm gonna try to get safe mode going if I can. I'll let you know when I can. Gracias.

aqlo
March 17th, 2003, 08:33 PM
Cpug has it right

If it won't delete there, it may be write-protected; enter attrib -h -r -s manav.dll. If it still won't delete after that, the disk is corrupt somehow; run scandisk or chkdsk, but I would hope you did that already.

Rickio
March 17th, 2003, 08:41 PM
yup Cpug has it right but you need to get a boot disc or a DOS disc.

I have downloaded a boot disc off the net before and used it. I am sure someone here will point it out and it's best you delete it yourself so you can learn, and you are almost there.


search google for boot disc. you might need it in the future and it's good to have.
Ok here is a place to get a good generic boot disc to solve your problems.

http://bootdisk.com

cpugeniusmv
March 17th, 2003, 09:07 PM
i would also recommend doing that from a boot disk if possible...

but has he mentioned whether he is using ntfs or fat32?

if you're using ntfs, you'll need another utility such as ntfsdos to see it in dos.

aqlo
March 17th, 2003, 09:14 PM
Rickio that's the wrong link, it just pipes through to a gamez site

you want http://bootdisk.com instead

PS: there is a ntfs disk at the site

Rahwgwar
March 17th, 2003, 09:26 PM
Ok, I'm sure this is a stupid as hell question, but I'm gonna ask anyway. Which boot disk should I download and how many?

I'm using NTFS. Where can I get ntfsDOS?

aqlo: Yeah, I figured it out after a search in Google. Thanks.

Rickio
March 17th, 2003, 09:27 PM
Originally posted by aqlo
Rickio that's the wrong link, it just pipes through to a gamez site

you want http://bootdisk.com instead

PS: there is a ntfs disk at the site
Weird, well this is a better site

http://www.startdisk.com/Web1/ubd/ubd.htm


check this out

also if you need to access ntfs try CIA.Commander.
http://www.datapol-technologies.com/en/Products/Business/CIACommander/main.htm

PM me if you want a copy.

Thanks aqlo, I did make a typo