
Can't remove aegis keylogger - pls help

I have been away from my computer for 3 weeks, during which time a friend has been using my machine. Upon returning I started to clean up my machine - anti-virus, spyware etc. After cleaning out a number of trojans and spyware, I have found that I have reduced my problems down to one - aegis, which I pick up on Spybot every time I boot. At this point Spybot says that it cannot remove it because it's actively in/using memory and may remove it when rebooted, but this never happens.

According to Spybot the problem lies in HKEY_CURRENT_CONFIG\Display\Settings\ but I have no idea how to get rid of this thing and would appreciate any help. The only other reference to this problem I found was in another discussion (refer to: http://www.opentechsupport.net/forums/showthread.php?threadid=29102 ), but in reading this there doesn't seem to be any solution other than reformatting my machine.

Any suggestions?

Thanks.

try here
Also try..

to scan using Ad-Aware SE and Spybot Search & Destroy in Safe Mode.

If those programs will not succeed in removing the offending file, please write the exact location of the offending item. If possible, write everything that Spybot Search & Destroy shows after the scan (threat name, complete location of the offending file, etc.)

Have you tried scanning using an online scan? That might help: http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php or http://www.pandasoftware.es/activescan/activescan-com.asp

Totally Desperate ?
the problem remains......

First of all, thanks for the advice. I have gone through and tried most of them to no avail. Each time upon booting, Spybot runs and diagnoses two problems: firstly AE Covert Operations Monitor (aka aegis), one entry, and DSO Exploit, 5 entries. I run the fix program each time and it says the DSO entries are fixed, but then they appear each time I boot, and the AE cannot be fixed because it is running in memory. Aside from this, Spybot also picks up the other anti-adware/spyware programs that I have installed in the course of trying to solve this problem.

What I have done after reading your responses is as follows:

Firstly, I tried booting in safe mode and running Spybot and Ad-Aware. This gave much the same result as a normal boot. Spybot identified the problems and attempted to fix them, but upon re-booting they were found again. Ad-Aware found one critical object, Alexa, a data miner in the registry, which seems to be gone now, but that's all.

Secondly, I tried the two internet scan suggestions of Donna but they yielded nothing.

Thirdly, I downloaded and tried SpyHunter, which identified some cookies and files, but the downloaded version doesn't remove things. What with this current problem, I am reluctant to put anything like credit card details over the net to purchase anything.

Fourthly, I have downloaded Anti-Keylogger but this doesn't seem to solve the problem.

Fifth, I tried looking with CodeStuff Starter but I can't see anything that looks suspicious. Then again, if this thing's purpose is to lurk in the background I don't think it's going to identify itself easily.

My last resort is to follow Donna's suggestion if these steps didn't work, namely to post the details of the Spybot scan. So here are the results of the most recent scan:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-854245398-839522115-2147143203-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

AE Covert Operation Monitor: Settings (Registry key, nothing done)
HKEY_CURRENT_CONFIG\Display\Settings\?

NoAdware: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE5B8E34-973C-4FBE-AC83-99F064009FC7}

SpyHunter: Program group (Directory, nothing done)
C:\Program Files\Enigma Software Group\

SpyHunter: Program file (File, nothing done)
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

SpyHunter: Autorun settings (SpyHunter) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpyHunter


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\LSP.sbi
2004-11-29 Includes\Cookies.sbi
2005-01-27 Includes\Dialer.sbi
2005-01-27 Includes\Hijackers.sbi
2005-01-11 Includes\Keyloggers.sbi
2005-01-27 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-27 Includes\Spybots.sbi
2005-01-27 Includes\Trojans.sbi
2004-11-29 Includes\Tracks.uti


Since discovering this problem I have avoided using IE altogether and am now using Firefox. While I am sure this stop-gap measure may be OK for the short term, it still does not solve the problem. So any suggestions on what to do would be most appreciated.

I would also like to ask the forum about the nature of this malicious aegis code. Is there any literature on how it works, how to counter it, or even how to trace who installed it and to whom it is sending this information?

Thank you.
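The scan report above names two registry locations but shows only Spybot's verdict on them. The following PowerShell script is an added example (not from the thread or from Spybot) that reads those locations directly so the poster can see what is actually there. It assumes the report notation `1004!=W=3` means "DWORD value 1004 under Internet zone 0 is not 3" (reading `W` as DWORD is an assumption), and it does not modify anything.

```powershell
# Added example (not from the thread): a read-only look at the two registry
# locations named in the Spybot 1.3 report above. Nothing is changed.
#
# DSO Exploit lines have the form
#     HKEY_USERS\<hive>\...\Internet Settings\Zones\0\1004!=W=3
# read here as: DWORD value "1004" under Internet zone 0 of that hive is
# not 3 (interpreting "W" as DWORD is an assumption). The report lists the
# .DEFAULT, S-1-5-18/19/20 and one real user hive, so the first part prints
# the value and its type in every loaded HKEY_USERS hive.
#
# The AE Covert Operation Monitor line points at
#     HKEY_CURRENT_CONFIG\Display\Settings\?
# without naming the subkey, so the second part dumps that key, its values
# and all subkeys to show what is really under it.
#
# Run from an elevated PowerShell so every hive is readable.

$zoneSubkey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$valueName  = '1004'
$expected   = 3          # what Spybot's "!=W=3" says the value should be

Write-Host "== Zones\0\$valueName in each loaded HKEY_USERS hive =="
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }          # per-user HKCR overlays, not relevant
    $key = "Registry::HKEY_USERS\$sid\$zoneSubkey"
    if (-not (Test-Path $key)) {
        Write-Host ("{0,-48} no Zones\0 key" -f $sid)
        continue
    }
    $k = Get-Item -Path $key
    if ($k.GetValueNames() -notcontains $valueName) {
        # Missing entirely: a hive that never ran IE will look like this
        Write-Host ("{0,-48} {1} missing (Spybot flags this)" -f $sid, $valueName)
        continue
    }
    $data = $k.GetValue($valueName)
    $kind = $k.GetValueKind($valueName)               # DWord, String, ...
    $status = if ($kind -eq 'DWord' -and $data -eq $expected) { 'OK' } else { "differs from expected DWORD $expected" }
    Write-Host ("{0,-48} {1} = {2} ({3}) {4}" -f $sid, $valueName, $data, $kind, $status)
}

Write-Host ""
Write-Host "== HKEY_CURRENT_CONFIG\Display\Settings and everything below it =="
$display = 'Registry::HKEY_CURRENT_CONFIG\Display\Settings'
if (Test-Path $display) {
    foreach ($k in @(Get-Item -Path $display) + @(Get-ChildItem -Path $display -Recurse)) {
        Write-Host $k.Name
        foreach ($name in $k.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            Write-Host ("    {0} = {1}  [{2}]" -f $label, $k.GetValue($name), $k.GetValueKind($name))
        }
    }
} else {
    Write-Host "  key does not exist on this machine"
}
```

The type column matters: a `1004` value that holds the right number but is stored as a string rather than a DWORD will still differ from what the report demands, and the `Display\Settings` dump is the quickest way to find out which subkey the `?` in Spybot's output stands for before deciding whether it is worth touching.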

What is DSO Exploit?
Good Luck
AE Covert Operation Monitor

It's late here - but I did a search for it - have a look here:

AE Covert Operation Monitor Search

DSO Exploit - download the DSO Exploit Fix - HOTFIX here, let it fix the DSO Exploits, reboot and run it again.

You may be using wrong version of S&D
AE Covert Operation Monitor

As per Spybot Search & Destroy's Threat KB:

AE Covert Operation Monitor
Functionality: Monitors keystrokes, window names, internet activity, makes desktop screenshots.
Description: Stealth, password protected.

http://www.safer-networking.org/en/threats/125.html

In Spybot Search & Destroy official forum, there are reports on this keylogger being detected but removal failed too
See http://forums.net-integration.net/index.php?act=Search&CODE=show&searchid=2b2e5f5f2fb65ffb2bc05704653265f8&search_in=posts&result_type=topics&highlite=covert+operation+monitor

Try to view your Add/Remove Programs for: AE Covert Operations. If it is listed uninstall it.

Patch your Spybot Search & Destroy (see Marianna and badabing's posts). Scan again.

Also give TrojanHunter a try to scan the system - http://www.trojanhunter.com/

In Google Groups, the same person has that, and HijackThis wouldn't show the registry entry that Spybot Search & Destroy flagged as AE Covert Operation Monitor, but you can try to post your HijackThis log in forums that offer HijackThis analysis. See How to use HijackThis and where to post the log.

As for SpyHunter, it is flagged because it is not a recommended program. Please see http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note
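The reply above suggests checking Add/Remove Programs for an "AE Covert Operations" entry and posting a HijackThis log. The following PowerShell script is an added example (not from the thread, and not HijackThis) that does the registry side of both checks: it searches the Uninstall keys behind Add/Remove Programs for a name pattern and lists every Run/RunOnce autostart value for the machine and each loaded user hive. The default pattern `AE Covert|aegis` is an assumption taken from the names used in this thread; the script reads only.

```powershell
# Added example (not from the thread): two of the checks suggested in the
# reply above, done from PowerShell instead of by hand.
#   1. Look through Add/Remove Programs (the Uninstall keys) for an entry
#      whose name or uninstall command matches a pattern. The reply says to
#      look for "AE Covert Operations"; the default pattern is an assumption.
#   2. List the Run/RunOnce autostart values for the machine and for every
#      loaded user hive, which is the part of a HijackThis log (the O4 lines)
#      that shows what starts with Windows. The SpyHunter Run value that
#      Spybot reported above would appear here.
# Read-only. Run as Administrator so all HKEY_USERS hives are readable.

param(
    [string]$Pattern = 'AE Covert|aegis'   # case-insensitive regex; assumed name
)

$uninstallKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$runSubkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Add/Remove Programs entries matching /$Pattern/ =="
$hits = foreach ($root in $uninstallKeys) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $entry.PSPath
        # Match on the visible name or on the uninstall command line, which
        # can reveal the install directory even when the name is innocuous.
        if (($p.DisplayName -match $Pattern) -or ($p.UninstallString -match $Pattern)) {
            [pscustomobject]@{
                Key             = $entry.PSChildName   # e.g. a {GUID}, like the NoAdware entry above
                DisplayName     = $p.DisplayName
                UninstallString = $p.UninstallString
            }
        }
    }
}
if ($hits) { $hits | Format-List } else { Write-Host "  none found" }

Write-Host "== Autostart (Run / RunOnce) values, machine and per-user =="
# Hives to inspect: HKLM plus every loaded HKEY_USERS hive (skipping the
# per-user *_Classes overlays, which hold no autostart keys).
$hives = @('Registry::HKEY_LOCAL_MACHINE') +
    @(Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

foreach ($hive in $hives) {
    foreach ($sub in $runSubkeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = $item.GetValue($name)
            $flag = if ($cmd -match $Pattern) { '  <-- matches pattern' } else { '' }
            Write-Host ("{0}\{1}" -f $key, $name)
            Write-Host ("    {0}{1}" -f $cmd, $flag)
        }
    }
}
```

Run it as `.\autostart-check.ps1` for the default pattern or `.\autostart-check.ps1 -Pattern 'covert'` to widen the search. Every Run/RunOnce value is printed, not only the matches, because a keylogger installed under a friend's account will sit in that user's hive rather than in HKLM, and a name that gives nothing away is only caught by reading the command line behind it.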

....and it remains

After the last batch of replies I read up on all of the links, threads and discussions I could find. Some of them I had come across before, but in the end there basically seems to be no answer to removing AE Covert Operations Monitor. Does this mean I have to reformat my machine?

Just for your reference, I updated Spybot to fix the DSO problem, which it did successfully. Not only did it fix this problem but it highlighted more nasties lurking in my machine (33 in total!). So far it seems that they are now dealt with.

I also downloaded and installed Trojan Hunter Guard and found another 5 trojans in my system. These too seem, at least for the moment, to be gone.

One other piece of software I downloaded was XoftSpy, which yielded nothing. I should also note this was installed and run before TrojanHunter Guard.

For all the help so far in de-bugging my machine I would like to offer a big thanks to all those who have taken time to respond to my questions.

Lastly though does anyone have any more hints on what I could possibly do to remove AE?

Thanks

hmmm,
That application was taken
The official forum doesn't have resolved info

on how to deal with it.
Could be because there is no new report about it. I mean, the latest post made is July 2004: http://forums.net-integration.net/index.php?showtopic=20347

Try creating a new topic in their official forum to ask them about this AE Covert Operation Monitor to hopefully get answer from Spybot Team or from the author himself.

Good to know that TrojanHunter dealt with the 5 trojans properly.

thanks....

for all the help and suggestions. Once again CNET has been a great source of assistance.

One last thing: in the last notice Donna mentioned posting in the official forum. By this do you mean Spybot's official forum or some other forum?

Thanks

The link that Donna gave you is
ok

Thanks, when I read the message I wasn't sure if she meant that forum or not. OK, will post there later.

(NT) You're welcome, good luck.
