SPYWARE_KEYL_NICESOFT.KEYLOGGER

October 08, 2012

Analysis by: adel

PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003

OVERALL RISK RATING:

REPORTED INFECTION:

SYSTEM IMPACT RATING:

INFORMATION EXPOSURE:

Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes

OVERVIEW

This spyware logs a user's keystrokes to steal information.

TECHNICAL DETAILS

File Size:

Varies

Memory Resident:

Yes

Initial Samples Received Date:

28 Aug 2007

Installation

This spyware drops the following file(s)/component(s):

%Desktop%\NS Keylogger Personal Monitor.lnk
%Documents and Settings%\All Users\Start Menu\Programs\NS Keylogger Personal Monitor\Help Document.lnk
%Documents and Settings%\All Users\Start Menu\Programs\NS Keylogger Personal Monitor\NiceSoft Anti-Monitoring&Monitoring Technology.lnk
%Documents and Settings%\All Users\Start Menu\Programs\NS Keylogger Personal Monitor\NS Keylogger Personal Monitor Homepage.lnk
%Documents and Settings%\All Users\Start Menu\Programs\NS Keylogger Personal Monitor\NS Keylogger Personal Monitor.lnk
%Documents and Settings%\All Users\Start Menu\Programs\NS Keylogger Personal Monitor\Order NS Keylogger Personal Monitor Now.lnk
%Documents and Settings%\All Users\Start Menu\Programs\NS Keylogger Personal Monitor\Uninstall NS Keylogger Personal Monitor.lnk
%Program Files%\NS Keylogger Personal Monitor\configs.ini
%Program Files%\NS Keylogger Personal Monitor\data\appdata.dat
%Program Files%\NS Keylogger Personal Monitor\data\appdata.dll
%Program Files%\NS Keylogger Personal Monitor\data\assdata.dat
%Program Files%\NS Keylogger Personal Monitor\data\log1.gif
%Program Files%\NS Keylogger Personal Monitor\data\logsbk.bmp
%Program Files%\NS Keylogger Personal Monitor\data\pass1.gif
%Program Files%\NS Keylogger Personal Monitor\gdiplus.dll
%Program Files%\NS Keylogger Personal Monitor\init\images\BD10263_.gif
%Program Files%\NS Keylogger Personal Monitor\init\images\BD15061_.gif
%Program Files%\NS Keylogger Personal Monitor\init\images\j0115844.gif
%Program Files%\NS Keylogger Personal Monitor\init\images\j0195812.wmf
%Program Files%\NS Keylogger Personal Monitor\init\images\nskeylogger_sh1.gif
%Program Files%\NS Keylogger Personal Monitor\init\images\welcomebk.bmp
%Program Files%\NS Keylogger Personal Monitor\init\welcome.htm
%Program Files%\NS Keylogger Personal Monitor\keylogger.dll
%Program Files%\NS Keylogger Personal Monitor\logs\log.txt
%Program Files%\NS Keylogger Personal Monitor\Manual.chm
%Program Files%\NS Keylogger Personal Monitor\messenger.dll
%Program Files%\NS Keylogger Personal Monitor\NiceSoft Anti-Monitoring&Monitoring Technology.url
%Program Files%\NS Keylogger Personal Monitor\NS Keylogger Personal Monitor Homepage.url
%Program Files%\NS Keylogger Personal Monitor\Order NS Keylogger Personal Monitor Now.url
%Program Files%\NS Keylogger Personal Monitor\unins000.dat
%Program Files%\NS Keylogger Personal Monitor\unins000.exe

(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops and executes the following files:

%Program Files%\NS Keylogger Personal Monitor\services.exe
%Program Files%\NS Keylogger Personal Monitor\winlogon.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SysService = "%Program Files%\NS Keylogger Personal Monitor\services.exe"

Other System Modifications

This spyware adds the following registry entries:

HKEY_CLASSES_ROOT\CLSID\ {0D821067-FCF9-4704-9287-0D8F76FE6513}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {10E321CC-683E-4060-B938-4F53234D9593}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {252A0AFD-BA48-4CA3-98AD-022B58BD0185}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {3D1F63A7-CE32-46EC-8E45-53733227E71B}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {53DECA78-C334-4235-9165-1FE7D8912A76}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {552D3DF3-F32A-459A-8C26-45AD5C1D987C}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {69B1417C-A1EB-4049-86B8-9CBE318E2B1D}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {761EA5D9-5171-432D-99A7-282109373EB8}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {81CA5571-C109-47AE-BE1C-2DF9CB8999FF}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {83C02270-7BC9-444E-ADBF-E7AEBA849154}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {8B7971F3-4BD8-43A4-A432-5A80DB640BA9}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {90D0A753-AD45-40FD-8C6E-555600EE5EB4}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {AC3F1977-CD10-41B2-9977-7693A4C13377}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {AED3A6B3-2171-11D2-B77C-0008C73ACA8F}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {B1CC9084-0177-4136-9B1B-C06C061F1E1D}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {BDAEB579-3B30-46BF-9BFD-D2F48862BB84}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {BF9BCED1-67F2-43DE-8351-16DF6520B7BC}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {DBAAEA4B-AD29-47BD-8776-C787D5BE28AA}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {E5FF9F62-0E7C-4372-8AD5-DA7D2418070C}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {F4C9FA0B-4E73-41B4-BBBB-B680AB4F9C9D}
(Default) =

HKEY_CLASSES_ROOT\CLSID\ {F812B147-0E26-4222-8EE4-9F753CD2B39C}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {08B9999C-DAD2-4353-B25B-8CCAFFCA4D16
(Default) =

HKEY_CLASSES_ROOT\Interface\ {0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {14E61A41-8846-11D2-B7E4-0008C73ACA8F}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {1E6D8684-755D-4847-BF40-68EC5E4BC1E9}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {23E86816-772B-4B28-A924-A135CFF6469A}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {3A037057-57F0-4904-A1E0-AD0EA2FB564E}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {41DBA1FA-44F6-4BD5-82DF-1A7FDEA0475D}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {56930358-AD72-408F-83C4-A2B0DC8037B2}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {607A06FE-2FDA-4ADC-854D-D016D98D83DB}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {65C53BE7-ED21-4C25-B189-DA0E8FAD5231}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {684130B2-2B8A-4E8D-BE71-8F4052882076}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {952F0B99-50B6-44B3-AE0D-700D5B98B416}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {AED3A6B1-2171-11D2-B77C-0008C73ACA8F}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}
(Default) =

HKEY_CLASSES_ROOT\Interface\ {E05AEA1E-BCB1-473A-8B2A-4829D9E1AD23}
(Default) =

HKEY_CLASSES_ROOT\jmail.Attachment
(Default) =

HKEY_CLASSES_ROOT\jmail.Headers
(Default) =

HKEY_CLASSES_ROOT\jmail.MailMerge
(Default) =

HKEY_CLASSES_ROOT\jmail.Message
(Default) =

HKEY_CLASSES_ROOT\jmail.PGPDecodeResult
(Default) =

HKEY_CLASSES_ROOT\jmail.PGPDecodeResultCollection
(Default) =

HKEY_CLASSES_ROOT\jmail.PGPDecodeResults
(Default) =

HKEY_CLASSES_ROOT\jmail.POP3
(Default) =

HKEY_CLASSES_ROOT\jmail.Recipient
(Default) =

HKEY_CLASSES_ROOT\jmail.Recipients
(Default) =

HKEY_CLASSES_ROOT\jmail.SMTPMail
(Default) =

HKEY_CLASSES_ROOT\jmail.SpeedMailer
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.AboutBox
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.AboutBox.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.Explorer
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.Explorer.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.HotkeyControl
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.HotkeyControl.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.LoginBox
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.LoginBox.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.MailSetting
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.MailSetting.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.MonitorControl
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.MonitorControl.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.PasswordControl
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.PasswordControl.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.RegisterBox
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.RegisterBox.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.RegisterTip
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.RegisterTip.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.SetPasswordBox
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.SetPasswordBox.1
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.SettingBox
(Default) =

HKEY_CLASSES_ROOT\NiceRecorderDll.SettingBox.1
(Default) =

HKEY_CLASSES_ROOT\TypeLib\ {6E9B9701-EDEF-4D00-804C-FD23644C0131}
(Default) =

HKEY_CLASSES_ROOT\TypeLib\ {AED3A6B0-2171-11D2-B77C-0008C73ACA8F}
(Default) =

Information Theft

This spyware logs a user's keystrokes to steal information.

Other Details

This spyware adds the following registry entries to add an uninstall option to the Control Panel:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
DisplayName = "NS Keylogger Personal Monitor 3.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
HelpLink = "http://www.{BLOCKED}oft.com/"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
Inno Setup: App Path = "%Program Files%\NS Keylogger Personal Monitor"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
Inno Setup: Icon Group = "NS Keylogger Personal Monitor"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
InstallLocation = "%Program Files%\NS Keylogger Personal Monitor"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
Publisher = "NiceSoft STUDIO Security Technology , Inc."
QuietUninstallString = "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
UninstallString = "%Program Files%\NS Keylogger Personal Monitor\unins000.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
URLInfoAbout = "http://www.{BLOCKED}oft.com/"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
NS Keylogger Personal Monitor_is1
URLUpdateInfo = "http://www.{BLOCKED}oft.com/"

Based on analysis of the codes, it has the following capabilities:

Capture screen information on every mouse click
Captures AOL, AIM, Yahoo!, ICQ chats
Captures the passwords
Log text strings typed in every application, websites visited
Monitors computer activity
Perform a visual surveillance by capturing screenshots
Perform remote installation, update, or uninstallation without a user’s consent
Record contents of password-protected Web pages, including Web mail messages
Record keystrokes from certain applications
Run in invisible mode

SOLUTION

Minimum Scan Engine:

8.000

VSAPI OPR PATTERN File:

6.963.00

VSAPI OPR PATTERN Date:

31 Mar 2010

Step 1

Terminate this process

[ Learn More ]

For Windows 98 and ME users, the Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

%Program Files%\NS Keylogger Personal Monitor

Step 2

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- SysService = %Program Files%\NS Keylogger Personal Monitor\services.exe

DATA_GENERIC_KEY

In the right panel, locate and delete the entry:
DATA_GENERIC_ENTRY

Close Registry Editor.

Step 3

Delete this registry key

[ Learn More ]

In HKEY_CLASSES_ROOT\CLSID\
- {0D821067-FCF9-4704-9287-0D8F76FE6513}
In HKEY_CLASSES_ROOT\CLSID\
- {10E321CC-683E-4060-B938-4F53234D9593}
In HKEY_CLASSES_ROOT\CLSID\
- {252A0AFD-BA48-4CA3-98AD-022B58BD0185}
In HKEY_CLASSES_ROOT\CLSID\
- {3D1F63A7-CE32-46EC-8E45-53733227E71B}
In HKEY_CLASSES_ROOT\CLSID\
- {53DECA78-C334-4235-9165-1FE7D8912A76}
In HKEY_CLASSES_ROOT\CLSID\
- {552D3DF3-F32A-459A-8C26-45AD5C1D987C}
In HKEY_CLASSES_ROOT\CLSID\
- {69B1417C-A1EB-4049-86B8-9CBE318E2B1D}
In HKEY_CLASSES_ROOT\CLSID\
- {761EA5D9-5171-432D-99A7-282109373EB8}
In HKEY_CLASSES_ROOT\CLSID\
- {81CA5571-C109-47AE-BE1C-2DF9CB8999FF}
In HKEY_CLASSES_ROOT\CLSID\
- {83C02270-7BC9-444E-ADBF-E7AEBA849154}
In HKEY_CLASSES_ROOT\CLSID\
- {8B7971F3-4BD8-43A4-A432-5A80DB640BA9}
In HKEY_CLASSES_ROOT\CLSID\
- {90D0A753-AD45-40FD-8C6E-555600EE5EB4}
In HKEY_CLASSES_ROOT\CLSID\
- {A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}
In HKEY_CLASSES_ROOT\CLSID\
- {AC3F1977-CD10-41B2-9977-7693A4C13377}
In HKEY_CLASSES_ROOT\CLSID\
- {AED3A6B3-2171-11D2-B77C-0008C73ACA8F}
In HKEY_CLASSES_ROOT\CLSID\
- {B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F}
In HKEY_CLASSES_ROOT\CLSID\
- {B1CC9084-0177-4136-9B1B-C06C061F1E1D}
In HKEY_CLASSES_ROOT\CLSID\
- {B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}
In HKEY_CLASSES_ROOT\CLSID\
- {BDAEB579-3B30-46BF-9BFD-D2F48862BB84}
In HKEY_CLASSES_ROOT\CLSID\
- {BF9BCED1-67F2-43DE-8351-16DF6520B7BC}
In HKEY_CLASSES_ROOT\CLSID\
- {DBAAEA4B-AD29-47BD-8776-C787D5BE28AA}
In HKEY_CLASSES_ROOT\CLSID\
- {E5FF9F62-0E7C-4372-8AD5-DA7D2418070C}
In HKEY_CLASSES_ROOT\CLSID\
- {F4C9FA0B-4E73-41B4-BBBB-B680AB4F9C9D}
In HKEY_CLASSES_ROOT\CLSID\
- {F812B147-0E26-4222-8EE4-9F753CD2B39C}
In HKEY_CLASSES_ROOT\Interface\
- {08B9999C-DAD2-4353-B25B-8CCAFFCA4D16}
In HKEY_CLASSES_ROOT\Interface\
- {0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}
In HKEY_CLASSES_ROOT\Interface\
- {14E61A41-8846-11D2-B7E4-0008C73ACA8F}
In HKEY_CLASSES_ROOT\Interface\
- {1E6D8684-755D-4847-BF40-68EC5E4BC1E9}
In HKEY_CLASSES_ROOT\Interface\
- {23E86816-772B-4B28-A924-A135CFF6469A}
In HKEY_CLASSES_ROOT\Interface\
- {3A037057-57F0-4904-A1E0-AD0EA2FB564E}
In HKEY_CLASSES_ROOT\Interface\
- {41DBA1FA-44F6-4BD5-82DF-1A7FDEA0475D}
In HKEY_CLASSES_ROOT\Interface\
- {56930358-AD72-408F-83C4-A2B0DC8037B2}
In HKEY_CLASSES_ROOT\Interface\
- {607A06FE-2FDA-4ADC-854D-D016D98D83DB}
In HKEY_CLASSES_ROOT\Interface\
- {65C53BE7-ED21-4C25-B189-DA0E8FAD5231}
In HKEY_CLASSES_ROOT\Interface\
- {684130B2-2B8A-4E8D-BE71-8F4052882076}
In HKEY_CLASSES_ROOT\Interface\
- {821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}
In HKEY_CLASSES_ROOT\Interface\
- {952F0B99-50B6-44B3-AE0D-700D5B98B416}
In HKEY_CLASSES_ROOT\Interface\
- {AED3A6B1-2171-11D2-B77C-0008C73ACA8F}
In HKEY_CLASSES_ROOT\Interface\
- {B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}
In HKEY_CLASSES_ROOT\Interface\
- {CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}
In HKEY_CLASSES_ROOT\Interface\
- {E05AEA1E-BCB1-473A-8B2A-4829D9E1AD23}
In HKEY_CLASSES_ROOT\
- jmail.Attachment
In HKEY_CLASSES_ROOT\
- jmail.Headers
In HKEY_CLASSES_ROOT\
- jmail.MailMerge
In HKEY_CLASSES_ROOT\
- jmail.Message
In HKEY_CLASSES_ROOT\
- jmail.PGPDecodeResult
In HKEY_CLASSES_ROOT\
- jmail.PGPDecodeResultCollection
In HKEY_CLASSES_ROOT\
- jmail.PGPDecodeResults
In HKEY_CLASSES_ROOT\
- jmail.POP3
In HKEY_CLASSES_ROOT\
- jmail.Recipient
In HKEY_CLASSES_ROOT\
- jmail.Recipients
In HKEY_CLASSES_ROOT\
- jmail.SMTPMail
In HKEY_CLASSES_ROOT\
- jmail.SpeedMailer
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.AboutBox
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.AboutBox.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.Explorer
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.Explorer.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.HotkeyControl
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.HotkeyControl.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.LoginBox
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.LoginBox.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.MailSetting
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.MailSetting.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.MonitorControl
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.MonitorControl.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.PasswordControl
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.PasswordControl.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.RegisterBox
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.RegisterBox.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.RegisterTip
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.RegisterTip.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.SetPasswordBox
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.SetPasswordBox.1
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.SettingBox
In HKEY_CLASSES_ROOT\
- NiceRecorderDll.SettingBox.1
In HKEY_CLASSES_ROOT\TypeLib\
- {6E9B9701-EDEF-4D00-804C-FD23644C0131}
In HKEY_CLASSES_ROOT\TypeLib\
- {AED3A6B0-2171-11D2-B77C-0008C73ACA8F}

To delete the registry key this malware/grayware created:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID>
Still in the left panel, locate and delete the key:
{0D821067-FCF9-4704-9287-0D8F76FE6513}
Again Still in the left panel, locate and delete the key:
{10E321CC-683E-4060-B938-4F53234D9593}
Again Still in the left panel, locate and delete the key:
{252A0AFD-BA48-4CA3-98AD-022B58BD0185}
Again Still in the left panel, locate and delete the key:
{3D1F63A7-CE32-46EC-8E45-53733227E71B}
Again Still in the left panel, locate and delete the key:
{53DECA78-C334-4235-9165-1FE7D8912A76}
Again Still in the left panel, locate and delete the key:
{552D3DF3-F32A-459A-8C26-45AD5C1D987C}
Again Still in the left panel, locate and delete the key:
{69B1417C-A1EB-4049-86B8-9CBE318E2B1D}
Again Still in the left panel, locate and delete the key:
{761EA5D9-5171-432D-99A7-282109373EB8}
Again Still in the left panel, locate and delete the key:
{81CA5571-C109-47AE-BE1C-2DF9CB8999FF}
Again Still in the left panel, locate and delete the key:
{83C02270-7BC9-444E-ADBF-E7AEBA849154}
Again Still in the left panel, locate and delete the key:
{8B7971F3-4BD8-43A4-A432-5A80DB640BA9}
Again Still in the left panel, locate and delete the key:
{90D0A753-AD45-40FD-8C6E-555600EE5EB4}
Again Still in the left panel, locate and delete the key:
{A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}
Again Still in the left panel, locate and delete the key:
{AC3F1977-CD10-41B2-9977-7693A4C13377}
Again Still in the left panel, locate and delete the key:
{AED3A6B3-2171-11D2-B77C-0008C73ACA8F}
Again Still in the left panel, locate and delete the key:
{B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F}
Again Still in the left panel, locate and delete the key:
{B1CC9084-0177-4136-9B1B-C06C061F1E1D}
Again Still in the left panel, locate and delete the key:
{B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}
Again Still in the left panel, locate and delete the key:
{BDAEB579-3B30-46BF-9BFD-D2F48862BB84}
Again Still in the left panel, locate and delete the key:
{BF9BCED1-67F2-43DE-8351-16DF6520B7BC}
Again Still in the left panel, locate and delete the key:
{DBAAEA4B-AD29-47BD-8776-C787D5BE28AA}
Again Still in the left panel, locate and delete the key:
{E5FF9F62-0E7C-4372-8AD5-DA7D2418070C}
Again Still in the left panel, locate and delete the key:
{F4C9FA0B-4E73-41B4-BBBB-B680AB4F9C9D}
Again Still in the left panel, locate and delete the key:
{F812B147-0E26-4222-8EE4-9F753CD2B39C}
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>Interface>
Still in the left panel, locate and delete the key:
{08B9999C-DAD2-4353-B25B-8CCAFFCA4D16}
Again Still in the left panel, locate and delete the key:
{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}
Again Still in the left panel, locate and delete the key:
{14E61A41-8846-11D2-B7E4-0008C73ACA8F}
Again Still in the left panel, locate and delete the key:
{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}
Again Still in the left panel, locate and delete the key:
{23E86816-772B-4B28-A924-A135CFF6469A}
Again Still in the left panel, locate and delete the key:
{3A037057-57F0-4904-A1E0-AD0EA2FB564E}
Again Still in the left panel, locate and delete the key:
{41DBA1FA-44F6-4BD5-82DF-1A7FDEA0475D}
Again Still in the left panel, locate and delete the key:
{56930358-AD72-408F-83C4-A2B0DC8037B2}
Again Still in the left panel, locate and delete the key:
{607A06FE-2FDA-4ADC-854D-D016D98D83DB}
Again Still in the left panel, locate and delete the key:
{65C53BE7-ED21-4C25-B189-DA0E8FAD5231}
Again Still in the left panel, locate and delete the key:
{684130B2-2B8A-4E8D-BE71-8F4052882076}
Again Still in the left panel, locate and delete the key:
{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}
Again Still in the left panel, locate and delete the key:
{952F0B99-50B6-44B3-AE0D-700D5B98B416}
Again Still in the left panel, locate and delete the key:
{AED3A6B1-2171-11D2-B77C-0008C73ACA8F}
Again Still in the left panel, locate and delete the key:
{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}
Again Still in the left panel, locate and delete the key:
{CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}
Again Still in the left panel, locate and delete the key:
{E05AEA1E-BCB1-473A-8B2A-4829D9E1AD23}
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>
Still in the left panel, locate and delete the key:
jmail.Attachment
Again Still in the left panel, locate and delete the key:
jmail.Headers
Again Still in the left panel, locate and delete the key:
jmail.MailMerge
Again Still in the left panel, locate and delete the key:
jmail.Message
Again Still in the left panel, locate and delete the key:
jmail.PGPDecodeResult
Again Still in the left panel, locate and delete the key:
jmail.PGPDecodeResultCollection
Again Still in the left panel, locate and delete the key:
jmail.PGPDecodeResults
Again Still in the left panel, locate and delete the key:
jmail.POP3
Again Still in the left panel, locate and delete the key:
jmail.Recipient
Again Still in the left panel, locate and delete the key:
jmail.Recipients
Again Still in the left panel, locate and delete the key:
jmail.SMTPMail
Again Still in the left panel, locate and delete the key:
jmail.SpeedMailer
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.AboutBox
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.AboutBox.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.Explorer
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.Explorer.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.HotkeyControl
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.HotkeyControl.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.LoginBox
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.LoginBox.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.MailSetting
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.MailSetting.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.MonitorControl
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.MonitorControl.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.PasswordControl
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.PasswordControl.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.RegisterBox
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.RegisterBox.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.RegisterTip
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.RegisterTip.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.SetPasswordBox
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.SetPasswordBox.1
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.SettingBox
Again Still in the left panel, locate and delete the key:
NiceRecorderDll.SettingBox.1
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>TypeLib>
Still in the left panel, locate and delete the key:
{6E9B9701-EDEF-4D00-804C-FD23644C0131}
Again Still in the left panel, locate and delete the key:
{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}
Close Registry Editor.

Step 4

Scan your computer with your Trend Micro product to delete files detected as

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

SPYWARE_KEYL_NICESOFT.KEYLOGGER

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

SPYWARE_KEYL_NICESOFT.KEYLOGGER

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific