Thread: Help me uninstall Blogdesk, it's a keylogger

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    13

    Help me uninstall Blogdesk, it's a keylogger

    Hi forum,

    If you go to Blogdesk.org you might think this is great software...I thought so too, great for my blogging....but upon installing, ZoneAlarm alerted me that it's a keylogger.

    Makes sense, now why would it be free unless there was a catch? But I'll wait for you guys' final verdict..

    Then I searched Google for the term...Blogdesk is keylogger

    Sure enough, look at the results, very, very shady....

    I uninstalled it by Windows Add/Remove program...

    But wait...a bunch of shared files pop up and Windows asks me whether I want to remove those...

    Geez...those are Windows 32 files, so I said no except for the first one, I accidentally deleted....

    I'm afraid my PC got messed up a bit....and there are traces of this bad program still lurking there, and worse, I deleted a shared dll file...

    Please help me, if you got a test machine, can you duplicate the uninstall process and tell me how to uninstall this freaking thing and every trace while getting back all the dll files that are shared?

    And please pass the word if this is really a spyware/keylogger...lots of people can get caught by this...

  2. #2
    Junior Member
    Join Date
    Jul 2006
    Posts
    13

    People are recommending this software everywhere in blogs and forums...if it's bad, can you imagine the damage?

    Need urgent attention

  3. #3
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Hello.

    Quote, originally posted by Zippo:
        Makes sense, now why would it be free unless there was a catch?

    Our software program Spybot-S&D is free and there is no catch. We recommend several free programs here: "So how did I get infected in the first place?"

    But anyway, this is the malware removal forum and the procedure is here: "BEFORE you POST" (READ this Procedure before Requesting Assistance)

    Quote, originally posted by Zippo:
        I'm afraid my PC got messed up a bit....and there are traces of this bad program still lurking there, and worse, I deleted a shared dll file...

    Copy/paste the logs requested into this topic, and a helper will try to assist you when available.

    FYI for the future, if Spybot-S&D does not detect an item you consider malware:

    Zip or rar the file/s and send them to: detections(AT)spybot.info (Replace AT with @)

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    Jul 2006
    Posts
    13

    Hi Tashi,

    When I uninstalled it, I didn't think of copying the logs, I'm not good at this...unless you want me to install it all over again?

    But the program is located at the guy's site - http://blogdesk.org

    I'm not totally 100% sure if it's bad, but the signs are there:

    1) it embeds itself inside your dll files
    2) it's quite a large program (several megabytes) complete with WYSIWYG and the download is a .exe (And you tell me someone coded this by himself?)
    3) Most importantly, ZoneAlarm called it a keylogger...it could be wrong though
    4) If you register on the forum there, the German guy needs to approve you before you are accepted. Now what is he afraid of, if his software is clean and all good? In fact it sounds too good to be true, that we can remote post to our blogs using his totally free software, right? What does he get out of this?
    5) Search on Google and you'll see some dubious blogs and sites in non English talking about it...looks fishy all the way.

    I hope you guys really take a look at this program and examine it. Because the fact is, lots of people have already downloaded it, maybe thousands...and used it. If it is really malicious, then it could do a lot of harm out there...

    I really don't know, but hoping Spybot team take a closer look at it. It's several megabytes in size, so not really practical to send by email. The download word on his site is in big letters, so should be easy to acquire it.

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi Zippo,

    read the link Tashi provided and post a hjt log. could certainly be a false alarm on zone alarm's part.

    you're in luck, i love trojans and i would enjoy installing it to check it out. i've had enough of the smitfraud/vundo payloads.

    shelf life
    How Can I Reduce My Risk?

  6. #6
    Junior Member
    Join Date
    Jul 2006
    Posts
    13

    Hi Spybot Team,

    I've done as you said, finally figured out what you meant, and the scan from the etrust AV showed nothing, so there is no logfile.

    When I scanned with Spybot, it showed nothing except for the Windows firewall disabled, which I think happens ever since I used Zone Alarm. The funny thing is at that time the PC is running in safe mode, so don't know why it's still shut off....other spyware? Clicked yes to fix, and the Windows is still shut off after I restart the PC again....but besides that Spybot found nothing.

    Now the HJT log is as below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:34:02 AM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\PROGRA~1\SYMANT~1\VPTray.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Logitech\Profiler\lwemon.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "D:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Start WingMan Profiler] "D:\Program Files\Logitech\Profiler\lwemon.exe" /noui
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CABCFD5D-CD51-4568-97DE-324D4FA64090}: NameServer = 202.188.0.133 202.188.1.5
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 7001 bytes

    Thanks, and hope you can see what is wrong if any.
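
A small triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread and not code from Spybot or Trend Micro. The hint rules are this example's own heuristics (assumptions) that mark entries for a manual look rather than give a verdict; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Sample input: a few result lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# A result line is "<section code> - <details>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

# Review hints are this example's own heuristics, not HijackThis output.
HINTS = [
    (lambda code, body: body.endswith("(no file)"),
     "orphaned entry: the registered file is missing"),
    (lambda code, body: code == "O23" and " - Unknown owner - " in body,
     "service binary carries no company name"),
    (lambda code, body: body.startswith("Unknown file in Winsock LSP"),
     "HijackThis did not recognise this Winsock LSP file"),
    (lambda code, body: code == "O4" and "\\" not in body.split("] ", 1)[-1],
     "autorun without a full path: check which file actually runs"),
]

def parse(log):
    """Yield (section_code, details) for each HijackThis result line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def triage(log):
    """Return {section_code: [(details, [hints])]} for entries worth a manual look."""
    flagged = defaultdict(list)
    for code, body in parse(log):
        hints = [text for test, text in HINTS if test(code, body)]
        if hints:
            flagged[code].append((body, hints))
    return dict(flagged)

if __name__ == "__main__":
    for code, items in triage(SAMPLE_LOG).items():
        for body, hints in items:
            print(f"{code}: {body}\n    -> {'; '.join(hints)}")
```
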

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi Zippo,

    it all looks good to me.

    shelf life
    How Can I Reduce My Risk?

  8. #8
    Junior Member
    Join Date
    Jul 2006
    Posts
    13

    I'm relieved to hear that at least there's nothing major with my system

    I always try to stay safe online, so the last thing I need is some keylogger logging my passwords...etc

    So what's your verdict on this program?

    It should either be:

    1) malicious
    or
    2) clean, but still bloatware (seeing it gets into the dll files and is hard to uninstall)

    If it's ok, you can shift this thread to the resolved section, I'm glad nothing looks bad from the HJT and last but not least a huge THANKS from me, shelf life!

    If you need any further info from me, I'll be glad to provide it.

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi Zippo,

    Quote:
        So what's your verdict on this program?

        It should either be:

        1) malicious
        or
        2) clean, but still bloatware (seeing it gets into the dll files and is hard to uninstall)

    i didn't install it. seems like a lot of work just to install a keylogger as a payload. the coder must only be interested in capturing bloggers' data? because that's the only people who would download it.

    maybe he just can't wait for you to publish it and wants to read it ahead of time (joke).

    a quick search didn't turn up anything.

    bloatware? i am not familiar with blogging or blog software, so i couldn't say if it comes with a bunch of useless stuff, ie: bloatware.

    i would say it's safe to use. if you don't think so, there must be many more apps that will do the same thing.

    shelf life
    How Can I Reduce My Risk?
