When I connected a pen drive to my PC, I
found that the pendrive's root directory had two files, although I had never
copied them
1. xmmcc.exe
2. Autorun.inf
I tried deleting them, but as soon as they were deleted, they came back within a second automatically. After some googling, I found that it was a keystroke logger virus.I could not find proper steps in a single place (must be bad googling), so here I am consolidating all steps I followed to clean the virus.
Step 1:
Using Process Explorer, I found that
there were two "services.exe" running. One had the company name as
"Microsoft Corporation", but the other file did not have any detail
displayed under the "Description" column. Also, it had the same icon I saw in the pendrive (of two fingers pressing the keyboard). I
first killed the process.
Step 2:
In the following folder, there were 3
files.
C:\Windows
1. xmmcc.exe
2. services.exe (with the same finger
icon).
3. hardshad.log
One more verification point for the exe
file is that the properties of the EXE file shows the original name as
"hardshad.exe".
The file "hardshad.log"
contains all the keystroke made by the
user since the time the virus got installed.
I deleted all 3 files.
Step 3:
Opened registry (regedit.exe).
Selected the root node. Then, searched
for "xmmcc"..
It showed many entries, most of them
pointing to drives allocated to pendrives. I deleted them all, except one.
which showed
"explorer.exe xmmcc.exe"
Here, I opened the value entry, and
removed only the "xmmc.exe" and left the "explorer.exe" as
it is.
After I rebooted the system, the virus
was no longer present.
