Full name: Keylogger.W32/Vlogger.U
Type: [Keylogger] - Trojan that uses various methods to capture the keystrokes made by the user at the keyboard.
Platform: [W32] - PE executable (.EXE, .SCR, .DLL) that runs on 32-bit Windows: 95, 98, Me, NT, 2000, XP, 2003
Size (bytes): 28,672
Alias: TrojanSpy:Win32/Vlogger.U (Microsoft), PWS-Redneck (McAfee)

When the trojan is run for the first time, it creates the following files:

%System%\regWindowsupdatexptovista.bat
%System%\SYSTEMTIME-5474596193354
%System%\SYSTEMTIME-5474596193354\csrs.exe
%System%\SYSTEMTIME-5474596193354\security.dat
%System%\SYSTEMTIME-5474596193354\securityreference.dat

Note: %System% is a variable that refers to the Windows system directory.
The default is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

It also creates the following entries in the Windows registry:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\run\

Value: client server runtime process = c:\windows\system32\SYSTEMTIME-5474596193354\csrs.exe
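
As an added example (not part of the original advisory), the following Python script checks exported triage data for the file and registry indicators listed above. It assumes the Run key was dumped with `reg query` and the file listing with `dir /s /b`; the function names and the sample data are constructed for illustration.

```python
import re

# Indicators from the description above (compared case-insensitively).
DROP_DIR = "systemtime-5474596193354"
FILE_IOCS = {"regwindowsupdatexptovista.bat", DROP_DIR} | {
    DROP_DIR + "\\" + f for f in ("csrs.exe", "security.dat", "securityreference.dat")}
RUN_VALUE_NAME = "client server runtime process"
# %System% defaults given in the note above.
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32")

# Assumed `reg query` line layout: indent, name, type, data (tab or 4-space separated).
REG_LINE = re.compile(r"^\s+(?P<name>.+?)(?:\t| {4})(?P<type>REG_[A-Z_]+)(?:\t| {4})(?P<data>.*)$")

def parse_run_values(reg_query_output):
    """Return {value name: data} for each value line in `reg query` output."""
    values = {}
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group("name").strip()] = m.group("data").strip()
    return values

def suspicious_run_values(values):
    """Flag Run values whose name or target matches the trojan's entry."""
    suffix = "\\" + DROP_DIR + "\\csrs.exe"
    return [(n, d) for n, d in values.items()
            if n.lower() == RUN_VALUE_NAME or d.strip('"').lower().endswith(suffix)]

def matching_files(paths):
    """Return listed paths (e.g. from `dir /s /b`) that match the dropped files."""
    hits = []
    for p in (p.strip() for p in paths):
        low = p.lower()
        if any(low.startswith(s + "\\") and low[len(s) + 1:] in FILE_IOCS for s in SYSTEM_DIRS):
            hits.append(p)
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ExampleUpdater    REG_SZ    \"C:\\Program Files\\Example\\updater.exe\"\n"
    "    client server runtime process    REG_SZ    c:\\windows\\system32\\SYSTEMTIME-5474596193354\\csrs.exe\n")
SAMPLE_FILES = [r"C:\Windows\System32\csrss.exe",
                r"C:\Windows\System32\SYSTEMTIME-5474596193354\csrs.exe",
                r"C:\Windows\System32\regWindowsupdatexptovista.bat"]

if __name__ == "__main__":
    print(suspicious_run_values(parse_run_values(SAMPLE_REG)))
    print(matching_files(SAMPLE_FILES))
```

The legitimate csrss.exe in the sample listing is not flagged: the match is on the exact dropped file names under the system directory, not on a loose substring.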


Solution
If you use Windows Me, XP or Vista and know when the infection occurred, you can use the 'System Restore' feature to eliminate the virus by returning to a restore point prior to the infection (note that this undoes Windows configuration changes and removes all executable files created or downloaded after the date of the restore point). If you have any questions or problems regarding this option, please see our guides on Restore in Windows XP or Windows Vista Restoration.

If you are unable to return to a previous restore point, or doing so does not work, we recommend that you temporarily turn off System Restore before removing the virus by other means, as it could have created a backup copy of the virus. If you need help, see Disable System Restore in Vista, XP and Me. Then follow these steps to eliminate the virus:

Restart your computer in Safe Mode. If you do not know how to do this, follow the instructions in the manual How to Start your computer in Safe Mode.

With an updated antivirus, locate all copies of the virus on your PC's hard drive. If you do not have an antivirus, visit our Free Antivirus.

Delete the following files:

%System%\regWindowsupdatexptovista.bat
%System%\SYSTEMTIME-5474596193354
%System%\SYSTEMTIME-5474596193354\csrs.exe
%System%\SYSTEMTIME-5474596193354\security.dat
%System%\SYSTEMTIME-5474596193354\securityreference.dat

Note: %System% is a variable that refers to the Windows system directory.
The default is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Note: Antivirus programs often report that they 'cannot repair a file' in the case of worms or Trojan horses because there is nothing to repair; simply delete the file.

If you cannot repair or delete the infected files, it may be because the file is in use, that is, the virus is running (resident in memory).
If you cannot remove the virus file, you must manually end the virus's running process. Open Task Manager (press Control + Shift + Esc). In Windows 98/Me, select the name of the process and stop it. In Windows 2000/XP/Vista, on the 'Processes' tab, right-click the process and select 'End Process'. Then try again to delete or repair the files that were created by the virus. You can find more information in the "Task Manager" section of the page Delete libraries .DLL or .EXE.

Next, edit the registry to undo the changes made by the virus. For information about editing the registry, see the guide on editing the registry. Be very careful when handling the registry: if you modify keys incorrectly, you can leave the system unusable.

Delete the following registry entries:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\run\

Value: client server runtime process = c:\windows\system32\SYSTEMTIME-5474596193354\csrs.exe

Delete all temporary files from your computer, including the browser's temporary files, and empty the Recycle Bin.

Restart your computer and scan the entire hard drive with an antivirus to ensure the virus has been eliminated. If you disabled System Restore, remember to re-enable it. Create a restore point; it will be useful in case of infections or problems in the future.
... in this way the malware is executed at each Windows start.