Trojan.Generic.8118023_d6a62ad9b2

by malwarelabrobot on November 30th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.AntiAV (Kaspersky), Trojan.Generic.8118023 (B) (Emsisoft), Trojan.Generic.8118023 (AdAware), Monitor.Win32.PerfectKeylogger.FD, Trojan.Win32.Ransom.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Ransom, Trojan, Worm, EmailWorm, Monitor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: d6a62ad9b22a846c6b7595b420d553ce
SHA1: 20af3e4fa5d0a15750f9dd1a281d398e50ecb8a2
SHA256: c7e5aedba89b72e2a97a05023d400a8b614d6455476949352290ad813d275c17
SSDeep: 98304:RJj4KU9ULx9ie T22S2LSaY0P4u62 EGKN2LgbIncinze44OxudvqWwI2Rqs :DjDOULx99 y2S2fP4u6tE/28cnciJPPs
Size: 4920351 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: WinRAR32bitSFXModule, UPolyXv05_v6
Company: no certificate found
Created at: 2001-03-02 20:25:22
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

bpk.exe:264
rinst.exe:3512
%original file name%.exe:2180
CF Modz Plus 2.1 [Setup].exe:3580

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process bpk.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\pk.bin (4 bytes)
C:\Windows\System32\bpkhk.dll (24 bytes)
C:\Windows\System32\bpkwb.dll (40 bytes)

The process rinst.exe:3512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\bpkhk.dll (784 bytes)
C:\Windows\System32\bpk.exe (15602 bytes)
C:\Windows\System32\rinst.exe (7 bytes)
C:\Windows\System32\pk.bin (4 bytes)
C:\Windows\System32\inst.dat (996 bytes)
C:\Windows\System32\bpkwb.dll (1552 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkwb.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpk.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\inst.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkhk.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pk.bin (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe (0 bytes)

The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe (5398 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkwb.dll (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpk.exe (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\inst.dat (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkhk.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pk.bin (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe (15 bytes)

Registry activity

The process bpk.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID]
"(Default)" = "PK.IE"

[HKCR\PK.IE\CurVer]
"(Default)" = "PK.IE.1"

[HKCR\PK.IE\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IViewSource"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0]
"(Default)" = "BPK IE Plugin Type Library"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PK.IE.1\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\bpkwb.dll"

[HKCR\PK.IE.1]
"(Default)" = "IE Plugin Class"

[HKCR\PK.IE]
"(Default)" = "IE Class"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32]
"(Default)" = "C:\Windows\system32\bpkwb.dll"
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID]
"(Default)" = "PK.IE.1"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IE Plugin Class"

[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"MaxFileSize" = "1048576"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bpk" = "C:\Windows\system32\bpk.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "PK IE Plugin"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bpk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bpk"

The process rinst.exe:3512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process CF Modz Plus 2.1 [Setup].exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
540dce4cab23fb30b02d88d634e5e284 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe
fbe4bab53f74d3049ef4b306d4cd8742 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe
994ffae187f4e567c6efee378af66ad0 c:\Windows\System32\bpk.exe
9ac9028338d1b353a7cacb563bb91df7 c:\Windows\System32\bpkhk.dll
fbe4bab53f74d3049ef4b306d4cd8742 c:\Windows\System32\bpkr.exe
21d4e01f38b5efd64ad6816fa0b44677 c:\Windows\System32\bpkwb.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 24576 24576 4.43127 79d0c4738e2ba91323af1ca1575ba325
.data 28672 28672 2560 2.31744 b802ddae73456f8f70d9b2a2d90b7cf0
.idata 57344 4096 2560 2.88029 510f703c8c3427675b39c0e9557a5d0e
.rsrc 61440 10452 10752 3.05346 7cb6f2d2c884263ec915d7789fe07098

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
457932818ebecf46832679db91b4167e

URLs

URL IP
gmail-smtp-in.l.google.com 173.194.222.26


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Perfect Keylogger Install Email Report

Traffic

The Trojan connects to the servers at the following location(s):

CF Modz Plus 2.1 [Setup].exe_3580:

.text
`.data
.idata
@.rsrc
shlwapi.dll
%s %s %s
GETPASSWORD1
sfxcmd
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-p%s" "-sp%s"
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
%s%s%d
<head><meta http-equiv="content-type" content="text/html; charset=
riched32.dll
riched20.dll
COMCTL32.DLL
%.*s(%d)%s
rtmp%d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe
d%Program Files%\CF Modz Plus 2.1.0
lu2.iu
ADVAPI32.DLL
KERNEL32.DLL
COMDLG32.DLL
GDI32.DLL
SHELL32.DLL
USER32.DLL
OLE32.DLL
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
GetCPInfo
GetProcessHeap
SHFileOperationA
ShellExecuteExA
version="1.0.0.0"
<requestedExecutionLevel level="asInvoker"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Shell.Explorer
Enter password
&Enter password for the encrypted file:
Extracting %s
Skipping %s
The file "%s" header is corrupt%The archive comment header is corrupt
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %s6CRC failed in the encrypted file %s (wrong password ?)
CRC failed in %s
Packed data CRC failed in %s
Wrong password for %s5Write error in the file %s. Probably the disk is full
Read error in the file %s
Extracting from %s
ErroraErrors encountered while performing the operation
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

bpk.exe_264:

.text
`.rdata
@.data
.rsrc
kw.dat
mc.dat
Software\Blazing Tools\Perfect Keylogger\1.2
readme.txt
inst.dat
rinst.exe
pk.bin
inst.bin
inst.tmp
bpk.dat
$#$#$#$#$#$#$#$#$#$#$#$#$#$
web.dat
bpkch.dat
keystrokes.html
websites.html
chats.html
Logs.zip
bpk.chm
apps.dat
titles.dat
temporary.bmp
th_temp.bmp
report.txt
hXXp://VVV.blazingtools.com/
update.tmp
updates/bpk.dat
install.log
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
FtpPutFileA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
WININET.dll
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
EnumChildWindows
GetKeyNameTextA
MapVirtualKeyA
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutList
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
comdlg32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyExA
RegDeleteKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
WSOCK32.dll
MSVCP60.dll
RPCRT4.dll
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
0xx %d
%u 0xx
%d %d
%d %d %d
Ss=%d, Se=%d, Ah=%d, Al=%d
%d: dc=%d ac=%d
%d: %dhx%dv q=%d
0xx: %u, %u, =%d
RST%d
0xx, %d
to %d
%d = %d*%d*%d
%4u %4u %4u %4u %4u %4u %4u %4u
0xx, length %u
%d x %d
%d.d
%dx%d %d
= = = = = = = =
%d precision %d
0xx: 0xx
Ðxx 0xx, %d
0xx 0xx
0xx
Ss=%d Se=%d Ah=%d Al=%d
.PAVCOXJPEGException@@
options_alerts.htm
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d
options_PTF.htm
OLEACC.DLL
oleacc.dll
TskMultiChatForm.UnicodeClass
TMsgForm
__oxFrame.class__
options_notification.htm
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
%s action failed!
Failed to execute unknown action!
The operating system is out
The operating system denied
There was not enough memory to complete the operation.
d-d-%d d:d:d
WININET.DLL
%s <%s>
Content-Location: %s
Content-ID: %s
Content-Base: %s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s
Content-Disposition: attachment; filename="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
--%s--
Microsoft Outlook Express 6.00.2800.1437
Reply-To: %s
Content-Type: %s;
charset=%s
Content-Type: %s
Content-Type: %s; boundary="%s"
Subject: %s
Date: %s
X-Mailer: %s
Cc: %s
From: %s
To: %s
%a, %d %b %Y %H:%M:%S
=?%s?q?
EHLO %s
HELO %s
MAIL FROM:<%s>
RCPT TO:<%s>
Password:
AUTH LOGIN
AUTH LOGIN PLAIN
Opera
Mozilla
Firefox
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
Build 1.6.8.0
version.dll
options_common.htm
options_diary.htm
options_title.htm
options_email.htm
Perfect Keylogger Test
KERNEL32.DLL
Setup=rinst.exe
Program files (*.exe)
*.exe
All files (*.*)
explorer.exe
\shell32.dll
-$!.#"%&'(
d-d-%d d:d
user32.dll
EnableSpecialKeysLogging
main.htm
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Perfect Keylogger
%d-%d-%d_%d-%d-%d
th_%d-%d-%d_%d-%d-%d
th_%d-d-d_d-d-d-%d
%d-d-d_d-d-d-%d
nopass
d-d-d-d-d-d
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
i.dll
un.exe
vw.exe
wb.dll
hk.dll
r.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
psapi.dll
<H2>%s, %s</H2><H3>%s</H3>
<H1> %s</H1>
%d/%d/%d %d:%d:%d
<H2>%s %s</H2><H3>%s</H3><P><A target=_blank href="%s" title="%s">%s</A></P>
%s, %s
<H2>%s - %s, %s</H2><H3>%s</H3>
advapi32.dll
\StringFileInfo\XX\FileDescription
Application files (*.exe)
options_ex_programs.htm
options_screenshots.htm
%ld%c
00000409
LOGIN PLAIN
version="1.0.0.0"
name="Microsoft.Windows.Manifest"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Password
Password required
Enter the password:
Perfect Keylogger can carry out visual surveillance. It means the screen capturing every time when the specified interval is elapsed and storing the compressed images on a disk. You can review it later using Log Viewer.
&Web log (websites visited)
&Also hide keylogger's icon when it will start next time
Please notice, that "Run on Windows startup" option is checked. This means, that keylogger's startup screen will appear after PC reboot. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
&SMTP server:
Example: smtp.aol.com
&Port number:
&Password:
Text log (&keystrokes)
Password protection
&Try to upload logs by FTP every
HTML (can be viewed with a web browser)
Example: PTF.prohosting.com
Remote dir is the directory on the FTP server where you want to store log files. You can leave it blank to store logs at the initial directory.
Use passive &mode (this may be necessary for some firewalls)
T&est FTP
Capture mouse clicks &only in the following windows:
This software may be installed and evaluated for 5 days to ensure that it meets your needs. This screen will appear every time when keylogger starts until you buy the program.
Days remaining: %d.
Perfect Keylogger's Registration
Enter &old password:
Enter &new password:
&Repeat new password:
To remove the password, leave the fields blank.
To set or change the password for using keylogger, click Password button.
&Password...
&Monitor only online activity (disable keylogger when computer is offline)
&Use progressive method of keystroke interception
(flip this option if you have problems with keyboard logging)
&Include non-character keys in the log
Perfect Keylogger's Home Page
About Perfect Keylogger
VVV.blazingtools.com
support@blazingtools.com
Use the newest solution in the visual surveillance and keyboard monitoring!
&Run on Windows startup
Hotkeys
msctls_hotkey32
HotKey1
&Make the program invisible in the Windows startup list
Click here to uninstall keylogger
Welcome to the Remote Installation Wizard! This wizard will help you to create compact deployment package for Perfect Keylogger
The wizard will combine Perfect Keylogger and any other specified program. When somebody will run that program, keylogger will be immediately installed on the computer in the absolutely stealth mode.
Please configure keylogger before creating installation package. All current settings will be applied immediately after the stealth installation.
The wizard can also create package for removal of the installed keylogger.
&Automatically uninstall remote keylogger after
Now you can use this package to install keylogger on the another PC. You can copy it to the floppy disk or send by e-mail. When somebody will run this program, keylogger will be installed and activated in the stealth mode.
Keylogger will be installed into the following folder:
&Install new or update existing keylogger on the remote computer
Uninstall existing copy of the Perfect Keylogger on the remote computer
By FTP
Create a list of "on alert" words or phrases and Perfect Keylogger will continually monitor keyboard typing and web pages for these words.
When a keyword or phrase will be detected, Perfect Keylogger can immediately send you an instant alert via e-mail.
&Add keyword
Keyword detection action
BlazingTools Perfect Keylogger
PathYFile PSAPI.DLL not found in your system. Target applications feature will be unavailable.
Targets.Enter window title or its part (any substring)ASpecify an applications where you want Perfect Keylogger enabled:\Specify window titles or their parts (substrings), where you want Perfect Keylogger enabled:&Error writing program-exceptions file.#Error writing windows titles file.
This is a Perfect Keylogger report for computer "%s", IP address %s, user "%s".
support@blazingtools.comnYou haven't specified the hotkey to put keylogger into the visible mode. Do you really want to disable hotkey?/Please, specify the destination e-mail address.
Perfect Keylogger report:
Keylogger is ready to work! Type any text in any application, then double click on Perfect Keylogger's icon to view the log. To hide the icon, right click on it and select "Hide program icon" from the context menu. Thank you for installing Perfect Keylogger!
Invalid password!
5An error occured on saving file "%s". Error code = %u
An error has occurred while creating the package. The wizard will be closed. Please make sure that keylogger is running from the original location.CType folder path here or click "Next" to install to "System" folder;"System" folder (path will be detected during installation)
VVV.blazingtools.com/bpk.html
VVV.blazingtools.comVPlease, first specify the hotkey to show the icon next time. Do you want to do it now?TYou're about to hide the program icon.
Attention: use %s to show the icon next time.
FTP server
OError while connecting to site. Please make sure that FTP settings are correct.
Unable to set FTP directory.
Incorrect hook DLL version.ZCan't to set hotkey combination #%d (already in use). Please, specify another combination.
Enter re&gistration code...ETo remove this screen and other trial limitations, please buy it now.)hXXp://VVV.blazingtools.com/orderbpk.html_This is a Perfect Keylogger test message. If you've received it, all mail settings are correct.6Test message was sent succesfully. Check your mailbox.$COPYING TO THE CLIPBOARD WAS LOGGED:$Test file was uploaded successfully!HCongratulations! If you are reading this file, FTP settings are correct.5&Specify the program to combine with the uninstaller:6&Specify the program to combine it with the keylogger:
YA new version of Perfect Keylogger is available. Do you want to download the new version?
When somebody will run this package, it will stop running keylogger and remove it.
Attention: Perfect Keylogger version 1.45 or higher is required..Perfect Keylogger was installed successfully: ZPerfect Keylogger was installed on the computer %s, with IP address %s, user %s at %s, %s.KLog upload date: %s
Time: %s
Computer: %s
IP address: %s
User: %s
Please notice, that keylogger's startup screen will appear when installation package will be launched. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
Perfect Keylogger Alert: ePerfect Keylogger has detected that keyword "%s" was typed by user %s at the computer %s.
Context: %s
Error launching Log Viewer.zPefect Keylogger has detected that web page %s contains keyword "%s". This page was visited by user %s at the computer %s.
AttentionARegistration succeeded. Thank you for choosing Perfect Keylogger!
Hide program &icon "Set new Perfect Keylogger password!Change Perfect Keylogger password
Wrong old password.
Passwords do not match.*hXXp://VVV.blazingtools.com/downloads.html
Perfect Keylogger Test Message
This option forces the keylogger to delete itself from the Windows Startup to make it more stealth.
If you choose it, the keylogger won't run at Startup after the power failure or incorrect PC shutdown.
Password captured: %Where do you want to store your logs?3Select the folder where you want to store the logs:
Change ZIP file password
Set ZIP file password


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    bpk.exe:264
    rinst.exe:3512
    %original file name%.exe:2180
    CF Modz Plus 2.1 [Setup].exe:3580

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\pk.bin (4 bytes)
    C:\Windows\System32\bpkhk.dll (24 bytes)
    C:\Windows\System32\bpkwb.dll (40 bytes)
    C:\Windows\System32\bpk.exe (15602 bytes)
    C:\Windows\System32\rinst.exe (7 bytes)
    C:\Windows\System32\inst.dat (996 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe (5398 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkwb.dll (80 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpk.exe (868 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\inst.dat (1000 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkhk.dll (48 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pk.bin (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe (15 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bpk" = "C:\Windows\system32\bpk.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
