Malware Analyzing And Removing (d2jsp Forums user blog)
Member
Posts: 6,192
Joined: Dec 13 2010
Gold: 6,669.99
Jul 3 2012 01:45pm
Malware name: backdoor/keylogger for ROTMG / Trojan.Win32.Jorik.Shakblades.hbi (Kaspersky) BackDoor.Comet.104 (DrWeb)
Newest version detection rate: 14/41
Detected by Malwarebytes: yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This backdoor bot/keylogger is automatically downloaded and installed on your computer after visiting a malicious site containing a Java exploit.
It usually steals login information for the game Realm of the Mad God but can also steal other personal information.
It uses the .NET Framework to connect to the internet and send your personal information to the hacker.


Symptoms:

Losing items on ROTMG or other games.
Internet spiking or lagging.


Files created:

C:\Documents and Settings\Administrator\bnnFZJ.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\netiomig.exe
C:\Documents and Settings\Administrator\Templates\shfusion.exe
C:\Documents and Settings\Administrator\Application Data\fg (file containing all of your passwords and personal information)
C:\Documents and Settings\Administrator\Application Data\TQLPWK2HC8.EXE


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run\Microsoft® Windows® Operating System
{C:\Documents and Settings\Administrator\Templates\shfusion.exe}


Removal:

To remove this malware, follow these simple steps.
First, press Ctrl+Alt+Del to open the Task Manager and go to the Processes tab.
Find netiomig.exe, right-click it and make sure to select "End Process Tree".
If you simply press End Process, shfusion.exe will relaunch netiomig.exe in a matter of milliseconds; the same thing happens if you try to end task on shfusion.
Next, end task on AppLaunch.exe and bnnFZJ.exe.

After this, click on Start - Control Panel - Folder Options - View tab - Show hidden files and folders.
Open My Computer, go to C:\Documents and Settings\Administrator\ and delete bnnFZJ.exe.
Then go to C:\Documents and Settings\Administrator\Local Settings\Temp\ and delete netiomig.exe.
Then go to C:\Documents and Settings\Administrator\Templates\ and delete shfusion.exe.
Then go to C:\Documents and Settings\Administrator\Application Data\ and delete the file named fg (no extension) and TQLPWK2HC8.EXE.

To delete the startup registry key, click on Start - Run, type "regedit" without the quotes and press Enter.
Double-click on HKEY_CURRENT_USER, then on Software\Microsoft\Windows\CurrentVersion\Run.
On the right side, there should be a key named Microsoft® Windows® Operating System. Right-click it and delete it.

Make sure to change all of your passwords after removing this backdoor, or simply change them on another non-infected computer.


Extra information:

From what I've seen, there's only one site that leads to this exploit/keylogger, which is actually visited by a lot of people.

The exploit on the site cannot work on the newest version of Java, therefore it's always good to keep your add-ons/browser up to date.
Aug 13 2012 01:02pm
Malware name: Backdoor Caphaw
Newest version detection rate: 13/43
Detected by Malwarebytes: yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This malware is a backdoor which can steal your information and download other malware onto your computer.
This backdoor is pretty hard to remove; it hides most of its files, processes and registry keys with rootkit technology.


Symptoms:

None visible


Files created:

C:\Documents And Settings\Administrator\Application Data\Mozila\Firefox\Profiles\(Random)\...\(random).exe (Hidden rootkit)
or
C:\Documents And Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\(random)\...\(random).exe (Hidden rootkit)
or
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\(random)\...\(random).exe (Hidden rootkit)
(I may have missed a few depending on your installed programs/add-ons)


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\(random) (Hidden Rootkit)
{"one of the file locations above"}


Removal:

To remove this malware, you will need to download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Install the program and update it.
Make sure to select Full Scan. The Quick Scan won't scan the area where the malware is located.
After the scan is complete, click on Remove Selected and restart your computer once it asks you to.
If Malwarebytes doesn't detect the file or registry key, do the manual removal below.


Manual removal:

To remove this malware manually, you will need to restart your computer in safe mode.
To do this, restart your computer and press F8 before Windows boots up.
You should arrive at a black screen with a few choices; use the arrow keys to select Safe Mode.
Click on Start - Run, type "regedit" without the quotes and press Enter.
Double-click on HKEY_CURRENT_USER, then Software\Microsoft\Windows\CurrentVersion\Run.
On the right side, there should be a key named something like {8C435D4D-3AFF-9334-54F4-C2DE871E453D}.
Double-click on it; the Value data should be the location of the file, take note of it.
Open My Computer, locate that file and delete it.
Go back to the Registry Editor, right-click the registry key and delete it.
Restart your computer normally and it should be gone.

Since this backdoor can download other malware on your computer, it's always good to do a full scan with your anti-virus program.


Extra information:

If you try the manual removal when you're not in safe mode, the file will simply come back in another location once you delete it, since there's still a thread running from the malware.
Same thing goes for the registry key.

Sep 24 2012 12:05pm
Malware name: Trojan-Dropper.Win32.Injector.frks (Kaspersky)
Newest version detection rate: 2/42
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This malware is downloaded onto your computer by the Blackhole exploit kit while visiting malicious websites.
The malware itself is an injector which injects malicious code/threads into legit processes including explorer.exe, svchost.exe and ctfmon.exe.
It connects to the hacker to steal your credit card information, passwords or other personal information.


Symptoms:

Iexplore.exe running in the background, connected to TCP/IP.


Files created:

C:\Documents and Settings\Administrator\Application Data\"random"\"random"\LicenseValidator.exe
Note that the executable can have many different names.
Here are some examples:
UpgradeChecker.exe
Upgrade.exe
Validator.exe

It either chooses a folder at random in Application Data or creates one with a common name like Opera, TeamViewer, Google Inc, etc.


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LicenseValidator.exe
{C:\Documents and Settings\Administrator\Application Data\"random"\"random"\LicenseValidator.exe}


Threads injected:

0xe0 ctfmon.exe 0xfc 0x7c810856
0xe0 ctfmon.exe 0x100 0x7c810856
0xe0 ctfmon.exe 0x104 0x7c810856
0xe0 ctfmon.exe 0x108 0x7c810856
0xe0 ctfmon.exe 0x10c 0x7c810856
0xe0 ctfmon.exe 0x16c 0x7c810856
0x348 svchost.exe 0x784 0x7c810856
0x788 explorer.exe 0x94 0x7c810856
0x788 explorer.exe 0xb8 0x7c810856
0x788 explorer.exe 0xec 0x7c810856
0x788 explorer.exe 0xf4 0x7c810856
0x788 explorer.exe 0xf8 0x7c810856
0x788 explorer.exe 0x168 0x7c810856
0x788 explorer.exe 0x18c 0x7c810856
0x788 explorer.exe 0x7e4 0x7c810856


Removal:

The easiest and fastest way to remove this malware is to remove it in safe mode.
To access safe mode, restart your computer and press F8 before Windows boots up.
A black screen will appear with a few options; use the arrow keys to select Safe Mode.

Once there, you can either do a scan with Malwarebytes Anti-Malware or remove it manually.
You can download Malwarebytes here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022%5F4-10804572.html
Install it and update it. Do the Quick Scan and remove everything that it finds in safe mode.
(Since you don't have an internet connection in safe mode, you'll need to download it in normal mode first or place it on a USB drive.)

If Malwarebytes didn't detect it completely, you can also remove it manually by following these steps in safe mode:
Click on Start - Run, type "regedit" without the quotes and press Enter.
Double-click on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
On the right side, there should be a key named the same as the files mentioned above.
Find it and double-click it. The Value data will tell you where the executable is located.
Simply open My Computer and locate the file. Right-click it and delete it.
Return to the Registry Editor and delete the registry key by right-clicking it and selecting Delete.

Run a full scan with your anti-virus afterwards to make sure nothing else is on your computer.


Additional information:

When you delete the registry key while this malware is present in memory, it will copy the file to another place in Application Data and recreate the startup key, even if you didn't delete the other executable.

Not a lot of programs can detect the loaded threads in the infected programs, which was annoying and made it very hard to remove in normal mode; that's why safe mode is needed to remove this malware.

This post was edited by ShadowFiend on Sep 24 2012 12:05pm
Oct 26 2012 12:13pm
Malware name: VirTool:Win32/VBInject.UG (microsoft, generic detection)
Newest version detection rate: 26/44
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This malware is a backdoor and keylogger which connects to the hacker and sends him all of your passwords and private information.
It doesn't really have a name as of yet since it's not that popular; that's why I only listed a generic detection from Microsoft.


Symptoms:

Explorer.exe takes longer to load.
Explorer.exe crashes/closes more often than usual.


Files created:

C:\Windows\Win\Win.exe
C:\Windows\Win\logg.dat - stores all of your passwords/private information


Registry key created:

HKEY_CLASSES_ROOT\CLSID\{FA81A4A9-9348-EC5F-4338-D36D53AEC2E3}
I can't access this key for some reason; I tried with multiple programs, and only Malwarebytes detects it.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{FA81A4A9-9348-EC5F-4338-D36D53AEC2E3}\stubpath
{C:\windows\win\win.exe s}


Process running:

Iexplorer.exe (used for backdoor connection) (Hidden Rootkit)


Removal:

The removal is quite simple.
First, download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Update the program (you don't need to try the free trial).
Then click on Quick Scan.
Once the scan is complete, click on Remove Selected and, once asked, restart your computer.


Tips:

Make sure to change all of your passwords after removing this malware or change them on a non-infected computer.
Nov 2 2012 11:46am
Malware name: Backdoor:Win32/Hostposer.B (microsoft)
Newest version detection rate: 30/44
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This malware is a backdoor which can steal your passwords/personal information and download other malware onto your computer.
It creates a hidden extension for your browser so that every time you launch your browser, it also launches the backdoor.
This method makes it a bit harder to detect on your computer since there's no visible process.
It also scans a lot of your browser's files to see if you have any saved passwords or other information you stored.
My sample was also encrypted with a free VB crypter, which is complete crap because most anti-virus/anti-malware programs will detect the encryption.


Symptoms:

Page loads slower when browsing the internet
Browser takes longer to open


Files created:

%appdata%/libmscr.dll
%appdata%/iconla.sys
%appdata%/pixelc.sys


Registry key created:

HKEY_CLASSES_ROOT\CLSID\{1D2F060E-6F2C-4D53-AFBC-41ED4CC4FD33}
HKEY_CLASSES_ROOT\TypeLib\{E5CC4134-A827-4F78-9748-43E371010A81}
HKEY_CLASSES_ROOT\Interface\{9D5EAABB-09B0-4D9B-9D16-7996A9C7C308}
HKEY_CLASSES_ROOT\Chilibins.Maskis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D2F060E-6F2C-4D53-AFBC-41ED4CC4FD33}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D2F060E-6F2C-4D53-AFBC-41ED4CC4FD33}


Modules loaded:

libmscr.dll - Loaded into browser as DLL


Removal:

Removal is quite simple.
First, download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Install and update the program, then run a Quick Scan.
Once it's done, click on Remove Selected.

Secondly, it won't remove all the files, so you'll need to open My Computer and type %appdata%/ in the address bar.
Find iconla.sys and pixelc.sys and delete them.

You can also remove this malware manually by deleting all the files and registry keys above, although it's not recommended since the names of the registry keys may change from computer to computer.
To delete the files, simply open My Computer, go to %appdata%/ and delete the files above.
To delete the registry keys, click on Start - Run, type "regedit" without the quotes and press Enter.
Delete the keys above by right-clicking them and selecting Delete.
None of the registry keys or files are hidden. If it says libmscr.dll is in use when trying to delete it, close all of your browsers, then try again.


Additional information:

Make sure to change all of your passwords after removing this malware, or change them on a non-infected computer, since this malware is known to steal passwords.

The 2 .sys files aren't really system files; they're just Notepad (.txt) files used to store your passwords/private information (keylogger), and libmscr.dll will send them through the backdoor to the hacker.

This malware can attach itself to all browsers, even if you have the latest version.
Dec 3 2012 01:25pm
Malware name: FBI Ransomware
Newest version detection rate: 14/43
Detected by Malwarebytes: yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This malware is ransomware, which takes your computer "hostage" and demands a ransom (cash payment).
What it does is block your screen with information saying that your computer has been locked because of several violations (copyright/pornography/child pornography/promoting terrorism/neglect of computer use/gambling/etc.).
It then enables your webcam (if you have one) and displays it on your screen, saying that they are watching you (which is false).
The malware kills all processes (except the ones needed to run Windows) when executed and continues to close them if you try to open them somehow.
It will block/disable all shortcut keys (Ctrl+Alt+Del/Alt+Tab/Win key/Ctrl+Esc/etc.).
Some variations of this malware also delete some registry keys for safe mode. If you try to boot into safe mode, it will give you a blue screen of death because of the missing registry keys, which makes the removal a bit harder.


Symptoms:

Pretty obvious, a screen like this every time you start your computer:
http://i.imgur.com/Y53oZ.png
Unable to boot into safe mode (blue screen of death)
Unable to open any program/use shortcut keys


Files created:

c:\"path"\"program name".exe
The path can vary depending on what installed it on your computer.
If you got it by visiting a bad website (exploit), it will most likely be in %temp%, %userprofile%\application data or %userprofile%\local settings\application data.
The program name can also vary; usually it's something like svchost.exe or a spoof of it.


Registry key created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svñhîst
{"path"}
The path is the same as the file created above.
The name of the registry key is correct; I think it's because I don't have the Russian language pack installed, and the character ñ in Russian looks like 'c' and î like 'o' to make svchost.


Removal:

This malware would be extremely easy to remove if you were able to open programs/Alt+Tab, but you can't :(

Removal #1

If you're able to boot into safe mode (with the steps below), follow this part of the guide; if not, continue to the second part.
To boot into safe mode, restart your computer and press F8 (spam it if you have to) before your computer boots/before Windows starts up.
If done correctly, there should be a black screen with a few options; select Safe Mode. If it gives you a blue screen of death (for half a second), skip to the second part.

Once you're in safe mode, click on Start - Run and type "regedit" without the quotes.
Double-click on HKEY_LOCAL_MACHINE, then on Software\Microsoft\Windows\CurrentVersion\Run.
Now on the right side, there should be a registry key named svñhîst. Right-click it and delete it.
Now you'll be able to restart your computer normally again without it blocking your screen.

Restart your computer in normal mode and download Malwarebytes Anti-Malware:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Update the program and run a Quick Scan.
Once it's done, it should have found the ransomware file; click on Remove Selected.


Removal #2

If you're unable to boot into safe mode, use this method to remove this ransomware. It might get a bit complicated and long, so make sure to follow all of the steps.

What you'll need is Kaspersky Rescue Disk and another computer with an internet connection to download it.
You can download it here:
http://support.kaspersky.com/4162 (click on the green text: Kaspersky Rescue Disk 10)
Once you've finished downloading it on your other computer/friend's computer/library's computer/etc., either burn it to a CD/DVD or place it on a USB device.
Now you'll need to boot from the CD/USB device. To do this, restart your infected computer and press F2 before it boots. If done correctly, you'll access your BIOS. If it doesn't work, try F12 or Esc.

Next, use the arrow keys to go to the Boot tab in the BIOS. With the -/+ keys, make it so it boots the CD-ROM drive or Removable Devices before the Hard Drive.
Then go to the Exit tab and select Exit Saving Changes.
This will restart your computer; once it's restarting, it should show "press any key to continue"; press any key.
It will boot from the Kaspersky application. Select your language, then press 1 in the next screen. Then select Kaspersky Rescue Disk. Graphic Mode.
It will take a few minutes to start and it should look like Windows Explorer.
Once it's done loading, close Kaspersky Rescue Disk (or do a scan with it if you want; it takes 30-45 mins+ if C:\ is included).
Double-click on Kaspersky Registry Editor.
Expand (click the + sign) Microsoft Windows ## service pack #.
Then double-click on HKEY_LOCAL_MACHINE, then on Software\Microsoft\Windows\CurrentVersion\Run.
Now on the right side, there should be a registry key named svñhîst. Right-click it and delete it.

Now you'll be able to restart your computer normally again without it blocking your screen.
Restart your computer in normal mode and download Malwarebytes Anti-Malware:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Update the program and run a Quick Scan.
Once it's done, it should have found the ransomware file; click on Remove Selected.


Additional information:

Since some variations delete registry keys needed for safe mode, you can restore them by downloading this:
http://support.kaspersky.com/faq/?qid=208279889
Scroll down until you see Sality_RegKeys.zip.
Download it and unzip it. Double-click the .reg file corresponding to your operating system (make sure it's the correct one).
Click Yes once it asks you to add the registry keys.
You should be able to boot into safe mode now for future problems.

Never pay them; they will not unlock your computer and you'll end up with a stolen credit card.

The webcam is only there to scare the user. Don't believe anything on the page that it displays; it's pretty much all false information just to scare you into paying the 100 dollars (and get your credit card information sold on the internet "black market").

There's also a quicker method to remove this malware, but you have to be fast.
Simply boot your computer normally, spam Ctrl+Shift+Esc to open the Task Manager, select the malicious process as soon as it pops up and spam the Delete key.
The malware takes 1-2 seconds before it blocks your screen, and I was actually able to remove it with this method. Once you've ended the process, follow the guide above by deleting the registry key and running Malwarebytes.
And if you fail, you can always restart your computer and try again B)
Dec 21 2012 03:33pm
Malware name: XP Defender, Vista Defender, Windows 7 Defender
Newest version detection rate: 12/44
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

This malware is known as a rogue anti-virus that belongs to the Rogue.FakeRean-Braviax family.
A rogue anti-virus is a program which scares the user with fake error messages saying that your computer is infected with viruses/spyware/worms/etc. and that you need to purchase the program to remove the infections.
The payment is by credit card; if you do pay them, your credit card will be stolen and will be used by the hacker or sold to other people. Plus, you'll lose around 80 dollars buying this rogue anti-virus, which offers you no protection if you buy it.
Therefore, it's obviously not recommended to give them your credit card information or any information about yourself.
Depending on your operating system, this rogue will be named XP Defender, Vista Defender, or Windows 7 Defender. It may also have the year at the end, like XP Defender 2013.


Symptoms:

Unable to start programs properly or access the internet.
XP Defender displaying error and warning messages telling you that you're infected.
Here's what this rogue looks like and a few of the error/warning messages:
[screenshots omitted]


Files created:

C:\Documents and settings\All Users\Application Data\pcdfdata\"random".exe
C:\Documents and settings\All Users\Application Data\pcdfdata\app.ico
C:\Documents and settings\All Users\Application Data\pcdfdata\uninst.ico
C:\Documents and settings\All Users\Application Data\pcdfdata\support.ico
C:\Documents and settings\All Users\Application Data\pcdfdata\config.bin
C:\Documents and settings\All Users\Application Data\pcdfdata\defs.bin
C:\Documents and settings\All Users\Application Data\pcdfdata\vl.bin


Registry key created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\pcdfdata
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pcdfdata
{C:\Documents and settings\All Users\Application Data\pcdfdata\"random".exe}


Modified registry key:

HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\.exe\shell\open\command


Removal:

Since this malware blocks most executable files, the most common removal is by renaming the extensions of the files (from .exe to something else).

To do this, click on Start - Control Panel - Folder Options - View tab - uncheck "Hide extensions for known file types".

Next, find the path of your browser. To do this, simply right-click your browser's icon on your desktop and select Properties. The Target is the path.
For Firefox, it will be C:\Program Files\Mozilla Firefox; for Internet Explorer, C:\Program Files\Internet Explorer, etc.
Next, locate the executable file (.exe), for example iexplore.exe or firefox.exe, right-click it and select Copy, then right-click anywhere in the folder and select Paste.
This will create a copy of the file. Now right-click the copy and select Rename. Rename it to either iexplore.com or firefox.com or "programname".com (change .exe to .com).
Double-click the .com file and it will open your browser.

Next, download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Save it on your desktop.
You probably won't be able to install/run it; what you need to do is, once again, change the extension of the Malwarebytes installer from .exe to .com.
Install and update the program by opening the .com file.
Run a Quick Scan; once the scan has finished, click on Remove Selected and if it asks you to restart your computer, press Yes.

If you already had Malwarebytes installed and can't open it, simply find the installation folder (usually C:\Program Files\Malwarebytes' Anti-Malware), rename MBAM.exe to MBAM.com and open it.


Additional information:

The .exe registry shell will stay the same in safe mode, so it won't really change anything if you try to remove it in safe mode; your programs still won't be able to run, and the rogue will run in safe mode when you try to open them.

This removal method can be used for pretty much all rogue anti-viruses if they block your executable files from running.

There's an uninstall option in Add/Remove Programs (Windows XP) / Programs and Features (Windows Vista/7) in the Control Panel.
If you click it, it will simply start the rogue like normal and won't uninstall it. (too good to be true :lol: )
Mar 6 2013 11:40am
Malware name: Path of Exile keyloggers (generic guide)
Newest version detection rate: Usually pretty low
Detected by Malwarebytes: Most of them, yes
Difficulty of removal once installed: [difficulty bar graphic]


Introduction:

There are many keyloggers running around for new games. This is a very generic guide on how to remove keyloggers and how to avoid them for games like Path of Exile.
If I were to make a guide for every keylogger for Path of Exile alone, it would take years to complete, so that's why I'm just making one guide for all of them.
In this guide, I'll be focusing more on keyloggers (fake hacks/key generators/etc.) located on YouTube for Path of Exile, but they're pretty much the same as anywhere else.
I've tested over 10 "hacks" on YouTube for Path of Exile and they were all keyloggers (most videos had over 2k views with 50+ likes and 1-2 dislikes). How!?
Most of the keyloggers have a secondary program which opens your browser in the background and likes/favorites the video on YouTube with your currently logged-in account without you even knowing.

Prevention is always the best method to avoid getting keylogged or losing your account; a few ways to do this are to simply not download hacks, even if you think they're from a legit source.
Also, make sure to have an up-to-date anti-virus, an up-to-date browser/add-ons and a strong password.


Symptoms:

Unable to connect to your account (password changed)
Lost all items
Email account stolen


Files created:

I will post the most common places to find the files of all the keyloggers that I've tested; most of them were the same keyloggers with different settings.

From most common to least:
%temp% (type this in the URL bar)
%appdata%
%userprofile%
c:\windows
c:\windows\system32

For the names of the files, they're usually the same as the one you executed on your desktop or have similar names.
There may also be a text file without an extension that stores all of your private information in the same folder as the executable.
These files can be hidden.
Some other common names include:
svchost.exe (unless it's in c:\windows\system32, that one is legit)
csrss.exe (same warning as above)
flashplayer.exe
googlechrome.exe
PathOfExileHack.exe (or similar names)

Most keyloggers also use the .NET Framework to bypass your firewall. Because of this, you'll most likely see AppLaunch.exe or another legit .NET Framework program in the process list.
Don't delete those files; just end the process with the Task Manager when it comes to the removal below.


Registry key created:

Most common locations for the startup registry keys created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"name"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"name"
Usually the name matches the executable's name.

Most common registry keys modified for startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit


Removal:

The removal of these keyloggers is very basic, although most anti-virus programs can't detect them.

To remove them manually (not really for novice users), simply click on Start - Control Panel - Folder Options - View tab - Show hidden files and folders, and uncheck "Hide operating system files".
Next, either check the most common areas above for the executable(s) and text file(s), or click on Start - Run - msconfig - Startup tab and check the file location of the keylogger and the registry key.
To delete the startup registry key, click on Start - Run and type "regedit" without the quotes. Check the locations above for the most common areas of the startup keys.
Once found, right-click the key, select Delete, then restart your computer.

An easier method is to download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Make sure to update the program and to do a Quick Scan (or a Full Scan if you have the time).
It should find one or more executable files and a registry key. Once the scan is done, click on Remove Selected and restart your computer if asked.
If it does not find anything, you should try scanning with other malware removal programs like Spybot, or try the manual removal above.


Additional information:

Most hacks are too good to be true.
If you have been keylogged, the first thing to do is to change all of your passwords on another computer or change them after you've removed it.
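The startup locations described across this thread (Run values in the ROTMG, Injector and keylogger posts, the Winlogon Shell/Userinit values above, the Active Setup StubPath from the VBInject post, the .exe open-command change from the XP Defender post and the svñhîst lookalike name from the ransomware post) can all be checked offline from a `reg export` file. The script below is an added example, not the thread author's tooling: it parses a constructed .reg export whose entries are modelled on the posts and reports the suspicious ones. The sample keys, the Opera folder and the ab12cd.exe file name are constructed values, and the lookalike check is a simple edit-distance heuristic.

```python
"""Audit a .reg export for the autostart persistence patterns described in this thread (added example, constructed data)."""
import re
import unicodedata

# Constructed sample export mirroring the keys the thread's posts describe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System"="C:\\Documents and Settings\\Administrator\\Templates\\shfusion.exe"
"LicenseValidator.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\Opera\\Opera\\LicenseValidator.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"svñhîst"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\svchost.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Win\\Win.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{FA81A4A9-9348-EC5F-4338-D36D53AEC2E3}]
"StubPath"="C:\\windows\\win\\win.exe s"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and settings\\All Users\\Application Data\\pcdfdata\\ab12cd.exe\" /ex \"%1\" %*"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
SYSTEM_NAMES = ('svchost', 'csrss', 'ctfmon', 'explorer', 'lsass', 'winlogon')
USER_WRITABLE = ('\\documents and settings\\', '\\users\\', '\\temp\\',
                 '%appdata%', '%temp%', '%userprofile%')

def unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif m and current is not None:
            name = '(Default)' if m.group(2) else unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys

def fold(name):
    """Lowercase, strip diacritics and a trailing .exe: 'svñhîst' -> 'svnhist'."""
    base = unicodedata.normalize('NFKD', name)
    base = ''.join(c for c in base if not unicodedata.combining(c)).lower()
    return base[:-4] if base.endswith('.exe') else base

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(keys):
    """Return (key, value_name, reason) for entries matching the thread's patterns."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith('\\currentversion\\run'):
            for name, data in values.items():
                if any(ord(c) > 127 for c in name):
                    findings.append((key, name, 'non-ASCII characters in value name'))
                for sysname in SYSTEM_NAMES:
                    if 0 < levenshtein(fold(name), sysname) <= 2:
                        findings.append((key, name, f'value name resembles {sysname}'))
                if any(tok in data.lower() for tok in USER_WRITABLE):
                    findings.append((key, name, 'autostart binary in user-writable location'))
        elif k.endswith('\\winlogon'):
            if values.get('Shell', 'explorer.exe').strip().lower() != 'explorer.exe':
                findings.append((key, 'Shell', 'Shell is not explorer.exe'))
            for part in values.get('Userinit', '').split(','):
                p = part.strip()
                if p and not p.lower().endswith('\\system32\\userinit.exe'):
                    findings.append((key, 'Userinit', f'extra Userinit entry: {p}'))
        elif '\\active setup\\installed components\\' in k and 'StubPath' in values:
            stub = values['StubPath'].lower()
            if '\\system32\\' not in stub and '\\program files' not in stub:
                findings.append((key, 'StubPath', 'StubPath outside system32/Program Files'))
        elif k.endswith('\\shell\\open\\command') and ('exefile' in k or '\\.exe\\' in k):
            if values.get('(Default)', '').strip() != '"%1" %*':
                findings.append((key, '(Default)', '.exe open command hijacked'))
    return findings

if __name__ == '__main__':
    for key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f'{reason}: [{key}] {name}')
```

Run it against a real export with `parse_reg(open('export.reg', encoding='utf-16').read())`, since `reg export` writes UTF-16 by default; the ctfmon.exe entry is the negative control that should produce no finding.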