Trojan:KeyLogger.QB is a keystroke-logging trojan designed to silently capture everything you type on your computer — including passwords, credit card numbers, private messages, and other sensitive information. Once installed, it runs invisibly in the background, recording your keystrokes and transmitting them to remote attackers who can use this data for identity theft, financial fraud, or corporate espionage. This threat typically arrives bundled with pirated software, malicious email attachments, or fake software updates, and it employs various stealth techniques to avoid detection by standard antivirus programs.

Trojan:KeyLogger.QB — cybersecurity illustration
Photo by AI25.Studio Studio on Pexels
Think you're infected right now? Disconnect from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not enter any passwords or financial information until the infection is removed. Every keystroke you make while infected is potentially being recorded and transmitted to attackers. Call us at (770) 824-3575 or bring your machine to our Roswell shop for same-day cleaning.

Threat Profile

Attribute Details
Threat Family Trojan-Keylogger (information stealer)
Known Aliases Trojan.KeyLogger.QB, Keylogger.QB, TROJ_KEYLOG.QB
Platform Windows (all versions from XP through Windows 11)
Discovery Period Mid-2010s (variant still active in updated forms)
Distribution Methods Software bundles, malicious email attachments, exploit kits, fake updates
Persistence Mechanism Registry Run keys, scheduled tasks, Windows service installation
Primary Capabilities Keystroke logging, clipboard monitoring, screenshot capture, credential harvesting
Network Behavior Periodic data exfiltration via HTTP/HTTPS to C2 servers; may use SMTP for email-based reporting
Common File Locations %APPDATA%, %TEMP%, %LOCALAPPDATA% subdirectories with randomized names
Typical IoCs Hidden .exe/.dll files with random names, encrypted log files (.dat/.log), new Run registry values
Detection Difficulty Moderate — uses rootkit-like hiding, process injection, and encrypted communication
Removal Difficulty Moderate — requires safe mode boot and registry cleaning to fully eliminate persistence

How It Spreads

Trojan:KeyLogger.QB doesn't replicate itself like a worm — it relies on social engineering and deceptive distribution tactics to get installed on victim systems. The most common infection vector involves software bundling, where the keylogger piggybacks on seemingly legitimate free software downloads from third-party hosting sites. Users who click through installation wizards without reading carefully often inadvertently agree to install "additional components" that include the keylogger payload.

Email-based distribution is another primary spreading mechanism. Attackers send messages with enticing subjects ("Invoice Past Due," "Package Delivery Notification," "Security Alert") containing malicious attachments disguised as PDF files, Word documents, or ZIP archives. When opened, these files exploit document vulnerabilities or use macros to download and execute the keylogger. Fake software update notifications — particularly fake Flash Player or codec updates on sketchy streaming sites — also serve as effective delivery mechanisms for this threat family.

Common infection vectors for Trojan:KeyLogger.QB include:

  • Bundled installers from freeware/shareware download sites offering "free" versions of commercial software
  • Malicious email attachments with executable content hidden in document macros or compressed archives
  • Fake software updates presented on compromised websites or through malicious advertising
  • Exploit kits that silently install the trojan when you visit a compromised website with outdated browser plugins
  • Pirated software and key generators distributed through torrent sites and file-sharing networks
  • Malicious USB drives configured with autorun scripts (though less common on modern Windows versions)
  • Remote desktop exploits targeting systems with weak RDP credentials or unpatched vulnerabilities

What It Does On Your Machine

Once Trojan:KeyLogger.QB successfully installs on your system, it immediately begins monitoring every keystroke you make. Unlike legitimate keylogging software used for parental controls or employee monitoring, this malicious version operates without your knowledge or consent. The trojan hooks into low-level keyboard input functions at the operating system level, capturing keystrokes before they even reach the application you're typing into. This means it records everything: passwords typed into login forms, credit card numbers entered on shopping sites, private conversations in messaging apps, and confidential business documents you're working on.

Beyond simple keystroke logging, variants in this threat family typically include additional spying capabilities. Most versions monitor your clipboard, capturing anything you copy and paste — a common method people use to transfer passwords from password managers. The trojan often takes periodic screenshots of your desktop to provide attackers with visual context for the captured keystrokes. Some variants also harvest stored credentials from web browsers, email clients, and FTP programs, instantly compromising accounts you've saved passwords for without requiring the attacker to wait for you to type them.

The collected data gets stored in encrypted log files on your hard drive before being transmitted to the attacker's command-and-control server. This exfiltration typically happens on a schedule — every few hours or once daily — to minimize network traffic that might trigger security alerts. The trojan often disguises its communications as legitimate HTTPS traffic or uses compromised legitimate websites as drop points for stolen data. Because the malware runs with user-level or system-level privileges, it can access virtually any file or folder on your computer, making even supposedly "secure" encrypted drives vulnerable if you enter the decryption password while infected.

Typical Trojan:KeyLogger.QB Filesystem Artifacts
C:\Users\[Username]\AppData\Roaming\{random-GUID}\svchost.exe # Fake system process name C:\Users\[Username]\AppData\Local\Temp\log_20240115.dat # Encrypted keystroke log C:\Windows\System32\config\systemprofile\AppData\Local\{GUID}\update.dll # Registry persistence entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"System Update Service" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Security Module" # Scheduled task for persistence: \Microsoft\Windows\SystemMaintenance # Runs keylogger executable hourly

Performance impact is usually minimal — keyloggers are designed to be stealthy, not disruptive. You probably won't notice significant slowdowns, though you might observe occasional brief CPU spikes when the trojan encrypts and transmits log files. More concerning signs include unfamiliar processes in Task Manager with generic Windows-sounding names (like "System Service Host" or "Windows Update Service"), unexpected network activity when you're not actively browsing, or security software warnings about registry modifications that you didn't initiate.

Manual Removal — Step by Step

01

Disconnect From the Network Immediately

Before doing anything else, physically disconnect your computer from the internet by unplugging the Ethernet cable or disabling Wi-Fi. This prevents the keylogger from transmitting any additional data it has collected and stops it from receiving new instructions from the attacker's server. Do not attempt to use the computer for sensitive activities — assume everything you've typed recently has been compromised.

02

Boot Into Safe Mode With Networking

Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and select option 5 (Enable Safe Mode with Networking). On older Windows versions, repeatedly press F8 during startup. Safe Mode loads only essential system drivers, which prevents most malware — including Trojan:KeyLogger.QB — from automatically starting.

03

Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes with generic Windows-sounding names that aren't legitimate Microsoft services. Common disguises include "svchost.exe" running from unusual locations (legitimate svchost.exe only runs from C:\Windows\System32), "update.exe," or processes with random character strings. Right-click any suspicious process, select "Open file location," note the path, and then end the process. If you're uncertain, search the process name online before terminating it.

04

Remove Registry Persistence Entries

Press Win+R, type "regedit," and press Enter to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries you don't recognize, especially those pointing to the executable locations you identified in the previous step. Right-click suspicious entries and delete them. Also check the RunOnce keys in the same location and the Startup folders referenced in the registry.

05

Delete Scheduled Tasks Created by the Trojan

Open Task Scheduler by typing "taskschd.msc" in the Run dialog. Expand Task Scheduler Library in the left pane and look through the list of scheduled tasks for any with suspicious names or those that run executables from the locations you identified earlier. Select suspicious tasks, check their "Actions" tab to confirm they're running the malware executable, then right-click and delete them. Pay special attention to tasks in Microsoft\Windows folders with generic maintenance-sounding names.

06

Delete the Malware Files and Folders

Navigate to the file locations you identified in Step 3 (typically in %APPDATA%, %LOCALAPPDATA%, or %TEMP%) and delete the entire folder containing the malicious executable. Also search these directories for .dat and .log files that may contain encrypted keystroke logs. Empty your Recycle Bin afterward. If Windows reports that files are in use and cannot be deleted, the process wasn't fully terminated — return to Step 3 or consider using a specialized unlocker utility.

07

Scan With Reputable Anti-Malware Tools

Download and run Malwarebytes Free (temporarily reconnect to the internet if necessary, but only in Safe Mode). Let it perform a full system scan to catch any components you might have missed or additional infections that piggybacked with the keylogger. Quarantine and remove all detected threats. For additional verification, also run a scan with your existing antivirus software (update definitions first) and consider a second-opinion scanner like HitmanPro or ESET Online Scanner.

08

Reset Browser Settings and Check Extensions

Some keylogger variants install browser extensions to capture web form data. Open each of your browsers and check installed extensions, removing any you don't recognize or didn't install yourself. In Chrome, Firefox, and Edge, you can reset browser settings to defaults, which removes malicious extensions and restores settings the trojan may have changed. This won't delete your bookmarks or saved passwords, but you'll need to reconfigure custom settings.

09

Change All Passwords From a Clean Device

This is critical: assume that every password you've typed on the infected machine has been compromised. Using a different device (a clean computer, tablet, or smartphone), change passwords for all important accounts — email, banking, shopping sites, social media, work accounts. Enable two-factor authentication wherever possible. Do not change passwords on the infected computer until you're absolutely certain the infection is completely removed and you've rebooted successfully into normal mode.

10

Reboot Normally and Verify Removal

Restart your computer and boot into normal Windows mode. Immediately check Task Manager for any suspicious processes, verify that the registry entries haven't reappeared, and confirm that scheduled tasks remain deleted. Run one more quick scan with Malwarebytes to ensure nothing reactivated during normal boot. Monitor your system over the next few days for unusual behavior, unexpected network activity, or security software alerts that might indicate remnants of the infection.

Prevention

  1. Download software only from official sources. Avoid third-party download sites that bundle additional "offers" with installers. Get programs directly from the developer's website or through Microsoft Store, Apple App Store, or other verified distribution platforms. If you must use a third-party site, read every installation screen carefully and decline optional components.
  2. Never open unexpected email attachments. Even if an email appears to come from someone you know, verify with them through a separate communication channel before opening attachments, especially executable files (.exe, .scr, .bat) or Office documents that prompt you to enable macros. Remember that attackers can spoof sender addresses to make malicious emails look legitimate.
  3. Keep your operating system and software updated. Enable automatic updates for Windows and all installed applications, particularly web browsers, PDF readers, and Java. Keyloggers often gain initial access through exploitation of known vulnerabilities in outdated software. Patch management eliminates these entry points before attackers can exploit them.
  4. Use reputable antivirus software with real-time protection. Install a quality security suite and keep it updated with the latest definitions. Enable real-time scanning, which monitors files as they're downloaded and executed. While no antivirus catches everything, it provides an essential baseline defense against known threats and suspicious behavior patterns.
  5. Be skeptical of software update prompts on websites. Legitimate software updates come through the application itself or Windows Update, not through pop-ups while browsing. If a website tells you that your Flash Player, video codec, or browser is out of date, close the tab and update directly through the official software or operating system update mechanism.
  6. Disable macros in Office documents by default. Configure Microsoft Office to disable macros in documents from the internet. If you receive a document that prompts you to enable macros to view content, treat it as highly suspicious — this is the number one infection vector for malware delivered via email attachments.
  7. Use a password manager instead of typing passwords. Password managers auto-fill credentials without generating keystrokes, which makes them invisible to keyloggers that only capture keyboard input. This won't protect against all information-stealing techniques (some advanced malware can hook auto-fill mechanisms), but it significantly reduces exposure from basic keystroke logging trojans.
  8. Monitor your financial accounts regularly. Check bank and credit card statements frequently for unauthorized transactions. Early detection of fraudulent activity can minimize damage and alert you to a possible infection even before you notice technical symptoms on your computer. Set up transaction alerts through your financial institution for real-time notifications.
Our 90-Day Warranty Promise: When we remove malware from your computer at Computer Repair Roswell, we guarantee our work. If the same infection comes back within 90 days, we'll re-clean your system at no additional charge. We use professional-grade tools and manual verification techniques to ensure complete removal, not just quick scans that leave remnants behind.

Bring It In

Keylogger infections are particularly serious because of the sensitive information they compromise. Even if you successfully remove the malware using the steps above, you may still be wondering whether you caught everything, or whether the attacker already used your stolen credentials for fraudulent purposes. The peace of mind that comes from professional verification is worth the investment, especially when identity theft and financial fraud are potential consequences of incomplete removal.

At Computer Repair Roswell, we've cleaned thousands of infected machines, and we've seen firsthand the damage that keyloggers can cause when they're not properly removed. Our technicians use enterprise-grade scanning tools, manual registry inspection, and behavioral analysis to ensure that every trace of the infection is eliminated. We're located right here in Roswell, and we typically offer same-day service for malware removal. Give us a call at (770) 824-3575 or stop by our shop at 1735 Hembree Road, Suite 100. We'll get your computer clean, verify that your data hasn't been compromised, and help you set up proper defenses to prevent reinfection. Don't gamble with your passwords and financial information — bring it in and let us handle it right.