Psw Onlinegames Trojan And Other Pains

10 replies to this topic

#1 Cloverleaf

Posted 11 January 2008 - 08:38 AM

Hello. I found this site while trying to research some malware that got onto my computer. It looks great! I've tried reading through some other threads where people had similar problems, but this is all honestly way over my head and way out of my league, so I'm posting my own thread. Also, I don't have much of a grip on this stuff, so please forgive me if the info I provide is really superfluous.

Recently AVG has been throwing up tons of warnings--not constantly, but about 5 to 15 per volley--about Trojan horse PSW.OnlineGames.ZLF (or some other two letters at the end); also Trojan horse Generic9.ADDR (and some with a different number or set of letters at the end of that as well) and Downloader Generic9.ADDR.

So, I throw them all into the virus vault, and in the meantime can't do anything because they just keep rolling in. A friend of mine helping me out found SpyHunter 3 when searching for this virus. So, I downloaded that, didn't pay for it, came here and saw how bad it is, and then promptly uninstalled it. heheh (It's not actually a type of malware itself, is it?) Norton hasn't been finding anything, and I had SuperAntiSpyware on my computer before, but it never picked up on all this. After seeing that SpyHunter was a sham, I thought SuperAntiSpyware might be too, so I uninstalled it. Since coming here, I have DL'ed it again and am running it right now.

I would like to know how to clean my computer up, and I would also like to know what to do for security purposes. I changed all my passwords last night (although, the AVG warnings have been coming up for maybe a few days), and I entered all my new passwords without using any keystrokes (hoping that would circumvent any possible keylogging? but then I realized I was having Internet Explorer save some of them, and then deleted them. Should I reset those passwords again?)

Also, I found something called ctfm0n.exe and deleted it. I saw on another website that this was malware, and I searched for related files (named n0tepad and things like that) but didn't find any of them. I also just noticed some other files in the AVG virus vault: Virus identified Java/ByteVerify (two of those).

Please help! Thanks!


#2 quietman7


Posted 11 January 2008 - 09:11 AM

Please post the results of the SAS scan log in your next reply.

To retrieve the SAS scan log information, launch SUPERAntispyware.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Java.ByteVerify is actually a method to exploit a security vulnerability in the Microsoft Virtual Machine that is stored in the java cache as a java-applet. The vulnerability arises as the ByteCode verifier in the Microsoft VM does not correctly check for the presence of certain malformed code when a java-applet is loaded. Attackers can exploit the vulnerability by creating malicious Java applets and inserting them into web pages that could be hosted on a web site or sent to users as an attachment. Trojan Exploit ByteVerify indicates that a Java applet - a malicious Java archive file (JAR) - was found on your system containing the exploit code.

When a browser runs an applet, the Java Runtime Environment (JRE) stores all the downloaded files into its cache directory for better performance. Microsoft stores the applets in the Temporary Internet Files. The Java.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code...Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer. See: here.

AVG, eTrust EZ Antivirus, Pest Patrol and others will find Java/ByteVerify but cannot get rid of them. If you have the Java-Plugin installed, then deleting them from the Java cache should eliminate the problem. The Java Plug-In in the Control Panel is only present if you are using Sun's Java. If you don't have the Java-Plugin installed then just delete the files manually. The Microsoft Virtual machine stores the applets in the Temporary Internet Files.

Recommended Solution:
If you're using Sun Java, follow the instructions for Clearing the Java Runtime Environment (JRE) Cache.
If you're using IE, Netscape, Mozilla, Opera, or AOL, follow the instructions for Clearing your Web Browser Cache.

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Cloverleaf


Posted 11 January 2008 - 09:36 AM

Thank you, quietman7.

I do have Sun Java, so I followed the instructions for deleting the Java files.

SuperAntiSpyware is going on 2 and a half hours and has found 3 tracking cookies and 1 trojan so far. I will post the results as soon as it finishes.

#4 Cloverleaf


Posted 11 January 2008 - 09:45 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2008 at 03:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3378
Trace Rules Database Version: 1372

Scan type : Complete Scan
Total Scan Time : 02:29:48

Memory items scanned : 567
Memory threats detected : 0
Registry items scanned : 6109
Registry threats detected : 0
File items scanned : 80030
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Prince Phillip.PHILLIPSAPP\Cookies\prince_phillip@serving-sys[2].txt
C:\Documents and Settings\Prince Phillip.PHILLIPSAPP\Cookies\prince_phillip@bs.serving-sys[1].txt
C:\Documents and Settings\Prince Phillip.PHILLIPSAPP\Cookies\prince_phillip@advertising[2].txt

Trojan.Unclassified\NVDISPDRV
C:\WINDOWS\MSPRINT32D.EXE

I am rebooting now, as it suggested.

#5 Cloverleaf


Posted 11 January 2008 - 10:10 AM

Also, this started happening too, but I forgot to mention it. My active desktop is messed up. When I click Restore My Active Desktop, I get this Internet Explorer Script Error:

Line : 65
Char: 1
Error: Object doesn't support this action
Code: 0
URL: file:///C:/Documents%20and%20Settings/......./Application%20Data/Microsoft/Internet%20Explorer/Desktop.htt

How do I fix that, and what could I have done to mess it up? I'm just hoping nothing important got sent to the virus vault. Maybe there was something I should have healed with AVG instead of moving it to the vault? I have no clue.


#6 quietman7


Posted 11 January 2008 - 01:42 PM

Can you post the contents of the log from the Dr.Web CureIt scan?

Msprint32d.exe is a Trojan/Backdoor.

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

#7 Cloverleaf


Posted 11 January 2008 - 08:07 PM

Here are my results from Dr.Web:

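Dr.Web CureIt writes one detection per line as name;directory;threat;action; and a long report like the one posted above is hard to read by eye. The following triage helper is an added example, not part of this thread or of Dr.Web's own tooling: it parses lines in that format, groups them by threat family and action, and separates detections already sitting in the AVG vault or in System Restore snapshots from detections at live paths, which are the ones that indicate the infection was active on the system. The sample report lines are constructed for illustration, with a placeholder restore-point GUID.

```python
"""Triage helper for Dr.Web CureIt report lines (added example).

Each CureIt line has the shape:  <file name>;<directory>;<threat name>;<action>;
"""
import re
from collections import Counter

# Directories where a detection means "already quarantined / archived", not "live":
# AVG's virus vault and Windows System Restore snapshots.
QUARANTINE_MARKERS = ("$vault$", "\\system volume information\\")

# Constructed sample lines in the CureIt format; not a real scan report.
SAMPLE_REPORT = r"""
bad_installer.ins;c:\program files\common files\microsoft shared\msinfo;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
00000001.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
00000002.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
00000003.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
dropper.exe;C:\Documents and Settings\user\Local Settings\Temp;Trojan.PWS.Wsgame.2757;Deleted.;
toolbar.dll;C:\Program Files\ExampleToolbar;Adware.Example.origin;;
A0000001.exe;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP323;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
"""


def parse_line(line):
    """Split one CureIt line into a record; return None for blank or malformed lines."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) < 4 or not parts[0]:
        return None
    name, directory, threat, action = parts[0], parts[1], parts[2], parts[3]
    # An empty action field means the scanner only reported the item.
    return {"name": name, "dir": directory, "threat": threat,
            "action": action.rstrip(".") or "None"}


def threat_family(threat):
    """Strip the variant suffix: Trojan.PWS.Gamania.6637 / .origin -> Trojan.PWS.Gamania."""
    return re.sub(r"\.(\d+|origin)$", "", threat)


def is_quarantined(directory):
    """True if the path lies in the AVG vault or a System Restore snapshot."""
    d = directory.lower()
    return any(marker in d for marker in QUARANTINE_MARKERS)


def triage(report_text):
    """Count detections per family and per action; list the ones at live paths."""
    families, actions, live = Counter(), Counter(), []
    for raw in report_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        families[threat_family(rec["threat"])] += 1
        actions[rec["action"]] += 1
        if not is_quarantined(rec["dir"]):
            live.append(rec)
    return {"families": families, "actions": actions, "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("By family:", dict(result["families"]))
    print("By action:", dict(result["actions"]))
    print("Live (not vault / restore point) detections:")
    for rec in result["live"]:
        print(f"  {rec['dir']}\\{rec['name']}  {rec['threat']}  [{rec['action']}]")
```

Items reported as Incurable.Moved at a live path, like the .ins file under Program Files in the sample, are the ones worth following up on; entries inside the vault were already neutralised by AVG before Dr.Web ever saw them.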

#8 Cloverleaf


Posted 11 January 2008 - 08:15 PM

Also, I forgot to ask; this seemed strange. When I've been starting Windows in safe mode the last two nights to try to sort this out, one of my user accounts wasn't coming up. I have my main user account (with admin. capability) and I had another for a long time but that I never used. When Windows started up in safe mode, I had my main user account, and above that was one just called Administrator, with an icon I've never chosen for an account, which didn't show up in the control panel area for editing user accounts. Is it normal for that Administrator user account to show up, or does that have to do with one of my viruses? Maybe a RAT? (It only had two things on the desktop: Recycle Bin and EOS whatever, which I guess is my camera's software, though I never use it).

Also, I don't understand why that other user account wasn't showing up.

#9 quietman7


Posted 11 January 2008 - 10:04 PM

  • Right click on your desktop.
  • Select Properties > Themes tab.
  • Choose a different theme from your list.
  • Click apply.
  • Reselect your current theme and Click apply.
Also see:
An Error Has Occurred in the Internet Explorer Script
How to Enable or Disable the Active Desktop

I'm not aware of this infection creating a new Administrator account but other malware can. W Trj/Artesimda.A creates a new account in Windows XP, whose user name is "Administrator". It uses rootkit functionalities to gain remote access and full control of the affected computer by using a Windows service of remote administration. It steals confidential data, such as usernames and passwords belonging to banking and email accounts, computer information, IP addresses, open ports and sends it to a server.

In Windows XP Home Edition, the built-in "Administrator Account" is only accessible in Safe Mode and is the default account for that mode.

In Windows XP Pro, the "Administrator Account" logon option appears in Safe mode if more than one account is created on the system. The administrator account is available in Normal mode only if there are no other accounts on the system.

#10 Cloverleaf


Posted 11 January 2008 - 10:17 PM

Quietman7, thanks a ton. A few things.....

1. For the first answer: Thanks. That was too simple, hahah....

2. So are you saying that that Administrator account that I only saw in Safe Mode was in fact just the default account? I'm not sure what the conclusion is on that. Also, is it suspicious that my other legit user account wasn't coming up? I didn't need it, so I've since deleted it anyway. But that concerned me.

3. Is there anything else I need to do about all this? Shall I consider myself bug-free? I would like to be able to start just typing my passwords in, as I've been too scared to do so lately, not knowing whether the info was being snagged from me. Am I being overly cautious?


#11 quietman7


Posted 11 January 2008 - 10:25 PM

Am I being overly cautious?

Re-read post #6 with my warning about your infection. Consider the fact that your computer was compromised and change all passwords as instructed.