I Have A Keylogger, And Have Run Tried Scans...


15 replies to this topic

#1 Ryum


Posted 28 January 2008 - 11:33 AM

I believe I got the keylogger from a link on the World of Warcraft message board.

This was about a week ago. I had my account's characters, gold, items, etc. stolen/deleted and had the account temp banned.

During which time I ran HouseCall, avast, AVG, and more... occasionally one of them would find something like a trojan named ad-ware, but I don't remember the details.
I thought everything was clear, when someone other than me changed the password to my WoW account again.

I ran to another computer, reset and changed the PW there before they could do anything on my account.

I have family photos, videos of my kid taking his first steps on this computer... I cannot reformat it... I am running AVG as we speak to see if I can get that trojan to pop up so I can give more exact info on what this program is, but until then do you guys have any advice on how I can possibly get rid of this thing once and for all?

Thanks


#2 nigglesnush85


Posted 28 January 2008 - 12:05 PM

Hello,

If all those AV products couldn't find anything, then there are two possibilities:
1. It is a very sophisticated kind of malware that is hidden in a rootkit or something similar.
2. Someone else other than you had the password to your account. Have you talked to the people running it? They should have a list of times and possibly addresses from which the account was accessed; it may shed some light on the situation.

To be safe, I would advise that you make a backup of your files on to a CD or removable media of any description; this way, if the worst should happen, it isn't a total loss.
Regards,

Alan.

#3 Ryum


Posted 28 January 2008 - 12:20 PM

No one has the password to the account... AVG is still running.

/sigh AVG just came back clear.

Edited by Ryum, 28 January 2008 - 12:33 PM.


#4 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 28 January 2008 - 02:16 PM

Are you using AvgFree anti-virus or AVG Anti-spyware?

You did not specify and I see you are also using avast!
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Ryum


Posted 29 January 2008 - 08:52 AM

Both anti-virus; DLing the anti-spyware now.

Any other anti-spyware I should try?

I have always used Lavasoft Ad-Aware and Spybot, but they both missed this bug.

#6 quietman7


Posted 29 January 2008 - 09:03 AM

AVG Anti-Spyware Install-Scan Instructions

Note: Using more than one anti-virus program is not advisable even if you're using one of them as a stand-alone on-demand scanner. Even when one of them is disabled, it can affect the other. Issues can arise when the active anti-virus detects the non-active one's definitions or quarantined files. Further, dual installation is not always possible because some anti-virus programs will detect the presence of others and may insist they be removed prior to installation.

The primary concern with using more than one anti-virus program is due to conflicts that can arise when both are running in real-time mode simultaneously. Anti-virus software components insert themselves into the operating system's core, and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files, this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognised by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software. When necessary, you can always get another opinion by performing an Online Virus Scan.

Most anti-virus vendors recommend that you install and run only one anti-virus program at a time:
Symantec's statement.
Avast's statement.
AVG's statement.
Dell Support advises the same for their systems.

#7 narcispy


Posted 29 January 2008 - 11:02 AM

Might want to call up Blizzard. I know they can restore your deleted characters for a price, and other things like that. Mine was gone for being off the server for so long, but they were able to recover it.

#8 Ryum


Posted 29 January 2008 - 02:02 PM

I deleted all the anti-virus stuff I had, and then DLed AVG Spyware and Virus, ran them in safe mode, and finally I think I found this trojan that is the keylogger or something like it,

called
psw.online.ackh

and looked it up, and it seems to be able to reproduce itself in the forms of
Trojan horse PSW.OnlineGames.WZB
Trojan horse PSW.OnlineGames.XAN
Trojan horse PSW.OnlineGames.XAO
Trojan horse PSW.OnlineGames.WZC
Trojan horse PSW.OnlineGames.WYS
Trojan horse PSW.OnlineGames.WUJ

I don't know what it means, but it might be why I get the all clear and then somehow it comes back...

Still looking for how to get rid of this specific bug for good, short of reformatting... thanks

#9 Ryum


Posted 29 January 2008 - 02:27 PM

Does this help?


ComboFix 08-01-29.3 - HP_Owner 2008-01-29 13:07:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2254 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\LVR6Z3IE\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
C:\Documents and Settings\HP_Owner\Application Data\macromedia\Flash Player\#SharedObjects\77G47ECD\www.broadcaster.com
C:\Documents and Settings\HP_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\HP_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 08:08 . 2008-01-29 08:08 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2008-01-29 08:04 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 10:14 . 2008-01-28 10:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 10:14 . 2008-01-29 11:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-01-28 10:13 . 2008-01-29 08:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 22:12 . 2008-01-27 22:12 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-27 01:27 . 2008-01-28 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-24 10:28 . 2008-01-24 10:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-24 09:34 . 2008-01-24 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 19:41 . 2008-01-23 19:41 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-01-23 19:41 . 2008-01-23 19:41 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\HouseCall 6.6
2008-01-22 18:24 . 2008-01-22 18:27 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-22 18:08 . 2008-01-22 18:08 <DIR> d-------- C:\Program Files\Citrix
2008-01-22 18:08 . 2008-01-22 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-01-22 18:07 . 2008-01-22 18:08 61,224 --a------ C:\Documents and Settings\HP_Owner\GoToAssistDownloadHelper.exe
2008-01-22 17:27 . 2008-01-22 17:27 81 -r-hs---- C:\WINDOWS\CT4CET.bin
2008-01-22 17:26 . 2008-01-22 17:26 <DIR> d-------- C:\Program Files\Common Files\Reallusion
2008-01-22 17:26 . 2008-01-22 17:26 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-01-22 17:26 . 2008-01-22 17:26 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2008-01-22 17:26 . 2007-02-14 12:27 5,627,904 --a------ C:\WINDOWS\system32\LiveCamVirtual.ocx
2008-01-22 17:26 . 2007-01-15 17:57 31,616 --a------ C:\WINDOWS\system32\drivers\livecamv.sys
2008-01-22 17:25 . 2008-01-22 17:25 <DIR> d-------- C:\Program Files\Creative Live! Cam
2008-01-22 17:20 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2008-01-22 17:19 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-01-22 17:19 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2008-01-22 17:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-22 17:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-22 17:19 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2008-01-22 17:19 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\system32\dllcache\ccdecode.sys
2008-01-12 20:13 . 2008-01-12 20:13 <DIR> d-------- C:\Program Files\QuickTime
2007-12-31 06:06 . 2007-12-31 06:12 <DIR> d-------- C:\Program Files\WinAce

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-27 05:24 13,084 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-01-26 11:01 --------- d-----w C:\Program Files\Lavasoft
2008-01-26 10:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-24 15:34 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-01-22 23:38 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Creative
2008-01-22 23:27 --------- d-----w C:\Program Files\Creative
2008-01-22 23:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 23:25 --------- d-----w C:\Program Files\Dell
2008-01-11 05:48 --------- d-----w C:\Program Files\Morpheus
2007-12-31 12:00 --------- d-----w C:\Program Files\Apple Software Update
2007-12-28 12:40 --------- d-----w C:\Program Files\Workspace Macro 4.6
2007-09-26 19:16 71,224 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 12:34 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 03:46 196608]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-30 04:25 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"OEM05Mon.exe"="C:\WINDOWS\OEM05Mon.exe" [2007-05-08 11:00 36864]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 12:24 53248]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 07:54 253952]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 05:42 659456]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [ ]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 16:34 245760]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 16:43 118784]
"CTHelper"="CTHELPER.EXE" [2003-11-13 12:18 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 02:00 45056]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-28 10:15 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-28 10:13 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-20 13:13 49152 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{001EA33E-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\aow.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll 2008-01-22 18:08 10536 C:\Program Files\Citrix\GoToAssist\508\g2awinlogon.dll

R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-23 13:16]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;C:\WINDOWS\system32\Drivers\OEM05Afx.sys [2007-06-07 11:00]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM05Vfx.sys [2007-03-05 04:45]
R3 OEM05Vid;Creative Camera OEM005 Driver;C:\WINDOWS\system32\DRIVERS\OEM05Vid.sys [2007-07-19 11:00]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;C:\WINDOWS\system32\DRIVERS\livecamv.sys [2007-01-15 17:57]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe" Start=service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-29 19:19:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 13:17:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\OEM05Mon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 13:22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 19:22:19
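A log like the one above is easier to triage when its "Reg Loading Points" section is parsed rather than eyeballed. The following is an added example, not code from this thread or from ComboFix: it parses that REGEDIT4-style section and flags entries that load from a temp directory, have no date/size recorded (ComboFix's "[ ]"), or sit in a sensitive load point such as ShellExecuteHooks. The sample log is constructed from a few lines of the log above, and the flagging rules are my own triage heuristics, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format of the "Reg Loading Points" section of the
# ComboFix log quoted in this thread. The HPDJ and aow.dll entries are copied
# from that log; the rest of the log is trimmed for brevity.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-28 10:15 579072]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{001EA33E-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\aow.dll [ ]
"""

# [registry key]
SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "value name"="path" [date time size]   or   "value name"= path [ ]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<path>[^"\[]+?)"?\s*\[(?P<info>[^\]]*)\]\s*$')
# Locations a persistent autostart binary has no good reason to live in.
TEMP_RE = re.compile(r'\\temp\\|\\tmp\\|\\temporary internet files\\', re.I)
# Load points that inject into the shell or run at logon; ordinary software
# rarely uses them, so anything unexpected here deserves a close look.
SENSITIVE_KEY_RE = re.compile(r'shellexecutehooks|winlogon\\notify', re.I)


@dataclass
class Entry:
    key: str    # registry key the value lives under
    name: str   # value name, e.g. "AVG7_CC", or a CLSID for a shell hook
    path: str   # file the value points to
    info: str   # ComboFix's "date time size" for that file, or blank


def parse_loading_points(text: str) -> List[Entry]:
    """Parse the REGEDIT4-style 'Reg Loading Points' section into entries."""
    entries, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            key = m.group("key")
        elif key and (m := ENTRY_RE.match(line)):
            entries.append(Entry(key, m.group("name"),
                                 m.group("path").strip(), m.group("info")))
    return entries


def flag_entry(e: Entry) -> List[str]:
    """Return the reasons (possibly none) this load point deserves attention."""
    reasons = []
    if TEMP_RE.search(e.path):
        reasons.append("loads from a temp directory")
    if not e.info.strip():
        # ComboFix printed "[ ]": no date/size was recorded for the target.
        # On its own this is weak evidence (see the HPDJ entry, which is
        # ordinary printer software); combined with the other flags it is not.
        reasons.append("no file date/size recorded")
    if SENSITIVE_KEY_RE.search(e.key):
        reasons.append("registered in a sensitive load point")
    return reasons


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """(name, path, reasons) for every flagged entry, strongest hits first."""
    hits = [(e.name, e.path, flag_entry(e)) for e in parse_loading_points(text)]
    hits = [h for h in hits if h[2]]
    hits.sort(key=lambda h: -len(h[2]))
    return hits


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name}\n    {path}\n    -> {'; '.join(reasons)}")
```

Run against the sample, the aow.dll hook comes out on top with all three flags, while the HPDJ entry is reported once and left for a human to dismiss.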

#10 quietman7


Posted 29 January 2008 - 02:34 PM

Trojan-PSW:W32/OnlineGames

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version)
  • When the Dr.Web opens, an "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.csv report)
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply.
Then perform this online Virus scan: F-Secure Online Scanner. <- Follow the directions on the F-Secure page for proper Installation. (also checks for rootkits) (Vista compatible)
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

#11 Ryum


Posted 29 January 2008 - 09:10 PM

04243656.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;;

#12 quietman7


Posted 29 January 2008 - 09:45 PM

What did the F-Secure scan find?

#13 Ryum


Posted 29 January 2008 - 09:51 PM

That is still running, will post when done.

#14 Ryum


Posted 29 January 2008 - 10:21 PM

Scanning Report
Tuesday, January 29, 2008 20:17:10 - 21:17:23
Computer name:
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 1 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 44735
System: 5278
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\HP_OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{12A29988-2C64-486E-BD90-EA24B5138BA0}

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2008-01-29
F-Secure AVP: 7.0.171, 2008-01-29
F-Secure Orion: 1.2.37, 2008-01-29
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2008-00-28
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQXJPG SWF
Use Advanced heuristics

#15 quietman7


Posted 29 January 2008 - 10:33 PM

How is your computer running now? Any more signs of malware?
