DDS Log - Please diagnose (Possible Key Logger)


  • This topic is locked
14 replies to this topic

#1 Cas34
Posted 25 January 2009 - 12:37 AM

I recently found a key logger on my PC when I ran a-squared free. When I found it I rebooted in safe mode and ran AVG, Spybot S&D and a-squared free. Both AVG and Spybot were clean and a-squared showed the key logger, which I used to quarantine the key logger. I then ran HJT and it showed some things that I had not seen before: "O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll". This showed 9 times on just one run. It also had a couple of other suspicious entries in lines O8 and O9. I used HJT to kill both and then I deleted the registry entries. I also did a system restore and registry restore to the day before I got the key logger. I think I have managed to get rid of the key logger but want to make sure. Therefore I would be grateful if someone could take a look at my log and tell me if I managed to zap it. I should add that I use KeePass, which runs from my USB drive, and I never manually type my passwords. I also do not have any sensitive information on my PC, so there is nothing for a keylogger to steal that would concern me. Anyway, here are the logs:


DDS (Ver_09-01-19.01) - NTFSx86
Run by LHC08 at 5:10:43.53 on 25/01/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.892.355 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\The TechGuys\Launch\Launch.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Software\Key Pass\KeePass.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\LHC08\Documents\Downloaded Software\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI;
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI;
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI;
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [kdx] c:\program files\KHost.exe -all
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
mRun: [<NO NAME>]
mRun: [SpareMessaging] "c:\program files\spare messaging\MessagingApp.exe"
mRun: [UpdateP2GShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\launch.lnk - c:\windows\installer\{4a65dad2-e914-4923-9c2a-81b968a68ce2}\_A685CC3126A7CC37D335DE.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\lhc08\appdata\roaming\mozilla\firefox\profiles\vlz2pn9x.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - plugin: c:\users\lhc08\appdata\roaming\mozilla\firefox\profiles\vlz2pn9x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 97928]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2008-11-28 69128]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-10-24 342016]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-9-9 458752]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-9-9 48128]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-28 231704]

=============== Created Last 30 ================

2009-01-21 17:01 <DIR> --d----- c:\program files\a-squared Free
2009-01-21 16:31 0 a------- c:\windows\Bootus.INI
2009-01-21 16:28 73,728 a------- c:\windows\system32\GkSui18.EXE
2009-01-21 06:32 0 a------- c:\windows\system32\tviresource.val
2009-01-21 06:31 <DIR> --d----- c:\windows\TweakVI
2009-01-21 06:27 <DIR> --d----- c:\program files\NeoSmart Technologies
2009-01-19 19:22 <DIR> --d----- c:\users\lhc08\appdata\roaming\Foxit
2009-01-19 19:22 <DIR> --d----- c:\program files\Foxit Software
2009-01-18 06:32 <DIR> --d----- c:\program files\ShadowExplorer
2009-01-17 03:19 <DIR> --d----- c:\program files\VS Revo Group
2009-01-14 03:32 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-12 22:03 <DIR> --d----- c:\programdata\WindowsSearch
2009-01-12 11:18 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-01-12 11:07 <DIR> a-d----- c:\programdata\TEMP
2009-01-12 11:07 <DIR> --d----- c:\program files\WirelessMon
2009-01-11 15:06 67,616 a------- c:\windows\unTMV.exe
2009-01-09 11:48 <DIR> --d----- c:\program files\Trend Micro
2009-01-09 08:45 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-05 23:51 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-01-05 23:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-05 23:51 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy

==================== Find3M ====================

2009-01-11 19:38 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-11 19:38 51,200 a------- c:\windows\inf\infpub.dat
2009-01-11 19:38 86,016 a------- c:\windows\inf\infstor.dat
2008-11-28 12:40 69,128 a------- c:\windows\system32\drivers\avgwfpx.sys
2008-11-28 12:40 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-28 12:40 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-11-24 14:01 499,712 a------- c:\windows\system32\msvcp71.dll
2008-11-24 14:01 348,160 a------- c:\windows\system32\msvcr71.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-01 03:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 03:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 03:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 03:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 03:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 03:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 01:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 a------- c:\windows\explorer.exe
2008-06-20 07:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 02:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 12:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-21 14:39 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 5:11:49.77 ===============


#2 extremeboy
Posted 31 January 2009 - 03:01 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


then ran HJT and it showed some things that I had not seen before "O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll", this showed 9 times on just one run.

This may be a key logger but it could be used for legitimate or malicious purposes. From what I see it is probably used for legitimate purposes, it's related to Windows Vista - Windows Parental Control Related. Your parents may have set this to manage what you do on the computer. If you want to bypass that and remove it then I will not help you that. If this is the reason you posted this topic then I'm sorry, I will not continue. I do not know if you are removing this for legitimate or bad reasons so I cannot proceed. If you want to check if you have any malware still on your computer then please follow the instructions below and I will be glad to help you. I will not be removing the Windows Parental Control, however.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTScanIt

Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Please post back with:
-OTScanIT log
-Kaspersky log
-What Problems do you still have?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Cas34
Posted 01 February 2009 - 04:55 AM

Hi EB,

In your response you mentioned parental control. Can I just say that I am 34 years old and the only user of this PC, I also have parental control disabled in the services (see attached screenshot). If I have it disabled should it be showing up in HJT logs? If you look at my original post you will see why I posted here. I had a key logger which I think I managed to delete and I was looking for someone to verify if I was clean or it is still there.

Anyway I have now followed the instructions and here are the results:

1. ATF Cleaner is for XP and 2000 but I am running Vista, will it still work on Vista? If so let me know and I will run it.

2. I have attached the OTscanIT log as well.

3. Kaspersky was totally clean when I ran it:

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
S:\
Scan statistics
Files scanned 73537
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:01:13

No malware has been detected. The scan area is clean.
The selected area was scanned.

Thank you for taking the time to look at this for me and I look forward to your reply.

#4 extremeboy
Posted 01 February 2009 - 10:12 AM

Hello Cas34.

Can I just say that I am 34 years old and the only user of this PC, I also have parental control disabled in the services (see attached screenshot). If I have it disabled should it be showing up in HJT logs? If you look at my original post you will see why I posted here. I had a key logger which I think I managed to delete and I was looking for someone to verify if I was clean or it is still there.

Fair enough, but I can't really help you on physically removing it. You could disable it if you wish, and from what I see you already disabled it. BleepingComputer even has a tutorial on setting it up and disabling it. Worth reading, and it can be found in this link.

It's not showing; it's just the LSP (LSPs are designed to integrate directly into the computer's TCP/IP layer, the protocol used to communicate on the Internet. LSPs are installed in such a way that each LSP in the TCP/IP handler is chained together with the others) that is showing in the HijackThis log, but that doesn't matter. The service is not shown, which means it won't be started at every startup.

Could you tell me the file name of the keylogger? The Kaspersky scan was clean and the OTScanIT2 log looks fine too, just a few "orphaned" entries and some other temp files that can't really do too much, but we will still remove them.

1. ATF Cleaner is for XP and 2000 but I am running Vista, will it still work on Vista? If so let me know and I will run it.

No need to run it then.

Run Script with OTScanIT2

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files if you lost your copy.
It will create a folder named OTScanIt2 on your desktop. Double-click the OTScanIT2 folder, then double-click on OTScanIT2.exe to start the program.

Copy/Paste the information in the codebox below into the green pane where it says "Paste fix here" and then click the Run Fix button at the top.

[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3248220882-685060463-2188232748-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-3248220882-685060463-2188232748-1000\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
[Alternate Data Streams]
NY -> @Alternate Data Stream - 148 bytes -> %AllUsersProfile%\TEMP:B7177954
[CatchMe Rootkit Scan by GMER]
NY -> C:\ProgramData\TEMP:B7177954 148 bytes ->

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

Re-Run Scan with OTScanIT2

Run a new OTScanIt2 scan with the following options.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS that you have opened currently.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located (Should be in the OTScanIT2 folder)
  • Attach that file back here in your next reply.
From what I can see I think the keylogger is probably already gone. If you do believe you had a keylogger then it would be wise to use another clean computer to change all passwords, including games, banking, financial work etc.

Post back with:
-GMER Log
-The Keylogger file name, if you remember
-What Problems do you still have?


Attach back with:
-OTScanIT2 Fix Log
-New OTScanIT2 Scan log


With Regards,
Extremeboy
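The LSP chaining EB describes above can be checked directly instead of being inferred from a HijackThis O10 line. The following PowerShell is an added example, not code from this thread or from any tool it mentions; it assumes Windows PowerShell 3.0 or later and an elevated prompt, and it only reads the Winsock catalog and file signatures.

```powershell
# Added example (not from the thread): list every layered Winsock provider
# (what HijackThis reports as O10) and check whether its DLL carries a valid
# Authenticode signature, so an "Unknown file in Winsock LSP" entry such as
# wpclsp.dll can be verified rather than removed on suspicion.
# Read-only: uses only the built-in netsh and Get-AuthenticodeSignature.

$catalog = netsh winsock show catalog

# Each catalog entry is a block of "Field:   value" lines that starts with
# "Winsock Catalog Provider Entry". Collect type, description and path per block.
$entries = @()
$current = $null
foreach ($line in $catalog) {
    if ($line -match '^Winsock Catalog Provider Entry') {
        if ($current) { $entries += $current }
        $current = @{ Type = ''; Description = ''; Path = '' }
        continue
    }
    if (-not $current) { continue }
    if ($line -match '^Entry Type:\s+(.+)$')    { $current.Type        = $Matches[1].Trim() }
    if ($line -match '^Description:\s+(.+)$')   { $current.Description = $Matches[1].Trim() }
    if ($line -match '^Provider Path:\s+(.+)$') { $current.Path        = $Matches[1].Trim() }
}
if ($current) { $entries += $current }

# Layered entries ("Layered Service Provider" / "Layered Chain Entry") are the
# LSPs. One DLL appears once per base protocol it is chained over, which is
# why a single LSP can show up many times in a HijackThis log.
$layered = $entries | Where-Object { $_.Type -like 'Layered*' }

$report = foreach ($e in $layered) {
    # Catalog paths are stored with environment variables, e.g. %SystemRoot%.
    $dll = [Environment]::ExpandEnvironmentVariables($e.Path)
    if (Test-Path -LiteralPath $dll) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = [string]$sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    } else {
        # A catalog entry pointing at a missing file is itself worth a look.
        $status = 'FileMissing'
        $signer = ''
    }
    [pscustomobject]@{
        Description = $e.Description
        Dll         = $dll
        Signature   = $status
        Signer      = $signer
        InSystem32  = $dll -like "$env:SystemRoot\System32\*"
    }
}

# Review each distinct DLL once; anything unsigned, invalidly signed, missing,
# or living outside System32 is the candidate for closer inspection.
$report | Sort-Object Dll -Unique | Format-Table -AutoSize
$report | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InSystem32 } |
    Sort-Object Dll -Unique | Format-List
```

A provider that is Microsoft-signed and sits in System32, as the Windows Parental Controls LSP does, is what a legitimate O10 entry looks like; the second table is empty on a machine with only such entries.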

#5 Cas34
Posted 01 February 2009 - 11:27 AM

Hi EB,

Thank you for getting back to me on this. I ran the fix in OTscan IT and have attached the log.

With regards to gmer I downloaded it and extracted it to its own folder as suggested but when I try to run it the programme stops responding, therefore I am unable to run a scan with it. Is this because I have Vista?

As I was unable to run gmer I did not bother running OTscanIt again but can run it if you still wish me to.

With regards to the key logger, since I started using a-squared free I have found 2 key loggers on my PC. Here are the names of them as requested.

1. trojan spy.win32.key logger!IK

2. trojan spy.win32.banker.to!IK

With regards my passwords and sensitive information, I do not use this PC for anything sensitive so if there is a keylogger they would not get anything worthwhile. I am also using software called key pass and it runs from my USB drive. This software manages all my passwords and I used a strong password generator to make my passwords so I do not think that a key logger would be able to gain any passwords I use.

Please let me know what the next step is when you get a free moment.

p.s. When I boot up my PC a parental control message appears. It has been a while since I rebooted my PC so I cannot remember exactly what it is. If you need this information let me know and I will reboot to find it. Also there are only 2 accounts on this PC: one is LHC08 and the other is Administrator, which I created to minimise the hassle of UAC. Both of these accounts are administrator accounts and you are not able to set up parental control on them as far as I can gather.

p.s.s. The LSPs are still appearing in my HJT log. I do not want to mess about with that as I know that it can stop my internet working.

#6 extremeboy
Posted 01 February 2009 - 11:59 AM

Hello.

A keylogger is a program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.). It doesn't matter whether you have a strong password or not: as long as you have gone into your account or typed your password at any time, the keylogger program probably already knows your password.

With regards to the key logger, since I started using a-squared free I have found 2 key loggers on my PC. Here are the names of them as requested.

I wasn't really looking for the name of the malware but rather the file name meaning what file it's pointing to. Could you tell me what file/registry key/folder etc.. is being flagged as "trojan spy.win32.key logger!IK"?

p.s. When I boot up my PC a parental control message appears, it has been a while since I rebooted my PC so cannot remember exactly what it is. If you need this information let me know and I will reboot to find it.

Sure, reboot and tell me what the message is..

p.s.s. The LSPs are still appearing in my HJT log. I do not want to mess about with that as I know that it can stop my internet working.

This will not be dealt with because it's related to your Parental Control. As long as you disabled it (read the link if you are not sure) I think it would be fine.. It won't do anything.

Please reboot your computer and try GMER again. If that doesn't work reboot into Safe Mode and try to run GMER as I have explained in my previous post. Also GMER in Vista is different so after you double click on it, let it run after it's done hit the scan button and post the log once it's done.. Re-Run OTScanIT2 as well. Answer my questions in your next post that I have asked above.

With Regards,
Extremeboy

#7 Cas34
Posted 01 February 2009 - 12:56 PM

Hi EB,

I am still unable to run gmer it just stops working soon after double clicking on it. I have made sure all programmes are shutdown and I have also tried it in safe mode, on top of that I tried both downloads that you linked. Is there an alternative to this?

With regards the key loggers I found, I am afraid I do not remember the paths but I remember they were contained in files I downloaded and I deleted the offending files when I realised I had a key logger.

When I boot up my PC I get a pop up for parental control. In the pop up it tells me to view activity reports. This is rather odd as I do not or have never used parental control and like I said it is disabled. I even went in to parental control to check for activity reports and there were none there.

Hope this answers the questions you posed in the last post.

#8 extremeboy
Posted 01 February 2009 - 01:36 PM

Hello.

As long as you removed those files and didn't run it, you are probably fine as I don't see much signs of infection anywhere right now.

Try renaming GMER.exe into something random such as: darkness.com. Try running it again and see if it works. If not run Avira anti-rootkit instead.

Download and Run Avira AntiRootkit

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop. Right click it and select Extract All. Delete the .zip file after extraction.
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe, then Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive).
You have now successfully installed Avira AntiRootkit.
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run. Be patient until the scan finishes.
  • Click View report and copy the entire contents into your next reply.
Note: Do not choose to rename any items found yet. There may be false positives.

Post back with:
-GMER Log <- if it works
-Avira Log
-New OTScanIT log
-Is pop up for parental control the only problem you have? That doesn't seem malware related though.


With Regards,
Extremeboy

#9 Cas34
  • Topic Starter
  • Members
  • 28 posts

Posted 01 February 2009 - 02:31 PM

Hi EB,

I was still unable to run GMER, but I did manage to run Avira and here is the log:

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started 01 February 2009 - 19:07:53
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 138.31 GB
- Working disk free size : 82.36 GB (59 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/77787
Registry items: 0/271438
Processes: 0/49
Scan time: 00:03:40
--------------------------------------------------------------------------------------------------------
Active processes:
- iqetfqki.exe (PID 3924) (Avira AntiRootkit Tool - Beta)
- System (PID 4)
- smss.exe (PID 432)
- csrss.exe (PID 512)
- wininit.exe (PID 560)
- csrss.exe (PID 572)
- services.exe (PID 616)
- lsass.exe (PID 648)
- lsm.exe (PID 656)
- winlogon.exe (PID 664)
- svchost.exe (PID 876)
- svchost.exe (PID 940)
- svchost.exe (PID 1008)
- svchost.exe (PID 1076)
- svchost.exe (PID 1096)
- audiodg.exe (PID 1212)
- SLsvc.exe (PID 1244)
- svchost.exe (PID 1280)
- svchost.exe (PID 1412)
- svchost.exe (PID 1576)
- a2service.exe (PID 1796)
- avgwdsvc.exe (PID 1860)
- KService.exe (PID 1936)
- svchost.exe (PID 124)
- svchost.exe (PID 276)
- SearchIndexer.exe (PID 300)
- avgemc.exe (PID 1252)
- avgrsx.exe (PID 1472)
- avgnsx.exe (PID 1584)
- avgcsrvx.exe (PID 2060)
- taskeng.exe (PID 2224)
- taskeng.exe (PID 2644)
- dwm.exe (PID 2700)
- explorer.exe (PID 2752)
- RtHDVCpl.exe (PID 2876)
- SiSTray.exe (PID 2892)
- MessagingApp.exe (PID 2944)
- avgtray.exe (PID 3020)
- jusched.exe (PID 3040)
- wpcumi.exe (PID 3048)
- Launch.exe (PID 3132)
- WmiPrvSE.exe (PID 3580)
- unsecapp.exe (PID 3592)
- PresentationFontCache.exe (PID 3780)
- firefox.exe (PID 3944)
- taskeng.exe (PID 772)
- VSSVC.exe (PID 2812)
- svchost.exe (PID 2056)
- avirarkd.exe (PID 4076)
========================================================================================================
- Scan finished 01 February 2009 - 19:11:33
========================================================================================================


After I did that I ran OTScanIT on default settings and have attached the log.

With regard to the pop-up, it is only a small window that appears reminding me to check activity reports. This is the only thing that happens. My PC is running as I wish it to run, though, and I have not seen any problems. As I said in my original post, I think I managed to clean my PC myself but I was wanting an expert to confirm this. Speak to you soon.

#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 February 2009 - 03:00 PM

Hello.

> After I did that I ran OTScanIT on default settings and have attached the log.

I don't see it :thumbup2:

> As I said in my original post, I think I managed to clean my PC myself but I was wanting an expert to confirm this. Speak to you soon.

Probably right; let's just do one last online scan to make sure before I let you go. Regarding the popup, that's probably because Windows Parental Control is set to run at startup. We will remove it once you post the OTScanIT log back to me and it should be gone :)

F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
Attach back with:
-OTScanIT log <- You can attach this one first and then run the F-Secure scan.

Post back with:
-F-Secure log

#11 Cas34
  • Topic Starter
  • Members
  • 28 posts

Posted 01 February 2009 - 05:44 PM

Hi,

I have run both scans now and here are the results:

F-Secure log:

Scanning Report
Sunday, February 01, 2009 21:51:54 - 22:38:05

Computer name: HOME-PC
Scanning type: Scan system for malware, rootkits
Target: C:\ S:\
Result: 1 malware found
TrackingCookie.Doubleclick (spyware)

* System

Statistics
Scanned:

* Files: 26619
* System: 3198
* Not scanned: 38

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\228480A62A4D0715C466674F6073C62C_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2E2E84207950E3560EBF20C9D673F21A_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\437A5D9ECF66D4F4944E9BA6CE5CDD23_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4E1830A976F29F4FB3D5D6BDDFCD1190_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\62119A43AB52AB9FBD6FF16CBC4E820A_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\65176B3CA5C15F46CA043346F090219A_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7B56A7F92EB2E0C3FCEA30423FD08340_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7BF82891804CDDCF0A0245E6926B41C6_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\954498C49F476FF0BD6AB2AFE12D794B_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A10E0B8857DABFED732A7ACEC450012E_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A7483C0914A35FAFEA5BAC8E711EDD3A_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B0C9159A0BBFB433ACB76E55DFB95290_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B1012BD0A994490BE4B52EBB7354AAE2_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\BE91DF32ABFA432652DEF56FFF058DD2_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C8C7ACBDCAF61888F884D58A7480ECEF_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D30145269348FD5A9555D9A514BED78B_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D5CB1F484CB89052CF08BAED8E1100E1_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DC0F931A0F9DB58D59B4089D95A16201_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DEF91036546C2D4EF41D589CFF7377F2_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DFED6BE5B9937B68752E7EAA820AD26E_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F22AF8E3050BED848A662E0FA898C37E_2A121F45-6D58-4BFE-BF19-47AFBB41DE03
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F269863622CE5ECE237BB0AD2434D2D6_2A121F45-6D58-4BFE-BF19-47AFBB41DE03

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-01
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure AVP: 7.0.171, 2009-02-01

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

I have attached the log from OTscanIt as well.

Attached Files



#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 February 2009 - 05:59 PM

Hello.

I looked it over. The OTScanIT2 log looks fine. The F-Secure scan also looks fine; you probably didn't have an infection. You just downloaded a "bad" file, but I'm glad your AV detected it and removed it immediately. :thumbup2:

Regarding the popup you still get at startup, that is because you didn't disable the startup entry. Let's disable it.

We will use Hijackthis as it's probably easier.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • To the left of each entry you will see a box. Put a checkmark next to the following entries:


    O4 - HKLM\..\Run: [WPCUMI] c:\windows\system32\WpcUmi.exe


    If you no longer see some of the entries, don't worry. It is possible that the uninstaller or removal tool already took care of it. If it is marked " (file missing) ", put a check mark next to its box anyways.
  • Close all open windows except HijackThis.
  • Click Posted Image and OK at the prompt.
  • Close HijackThis.
That entry is related to the Parental Control, so by removing it you shouldn't have it on startup anymore :)

Reboot and tell me how it goes. Do you have any more problems? From what I can see you look fine so far.

With Regards,
Extremeboy
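
As an added example, not from the thread and not part of HijackThis, here is a PowerShell equivalent of the O4 step above: it lists the Run/RunOnce values that HijackThis reports as O4 entries, flags any whose target file is missing (what HijackThis shows as "(file missing)"), and removes a named value only after exporting its key with reg.exe so the change can be reverted. The value name WPCUMI and its key come from the O4 line in the post; the function names and the backup folder are my own assumptions. It must run from an elevated Windows PowerShell session, since the entry lives under HKLM.

```powershell
# Added example (not from the thread): audit the Run keys that HijackThis lists
# as O4 entries, and remove one named value after backing its key up.
# Assumes Windows PowerShell 5.1 running elevated. 'WPCUMI' is the value name
# shown in the thread's O4 line; function names and backup folder are assumed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties the registry provider adds to every object; they are not values.
$ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntry {
    # Returns one object per autostart value: key, name, full command line,
    # the executable it points at, and whether that file actually exists.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Executable path: the quoted part if present, otherwise the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Executable = $exe
                FileExists = (Test-Path -LiteralPath $exe)
            }
        }
    }
}

function Remove-RunEntry {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Name,
        [string] $BackupDir = "$env:USERPROFILE\Desktop\RunKeyBackups"   # assumed location
    )
    # Export the whole key with reg.exe before touching it so the removal can be undone
    # by double-clicking the .reg file.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $regPath = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $backup  = Join-Path $BackupDir "$Name-$stamp.reg"
    reg.exe export $regPath $backup /y | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    Write-Host "Removed '$Name' from $Key (backup: $backup)"
}

# Usage: review the full list first, then remove only the entry you have identified.
Get-RunEntry | Format-Table Name, FileExists, Command -AutoSize
$target = Get-RunEntry | Where-Object { $_.Name -eq 'WPCUMI' }
if ($target) { Remove-RunEntry -Key $target.Key -Name $target.Name }
```

Listing before removing matters more than the removal itself: the FileExists column is the quick way to spot an O4 entry whose target has already been deleted by an AV product, which is the "(file missing)" case the post mentions, and the .reg backup is what lets you put an entry back if it turns out to belong to something you wanted.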

#13 Cas34
  • Topic Starter
  • Members
  • 28 posts

Posted 02 February 2009 - 01:29 PM

Hi EB,

I have now run HJT and followed your instructions which has stopped the pop up when I reboot. I do not have any other issues. I would like to thank you for all the help that you provided and I am pleased that my PC is still clean from all malware. I hope you have a good day and thanks again :thumbup2:

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 February 2009 - 03:43 PM

Hello Cas34 :step5:

Glad I could help. Just some stuff we need to take care of including removing the tools and purging a system restore point.


Uninstall GMER
We will now remove GMER.
  • Go to Start > Run and in the Open field type: C:\WINDOWS\gmer_uninstall.cmd
  • Now Click Ok
  • This shall uninstall GMER and everything related to it.
Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
You may delete the tool after use.

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but it can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy
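
An added example, not part of the post or of any article it links to: a PowerShell script that audits the registry settings behind the "Disable Autorun" advice above, applies them (NoDriveTypeAutoRun = 0xFF to cover every drive type, HonorAutorunSetting = 1 from Microsoft KB967715 so older systems honour the mask, and the IniFileMapping redirect of autorun.inf to a key that does not exist, which is what closes the double-click case the note warns about), lists any drive that currently carries an autorun.inf in its root, and finally takes the fresh restore point the post asks for with Checkpoint-Computer. The function names are my own; it assumes Windows PowerShell 5.1 running elevated.

```powershell
# Added example (not from the thread): audit and apply the registry settings that
# disable Autorun on all drive types, look for autorun.inf files, and then create
# the post-cleanup restore point. Assumes Windows PowerShell 5.1, elevated.
# Function names are assumed; the registry paths and values are Microsoft's.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutorunMapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunState {
    # NoDriveTypeAutoRun is a bitmask of drive types for which Autorun is ignored; 0xFF = all.
    $mask  = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # HonorAutorunSetting (KB967715) makes Windows XP/2003 actually respect the mask.
    $honor = (Get-ItemProperty -Path $ExplorerPolicy -Name HonorAutorunSetting -ErrorAction SilentlyContinue).HonorAutorunSetting
    # Mapping autorun.inf to a non-existent registry key means the file is never parsed,
    # even when the user double-clicks the drive icon.
    $map   = (Get-ItemProperty -Path $AutorunMapping -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        NoDriveTypeAutoRun  = $mask
        HonorAutorunSetting = $honor
        AutorunInfMapping   = $map
        AllDrivesDisabled   = ($mask -eq 0xFF)
        InfParsingBlocked   = ($map -eq '@SYS:DoesNotExist')
    }
}

function Set-AutorunDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($k in $ExplorerPolicy, $AutorunMapping) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess($ExplorerPolicy, 'Set NoDriveTypeAutoRun=0xFF and HonorAutorunSetting=1')) {
        Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
        Set-ItemProperty -Path $ExplorerPolicy -Name HonorAutorunSetting -Value 1    -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($AutorunMapping, 'Map autorun.inf to @SYS:DoesNotExist')) {
        Set-ItemProperty -Path $AutorunMapping -Name '(default)' -Value '@SYS:DoesNotExist' -Type String
    }
}

function Find-AutorunInf {
    # Reports removable (2) and fixed (3) drives whose root holds an autorun.inf,
    # the file USB worms drop; -Force shows it even when hidden/system.
    Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 } | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            [pscustomobject]@{
                Drive      = $_.DeviceID
                AutorunInf = $inf
                Modified   = (Get-Item -LiteralPath $inf -Force).LastWriteTime
            }
        }
    }
}

# Usage: inspect, harden (drop -WhatIf to apply), verify, then take the restore point.
Get-AutorunState | Format-List
Set-AutorunDisabled -WhatIf
Get-AutorunState | Format-List
Find-AutorunInf
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
```

Run the audit before and after so the change is visible in the output rather than assumed. Find-AutorunInf only reports the file; treat any hit on a fixed disk as something to look at, since legitimate autorun.inf files normally live on optical media. Checkpoint-Computer creates a point even while earlier ones still exist, so the Disk Cleanup step in the post is still the way to discard the old ones; on Windows 8 and later the cmdlet also refuses a second point within 24 hours by default.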

#15 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 February 2009 - 01:10 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy



