Rank: Member | Groups: Member | Joined: 3/16/2006 | Posts: 20 | Location: PA
Hi, N.F. Parton.
Download and install HijackFree. Start the program, click "Save logfile" at the bottom and select "HijackThis Compatible". Post the log with your next reply.
Update and run A-Squared again. Copy the log from that and post it with your next reply.
ShadowPuterDude should be around soon and this way he will have some info to look over to get things moving more quickly.
Best regards,
Windsor
Rank: Advanced Member | Groups: Member, Moderation | Joined: 5/23/2006 | Posts: 2,252 | Location: Northern NY
C:\WINDOWS\system32\wsys.dll is a component of Iopus Starr Pro Key Logger.
Vendor Description
Visual logging (Screenshots): See EVERYTHING that happens on your PC with the built-in screenshot recorder. STARR creates an unique easy-to-read "all-in-one" interactive activity report.
Text Logging: Log keystrokes, user names, passwords, path names, access times, windows titles and send the log file by email, all invisible to the user. Fully searchable for keywords. This makes even the evaluation of large log files a snap!
"WEB Spy": Record all URLs of visited websites. The report can be made in plain text or HTML (just click & browse to the recorded sites). Works with all popular browsers!
"IM/CHAT Spy": Record both sides of an Instant Message (IM) or chat conversation. This feature works with all leading chat software (AOL Instant Messenger, ICQ, Microsoft Messenger, Yahoo Chat). For all other chat software STARR does basic chat recording of all outgoing chats.
"AOL Spy": Record IM and chat conversations, emails and other content inside of AOL. Receive the activity reports directly in your email. STARR sends them invisibly. For maximum security and speed the report can be sent as a password-protected, compressed ZIP file. [STARR PRO only]
Network functions: STARR can save the log files directly over a local area network (LAN) and is prepared for an easy remote deployment. [STARR PRO only]
Create individual log and report files for each user. [STARR PRO only]
STARR is protected against manipulation: It runs invisibly and maintenance free. The log file is encrypted and the setup and uninstallation is password protected.
Did you install this program?
a-squared Team - www.emsisoft.com
Rank: Advanced Member | Groups: Member, Moderation | Joined: 5/23/2006 | Posts: 2,252 | Location: Northern NY
Look in Add or Remove Programs in the Control Panel and uninstall the program if it is present.
You are strongly advised to do the following immediately:
1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
If there is no entry for the Keylogger in Add or Remove Programs, we will proceed with manual steps to remove the keylogger. This will require several logs from a couple of different tools and time. If a keylogger is present on the system there is a good chance that there are other malicious processes present.
a-squared Team - www.emsisoft.com
Rank: Advanced Member | Groups: Member, Moderation | Joined: 5/23/2006 | Posts: 2,252 | Location: Northern NY
Download to your Desktop:
- MGTOOLS.zip
- HijackThis-1991.exe
Double-click HijackThis-1991.exe; this will install HijackThis. Accept default prompts, and ensure you create a Desktop Icon. Let the installer launch HijackThis. Select "Do a system scan and save a log file". Close HijackThis.
Extract the contents of the zip file to the root directory of drive C:\ (C:\MGTOOLS). This will create a folder named MGTOOLS with 5 files in it.
Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\MGTOOLS and locate ShowNew.bat and double-click on it to run it. ( Do not attempt to run the program from inside the ZIP file or by using Winzip. It will not work properly. ) It will create a file named newfiles.txt in the root of drive C: (C:\newfiles.txt). This log will also pop up in a Notepad window which you can just close.
Now locate GetRunKey.bat and double-click on it to run it. ( Do not attempt to run the program from inside the ZIP file or by using Winzip. It will not work properly. ) It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window which you can just close.
Possible Error Messages
- If your newfiles.txt or runkeys.txt log appears to be empty or semi-empty, or if you get an error message similar to the one below when running ShowNew.bat or GetRunKey.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.
Quote:
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.
To fix the above error message, choose the download below which is appropriate for your system
- For Windows XP Pro: download and run: XPproFix
- For Windows XP Home: download and run: XPHomeFix
- For Windows 2000: download and run: W2KFix
Then run ShowNew.bat or GetRunKey.bat again and attach the log.
- A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
Quote:
16 bit MS-DOS Subsystem drive:\program path XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.
-or-
16 bit MS-DOS Subsystem drive:\program path SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.
After attempting to fix the above errors, run ShowNew.bat or GetRunKey.bat again and attach the log.
NOTE: For Win9x and WinMe users! ShowNew now supports Win9x and WinMe; however, it makes the assumption that you have Windows installed on drive C. If you do not have Windows installed on drive C, it will not work properly.
Paste the contents of both C:\newfiles.txt and C:\runkeys.txt into your reply.
Post your HijackThis log.
This may take several posts to post all 3 logs.
a-squared Team - www.emsisoft.com
Rank: Advanced Member | Groups: Member, Moderation | Joined: 5/23/2006 | Posts: 2,252 | Location: Northern NY
Please print these instructions out, or write them down, as you can't read them during the fix.
Download:
- Pocket Killbox http://www.majorgeeks.com/download4709.html
- ExplorerXP http://www.majorgeeks.com/ExplorerXP_d4201.html
Using Add or Remove Programs in the Control Panel; uninstall the following:
Quote:
J2SE Runtime Environment 5.0 Update 10
ErrorDoctor
ErrorDoctor is a rogue registry cleaning utility.
Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000
Close Notepad.
Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.
Download and Install RogueRemover Free http://www.majorgeeks.com/RogueRemover_d5360.html
Run RogueRemover and select Scan and the program will walk you through the remaining steps.
Step 1: Download SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.
Do NOT run any other option other than 1
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/processutil/processutil.htm
Step 2: Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode
5) Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Continue in Normal Mode.
Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.
Now run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
Select:- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
Quote:
C:\Documents and Settings\All Users\Application Data\PitStop7.oem
C:\WINDOWS\system32\wsys.dll
C:\WINDOWS\system32\drivers\RKL56.tmp.sys
C:\WINDOWS\Temp\Acr3DD4.tmp
C:\WINDOWS\Temp\Acr7F91.tmp
C:\WINDOWS\Temp\AcrBE20.tmp
C:\WINDOWS\Temp\AcrD1CF.tmp
C:\WINDOWS\Temp\kernel.sys
C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8cc.dat
C:\WINDOWS\Temp\Perflib_Perfdata_58c.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8ac.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8ec.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8b0.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8f0.dat
C:\WINDOWS\Temp\Perflib_Perfdata_820.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8c0.dat
C:\WINDOWS\Temp\Perflib_Perfdata_900.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8a0.dat
C:\WINDOWS\Temp\Perflib_Perfdata_850.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8b4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8c4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_874.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8a4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8e4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_914.dat
C:\WINDOWS\Temp\Perflib_Perfdata_894.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8b8.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8f8.dat
C:\WINDOWS\Temp\Perflib_Perfdata_868.dat
C:\WINDOWS\Temp\Perflib_Perfdata_878.dat
C:\WINDOWS\Temp\Perflib_Perfdata_908.dat
C:\WINDOWS\Temp\Perflib_Perfdata_858.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8e0.dat
C:\WINDOWS\Temp\Perflib_Perfdata_8c8.dat
C:\WINDOWS\Temp\Perflib_Perfdata_910.dat
C:\WINDOWS\Temp\Perflib_Perfdata_848.dat
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\6aef0.msi
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\8A56EAB7.TMP
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\f4664235-df14-4f8a-8be0-0d529ad36fae.rsf
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\kernel.sys
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\RunTime.ini
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\szu1.tmp
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\UninstManager.log
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
Now boot into SAFE MODE
Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
Quote:
C:\WINDOWS\Temp\c4602490-2178-4ad4-9f89-78a7546808ea
C:\WINDOWS\Temp\40a40456-4149-4b11-bcba-0457fd33b024
C:\WINDOWS\Temp\43e16a7d-4190-4088-b166-527b5a6e71bc
C:\WINDOWS\Temp\8376bf67-e3dc-4e7c-928b-66c705840368
C:\Program Files\Common Files\iS3
C:\Documents and Settings\All Users\Application Data\ZILLAbar
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\VCHCFHa03448
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\VCHCFHb03448
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\WPDNSE
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx10
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx11
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx2
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx3
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx4
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx5
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx6
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx7
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx8
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\xx9
C:\Documents and Settings\Nigel Paton\Local Settings\Temp\{AC76BA86-1033-0000-7760-100000000002}
Now run CCleaner.
Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
- Temporary Files
- Temporary Internet Files
- Recycle Bin
And click OK.
REBOOT to Normal Mode.
Post the following logs:
1. Rapport from SmitFraudFix
2. ShowNew
3. GetRunKey
4. HijackThis
Make sure to tell me how things are working.
a-squared Team - www.emsisoft.com
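Added example (not code from the forum or from Emsisoft): a small parser for the REGEDIT4 .reg format used by the FixReg.reg file above, so a reader can confirm exactly which Explorer settings a merge changes before importing it; ADVANCED_KEY and the helper names are my own, and the embedded .reg text is a constructed copy of the one in the post.

```python
import re

# Constructed copy of the FixReg.reg contents posted above (REGEDIT4 format).
FIXREG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000
'''
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=value or @=value

def _decode_value(raw):
    """Decode a .reg right-hand side: dword (hex) or quoted string (the forms FixReg.reg uses)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
    raise ValueError("unsupported value syntax: %s" % raw)

def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 file; '' is the default value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    result, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # a new key section
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %s" % line)
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        result[current][name] = _decode_value(m.group(2))
    return result

def explorer_shows_hidden(parsed):
    """True when the merge makes Explorer show hidden/system files and file extensions."""
    adv = parsed.get(ADVANCED_KEY, {})
    return adv.get("Hidden") == 1 and adv.get("ShowSuperHidden") == 1 and adv.get("HideFileExt") == 0
```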
Rank: Advanced Member | Groups: Member, Moderation | Joined: 5/23/2006 | Posts: 2,252 | Location: Northern NY
Submit this file, C:\WINDOWS\system32\winlogon.exe, to Virus Total. Post the results from the scan.
Winlogon is in the correct location and has the correct filename, but ShowNew shows a file creation date of 19 Feb 2007. Otherwise your logs are clean.
a-squared Team - www.emsisoft.com
Rank: Advanced Member | Groups: Member, Moderation | Joined: 5/23/2006 | Posts: 2,252 | Location: Northern NY
You're welcome.
One last thing to do: temporarily turn off System Restore to flush all your restore points and then turn System Restore back on. This will create a new clean restore point for your system.
Delete everything in !Killbox, empty the Recycle Bin and run CCleaner.
Safe Surfing.
a-squared Team - www.emsisoft.com