I have a MalWare problem - Key Logger.

Discussion in 'Malware Help (A Specialist Will Reply)' started by otter_60, Mar 29, 2006.

  1. otter_60

    otter_60 Private E-2

    Hi Major,

    I try to practice very safe-surfing, but recently I've been surfing off the beaten path, and it looks like I've picked up something nasty. I noticed unexpected Ethernet traffic on my Router and discovered that I had the "NGC" Key-logger on my Win2K PC.

    I've tried to do everything in the "Read & Run Me First" post; however, I had a couple of problems. I couldn't get Microsoft Windows Defender installed, so I didn't run that, and I kept getting the Blue-Screen of Death during the BitDefender scan.

    I have attached the HJT Panda ActiveScan logs and was wondering if you could take a look at them.

    Also, do you know of any tools that I could use to:

    1. See what program is doing the sending? I didn't see it in the Task List.
    2. Monitor my LAN traffic to see who is sending what to whom?

    Thanks,
    o
     
  2. otter_60

    otter_60 Private E-2

    No, I'm not a total Bone-Head.

    I had the attachments uploaded and ready to go before I started entering my original post. Then I got distracted, and my session timed out, so I had to re-enter my post. Luckily I was able to cut and paste my original post into the new post window, but I forgot to re-attach my log files.

    I tried editing my original post to attach the files, but I got a server error. Now I'm getting "upload errors" when I try to attach the files, so I may have to try another PC.

    Thanks,
    o
     
  3. otter_60

    otter_60 Private E-2

    Log Files Attached

    Note that I did not use the infected PC for my original post, but I went to a different PC, and now I can upload files. They are attached.

    Thanks again for your help,
    o
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Log Files Attached

    Welcome to Majorgeeks!

    Looks like you have this:

    http://www.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.f.html

    Also another reference is: http://www3.cai.com/securityadvisor/pest/pest.aspx?id=453076437


    Did you setup the below proxy server?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxysrv.ext.ray.com/proxy


    Please run the below two procedures and attach the two requested logs.

    Running Spy Sweeper

    Running Ewido Anti-Malware


    After running the above two scans and attaching the logs, let me know if there has been any change in your status.
     
  5. otter_60

    otter_60 Private E-2

    Hi chaslang,

    First, thank you very much for your help.

    I think that proxy server is OK. I think I needed it to access the www when I was telecommuting via a VPN. Fortunately, I only did that once a couple of months ago.

    I ran Spy Sweeper, Ewido AM, and HJT - Logs are attached.

    The problem still seems to be there.

    I am currently using Verizon and the Yahoo Anti-Malware software that comes bundled with it. Do you know if there should be zero (0) internet traffic if I'm not doing anything (i.e., no internet-related applications open)? I think that in the past this was the case.

    Thanks again,
    o
     

  6. otter_60

    otter_60 Private E-2

    Hi Chaslang,

    One other thing. Some of my applications are now taking very long to start. Windows takes at least a minute longer than usual to start. Windows Explorer and Internet Explorer take 30-40 seconds longer to start. Any ideas?

    Thanks,
    o
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have cable or DSL, there will also be some internet traffic. When you say you have no internet-related applications open, are you sure? You have a few things that are running in the background. For example:


    C:\Program Files\Outlook Express\msimn.exe
    O4 - Startup: Folding @ Home.lnk = C:\Program Files\Folding@Home\winFAH.exe

    Is the below R0 line your expected start page?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/__users/_Dan/www-browser-home-page/Dan-www-browser-home-page-for-ie-00.html

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)

    After clicking Fix, exit HJT.


    Now boot in safe mode and delete the below folder:
    C:\WINDOWS\system32\config\mouse

    Then reboot in normal mode and tell me how things are working.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Adding protection software will slow things down. Sort of a necessary evil. And from your log, it appears you have no firewall yet. You need a software firewall.

    However now that we have run scans with Spy Sweeper and Ewido. You should uninstall them and reboot. This should speed things up a little.
     
  9. otter_60

    otter_60 Private E-2

    Hi chaslang,

    I won't be able to try your latest suggestions on the infected machine until later tonight.

    Regarding the internet-related applications:

    The Folding @ Home client, winFAH.exe, only uses the internet about once every 48 hours when it uploads its latest results to its server and then downloads a new work-package from its server. Also, I've killed this app, and I still see the internet traffic.

    Regarding my home page:
    Yes, that is a simple, static page that has my most frequently-used links listed on it. I generally use it instead of Favorites.

    Regarding the software firewall:
    I thought that by using a router, the NAT function indirectly acted as a firewall. Am I missing something? If so, do you have any suggestions for firewall software?

    Do you know anything about this process that is running on my PC:

    ScsiAcc.exe

    I don't know why, but I have a funny feeling about it?

    Thanks again,
    o
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, but as I said you still have other stuff running, and your hardware is always physically connected (if you are using cable or DSL) and sending packets periodically.


    You still need a software firewall. The hardware firewall is a great thing to have, but it is not sufficient. Tell me how many times you have received a message from your hardware firewall asking you if a particular application should be allowed access to the internet from your PC. Do you think that a hardware firewall knows the name of every legit and every piece of malware software that exists or will exist in the future? And does it know which folder the program should be running from on your PC so it can know the difference between (for example) a good svchost.exe and a bad svchost.exe?

    Firewalls and all things you need to do are covered in another sticky thread that I normally post in my final message after removing all malware. The link is:

    How to Protect yourself from malware!

    I overlooked this the first time! I thought I saw ScsiAccess.exe.
    The one you have is unknown. The closest thing I can find to it is a process from Merge eFilm. Does the below mean anything to you:

    O23 - Service: eFilmProcessManagerNT - Unknown - C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
    O23 - Service: ScsiAcc - Unknown - C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE

    One of the services is the same name but it is running from a different folder than you have.
     
  11. otter_60

    otter_60 Private E-2

    Hi chaslang,

    I had a software firewall when I was running Norton AV, then I switched to the Verizon/Yahoo Malware Suite of tools, and I didn't realize that I didn't have a software firewall anymore. I will get one immediately.

    No, I don't recognize any of that.

    I did the following as you suggested:
    I did the above, and I didn't see any change.

    I had the HJT Log attached to my post, but then had the following problem:
    1. It usually takes me a while to create a post, because I try to get the words right.
    2. When I hit the "Submit Reply" Button, I guess my session had timed out, so it took me to a Login Screen.
    3. I logged in, but got an error that said the Thread Id was incorrect and to contact the Sys Admin.
    4. I went to the Sys Admin page, but it wasn't obvious what to do there, so I am doing it here.
    5. From that point-on, I couldn't attach a log file.
    6. I had the same problem the other day.
    7. So I went to a different PC to do my post and attach the Log. That worked the other day, when I had this problem, but today I can't attach a file from this PC either.
    I'll see if it lets me attach a Log File in a little while after I reboot everything.

    Another question: do you know why the following would show up twice in the HJT Log under "Running processes"?

    C:\WINNT\system32\Ati2evxx.exe

    Thanks,
    o
     
  12. otter_60

    otter_60 Private E-2

    HJT Log Attached

    HI chaslang,

    I just waited a while, and now I can attach the HJT Log file. Note that I had logged out between sessions.

    o
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, we could try stopping and disabling the below service if you want.

    O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAcc.exe

    Then you can see if you have any problems running anything. Let me know if you want to try this.

    Did you send a message to the Admins? I have never had a session time out on me. Even when I left one up unattended thru the weekend.

    No I don't know why it would be running twice. Seems to be seen running twice on the internet many times. You would be better off asking about this in the Software Forum.
     
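    The folder check chaslang describes above (same executable name as a known product, but running from a different folder, as with SCSIACC.EXE under Merge eFilm versus ScsiAcc.exe under system32) can be applied mechanically to the O23 lines of a HijackThis log. The script below is an added example, not code from the thread or from HijackThis; the "reference" entries are the eFilm lines quoted in the thread, treated here as an assumed known-good install, and both inputs are constructed from lines on this page.

```python
import re
from pathlib import PureWindowsPath

# HijackThis "O23" service lines. REFERENCE is what the Merge eFilm product
# installs (as quoted in the thread, assumed known-good); LOG is the line
# from the poster's own machine. Both are constructed sample input.
REFERENCE = """\
O23 - Service: eFilmProcessManagerNT - Unknown - C:\\Program Files\\Merge eFilm\\eFilm\\efPMNT.exe
O23 - Service: ScsiAcc - Unknown - C:\\Program Files\\Merge eFilm\\eFilm\\SCSIACC.EXE
"""
LOG = """\
O23 - Service: ScsiAccess - Unknown owner - C:\\WINNT\\system32\\ScsiAcc.exe
O23 - Service: eFilmProcessManagerNT - Unknown - C:\\Program Files\\Merge eFilm\\eFilm\\efPMNT.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)\s*$")

def parse_o23(text):
    """Return (service name, owner, image path) for each O23 line in an HJT log."""
    out = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            out.append((m["name"], m["owner"], m["path"]))
    return out

def expected_folders(reference_text):
    """Map lower-cased image file name -> folders the known product runs it from."""
    folders = {}
    for _, _, path in parse_o23(reference_text):
        p = PureWindowsPath(path)
        folders.setdefault(p.name.lower(), set()).add(str(p.parent).lower())
    return folders

def suspicious_services(log_text, reference_text):
    """Flag O23 entries whose image name matches a known product's executable
    but runs from a folder that product does not use, plus entries with no
    identified owner. Returns a list of (service name, path, reasons)."""
    known = expected_folders(reference_text)
    hits = []
    for name, owner, path in parse_o23(log_text):
        p = PureWindowsPath(path)
        fname, folder = p.name.lower(), str(p.parent).lower()
        reasons = []
        if fname in known and folder not in known[fname]:
            reasons.append("runs from %s; known product uses %s"
                           % (folder, ", ".join(sorted(known[fname]))))
        if owner.lower() == "unknown owner":
            reasons.append("no identified owner")
        if reasons:
            hits.append((name, path, reasons))
    return hits
```

A hit is a lead to investigate (check the file's version information and signature, as chaslang did by searching for the name), not proof of infection.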
  14. otter_60

    otter_60 Private E-2

    Yes, I'd like to try that. How do I do it?

    Also, I installed the Zone Alarm firewall, and the following program is trying to access the internet:

    C:\WINNT\system32\services.exe
    Is that normal?

    Thanks,
    o
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That is a valid Windows process! Here is a quote from ZoneLabs:
    This comes from: ZoneAlarm Products and Windows Internet Connection Sharing (ICS)

    For the ScsiAcc.exe service, try the below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press OK. On the page that opens, scroll down to Service Hosts ... then right click the entry, select 'Properties' and press Stop Service. When it shows that it is stopped, next please set the Start-up Type to Disabled. Press OK until you get back to Windows.

    Now reboot your PC and check to see how things are working with this Service disabled.
     
  16. otter_60

    otter_60 Private E-2

    Hi Chaslang,

    Sorry for taking so long to get back to you. A few other things have popped up that I had to take care of. I've been so paranoid with this PC that I went out and bought another very inexpensive PC so that I can use it until I get the "Problem PC" straightened out. I'm going to reformat the HD of the Problem PC and start over so that I can reserve that PC for all sensitive work (e.g., online banking).

    I'll re-read your Post on how to protect that machine, and also limit how I use it (e.g., no surfing off the beaten path).

    Thanks again for all of your help!

    Many blessings to you and your family.

    o
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely and wisely. ;)
     
