Keylogger and Other Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by smit6577, Nov 6, 2008.

  1. smit6577

    smit6577 Private E-2

    Hey, I started getting these windows security pop -ups for some kind of keylogger and I went through the windows vista cleaning procedures and found a bunch of other forms of malware. Any suggestions? Attached below are the logs. Thanks in advance for the help.
     

    Attached Files:

    Last edited: Nov 6, 2008
  2. smit6577

    smit6577 Private E-2

    Here's the last logs..
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just to let you know we are currently reviewing your logs and will get back to you with a set of instructions as soon as we possibly can. Thank you for your patience :)

    Kes
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    HI

    Can I ask what programs were giving you the warning regarding the keylogger?


    Also...you ran scans in safe mode...could you run everything again please in normal mode? And upload the logs to us here.

    Thanks
    Kes13!
     
  5. smit6577

    smit6577 Private E-2

    My windows security center was giving me the key logger pop up. I've also been getting one where a message box pops up asking me if I want to download some anti virus program, which links to a page that automatically starts downloading whether click yes, no, cancel, or the close button.

    I only ran scans in safe mode for combofix and mg. Can I skip redoing sas, mbam, and spybot?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes skip Spybot Search and Destroy, MBAM and SAS.
    Ensure you are in normal mode now for the following:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Thanks
    kes13!
     
  7. smit6577

    smit6577 Private E-2

    Alright here are the logs.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1) You are running two different Anti-Virus programs, which is not a wise idea: both pieces of software fight for control over system files, which in turn leads to conflict and system instability.

    Please tell me is your Norton360 a free trial or paid for software? If it is paid for please uninstall PCTools Anti Virus4.0 and keep Norton360 and if it is just a trial please uninstall Norton360 and keep PCTools Anti Virus 4.0.

    Towards the end of the thread I will give you a link for the Norton removal Tool and some basic instructions for running it.

    2) Please go to Add and Remove Programs and uninstall the following software:

    • Java(TM) 6 Update 3

    Reboot your machine and install the current version available here at the below link:

    Java Runtime 6

    3) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)


    After clicking Fix exit HJT.

    4) Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Users\Tom Smith\AppData\Local\Temp

    5) Now Run Ccleaner!


    6) Please navigate to C:\Windows\SavePOH64.exe

    I would like for you to right click on the SavePOH64.exe file and rename it to SavePOH.exe.old

    As a result of doing this I would like for you to tell me if you receive any error messages and let me know if anything out of the usual happens after doing the above.


    7) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Thanks :)
    Kes13!
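The housekeeping in steps 4 and 6 of the post above (empty the two Temp folders except for today's files, then rename the file the helper singled out so that whatever loads it fails visibly) as an added PowerShell example. This is not code from the post or from MGtools; it assumes PowerShell 4 or later run from an elevated prompt, and it uses only the paths the post names. The `-WhatIf` switch keeps the deletions dry-run until you remove it.

```powershell
# Added example, not from the MajorGeeks post: steps 4 and 6 of the cleanup
# in PowerShell (assumes PowerShell 4+, elevated prompt).

function Clear-TempFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $WhatIf
    )
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing: $Path"; return }
    # -Force includes hidden and system files, i.e. what Explorer shows only
    # with "show hidden files" and "show protected OS files" turned on.
    $today = (Get-Date).Date
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File |
        Where-Object { $_.LastWriteTime -lt $today } |      # keep today's files, as the post says
        ForEach-Object {
            try {
                Remove-Item -LiteralPath $_.FullName -Force -WhatIf:$WhatIf -ErrorAction Stop
            } catch {
                # A file locked by a running process is normal; report and carry on.
                Write-Warning "Skipped $($_.TargetObject): $($_.Exception.Message)"
            }
        }
}

function Disable-SuspectFile {
    param([Parameter(Mandatory)] [string] $Path)
    # Renaming instead of deleting keeps the file for analysis and is reversible.
    # Record size and hash first so the sample can be identified later.
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return $null }
    $item = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host ("{0}  {1} bytes  sha256={2}" -f $item.FullName, $item.Length, $hash)
    $newName = $item.Name + '.old'
    try {
        Rename-Item -LiteralPath $Path -NewName $newName -ErrorAction Stop
        return (Join-Path $item.DirectoryName $newName)
    } catch {
        # "Access denied" or "in use" here is itself useful: something is holding it open.
        Write-Warning "Rename failed: $($_.Exception.Message)"
        return $null
    }
}

Clear-TempFolder -Path "$env:SystemRoot\Temp" -WhatIf
Clear-TempFolder -Path "$env:LOCALAPPDATA\Temp" -WhatIf       # C:\Users\<you>\AppData\Local\Temp
Disable-SuspectFile -Path "$env:SystemRoot\SavePOH64.exe"    # file named in the post
```

Run it once with `-WhatIf` to see what would go, then without. The rename appends `.old` to the existing name rather than dropping the `64` as the post's wording does; either works, the point is that the original name no longer resolves. Whether `SavePOH64.exe` is actually malicious is not established anywhere in this thread; the hash line is there so it can be checked.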
     
  9. smit6577

    smit6577 Private E-2

    Here are the MG logs. I didn't encounter any problems with your instructions and everything is running smoothly.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please re read my step 1 in post #8 regarding Anti-Virus and let me know whether your Norton360 is paid for or a free trial.

    Your latest MGLogs are incomplete. Did you let it run till it told you it was finished? Did you get an error message when it ran?

    Use windows explorer to find and delete:
    C:\ProgramData\xqkcebzs.dik

    Now tell me exactly what problems you are having.
    Thanks
    Kes
     
    Last edited by a moderator: Nov 10, 2008
  11. smit6577

    smit6577 Private E-2

    I tried to remove Norton 360. You didn't include a link for the Norton removal Tool and instructions for running it in your last post.. though I have an older version of symantec antivirus which hasn't expired so I'm not sure what to do?

    The MGlog might have had error messages but it was completed: it got to the screen that says click any button to close.

    I don't seem to be having trouble with anything else.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I didn't want to include the Norton Removal Tool until I know for sure what is happening with your Anti Virus situation.

    You have three different Anti Virus there, and should only be using one.
    What I want to know is was your copy of Norton360 a Free Trial? (I suspect so if you are telling me you have Symantec AntiVirus which hasn't yet expired)

    Thanks
    Kes
     
  13. smit6577

    smit6577 Private E-2

    Yes Norton 360 is a trial version. It expired then I downloaded what my college offers, which is an older version of Symantec anti virus.

    If this is any help, the only logs that were posted after I deleted/tried to delete Norton 360 and PCTools anti virus are the MGtool logs. At least PCTools should be removed because I went to the control panel and uninstalled it and restarted my computer, and it's not showing up in my add/remove program list.

    Also, I ran Mgtools again and the following error messages came up:

    File fixcf.exe doesn’t exist.
    Userinfo.bat not recognized as internal or external command, operable program, or batch file.
    Shownew.bat not recognized as internal or external command, operable program, or batch file.
    Getunkeys.bat not recognized as internal or external command, operable program, or batch file.
    Getrunkeys.bat not recognized as internal or external command, operable program, or batch file.
    The C:MG\temp\GRKflag.text exists. Deleting it!

    Attached are the logs from this.
     

    Attached Files:

    Last edited: Nov 10, 2008
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi

    1) Use this link for the Norton Removal Tool and instructions for running it. I suggest you run it twice.

    http://service1.symantec.com/support/norton360.nsf/docid/2006112909122875

    2) Now I would like for you to delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.

    3) Visit this link below for some excellent freeware anti-virus, only choose one to download and install it.

    How to Protect yourself from malware

    4) Re-download MGTools.exe and run it afresh.

    5) Attach the MGlogs.zip into your next post after doing all of the above.

    Thanks
    Kes13!
     
  15. smit6577

    smit6577 Private E-2

    While running MGtools.exe I got this error message:

    For some reason your system denied access to the Hosts file. If any hijacked domains are in this file, Hijack This may Not be able to fix this.

    If that happens, you need to edit the file yourself. To do this, click Start, Run and type.

    Notepad C:\Windows\System32\drivers\etc\hosts

    And press Enter. Find the line(s) Hijack This reports and delete them. Save the file as ‘hosts.’ (with quotes), and reboot.

    Also I have a question about spyware compatibility. I uninstalled Norton 360 and Symantec, and then reinstalled Symantec Anti virus, which I believe only covers anti virus protection and not spyware protection? In Windows Security Center under the malware protection tab it lists Symantec and says Symantec AntiVirus is turned on, and Tamper Protection is on in the Symantec configuration settings though I'm not sure if tamper protection is a real-time malware defender. So my question is, considering that, would it be a good idea to download and use Comodo BOClean Anti-Malware?
     

    Attached Files:
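The MGTools warning quoted above is about the hosts file: malware commonly adds lines there to redirect a site to its own server or to blackhole antivirus and Windows Update domains, and HijackThis reports those as O1 entries. The following is an added PowerShell example, not part of the post or of MGTools, that parses a hosts file and flags the two patterns. The vendor/update host patterns in `$WatchHost` and the sample file are my own constructed illustration; the only assumption about the live system is the standard hosts path.

```powershell
# Added example, not from the post: find hijacked hosts-file entries.

function Get-HostsEntry {
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    try {
        $lines = Get-Content -LiteralPath $Path -ErrorAction Stop
    } catch {
        # This is the "denied access to the Hosts file" case MGTools warns about.
        Write-Warning "Cannot read $Path ($($_.Exception.Message)); open it in an elevated Notepad instead."
        return
    }
    $lineNo = 0
    foreach ($line in $lines) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()        # drop comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'                    # address, then one or more host names
        if ($parts.Count -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $parts[0]; Host = $name }
        }
    }
}

function Find-HostsHijack {
    param(
        [string]   $Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Constructed watch list: security-vendor and update hosts that malware
        # likes to blackhole. Extend it for whatever AV you actually run.
        [string[]] $WatchHost = @('*symantec*', '*norton*', '*windowsupdate*', '*.microsoft.com')
    )
    $local = @('127.0.0.1', '::1', '0.0.0.0')         # loopback and the usual ad-block address
    foreach ($entry in (Get-HostsEntry -Path $Path)) {
        # A routable address means the name is being redirected somewhere.
        $routable = ($local -notcontains $entry.Address) -and ($entry.Address -notlike '127.*')
        # A loopback address for a vendor/update host means updates are being blocked.
        $blocked  = [bool]($WatchHost | Where-Object { $entry.Host -like $_ })
        if ($routable -or $blocked) {
            $reason = if ($routable) { 'routable address' } else { 'vendor/update host blackholed' }
            $entry | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
        }
    }
}

# Constructed sample file; the poster's real hosts file is not on this page.
$sample = @"
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example                      # ad-blocking entry, harmless
198.51.100.23   www.bank.example                 # redirected to a routable address
127.0.0.1       liveupdate.symantecliveupdate.com  # AV updates blackholed
"@
$tmp = Join-Path $env:TEMP 'hosts.sample'
Set-Content -LiteralPath $tmp -Value $sample
Find-HostsHijack -Path $tmp | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp

# Then the live file (needs an elevated prompt if the ACL was tightened):
Find-HostsHijack | Format-Table -AutoSize
```

On the sample, the bank line is flagged as a routable redirect and the LiveUpdate line as a blackholed vendor host; `localhost` and the ad-block entry pass. Removing flagged lines is exactly the manual edit the MGTools message describes: delete the lines, save the file with no extension, reboot.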

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you do what I previously asked in step 2 above?

    Did you then do the below?
    Did you not run the Norton Removal Tool?

    Did you disable all anti-virus and spyware programs before running MGTools? Did it just stop and not proceed or did you stop it yourself?

    If you could answer these questions that would be great :)

    Thanks
    Kes
     
    Last edited by a moderator: Nov 12, 2008
  17. smit6577

    smit6577 Private E-2

    I did everything you asked, except I didn't disable my spyware/antivirus program; however, I stopped MGtools myself when it read something like "click any button to close."
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please re-run MGTools this time making sure you have disabled your Anti Virus and any Anti-Spyware apps and when it finishes, attach the log it produces. Also run Combo again.

    Did you run the Norton Removal Tool ok?

    Thanks
    Kes:)
     
    Last edited by a moderator: Nov 12, 2008
  19. smit6577

    smit6577 Private E-2

    Yah I had no problems with the Norton tool.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Great :) So just combofix and MgTools to be done now, first as mentioned do disable all anti-virus and anti-spyware apps before doing so. I will be here waiting :)
     
  21. smit6577

    smit6577 Private E-2

    Alright so I disabled everything though spybot is showing up as "snooze" which I guess means it's off. The same thing happened while running MGtools and the first error message said hijackthis is already running. Here are the logs.
     

    Attached Files:

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Check your task manager to see if it is still running and right click and end hijackthis.exe process.

    Then run Combofix as requested and re run MGTools (again make sure anti spyware and antivirus are disabled before doing so)

    Thanks
    Kes
     
    Last edited: Nov 12, 2008
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Step 2: Disabling User Account Control



    Now we need to make sure to turn off UAC ( UAC = User Account Control )

    1. Click Start, and then click Control Panel.
    2. In Control Panel, click User Accounts.
    3. In the User Accounts window, click User Accounts.
    4. In the User Accounts tasks window, click Turn User Account Control on or off.
    5. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    6. Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    7. Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)

    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted.




    Did you make sure all the above was done before running the tools?
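The Control Panel steps above toggle one registry value, `EnableLUA`, and the reason the post insists on a reboot is that the new value is not read until then. The following added PowerShell example, not from the post, reads that value, shows whether the current session actually holds an elevated token (with UAC on, an administrator's normal session runs with a filtered token, which is why a tool run without "Run as administrator" gets access denied), and sets the value both ways. It assumes an elevated PowerShell prompt and the standard Vista-and-later policy key; it does not claim to be what MGtools' own enableUAC.reg contains.

```powershell
# Added example, not from the post: UAC state and elevation check.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $v = (Get-ItemProperty -Path $UacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    [pscustomobject]@{
        EnableLUA  = $v
        UacEnabled = ($v -ne 0)    # a missing value means the default, which is on
    }
}

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    # With UAC on, an admin user's ordinary session has a filtered token, so
    # this is $false until the process was started with "Run as administrator".
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-Uac {
    param([Parameter(Mandatory)] [bool] $Enabled)
    if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value ([int]$Enabled) -Type DWord
    # The value is read at logon/boot, so the change is not live yet.
    Write-Warning 'EnableLUA changed; reboot before relying on it.'
}

Get-UacState
"Elevated: $(Test-Elevated)"
# Set-Uac -Enabled $false   # what the Control Panel steps above do; then reboot
# Set-Uac -Enabled $true    # turn it back on once the cleanup is finished
```

Leave UAC off only for as long as the cleanup tools need it; the final steps later in this thread turn it back on for that reason.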
     
  24. smit6577

    smit6577 Private E-2

    Okay I did everything you listed here are the logs.
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi

    1) Please use Windows Explorer to find and delete the following file:

    C:\ProgramData\xqkcebzs.dik

    2) Delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    and finally....

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  26. smit6577

    smit6577 Private E-2

    I have a problem with step 2). I can't open C:\Documents and Settings; I get an error message that states access is denied. I'm using my administrative account.

    Also, if I disable "tamper protection" on my Symantec antivirus should it be alright for me to download and use Comodo BOClean Anti-Malware for real-time spyware protection?
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you sure you are logged on as administrator?
    Code:
    Users on this computer:
    Is Admin? | Username
    ------------------
              | adminfree
       Yes    | Administrator (Disabled)
              | Guest
       Yes    | Tom Smith
    
    I am not familiar with tamper protection in Symantec....but it may be the cause of your issue.

    I would suggest that you post in the software section regarding those questions. :)
     
  28. smit6577

    smit6577 Private E-2

    I'm not sure what screen you're referring to, but I went to control panel/user accounts and family safety/user accounts, and on the right of the screen it shows my account as

    Tom Smith
    Administrator
    Password Protected

    Can you tell me how to enable administrator account if it is disabled? I'm not sure if it is?
     
  29. smit6577

    smit6577 Private E-2

    .. I did some research and apparently Vista, which is what I'm using, has a limited admin account and a real administrator account that's hidden. I figured out how to enable it here: http://lifehacker.com/341521/enable-vistas-administrator-account

    but now I can't find the C:/programdata using the real administrator account.
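The table TimW quoted from the MGtools log lists every local account with whether it sits in the Administrators group and whether it is disabled, and the exchange that follows turns on the distinction: the built-in account literally named "Administrator" is disabled by default on Vista, while the poster's own account is a separate member of the Administrators group. The following added PowerShell example, not from the post or from MGtools, rebuilds that table with the WinNT ADSI provider, which exists on Vista as well as current Windows. The account names in the output will be whatever is on the machine it runs on; nothing here is taken from the poster's log beyond the column layout.

```powershell
# Added example, not from the post: "Users on this computer" with admin and
# disabled flags, via the WinNT ADSI provider (works on Vista and later).

function Get-LocalAccountReport {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $group    = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

    # Group members come back as COM objects; pull the Name property out of each.
    $admins = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    $ADS_UF_ACCOUNTDISABLE = 0x2      # bit in UserFlags that marks a disabled account

    foreach ($u in $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
        $name  = [string] $u.Properties['Name'].Value
        $flags = [int]    $u.Properties['UserFlags'].Value
        [pscustomobject]@{
            Username = $name
            IsAdmin  = ($admins -contains $name)
            Disabled = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        }
    }
}

Get-LocalAccountReport | Format-Table -AutoSize

# Enabling the built-in Administrator (what the linked article does) is simply:
#   net user Administrator /active:yes
# It is exempt from UAC's Admin Approval Mode by default, so everything it runs is
# fully elevated. Turn it off again (/active:no) as soon as the cleanup is done.
```

If your own account shows `IsAdmin = True`, you do not need the hidden Administrator account to delete files; the "access denied" on `C:\Documents and Settings` is a different issue, covered in the replies below.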
     
  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    Hi there

    Can you make sure that your machine is set to show hidden files and folders if it isn't already?

    If you don't know how to do this here are some instructions:
    • Go to start > computer> organise > folder and search options > open the "view" tab under "hidden files and folders" select to show hidden files and folders.
    • Also uncheck Hide protected operating system files (Recommended)

    Once you have done this please navigate to the following to empty your temp files:

    C:\Users\Tom Smith\AppData\Local\Temp

    Thanks
    Kes13!
     
    Last edited: Nov 15, 2008
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As explained above regarding emptying your temps, you just need to ensure that you have hidden files and folders showing :) I explained how to do that above also.

    So make sure you delete the below in red after checking you have hidden files and folders showing:

    C:\ProgramData\xqkcebzs.dik

    Then use the same steps I gave to reverse the process after you're done to hide them again.

    Kes13!
     
  32. smit6577

    smit6577 Private E-2

    Alright, now I just need to delete C:\Documents and Settings\%username%\Local Settings\Temp. I can't find that using my administrator account, while I can find it but not access it in my other account.
     
  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do not worry about the "Access denied" message you are getting when attempting to open C:\Documents and Settings\Tom Smith\Local Settings\Temp. It is normal that you are receiving the access denied message as we are using Vista....I get the same.

    We already emptied your temps when you did the below:


    Are you having any further malware problems?

    Thanks
    Kes
     
  34. smit6577

    smit6577 Private E-2

    No I'm not having any other problems. Thanks again for all the help.
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are welcome :)
     
