Hi,
It appears that you are infected with a password stealing trojan. If this computer is ever used for on-line banking, or shopping, I suggest you do the following immediately:
1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
===========================
You seem to be running two antivirus applications, i.e. Yahoo Antivirus and McAfee. You'll have to decide on one and remove the other via Add or Remove Programs in Control Panel. Multiple antivirus programs can bog down your system, interfere with each other, and may even cause crashes.
===========================
Scan with HijackThis and put a checkmark against the following entries:
O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm492YYUS
Close all browsers/windows other than HijackThis and click on "fix checked". Exit HijackThis.
===========================
Download ComboFix from one of the links below, and save it to your desktop.
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Disconnect from the internet.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Open Notepad (Start > All Programs > Accessories > Notepad) and copy/paste the text in the quotebox below into it (it must be Notepad, not WordPad, or it won't work):
Code:
File::
C:\WINDOWS\system32\kavo.exe
C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
Save this as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
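
A consistency check for the two steps in the post above, as an added example that is not part of the original post and not part of HijackThis or ComboFix: it parses the O4 autorun lines and the `File::` section of the CFScript, then reports which autoruns point at files on the deletion list, which listed files have no autorun, and which autoruns start from a Temp folder without being listed. The `ExampleUpdater` line, the function names, the Temp-folder heuristic and the rule that any other `Name::` line ends the `File::` section are assumptions made for the example.

```python
import re

# Constructed sample input: the two O4 lines and the CFScript from the post,
# plus one made-up autorun (ExampleUpdater) for contrast.
HJT_LOG = r"""
O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /min
"""
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\kavo.exe
C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)

def exe_path(command):
    """Strip quotes and arguments from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command

def parse_autoruns(log):
    """Return one dict per O4 registry autorun line."""
    hits = filter(None, (O4_RE.match(l.strip()) for l in log.splitlines()))
    return [{"hive": m[1], "key": m[2], "name": m[3], "path": exe_path(m[4])} for m in hits]

def parse_cfscript_files(script):
    """Collect paths under File::; any other 'Name::' line ends the section (assumption)."""
    files, in_files = [], False
    for line in map(str.strip, script.splitlines()):
        if line.endswith("::"):
            in_files = line.lower() == "file::"
        elif in_files and line:
            files.append(line)
    return files

def cross_check(log, script):
    """Compare autoruns with the deletion list, case-insensitively."""
    doomed = {p.lower() for p in parse_cfscript_files(script)}
    autoruns = parse_autoruns(log)
    covered = [a for a in autoruns if a["path"].lower() in doomed]
    no_autorun = sorted(doomed - {a["path"].lower() for a in autoruns})
    # Heuristic added here: an autorun under a Temp folder that is not on the list.
    temp_missed = [a for a in autoruns if a not in covered and "\\temp\\" in a["path"].lower()]
    return covered, no_autorun, temp_missed
```

With the post's own data, `cross_check(HJT_LOG, CFSCRIPT)` reports both `tasa` and `kava` as covered and leaves the other two lists empty, which is the state where the Run values fixed in HijackThis and the files deleted by ComboFix line up.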