Status
Not open for further replies.

Credit card data theft

2K views 17 replies 2 participants last post by  No-Know 
#1 ·
Somebody used my credit card info to open an Amazon account. I'm not sure how they got the data. My main concern is whether there is some malware on my computer, in which case a new credit card won't do much good.
Any help will be appreciated.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Falko at 13:16:23 on 2017-02-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1409 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{D3284116-E7EA-4273-B08F-23EA62503736} : DHCPNameServer = 192.168.254.254
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\falko\application data\mozilla\firefox\profiles\ex9wq5lh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.siasl.org/
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\winamp detect\npwachk.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_24_0_0_194.dll
FF - ExtSQL: !HIDDEN! 2011-01-03 18:49; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [2008-12-17 16896]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-10-13 11520]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2017-02-13 01:14:10 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2017-02-13 01:14:01 160256 ----a-w- c:\windows\system32\javacpl.cpl
2017-01-14 18:25:29 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-01-13 22:41:47 802904 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2017-01-13 22:41:47 144472 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:17:19.74 ===============
 

#2 ·
Hello No-Know,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

:arrowr: If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
:arrowr: First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
:arrowr: Please download to and run all requested tools from your Desktop.
:arrowr: Perform everything in the correct order. Sometimes one step requires the previous one.
:arrowr: If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
:arrowr: Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
:arrowr: Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
:arrowr: If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
:arrowr: Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
:arrowr: My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
:arrowr: Back up important files before we start.

Now, let's get started, shall we?

Please do the below steps

STEP 1

Please download AdwCleaner from here and save it to your desktop.

:arrowr: Click the green 'Download now @bleepingcomputer' button.
:arrowr: Run AdwCleaner and select Scan
:arrowr: Once the Scan is done, select Clean
:arrowr: Once done it will ask to reboot, please allow the reboot.
:arrowr: On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
:arrowr: Please copy/paste the contents of the log in your next reply.

STEP 2


Please download Farbar Recovery Scan Tool and save it to your desktop.

:arrowr: Double-click to run it. When the tool opens click Yes to the disclaimer.
:arrowr: Make sure the Addition.txt button is ticked.
:arrowr: Press Scan button.
:arrowr: It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
:arrowr: The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

========================================================

Things I need to see in your next post:

  • AdwCleaner[C#].txt
  • FRST.txt
  • Addition.txt
 
#3 ·
Hi Tolga,
Thank you very much for your help. Here are the logs.
I use Firefox as my browser exclusively. I have not used / opened Internet Explorer in many years. The Addition.txt file looks scary in that regard. Is there a way to get rid of IE permanently?
Thanks a lot, No-Know

# AdwCleaner v6.043 - Logfile created 17/02/2017 at 23:43:50
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Server]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : Falko - FALKOPC
# Running from : C:\Documents and Settings\Falko\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [779 Bytes] - [17/02/2017 23:43:50]
C:\AdwCleaner\AdwCleaner[S0].txt - [1171 Bytes] - [17/02/2017 23:43:31]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [924 Bytes] ##########
 


#4 ·
Hello No-Know,

You're welcome.

Please do the following.

:arrowr: Open Notepad (Start > All Programs > Accessories > Notepad).
:arrowr: Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
:arrowr: Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1214440339-308236825-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} 
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} 
S3 catchme; \??\C:\DOCUME~1\Falko\LOCALS~1\Temp\catchme.sys [X]
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
:arrowr: Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
:arrowr: Click the Fix button just once, and wait.
:arrowr: If you receive a message that a reboot is required, please make sure you allow it to restart normally.
:arrowr: The tool will complete its run after the restart.
:arrowr: When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 
#5 ·
Thanks a lot.
Starting FRST there was a message: Failed to update (3)
Here is the log:

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-02-2017 02
Ran by Falko (18-02-2017 17:52:52) Run:1
Running from C:\Documents and Settings\Falko\Desktop
Loaded Profiles: Falko (Available Profiles: Falko & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1214440339-308236825-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
S3 catchme; \??\C:\DOCUME~1\Falko\LOCALS~1\Temp\catchme.sys [X]
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
*****************

Error: (0) Failed to create a restore point.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => moved successfully
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => moved successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-1214440339-308236825-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} => key removed successfully.
HKCR\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} => key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} => key removed successfully.
HKCR\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} => key not found.
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully.
catchme => service removed successfully.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-1214440339-308236825-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-1214440339-308236825-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.


========= End of RemoveProxy: =========


========= bitsadmin /reset /allusers =========

'bitsadmin' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 9713 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 286052 B
Java, Flash, Steam htmlcache => 54013 B
Windows/system/dllcache/drivers => 87192 B
Edge => 0 B
Chrome => 0 B
Firefox => 394617404 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 16610 B
All Users => 0 B
systemprofile => 65762 B
LocalService => 360 B
NetworkService => 360 B
Falko => 30410590 B
Administrator => 119585 B

RecycleBin => 115489 B
EmptyTemp: => 406.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:55:08 ====
 
#6 ·
Hello No-Know,

Please do the below steps.

STEP 1

Launch Malwarebytes Anti-Malware


:arrowr: On the Settings tab > Detection and Protection subtab, Detection Options section, tick the box Scan for rootkits.
:arrowr: Click on the Scan tab, then click on Start Scan.
:arrowr: A check for database updates will be performed.
:arrowr: After the update check completes, a scan will begin.
:arrowr: With some infections, you may see this message box.
:arrowr: 'Could not load DDA driver'
:arrowr: Click Yes to this message, to allow the driver to load after a restart.
:arrowr: Allow the computer to restart. Continue with the rest of these instructions.
:arrowr: When the scan is complete, click 'Remove Selected'.
:arrowr: In most cases, a restart will be required and a prompt will be shown.
:arrowr: Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

:arrowr: After the restart once you are back at your desktop, open MBAM once more.
:arrowr: Click on the History tab > Application Logs.
:arrowr: Double click on the scan log which shows the Date and time of the scan just performed.
:arrowr: Click Export.
:arrowr: Click Text file (*.txt)
:arrowr: In the Save File dialog box which appears, click on Desktop.
:arrowr: In the File name: box type a name for your scan log.
:arrowr: A message box named File Saved should appear stating "Your file has been successfully exported".
:arrowr: Click Ok
:arrowr: Attach that saved log to your next reply.

STEP 2

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.

:arrowr: You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
:arrowr: Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
:arrowr: Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
:arrowr: At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
:arrowr: When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
:arrowr: Tick the option Enable detection of potentially unwanted applications
:arrowr: Click on Advanced settings
:arrowr: Make sure that the option Clean threats automatically is unticked.
:arrowr: Ensure these options are ticked:
  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth technology
:arrowr: Click Scan
:arrowr: Wait for the scan to finish.
:arrowr: When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
:arrowr: Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
:arrowr: Please copy/paste the contents of the log in your next reply.
:arrowr: To close ESET Online Scanner, select Do not clean then Finish
 
#7 ·
Hi,
I had to restart the computer manually when Malwarebytes was finished.
Here are the logs:

C:\Documents and Settings\All Users\Documents\uTorrent3.4.2.33023.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Documents and Settings\Falko\My Documents\Downloads\Essentials\IsoBusterPro2.3.0.1.zip a variant of Win32/Keygen.AF potentially unsafe application
C:\Documents and Settings\Falko\My Documents\Downloads\Essentials\Nero8.3.2.1UltraMicro.rar a variant of Win32/Keygen.DS potentially unsafe application
C:\Downloads\AllTechFree.NetAdobeUniversalPatcher1.06.rar a variant of Win32/HackTool.Patcher.CH potentially unsafe application
C:\Downloads\ImgBurn2.5.8.0.exe Win32/OpenCandy potentially unsafe application
C:\Downloads\KMS_VL_ALL_6.0.zip Win32/HackKMS.R potentially unsafe application,a variant of MSIL/HackTool.TunMirror.A potentially unsafe application
C:\Downloads\SLICToolKit3.2.rar Win32/HackTool.SLICMod.C potentially unsafe application
C:\Downloads\Essentials\Acronis True Image Home 11.0.8053\KeyGen.rar a variant of Win32/Keygen.QU potentially unsafe application
C:\Downloads\Newsbin\a.b.boneless\ADOBE CS5 Master Collection Multilanguage\ADOBE CS5 Master Collection Multilanguage.part01.rar a variant of Win32/Keygen.BH potentially unsafe application
C:\Downloads\Newsbin\acadm2013_x32.par2\acadm2013_x32.rar a variant of Win32/Keygen.HA potentially unsafe application
C:\Downloads\Newsbin\acadm2013_x64.par2\acadm2013_x64.rar a variant of Win32/Keygen.HA potentially unsafe application
C:\Downloads\Newsbin\Adobe CS5.5 Master Collection.nfo\Adobe CS5.5 Master Collection.part001.rar a variant of Win32/TrojanDropper.Delf.NWA trojan
C:\Downloads\Newsbin\AutoCad 2011 32&64 Bit\AutoCad 2011 32&64 Bit.part001.rar Win32/Keygen.BL potentially unsafe application,a variant of Win32/Keygen.BL potentially unsafe application
C:\Downloads\Newsbin\AUTODESK.AUTOCAD.MECHANICAL.V2013.WIN32-ISO.nfo\AUTODESK.AUTOCAD.MECHANICAL.V2013.WIN32-ISO.part01.rar Win32/Runner.NAG trojan
C:\Downloads\Newsbin\AUTODESK.AUTOCAD.MECHANICAL.V2015.WIN32-ISO.par2\AUTODESK.AUTOCAD.MECHANICAL.V2015.WIN32-ISO.part01.rar a variant of Win32/Keygen.HA potentially unsafe application
C:\Downloads\Newsbin\AUTODESK.AUTOCAD.MECHANICAL.V2015.WIN64-ISO.par2\AUTODESK.AUTOCAD.MECHANICAL.V2015.WIN64-ISO.part01.rar a variant of Win32/Keygen.HA potentially unsafe application
C:\Downloads\Newsbin\Microsoft Windows 7 Professional Edition With SP1 x64-ZWTiSO.nfo\Microsoft Windows 7 Professional Edition With SP1 x64-ZWTiSO.part01.rar Win32/HackKMS.A potentially unsafe application
C:\Downloads\Newsbin\Microsoft.Windows.8.Enterprise.x64-iNDiSO [GodFather].par2\Microsoft.Windows.8.Enterprise.x64-iNDiSO [GodFather]\Activator\windows8activator.exe Win32/HackTool.SLICMod.C potentially unsafe application,a variant of Win32/HackKMS.T potentially unsafe application,a variant of MSIL/HackTool.WinActivator.A potentially unsafe application,a variant of Win32/HackTool.WinActivator.J potentially unsafe application,a variant of Win32/HackKMS.M potentially unsafe application
C:\Downloads\Newsbin\Windows 8.1 Professional x86 Integrated December 2013.part01.rar\KMSpico Install.zip MSIL/HackTool.IdleKMS.B potentially unsafe application,a variant of MSIL/HackTool.IdleKMS.B potentially unsafe application
C:\Downloads\Newsbin\Win_Ent_8.1_64BIT.part01.rar\Win_Ent_8.1_64BIT.ISO a variant of MSIL/Injector.DJU trojan
C:\Downloads\Progz\PC\Internet\Internet Tools\Download Managers\uTorrent3.4.2.33023.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Downloads\Progz\PC\Multimedia & Image Tools\Video Tools\TV Tools & Descramblers\SopCast3.9.2.zip a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
 


#10 ·
Hello No-Know,

Please re-run ESET Online Scanner.

:arrowr: When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
:arrowr: Tick the option Enable detection of potentially unwanted applications
:arrowr: Click on Advanced settings
:arrowr: Make sure that the option Clean threats automatically is unticked.
:arrowr: Ensure these options are ticked:
  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth technology
:arrowr: Click Scan
:arrowr: Wait for the scan to finish.
:arrowr: When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
:arrowr: Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
:arrowr: Please copy/paste the contents of the log in your next reply.
 
#11 ·
Hi Tolga,
Thanks for getting back. Prior to your response I took the liberty of deleting the files that were tagged in the first ESET scan.
The second scan came back with "No threats found" and no option to save the results as a file.
Thanks, No-Know
 
#12 ·
Hello No-Know,

Please do the following.

:arrowr: Download CKScanner by askey127 from Here
:arrowr: Right-click and Run as Administrator CKScanner.exe then click Search For Files
:arrowr: After a couple minutes or less, when some text appears in the box, click Save List To File.
:arrowr: A message box will verify the file saved. It is important that you run the program just once.
:arrowr: Double-click the CKFiles.txt icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.
 
#13 ·
Hi Tolga,
Thanks for your help. I ran CKScanner, but there were a few problems. First, I couldn't run as administrator ("empty password" error or something like that - I don't have an admin password). I ran it as default (first CKScanner option). Then I got the message "Failed to create MainKey", but the program ran and showed the results. However, I wasn't able to save the log: "Cannot create file ckfile.txt".

This is what the log showed (typed manually):

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\downloads\kmspico9.3.3links.txt
c:\downloads\kmspico9.3.3password2014.zip
c:\downloads\kmspico9.3.3passwordelite.rar
scanner sequence 3.DI.11.AAAPHZ
----EOF----
 
#17 ·
Hello No-Know,

You're welcome. Your reports are clear. Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows XP

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.



  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows XP here (Please scroll down.)
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
 
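The HOSTS-file technique recommended in the prevention notes above works because the Windows resolver consults that file before asking DNS, so an ad hostname mapped to 127.0.0.1 or 0.0.0.0 never reaches the ad server. The same file is also a classic place for banking malware to plant its own entries, so a HOSTS file is worth auditing in both directions. The following Python script is an added example, not code from this thread, from the MVPS project or from Tolga's instructions: it parses a HOSTS file, lists the hostnames that are sunk to a loopback or unspecified address (the blocking entries), and flags every mapping that sends a hostname anywhere else, with a separate "hijack" category when the hostname matches a list of domains the owner considers sensitive. The sample file contents, the hostnames in it and the sensitive-domain list are constructed placeholders; the default Windows path is the standard location of the file.

```python
"""Audit a Windows HOSTS file: which hosts are blocked, which are redirected.

Added example (not from the forum thread or the MVPS project). The sample
HOSTS text below is constructed for illustration; every hostname in it is a
placeholder, not an entry from any real block list.
"""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "line ip hostname")

# Standard location of the file on Windows (XP through 10).
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: a normal localhost line, MVPS-style blocking entries,
# a LAN convenience mapping, one hijack-style entry and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- MVPS-style blocking entries: ad hosts sunk to loopback / 0.0.0.0 ---
127.0.0.1  ads.example-adnetwork.test
0.0.0.0    tracker.example-metrics.test  cdn.example-metrics.test
# --- LAN convenience mapping, harmless but not a blocking entry ---
192.168.254.10  nas.home.lan
# --- suspicious: a banking hostname sent to a non-local address ---
203.0.113.45    online.example-bank.test
not-an-ip  broken.entry.test
"""

# Constructed list of domains whose resolution must never be overridden.
SENSITIVE_SUFFIXES = ("example-bank.test", "example-payments.test")


def is_sink_address(ip):
    """True for addresses that block a hostname rather than redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return one Entry per (address, hostname) mapping; comments and
    malformed lines are skipped, hostnames are lower-cased."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                  # tabs or spaces both occur
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for host in fields[1:]:
            entries.append(Entry(number, fields[0], host.lower()))
    return entries


def _is_sensitive(hostname, suffixes):
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def classify(entries, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Split mappings into blocked hostnames, redirects to review, and
    redirects of sensitive hostnames (treated as hijacks)."""
    report = {"blocked": [], "review": [], "hijack": []}
    for entry in entries:
        if is_sink_address(entry.ip):
            report["blocked"].append(entry.hostname)
        elif _is_sensitive(entry.hostname, sensitive_suffixes):
            report["hijack"].append(entry)
        else:
            report["review"].append(entry)
    return report


def audit_file(path=DEFAULT_HOSTS_PATH, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Read a HOSTS file from disk and classify it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return classify(parse_hosts(fh.read()), sensitive_suffixes)


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(result['blocked'])} hostnames blocked")
    for e in result["review"]:
        print(f"line {e.line}: {e.hostname} -> {e.ip} (review)")
    for e in result["hijack"]:
        print(f"line {e.line}: {e.hostname} -> {e.ip} (HIJACK, sensitive host)")
```

Run as-is it audits the embedded sample; `audit_file()` with no arguments reads the live file. A clean MVPS-style file produces a long "blocked" list and an empty "hijack" list; anything in the "hijack" bucket, or an unexpected public address in "review", means the file has been edited by something other than the block-list installer.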