Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

KeyLogger/Virus infection


  • Please log in to reply

#16
Zolika4

Zolika4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
And here are the other two logs from OTL. This time with registry entries at all

Attached Files


  • 0

Advertisements


#17
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
< MD5 for: AUTOCHK.EXE >
[2008/01/20 19:24:45 | 000,642,560 | ---- | M] () MD5=86F6DBFE95509C0832C687E0B2DA1D83 -- C:\Windows\System32\autochk.exe

The checksum doesn't have any hits when I google it which is a bad sign.
There's just the one on your PC so we can't replace it easily. I think you can just remove it tho. Seems like it will complain about the file being missing but will still boot.

Is your other PC also a vista? I've got a vista sp2 here but my wife is sleeping right in the room with the vista now so I don't want to wake her. When she gets up from her nap I will attach a replacement.

Ron
  • 0

#18
Zolika4

Zolika4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Yes mine is a vista as well. Okay. I have all day. No school today. Thank you. I really appreciate it once again.
  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Download the attached file. Then right click on it and Extract All. You should get a chkdsk.exe file. You can try and just copy it to C:\windows\system32\ I don't think the file should be in use so it should work. If not I can let OTL do it for us. Just need to know where the file is so if you can't save it to System32\ then save it to C:\

Ron
  • 0

#20
Zolika4

Zolika4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Okay thank you! I added your file into my System32 folder. Everything worked out well. The only problem was that I had to take ownership of the file first before I could delete it, but that's okay. It's out now, and your file is in. I restarted my computer, everything seems fine. I also deleted the autochk.exe file in the same folder. When I restarted my computer I got a black screen that said "cannot find autochk.exe file --- skipping autochk process." My question to you is what does autochk.exe do? Does it matter if I have it or not? Is it possible to get a new one? I don't want to put it back into my system32 folder because AVG found that file to be corrupted as well.
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I gave you the wrong file. Try again with this one
  • 0

#22
Zolika4

Zolika4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Okay thank you. I have but it into the system32 folder. So far so good. My computer is updating as we speak. I will post a reply once I can restart my computer.

EDIT: Okay, so I restarted my computer =). Everything seems to be alright now. I am gonna go through the process just one last time. I'll post all the logs in my next reply. And if don't find anything, then that means you're a saint.

Edited by Zolika4, 11 November 2011 - 11:40 PM.

  • 0

#23
Zolika4

Zolika4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Okay, I have done all the scans. Here are the files attached. Some errors did occur though. The first one was that aswMBR found "dragwait.exe" to be hidden. The other one was that MBRCheck found the laptops MBR to be either infected or not normal. Anyway, I'm sure you can find all that information in the logs provided. This really seems like a never ending process =P

Attached Files


  • 0

#24
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I don't see anything bad in your logs. dragwait.exe is from ASUS. Part of an ASUS encryption program and it has been causing anti-virus scanners a lot of grief because it doesn't want to be looked at but it's not malware.

The MBR on this one is much better than the other one even if MBRcheck doesn't recognize it. It is well known on the Internet and had previously been checked 0/43 by virustotal. When I open it in a hex editor I can see the usual Invalid Partition text which was missing on the other one.

It does look like this one came with Symantec and it didn't remove all of its stuff so you will need to download, save and run the uninstaller
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Right-click on the downloaded file and Run As Administrator to start the program.
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

I doubt it will find anything. I would download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows. I don't like to update it unless you actually use it as Windows sneaks in a ton of Windows Live stuff when they upgrade and I have no use for Windows Live.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.


Ron
  • 0

#25
Zolika4

Zolika4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi. I finished the scans earlier yesterday. My girlfriend accidentally deleted the log file though, so I can't put anything in the reply. The only things that the scan found were related to ASUS Security Manager, and AVG. A couple other hardware related things came up too. So I guess you helped my rid the storm. I thank you very much. You have no idea how important you are to me now. Is there anyway of telling the community of just how helpful you were?
  • 0

Advertisements


#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I think for some strange reason the more friends I have in my profile the better my rating is so if you want to "friend me" feel free.

I think we can clean up now.

We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not upgdate it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP