This is the sequence. I logged onto my World of Warcraft account yesterday and all my gold was stolen, which means someone hacked my account. Then my system found some viruses in my Warcraft III system directory. I recently returned from a massive LAN party in Rhode Island (Digital Overload), so it's likely I picked it up there.
I tried deleting the Warcraft III file directory, but it won't let me (saying the files are in use, even in safe mode). I use AVG Free, ZoneAlarm firewall (the free one) and run various anti-spyware programs all the time (Ad-Aware, CWShredder). I've never had a problem in my life with a virus/spyware that I couldn't fix. I think this one is deeper though, into my registry. I am clueless about that aspect.
After deleting most of the Warcraft III files, AVG doesn't find the virus anymore, but it says that my shell32.dll, ntoskrnl.exe, and hosts files have changed.
Here is my HJT log. I couldn't remember if you want me to run it in safe mode or not. Any flags? Ideas?
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:04:14 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
I see you're running the new Trend Micro HijackThis! beta version. We in the forums prefer at this time not to use it until they have ironed out all the wrinkles, so would you please download the older version, 1.99.1, and run a new log.
Please download HijackThis! SetUp from here. Save the file to your desktop.
Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select Next, then allow HijackThis! to start.
Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and Notepad will open up with the contents of the scan. Right-click in the saved log and select 'Copy'. Then proceed to your original thread, unless otherwise instructed, click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
Logfile of HijackThis v1.99.1
Scan saved at 6:13:20 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Click the [Scan your PC] button. (You may have to disable any pop-up blockers.)
Then press the green [Check Now] button.
Enter your country and state along with a valid email address.
Allow the ActiveX install; it may take a few minutes for all components. (For XP SP2, watch for the yellow bar at the top of IE.)
Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
Click on Kaspersky Online Scanner icon.
Accept the Kaspersky agreement and the program will load.
You will then be prompted to install an ActiveX component from Kaspersky, click Yes
The program will then begin downloading the latest definition files. This will take a good while, even with high-speed Internet access.
Once the files have been downloaded click on Next
Now click on [Scan Settings] button.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now, under 'Please select a target to scan':
Select My Computer
The program will begin the scanning process.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Then click on the [Save as Text] button
Save the file to your desktop.
Copy and paste that information in your next post for me to review.
I have a Kaspersky log at home; I'll post it tonight. However, I can't get the Panda scan to work. About 2-3 minutes into the scan, IE closes by itself, no errors, nothing. It just shuts down all of my IE screens. And I can't use Firefox for Panda. Any ideas?
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 04, 2007 7:26:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/04/2007
Kaspersky Anti-Virus database records: 275132
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 70691
Number of viruses found 1
Number of infected objects 6 / 0
Number of suspicious objects 0
Duration of the scan process 00:32:20
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007040420070405\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Account Security Measures.eml/[From RACHAEL COTTER ][Date Fri, 22 Apr 2005 14:53:40 -0400 (EDT)]/UNNAMED/[From "PayPal" ][Date Thu, 21 Apr 05 22:40:18 GMT]/html Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Account Security Measures.eml/[From RACHAEL COTTER ][Date Fri, 22 Apr 2005 14:53:40 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Account Security Measures.eml Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Flagged Account.eml/[From RACHAEL COTTER ][Date Wed, 13 Apr 2005 12:14:06 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Flagged Account.eml Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip ZIP: infected - 5 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9A1FFAC2-46C2-47FE-96CA-BC95A23EEF91}\RP111\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6285.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Alcohol\Alcohol 120\StarWind\logs\starwind.2007-04-04.18-04-12.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{9A1FFAC2-46C2-47FE-96CA-BC95A23EEF91}\RP111\change.log Object is locked skipped
Scan process completed.
Note: Complete removal of the malware listed below failed!
TROJ_GENERIC.CON
1 Infections
This is the Trend Micro generic detection for low-threat Trojans.
Platform: Not specified
Detected grayware/spyware
Note: Complete removal of the grayware listed below failed!
ADW_SAVENOW.AT
1 Infections
This adware arrives on a system either downloaded from the Internet or dropped by other malware.
It displays pop-up advertisements on the affected system every time certain Web sites are visited.
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
HTTP cookies
2 Detected
Cookies are generally used to save user-specific data from Internet transactions with a Web server via a browser. The cookies listed below are "profiling cookies" that are only used to monitor your Internet usage.
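The Kaspersky report earlier in this thread buries its five real hits among dozens of "Object is locked skipped" lines, and all five point at one on-disk file (messages.zip, a mail archive holding forwarded PayPal phishing mails). As an added example that is not part of this thread, the Python below parses that report format and groups detections by the file that actually exists on disk, so lock-skipped objects are not mistaken for infections; the sample lines are constructed in the report's shape, not the poster's full log.

```python
"""Triage a Kaspersky Online Scanner 5.x text report of the kind pasted above.

Each object line reads "<path> <verdict> <action>".  "Object is locked" means
the scanner could not read the file and is NOT a detection; "Infected: <name>"
is.  Archive members appear as "<file on disk>/<member>/...", followed by a
"ZIP: infected - <n>" summary line for the archive itself.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<virus>\S+)"
    r"|(?P<archive>[A-Z0-9]+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)

# Constructed sample in the shape of the report above (paths shortened, verdict
# strings verbatim); it is not the poster's real log.
SAMPLE_REPORT = r"""Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Account Security Measures.eml/[From "PayPal" ][Date Thu, 21 Apr 05 22:40:18 GMT]/html Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip/Sent/Fwd_ PayPal Flagged Account.eml Infected: Trojan-Spy.HTML.Paylap.bj skipped
C:\Documents and Settings\Administrator\My Documents\messages.zip ZIP: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""


def parse_report(text):
    """Return one dict per object line; header, statistics and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        entry = {
            "path": path,
            # Only the part before the first "/" exists on disk; the rest is
            # a member nested inside that archive or mail file.
            "container": path.split("/", 1)[0],
            "action": m.group("action"),
        }
        if m.group("locked"):
            entry["status"] = "locked"
        elif m.group("virus"):
            entry["status"] = "infected"
            entry["virus"] = m.group("virus")
        else:
            entry["status"] = "archive-summary"
            entry["count"] = int(m.group("count"))
        entries.append(entry)
    return entries


def triage(entries):
    """Count unreadable objects and group real detections by on-disk file."""
    by_container = defaultdict(Counter)
    locked = 0
    for e in entries:
        if e["status"] == "locked":
            locked += 1
        elif e["status"] == "infected":
            by_container[e["container"]][e["virus"]] += 1
    return {
        "locked": locked,
        "files_to_act_on": {c: dict(v) for c, v in by_container.items()},
    }
```

Running `triage(parse_report(report_text))` on a pasted report returns the number of lock-skipped objects separately from a per-file map of detection names and counts, which is the list worth acting on.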
Yeah, that's what I originally thought, but I uploaded the patch and changed my WoW password a few times since, and someone stole my gold again. So I think it's something else.
I don't see anything in those results to indicate a problem, but I'm also not, in any way, shape or manner, up on how games can be infected/hacked and so forth. I suppose that's a risk you take with online gaming, and I'd wager there will be more and more malware writers trying to compromise systems in this manner.
For months, hackers--most likely in China and Russia, according to security watchers--have been surreptitiously installing keylogging software on WoW players' Windows computers, hijacking their accounts and selling off their often valuable in-game assets.
And the problem doesn't show any signs of going away.