got this virus similar to virus burster

dvk01 (Moderator & Malware Removal Specialist with 37,214 posts)
Join Date: Dec 2002
Location: Loughton, Essex, UK
05-Apr-2007, 04:19 AM #16
First go to Add/Remove Programs & uninstall ALL of these:

SeekmoToolbarWebTools

then

WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {35845E32-35D9-46BB-9240-258AB96391C5} [HKLM] -> %System32%\byxywvu.dll []
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> ddabc -> %System32%\ddabc.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {5CBE2611-C31B-401F-89BC-4CBB25E853D7} [HKLM] -> %ProgramFiles%\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll [Seekmo Toolbar]
YY -> {A240C884-5361-4FC9-B756-3E0AED3794C0} [HKLM] -> %System32%\lqywlcgx.dll [Reg Data - Value does not exist]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {0EBACAF2-E0F9-47A9-98CF-0ECCE30B654C} [HKLM] -> %ProgramFiles%\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll [Seekmo Information Window]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {0EBACAF2-E0F9-47A9-98CF-0ECCE30B654C} [HKLM] -> %ProgramFiles%\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll [Seekmo Information Window]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {5CBE2611-C31B-401F-89BC-4CBB25E853D7} [HKLM] -> %ProgramFiles%\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll [Seekmo Toolbar]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\{5CBE2611-C31B-401F-89BC-4CBB25E853D7} [HKLM] -> %ProgramFiles%\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll [Seekmo Toolbar]
YN -> WebBrowser\\{FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} [HKLM] -> [Coupons]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YY -> LimeShop Preferences -> %ProgramFiles%\LimeShop\System\Temp\limeshop_script0.htm
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List\\C:\WINDOWS\System32\a.exe -> C:\WINDOWS\System32\a.exe:*:ENABLED:0
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List\\C:\DOCUME~1\striker\LOCALS~1\Temp\bl4ck.com -> C:\DOCUME~1\striker\LOCALS~1\Temp\bl4ck.com:*:ENABLED:0
< Security Settings > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List\\C:\WINDOWS\System32\a.exe -> C:\WINDOWS\System32\a.exe:*:ENABLED:0
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List\\C:\DOCUME~1\striker\LOCALS~1\Temp\bl4ck.com -> C:\DOCUME~1\striker\LOCALS~1\Temp\bl4ck.com:*:ENABLED:0
[Files/Folders - Created Within 30 days]
NY -> SwSys1.bmp -> %SystemRoot%\SwSys1.bmp
NY -> SwSys2.bmp -> %SystemRoot%\SwSys2.bmp
NY -> cbadd.tmp2 -> %System32%\cbadd.tmp2
NY -> lqywlcgx.dll -> %System32%\lqywlcgx.dll
NY -> npqss.bakt -> %System32%\npqss.bakt
NY -> npqss.ini -> %System32%\npqss.ini
NY -> qgcoqisx.dll -> %System32%\qgcoqisx.dll
NY -> svvwa.ini -> %System32%\svvwa.ini
NY -> SeekmoToolbar -> %UserAppData%\SeekmoToolbar
[ Extra Files ]
C:\WINDOWS\System32\a.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]
The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

when it reboots


Post the following back here:

a new WinPFind3U report
the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue

Last edited by dvk01; 05-Apr-2007 at 04:27 AM..
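
The `AuthorizedApplications\List` lines in the fix above are Windows Firewall exceptions, stored as `path:scope:status:name`, for `a.exe` and for `bl4ck.com` in a Temp folder. The Python below is an added example, not part of the original thread and not WinPFind3U's own logic: it parses such values and lists reasons to review each one. The function names, the allowlist parameter and the temp-folder heuristic are assumptions; the two sample values are copied from the post.

```python
import re
from typing import NamedTuple, Optional

# Value layout: <program path>:<scope>:<Enabled|Disabled>:<display name>
# The path can start with a drive letter ("C:"), so a plain split(":") breaks it.
ENTRY_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):"
    r"(?P<status>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

# Assumed heuristic: path fragments that indicate a temp folder.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


class FirewallException(NamedTuple):
    path: str
    scope: str
    enabled: bool
    name: str


def parse_entry(value: str) -> Optional[FirewallException]:
    """Split one AuthorizedApplications value into its four fields."""
    m = ENTRY_RE.match(value.strip())
    if m is None:
        return None
    enabled = m["status"].lower() == "enabled"
    return FirewallException(m["path"], m["scope"], enabled, m["name"])


def review(value: str, allowlist=frozenset()) -> list:
    """Return reasons to look at an exception; an empty list means none."""
    entry = parse_entry(value)
    if entry is None:
        return ["unparseable value"]
    if not entry.enabled:
        return []  # a disabled exception opens nothing
    reasons = []
    path = entry.path.lower()
    if path not in allowlist:  # allowlist holds lower-cased program paths
        reasons.append("program not on reviewer's allowlist")
    if entry.scope == "*":
        reasons.append("open to any remote address")
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("program runs from a temp folder")
    return reasons


# Values copied from the fix script in the post above.
SAMPLES = [
    r"C:\WINDOWS\System32\a.exe:*:ENABLED:0",
    r"C:\DOCUME~1\striker\LOCALS~1\Temp\bl4ck.com:*:ENABLED:0",
]
```
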

striker0204 (Account Disabled with 436 posts)
Join Date: Nov 2006
Experience: I am God
05-Apr-2007, 06:19 AM #17
I did make my spyware scanner scan for 7 am every day, and I think it causes my startup to load really slow. It's about 30 MB RAM. I don't know. Here's the latest log.
Attached Files
File Type: log 04052007_021030.log (4.2 KB, 61 views)

striker0204
07-Apr-2007, 12:55 AM #18
OMG. I got key logged out of one of my accounts. What else do I need to do?

dvk01
07-Apr-2007, 05:28 AM #19
What do you mean, you got keylogged out of an account?

striker0204
07-Apr-2007, 09:43 AM #20
I have a "Steam account" (www.steampowered.com); it's a popular gaming client. And somehow I got key logged. I remember a few days back that I downloaded a .exe of a program related to Steam, and my account has been stolen.

dvk01
07-Apr-2007, 11:55 AM #21
So any of the Steam entries could be suspect.

OK, let's do this & check them


* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

Note: Kavscan is a scanner only & won't fix anything, but will normally find the most infected files, so its report gives us a good place to work from

You must use IE for the scan to work

striker0204
08-Apr-2007, 01:34 PM #22
I couldn't upload some types of files, so I uploaded the files to a separate folder on some extra web space I have.

Go here:

http://striker.prohosts.org/uploads/techguy/

All 3 logs are in that DIR.
Attached Files
File Type: log hijackthis.log (10.8 KB, 57 views)

dvk01
08-Apr-2007, 03:18 PM #23
next

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below including the " Files to delete:" line, to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\Documents and Settings\striker\Desktop\Hacks\Yahoo\downloads\SBC_Cr4ck3r_v2.zip
C:\Documents and Settings\striker\Desktop\Hacks\Yahoo\programs\SBC-BT Cracker 2.exe
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

when it reboots

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory Objects
    • Sweep Windows Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.

striker0204
08-Apr-2007, 06:36 PM #24
Wow, my god. I'm downloading the web sweeper now, but how did you learn all this? School or what?

striker0204
09-Apr-2007, 01:01 AM #25
OK, here is each log.
Attached Files
File Type: log hijackthis.log (10.9 KB, 58 views)
File Type: txt Spy Sweeper Session Log.txt (38.4 KB, 85 views)

striker0204
09-Apr-2007, 01:02 AM #26
Ohh, and a lot of your Spy Sweeper instructions varied from the actual program. I did my best to figure out what you meant. I think there might have been an update on the program with a different interface.

dvk01
09-Apr-2007, 06:31 AM #27
I can't see any signs in spysweeper of any known keyloggers

I think we need to carefully examine all the files you downloaded recently to do with steam


Please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here, then press the browse button and navigate to & select the files on your computer. If there is more than 1 file, then press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the windows press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

any of the recently downloaded steam files or add ons

striker0204
09-Apr-2007, 03:34 PM #28
I have reinstalled Steam. DELETED EVERYTHING. There are no "NEW FILES".

dvk01
10-Apr-2007, 03:16 PM #29
hopefully you got rid of the keylogger then

run sdfix again please to check something

striker0204
11-Apr-2007, 12:53 AM #30
ok.

All times are GMT -4.