
Found malware, but I can't delete it.

Discussion in 'Virus & Other Malware Removal' started by Bridgesii, Nov 4, 2007.

Thread Status:
Not open for further replies.
  1. Bridgesii

    Bridgesii Thread Starter

    Joined:
    Nov 4, 2007
    Messages:
    10
    I have a virus that affects World of Warcraft. From what I have read about it, its goal is to steal account passwords and credit card numbers. I tried to delete it in safe mode, but it just reinstalled itself. Here is the Kaspersky log that shows it.

    The symptom I encountered that led me to investigate was that the game wasn't saving any variables that should have been saved upon exit. Things like key bindings or add-on placement would be reset when I restarted the game. That told me that something was deleting the WoW WTF folder in which those variables were saved.

    I can post my HijackThis log too if you want, but I decided to start with the Kaspersky one as it identifies the problems.

    I tried running my resident anti-virus, NOD32, but it didn't pick it up. Ad-Aware Plus with Ad-Watch running didn't see it, and neither did Spybot. Please help!

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, November 04, 2007 5:26:44 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 5/11/2007
    Kaspersky Anti-Virus database records: 451584
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics:
    Total number of scanned objects: 54654
    Number of viruses found: 4
    Number of infected objects: 18
    Number of suspicious objects: 0
    Duration of the scan process: 01:24:17

    Infected Object Name / Virus Name / Last Action
    C:\Backup\Backup\Unhide Password.exe/data0009 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup\Backup\Unhide Password.exe/data0011 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup\Backup\Unhide Password.exe NSIS: infected - 2 skipped
    C:\Backup\Unhide Password.exe/data0009 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup\Unhide Password.exe/data0011 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup\Unhide Password.exe NSIS: infected - 2 skipped
    C:\Backup.7z/Backup/Backup/Unhide Password.exe/data0009 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup.7z/Backup/Backup/Unhide Password.exe/data0011 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup.7z/Backup/Backup/Unhide Password.exe Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    C:\Backup.7z 7-Zip: infected - 3 skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\history.dat Object is locked skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\key3.db Object is locked skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\77h81cik.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007110420071105\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\Perflib_Perfdata_cc.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\~DF26CA.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Creative\CADI\Preset\PCI_BUS1102-5-211102-DC00.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\AWProcessesLog.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\CoreEngineCommunicationLog.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HP6DL0SC\update[1].exe Infected: Trojan-PSW.Win32.WOW.abf skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Creative\ShareDLL\CADI\CTPLang.dat Object is locked skipped
    C:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
    C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
    C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
    C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
    C:\Program Files\Yahoo!\Messenger\logs\billing_Admin.log Object is locked skipped
    C:\Program Files\Yahoo!\Messenger\logs\client_Admin.log Object is locked skipped
    C:\Program Files\Yahoo!\Messenger\logs\network_Admin.log Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
    C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
    C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{31D084CA-0CA6-4696-9C8A-8A65E41DC407}\RP100\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\DEMITRY.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{E13D8908-5B60-4AC8-BB97-8658D1F7517F}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C4W04T31\mouse[1].dll Infected: Trojan-PSW.Win32.OnLineGames.fkj skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\mouse.dll Infected: Trojan-PSW.Win32.OnLineGames.fkj skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wzcsvbc.dll Infected: Trojan-PSW.Win32.WOW.abe skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_58c.dat Object is locked skipped
    C:\WINDOWS\Temp\ZLT03320.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT04f07.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\Backup.7z/Backup/Backup/Unhide Password.exe/data0009 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    D:\Backup.7z/Backup/Backup/Unhide Password.exe/data0011 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    D:\Backup.7z/Backup/Backup/Unhide Password.exe Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
    D:\Backup.7z 7-Zip: infected - 3 skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{31D084CA-0CA6-4696-9C8A-8A65E41DC407}\RP100\change.log Object is locked skipped

    Scan process completed.

    I would much appreciate your help in resolving this.
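    The report above lists every object the scanner touched, and most of its lines are "Object is locked" entries for registry hives, logs and browser caches rather than detections. As an added example (not part of the original thread, and not Kaspersky's own tooling), here is a Python script that parses this report format, drops the locked-object noise, collapses archive and installer members (the `/data0009` sub-objects and the `Backup.7z/...` paths) onto the single on-disk file that can actually be quarantined, and sorts what is left by a triage bucket. The three line shapes are inferred from the report as posted; the severity labels and the "directly in system32" heuristic are this example's own assumptions, and the embedded sample lines are excerpted from the report above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the Kaspersky Online Scanner report posted above.
# The scanner writes one object per line; "Object is locked" means it could not open the
# file (registry hives, logs, browser caches), which is noise rather than a detection.
SAMPLE_REPORT = r"""
C:\Backup\Backup\Unhide Password.exe/data0009 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
C:\Backup\Backup\Unhide Password.exe/data0011 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
C:\Backup\Backup\Unhide Password.exe NSIS: infected - 2 skipped
C:\Backup.7z/Backup/Backup/Unhide Password.exe/data0009 Infected: not-a-virus:pSWTool.Win32.Aster.55 skipped
C:\Backup.7z 7-Zip: infected - 3 skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HP6DL0SC\update[1].exe Infected: Trojan-PSW.Win32.WOW.abf skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C4W04T31\mouse[1].dll Infected: Trojan-PSW.Win32.OnLineGames.fkj skipped
C:\WINDOWS\system32\mouse.dll Infected: Trojan-PSW.Win32.OnLineGames.fkj skipped
C:\WINDOWS\system32\wzcsvbc.dll Infected: Trojan-PSW.Win32.WOW.abe skipped
"""

# One regex per line shape seen in the report; all are anchored at both ends so a path
# containing spaces or brackets cannot confuse them.
LOCKED = re.compile(r"^(?P<obj>.+) Object is locked skipped$")
DETECTION = re.compile(r"^(?P<obj>.+) Infected: (?P<name>\S+) skipped$")
CONTAINER = re.compile(r"^(?P<obj>.+) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")

# Triage buckets are this example's own scheme (assumption), not Kaspersky's classification.
RANK = {"unknown": 0, "riskware": 1, "malware": 2, "password-stealer": 3}
SYSTEM32 = "c:\\windows\\system32\\"


def bucket(name: str) -> str:
    """Map a Kaspersky verdict name onto a coarse triage bucket."""
    if name.startswith("not-a-virus:"):
        return "riskware"          # legitimate-but-abusable tool, e.g. a password revealer
    if name.startswith("Trojan-PSW."):
        return "password-stealer"  # PSW = password-stealing trojan
    return "malware"


def on_disk_file(obj: str) -> str:
    """Kaspersky joins archive/installer members to their container with '/', while Windows
    paths use '\\'. The only thing you can quarantine or delete is the container."""
    return obj.split("/", 1)[0]


@dataclass
class Finding:
    path: str
    names: set = field(default_factory=set)       # verdict names seen for this file
    containers: set = field(default_factory=set)  # e.g. {"NSIS"} or {"7-Zip"}

    @property
    def severity(self) -> str:
        return max((bucket(n) for n in self.names), key=RANK.__getitem__, default="unknown")

    @property
    def in_system32(self) -> bool:
        # Heuristic (assumption): a hit sitting directly in the system directory is the
        # component that gets loaded; copies under Temporary Internet Files are cached downloads.
        low = self.path.lower()
        return low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]


def parse_report(text: str):
    """Return (findings keyed by on-disk path, locked object paths, unparsed lines)."""
    findings, locked, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED.match(line)
        if m:
            locked.append(m["obj"])
            continue
        m = DETECTION.match(line) or CONTAINER.match(line)
        if not m:
            unparsed.append(line)  # never silently drop a line from a security log
            continue
        path = on_disk_file(m["obj"])
        finding = findings.setdefault(path, Finding(path))
        if "name" in m.groupdict():
            finding.names.add(m["name"])
        else:
            finding.containers.add(m["kind"])
    return findings, locked, unparsed


def triage(text: str):
    """Distinct on-disk files to act on: worst severity first, system-directory hits before caches."""
    findings, _, _ = parse_report(text)
    return sorted(
        findings.values(),
        key=lambda f: (-RANK[f.severity], not f.in_system32, f.path.lower()),
    )


if __name__ == "__main__":
    findings, locked, unparsed = parse_report(SAMPLE_REPORT)
    print(f"{len(locked)} locked objects ignored, {len(unparsed)} unparsed lines")
    for f in triage(SAMPLE_REPORT):
        where = "SYSTEM32" if f.in_system32 else "elsewhere"
        print(f"{f.severity:16} {where:9} {f.path}  <- {', '.join(sorted(f.names))}")
```

    Run against the full report posted above, the 18 "infected objects" collapse to eight on-disk files: four copies of the Unhide Password tool inside the backups (riskware, a password-revealer utility, which only matters if the user did not put it there) and the four Trojan-PSW hits, two of which (mouse.dll and wzcsvbc.dll) sit directly in system32 while the other two are cached downloads of the same families under Temporary Internet Files. Those cache paths are under the LocalService profile and the system32\config\systemprofile (LocalSystem) profile, which is consistent with the downloads having been made from a service context rather than from the user's own session.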
     
  2. Bridgesii

    Still no luck on it. AVG picked it up and removed it, but it just reinstalled itself moments later. Man... I really hope that whatever keylogger virus thing this is hasn't picked up my credit card....
     
  3. Bridgesii

    Whoa. I just ran AVG again, and this time when I deleted the infectious files, my computer came up with that "restart in 40 seconds" window, the one that used to pop up with the MSBlaster worm a year or two ago. I'm not sure what is going on, so I'm not going to touch anything now until I get a response. I don't particularly want to screw up my computer again. *starts the backup of important documents*
     
  4. Bridgesii

    Ahh!! My post got buried. The problem still exists. I'm hesitant to try to fix it myself, as I don't have a sufficient body of knowledge on malware to know what to do safely.
     
  5. Bridgesii

    Well, I ran AVG and the AVG spyware remover in safe mode, deleted the trojans, and then ran the scans again only to find that they are back.... I'm not sure how to remove these now. Someone please help.
     
  6. Bridgesii

    Wow, this forum is getting quite busy; I hope someone has time to stop by and help. If I can't get help here in the next 48 hours, I'm just going to reformat. I'm still unsure as to how I managed to get this little infection... I tried using the Recovery Console to delete the two infected files, but they came back again the moment I booted up. I have exhausted all my knowledge.
     
  7. Bridgesii

    Bump, seeing as it gets buried in a matter of 45 min.
     
  8. Bridgesii

    Just a quick bump before midterms.
     
  9. Bridgesii

  10. Bridgesii

    OK, well, I no longer need help. I fixed it myself by reformatting. Somehow the virus killed my wireless internet, and I no longer had access to the internet. So I just reformatted, and now my problem is gone....
     
Short URL to this thread: https://techguy.org/647812