So my email etc. got hacked a couple of days ago. I tried 5 different programs and avast! was the only one able to find the keylogger.
Anyways I seem to have a problem removing it. It appears that every time I turn my PC on with the internet cable plugged in, this JS:ShellCode[expl] comes back. If I start the PC without an internet connection, it doesn’t come. Even if I plug the cable in later, it won’t come until restart.
I don’t understand much about programs/viruses/computers after all, so I thought that one of you guys could help me
My guess would be that location of the virus is
C:\program files(x86)\F-Secure\FSAUA\content\aquawin32\1307117436\cran.cvd
and I’m using F-Secure’s firewall, but before buying new one (or downloading) I would really like to know is this the real reason for that and what I can do about it.
I’m using Windows 7 btw.
Well a quick google search confirms my suspicions, that this relates to f-secure’s virus signatures. So it looks like you not only have f-secure’s firewall but have/had its anti-virus also ?
It also looks like that virus signature file is unencrypted, so another anti-virus scanner looking specifically for virus signatures would find them in this file.
See this topic, http://forum.f-secure.com/topic.asp?TOPIC_ID=11509.
So was this avast that alerted on this file ?
Yes, I still have F-Secure running and avast! was the only program able to find it (tried at least F-Secure, Malwarebytes and Ad-Aware).
But I can’t ignore the fact that my email and Facebook got hacked twice in a 20min period, which strongly suggests that there is a real virus/keylogger there. Of course it can still be hiding in some other file, but with the scan times I have run in the last couple of days, it is very unlikely.
Detection is a result of having installed two AV programs
Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638
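The effect described above (one scanner alerting on another product's unencrypted signature file) can be reproduced with a toy scanner. This is an added example, not part of the original posts and not any vendor's code; the signature names, byte patterns, file layout and XOR mask are all constructed for illustration.

```python
"""Toy model: why a second scanner alerts on a plaintext signature database."""

# Constructed, harmless byte patterns standing in for real detection signatures.
SIGNATURES = {
    "Demo.ShellCode.A": b"\x90\x90DEMO-SHELLCODE-PATTERN-A",
    "Demo.Dropper.B": b"DEMO-DROPPER-PATTERN-B\x00\x01",
}


def scan(data, signatures=SIGNATURES):
    """Naive byte-pattern scan: return the sorted names of all patterns found."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def build_plain_db(signatures=SIGNATURES):
    """Serialise the patterns verbatim (hypothetical layout: magic, then
    length-prefixed name and pattern), like an unencrypted definitions file."""
    out = bytearray(b"SIGDB1")
    for name, pat in signatures.items():
        encoded = name.encode()
        out += bytes([len(encoded)]) + encoded
        out += len(pat).to_bytes(2, "big") + pat
    return bytes(out)


def xor_mask(blob, key=0xA5):
    """Single-byte XOR mask, standing in for whatever encoding or encryption
    a vendor might apply to its definitions at rest. Applying it twice undoes it."""
    return bytes(b ^ key for b in blob)


if __name__ == "__main__":
    plain = build_plain_db()
    masked = xor_mask(plain)
    # The scanner cannot tell a definitions file from an infected file:
    # every pattern stored verbatim is reported as a detection.
    print("plaintext db :", scan(plain))
    # The same definitions, masked at rest, contain no matching byte runs.
    print("masked db    :", scan(masked))
    # The owning product unmasks in memory and still has its full pattern set.
    print("round trip ok:", xor_mask(masked) == plain)
```
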
Then I’m really confused :<
So my email, facebook, steam, WoW account hacks were just something else?
If you think you have something in there… let Essexboy have a look inside
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI
Essexboy will be notified when logs are posted…
Okay I’ll do that
Thanks guys, like I said, I don’t know much about these things
You’re welcome.
The next decision is which AV to keep as two resident AVs can conflict, aside from this detection of the f-secure’s unencrypted virus signatures.
You can also check out these other anti-spy/malware scanners:
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
- MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
You can attach the log using the Additional Options, link in the Reply window.
Here is Mbam log for Essexboy
And here is OTS (they didn’t fit in same post >.<)
You did not update Malwarebytes before you scanned; always do, as MBAM releases up to 10 updates a day.
You have program version 1.50.1.1100 and the latest is 1.51.0.1200.
Your signature is 6753; the latest is 6775.
There is a backdoor trojan on your system - I will remove that now, but would like a second opinion programme to run
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> dvmexp.idx -> C:\dvmexp.idx
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
OTS log here
ComboFix log here->
That looks OK now - are you experiencing any problems ?
Not really. The only problem was two days ago, when my WoW account, FB and Email were hacked two times in a 20min period. I haven’t logged into any of them so far from this computer. So is my computer clean now?
I’m curious, do you know why any of the AV programs didn’t spot that trojan?
Anyways you are my hero <3
Fortunately that was an inactive dropper - so it would not be detected until it ran
You will need to reset your passwords from the affected sites to ensure that they belong to you again
But that is the one that got my password, ye?
WoW account, FB and Email: you will need to reset the passwords on these accounts and then monitor them for a day or so
Okay, did that already. Thanks mate