Identified by Kaspersky as a variant of the Trojan-PSW.Win32.Delf.aow password-stealing Trojan. O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll
One or more of the identified infections is a backdoor Trojan and a key logger.
If this computer is ever used for on-line banking, I suggest you do the following immediately:
-
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
-
From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Please download the OTMoveIt2 by OldTimer.
[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it.
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\WINDOWS\system32\apiuser32.dll
.
[*] Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.
[*]Click the red Moveit! button.
[*]Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
NEXT
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll
[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
FINALLY FOR NOW
Please download ComboFix from Here or Here to your Desktop.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop
[]Please, never rename Combofix unless instructed.
[]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall