
Author Topic: hi_jack_this_log  (Read 19665 times)


solotekk

    Topic Starter


    Beginner

    Re: hi_jack_this_log
    « Reply #45 on: January 08, 2008, 01:15:00 AM »
    cheers..........




    [file cleanup - saving space - attachment deleted by admin]
    Never sit down in front of a computer and think to yourself, "This will only take a minute."

    solotekk


      Re: hi_jack_this_log
      « Reply #46 on: January 08, 2008, 10:57:49 AM »
      I need to send you a few print screens so you can see this new error that appeared this morning when AVG was auto scanning. The file has a ? in front of the file name. Is there an alternate way to send you this zip file? Let me know.
      thanks

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: hi_jack_this_log
      « Reply #47 on: January 08, 2008, 11:39:01 AM »
      OK, one step closer to a remedy.


       
      Copy this file path C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz (highlight and press ctrl+C)

      Go to www.viruschief.com

      Paste the file path in the window under Quick Scan: (press ctrl+V on the keyboard to paste)

      Click Scan.

      You will see a message:
      ENG: It can take up to 1 minute before your scan starts, please wait!
      GER: Es kann bis zu einer Minute dauern bis Ihr Scan startet, bitte warten!


      Once the scan is complete, copy the text in the window under BB Code and paste it into the next post.

      You can go ahead and post that log now then continue on with the rest of the steps.

      ----------

      Next go to this file C:\Program Files\BitLord\Downloads\CYBER CD\Professional Spy\Investigating Tools\KEYKEY\keykey.exe. Look for an uninstaller and run it if it is there (if it will run).


      Restart the computer in Safe mode

      In Safe Mode:

      Click Start > Run.

      1. Type regedit

      Then click OK.

      2. Navigate to the key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      3. In the right pane, delete the values:

      "SL Loader"="loadwin.exe"
      "KK Loader"="%System%\loadkk.exe"


      4. Navigate to the key:

      HKEY_LOCAL_MACHINE\Software

      5. In the left pane, delete the subkey:

      ScreenLogger

      6. Navigate to the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

      7. In the left pane, delete the subkey:

      KeyKey

      8. Exit the Registry Editor.

      9. Restart the computer in normal mode.

      ----------

      Run ATF Cleaner.

      ----------

      Next run the Symantec W32.Esbot Removal Tool

      Download the tool and follow the instructions.

      -----------

      We will try to not have to run another online scan due to the connection issues.


      Please download DrWeb CureIt & save it to your desktop.

      Scan with DrWeb-CureIt as follows:
      • Double-click on drweb-cureit.exe and then click Start.
      • An Express Scan of your PC notice will appear.
      • Under Start the Express Scan Now Click OK to start.
        • This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
      • Once the short scan has finished, Click Options > Change settings
      • Choose the Scan tab and UNcheck Heuristic analysis and click OK
      • Back at the main window, select the Complete scan button.
      • Then click the Green Arrow Start Scanning button on the right and the scan will start.
        • Click Yes to all if it asks if you want to cure/move any file(s).
      • When the scan is done.
      • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
      • Save the DrWeb.csv report to your Desktop.
      • Exit Dr.Web Cureit.
      • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
      • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
      • Copy and paste that log in the next reply
      ----------

      Then make sure AVG is updated, boot to safe mode and run a full system scan with it.

      ----------

      Next post
      DR. Web log
      New HijackThis log



      Also let me know how the computer is now.

      solotekk


        Re: hi_jack_this_log
        « Reply #48 on: January 09, 2008, 08:36:10 PM »
        ------ C:\Program Files\BitLord\Downloads\CYBER CD\Professional Spy\Investigating Tools\KEYKEY\keykey.exe. Look for an uninstaller and run it if it is there ( if it will run).--------

        there is no uninstaller for the file keykey.exe.
        Should I delete the folder KEYKEY?



        evilfantasy

        Re: hi_jack_this_log
        « Reply #49 on: January 09, 2008, 08:50:50 PM »
        Yes, manual removal is the next step, only you will also have to delete the registry keys as well.

        Restart in safe mode to delete the files/folder.

        In safe mode delete the following keys.

        Click Start > Run.

           1. Type regedit

              Then click OK.

           2. Navigate to the key:

              HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

           3. In the right pane, delete the values:

              "SL Loader"="loadwin.exe"
              "KK Loader"="%System%\loadkk.exe"

           4. Navigate to the key:

              HKEY_LOCAL_MACHINE\Software

           5. In the left pane, delete the subkey:

              ScreenLogger

           6. Navigate to the key:

              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

           7. In the left pane, delete the subkey:

              KeyKey

           8. Exit the Registry Editor.

           9. Restart the computer in normal mode.
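
As an added example (not part of either post, and not the forum's or any vendor's tool): a read-only PowerShell check, run from an elevated prompt after the final reboot, that reports whether any of the registry entries named in steps 3, 5 and 7 are still present. The file check assumes "%System%" in the post means the Windows system folder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only check for the entries listed in the removal steps.
# Nothing is deleted; anything reported here is still on the machine.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('SL Loader', 'KK Loader')                   # values from step 3
$subKeys   = @(
    'HKLM:\Software\ScreenLogger'                          # subkey from step 5
    'HKLM:\System\CurrentControlSet\Services\KeyKey'       # subkey from step 7
)
# Assumption: "%System%" in the post means the Windows system folder.
$files     = @(Join-Path $env:SystemRoot 'System32\loadkk.exe')

$findings = @()

# Autostart values: report the name and the command it would launch.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues) {
    $prop = if ($run) { $run.PSObject.Properties[$name] }
    if ($prop) {
        $findings += [pscustomobject]@{ Type = 'Run value'; Item = $name; Detail = $prop.Value }
    }
}

# Subkeys: for a service key, ImagePath shows which binary the service loads.
foreach ($key in $subKeys) {
    if (Test-Path -Path $key) {
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Type = 'Subkey'; Item = $key; Detail = $image }
    }
}

# Loader binary referenced by the "KK Loader" value.
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $file; Detail = 'file still on disk' }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed entries were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The post gives no path for loadwin.exe, so only the "SL Loader" Run value is checked for it, not a file.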


        solotekk


          Re: hi_jack_this_log
          « Reply #50 on: January 09, 2008, 09:00:36 PM »
          Here is the bb code.




          Antivir: Nothing found
          ArcaVir: Nothing found
          Avast: Nothing found
          AVG: Nothing found
          BitDefender: Trojan.Arcbomb.ZIP
          ClamAV: Nothing found
          F-Prot: Nothing found
          Norman: Nothing found
          Rising: Nothing found
          VirusBlokAda32: Nothing found
          VirusBuster: Nothing found

          Report overview
          Scanned by viruschief.com

          evilfantasy

          Re: hi_jack_this_log
          « Reply #51 on: January 09, 2008, 09:08:17 PM »
          Let's run that file through jottiscan and see what all is detected by it.

          http://virusscan.jotti.org/

          solotekk


            Re: hi_jack_this_log
            « Reply #52 on: January 09, 2008, 09:44:03 PM »
            here is what http://virusscan.jotti.org/ scan found:

            Scan taken on 10 Jan 2008 04:12:45 (GMT) 
            A-Squared  Found nothing
            AntiVir  Found HEUR/Exploit.HTML 
            ArcaVir  Found nothing
            Avast  Found nothing
            AVG Antivirus  Found nothing
            BitDefender  Found nothing
            ClamAV  Found nothing
            CPsecure  Found nothing
            Dr.Web  Found nothing
            F-Prot Antivirus  Found nothing
            F-Secure Anti-Virus  Found nothing
            Fortinet  Found nothing
            Ikarus  Found nothing
            Kaspersky Anti-Virus  Found nothing
            NOD32  Found nothing
            Norman Virus Control  Found nothing
            Panda Antivirus  Found DoS/42zip 
            Rising Antivirus  Found nothing
            Sophos Antivirus  Found nothing
            VirusBuster  Found nothing
            VBA32  Found nothing
               

            evilfantasy

            Re: hi_jack_this_log
            « Reply #53 on: January 09, 2008, 10:01:36 PM »
            I am leaning toward a false positive on that file.

            Is this or was this a company machine that would have had monitoring software installed to ensure the user was doing their job?

            C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz
            http://www.nessus.org/nessus/

            solotekk


              Re: hi_jack_this_log
              « Reply #54 on: January 09, 2008, 10:16:29 PM »
              the drweb cureit link is blank.

              is there an alternative method?
               

              evilfantasy

              Re: hi_jack_this_log
              « Reply #55 on: January 09, 2008, 10:19:11 PM »
              I am having the worst time with links lately.

              Use this direct download. ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

              solotekk


                Re: hi_jack_this_log
                « Reply #56 on: January 09, 2008, 10:28:47 PM »
                Is this or was this a company machine that would have had monitoring software installed to ensure the user was doing their job?


                No, but my client did have another person working on this before I was hired. I'm not sure exactly what that person did either (installed, uninstalled, or repaired).

                Why do you ask?

                evilfantasy

                Re: hi_jack_this_log
                « Reply #57 on: January 09, 2008, 11:06:23 PM »
                Nessus is some sort of security software. It could have been corrupted by a virus but I am leaning toward a false positive. I didn't read much on the web site so I am not clear on exactly what type of security it is. Antivirus reports what it sees as suspicious. Therefore if some sort of legitimate monitoring software is put on a computer the AV will report it because the way it works is not normal to other programs.

                And if it were company software I wouldn't want to see you take it out and possibly jeopardize your client's standing with the company. But if it is a personal computer and not known what it is or why it's there.........

                It is your call on that one. It is at C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz
                There may be an uninstaller in there or in add/remove programs.

                solotekk


                  Re: hi_jack_this_log
                  « Reply #58 on: January 10, 2008, 08:28:34 AM »
                  OK, I looked in both places, and am unable to find an uninstaller...hmmm......

                  Any suggestions?

                  thanks...

                  evilfantasy

                  Re: hi_jack_this_log
                  « Reply #59 on: January 10, 2008, 11:03:18 AM »
                  Manually deleting everything you can find.