Keylogger/virus help

[KrayonZ]

I was recently downloading something off Limewire and well it had a key logger in it.. Nortan picked it up and said it deleted it but that did nothing.

I ran Ad-aware professional and Nortan antivirus

they pickup stuff but im not sure if their doing anything.

When i press Alt+ctrl+del and click on task manager, the task manager wont come up, so i went through the help menu-> searched for "task manager" and clicked on "Open Task manager" but it says:

The program could not start
The operating system could not start this program. This may happen if,

Your computer is on a Network :Note it is'nt
You need to install the necessary programs :Note huh??
You need to install the necessary software :Note: Huh??
You need to re-install the program file note: I never installed anything??
You are running on Windows XP 64-bit edition Note: ughh noo..
You need to access an active directory snap-in Note: Riiight?.. wtf?


When i Start the computer This comes up:
Application error cannot start VCClient.exe



Im also getting billions of popups everytime i key in words as im typing in this and in MSN.

I am now currently running the free online scan at www.trendmicro.com and hopefully that will pickup something.

Is their anything or anyone that can help me please?

 

[howard_hopkinso]

Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Then, go and read both these threads by RBS. Follow all the instructions exactly.

How to remove Trojans and its ilk! and How to remove Begin2search / coolwebsearch and other nasties.

Then see. How to post your Hijackthis log-file as an ATTACHMENT.

Only post your HJT log, after doing the above.

Regards Howard :wave: :wave:

 

[KrayonZ]

Ok here is the hijackthis .txt in the attachment.. i wouldnt have a friggen clue what it means sorry.. if anyone could point out please do

 

[howard_hopkinso]

Go and follow the instructions HERE.

Then, once you`ve done that, follow the rest of these instructions.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel. Uninstall anything to do with(if there).

C:\Program Files\OptusNet Dial-up Internet

Close control panel.

Open your task manager, by pressing the ctrl/alt/delete keys together. Click on the processes tab and end process for(if there).

DSC.exe
newfrn.exe
keyboard2.exe
mousepad2.exe
newname2.exe
stub_113_4_0_4_0.exe
VCClient.exe
VCMain.exe

Close task manager.

Click start/run and type regsvr32 /u C:\WINDOWS\DH.dll and press the enter key.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard2.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe
O4 - HKLM\..\Run: [newname] C:\\newname2.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe

O4 - HKCU\..\Run: [zurz] C:\stub_113_4_0_4_0.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/ Only fix this, if it doesn`t belong to either your pc manufacturer, or your ISP provider.

Fix all 016 DPF entries.

O17 - HKLM\System\CCS\Services\Tcpip\..\{28432A50-096E-40A8-9257-BA261DA1DC10}: NameServer = 203.2.75.132 198.142.0.51 Only fix this entry, if it doesn`t belong to your ISP.

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Click on the fix checked button.

Close HJT.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Locate the above 023 entry and double click on it. If it is running, select stop. Set the startup type to disabled. Click apply/ok.

Locate and delete the following bold files(if there).

C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\DH.dll
C:\\keyboard2.exe
C:\\mousepad2.exe
C:\\newname2.exe
C:\WINDOWS\newfrn.exe
C:\stub_113_4_0_4_0.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard

 

[KrayonZ]

Ok i did everything their, and so far soo good

Except Task manager wont work

I try Alt+ctrl+del Right clicking the task bar

but still nothing

Btw the attachment is my new hijackthis .txt after doing all of the above

 

[Tedster]

what does norton identify it as?

 

[howard_hopkinso]

I can`t see anything bad in your HJT log.

I try Alt+ctrl+del Right clicking the task bar

The correct sequence of keys is ctrl/alt/delete keys.

Click start/run and type taskmgr.exe into the run box and press the enter key.

Does that make the task manager appear?

Regards Howard

 

[KrayonZ]

yeah i meant to type ctrl/alt/delete , But alt/ctrl/delete also works aswell for me

Btw when i did start/run typed taskmgr.exe and pressed start this came up.


"another program is curently using this file."

 

[howard_hopkinso]

Try it from safe mode.

Also, look in your add remove programmes in your control panel for anything related to surfsidekick, or Vcclient. If you find anything, uninstall it.

Regards Howard

 

[KrayonZ]

Task manager works in "safe Mode" just wonder why it wont work normally...

btw i checked for any programs and none.

 

[howard_hopkinso]

All the instructions I gave you in reply #4, were meant to be carried out in safe mode.

Regards Howard

 

[KrayonZ]

ohh yeh yehh i did them in safe mode

 

[KrayonZ]

Start/run Msconfig

Then disabled something called "outlook" in the startup part
and all is fine

Thanks howard!

 

[howard_hopkinso]

That`s good news.

Thanks for letting us know.

Regards Howard