killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

spying?

Tue Aug 28, 2012 4:20 pm

So I was downloading a patch for my Assassin's Creed Revelations.
I was curious where it was being downloaded, so I looked it up and found it in my temp folder:
C:\Users\R*****\AppData\Local\Temp
Then I noticed something more: I saw screenshots of my desktop every 15 min or so.
It started since I turned it on this morning, after about 4 months or so.
Anyone else have this thing? The screenshot goes by the name of MY-PC - 28-08-12-9.34.39-PM.gif

Should I be worried?
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
Madman
Minister of Gerbil Affairs
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia

Re: spying?

Tue Aug 28, 2012 4:40 pm

Probably yes.

Download the Sysinternals suite, launch Process Explorer, and find which process has an open handle with the common part of the name. Check if it's signed by a trusted 3rd party, and proceed from there.
Core 2 Duo E6300, MSI P45 NEO-F, Club 3D GTX 260, 4Gb DDR2-800Mhz, Audigy X-Fi Fatal1ty Champ1on ed., 0.5Tb+1Tb Seagate Barracuda 7200.12, 630W AXP, Samsung SyncMaster BX2450, ViewSonic VP171b
 
killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

Re: spying?

Tue Aug 28, 2012 4:52 pm

Madman wrote:
Probably yes.

Download the Sysinternals suite, launch Process Explorer, and find which process has an open handle with the common part of the name. Check if it's signed by a trusted 3rd party, and proceed from there.


I have downloaded it, got a bunch of exe's in a zip file, not sure what to open now :roll:

EDIT: I got Process Explorer, what do I search for?
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
Madman
Minister of Gerbil Affairs
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia

Re: spying?

Tue Aug 28, 2012 5:45 pm

Either check for unsigned processes (you can add the signature column and check Verify Image Signatures), or press search and type the common part of the filename to try and find which process has them open.

Another option is to launch Process Monitor to see which process touches those files. It will need some filtering though.

Once you know the source of the problem, google what it is, or ask here; someone might know.
Core 2 Duo E6300, MSI P45 NEO-F, Club 3D GTX 260, 4Gb DDR2-800Mhz, Audigy X-Fi Fatal1ty Champ1on ed., 0.5Tb+1Tb Seagate Barracuda 7200.12, 630W AXP, Samsung SyncMaster BX2450, ViewSonic VP171b
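The triage Madman describes above can be scripted instead of done by hand in Process Explorer. The PowerShell below is an added example, not code from the thread or from Sysinternals: it lists running processes whose image is not validly signed or lives under a profile directory (AppData or Temp, which is where the file in this thread turned up), and then prints the gap between consecutive .gif files in %TEMP% to confirm the cadence. The `*.gif` pattern and the choice of directories are assumptions.

```powershell
# Added triage script (not from the thread). Assumes Windows PowerShell 3+ and that
# Get-AuthenticodeSignature can read the image files (run elevated for full coverage).
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

$findings = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = $proc.Path
    if (-not $path) { continue }   # protected/system processes expose no path without elevation

    $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $status = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Images started from a user-writable profile directory deserve a closer look
    $inProfile = $false
    foreach ($root in $suspectRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inProfile = $true }
    }

    # Report anything that is not validly signed, or that runs from a profile directory
    if ($status -ne 'Valid' -or $inProfile) {
        [pscustomobject]@{
            PID       = $proc.Id
            Name      = $proc.ProcessName
            Path      = $path
            Signature = $status
            Signer    = $signer
            InProfile = $inProfile
        }
    }
}

$findings | Sort-Object InProfile, Signature -Descending | Format-Table -AutoSize

# Confirm the screenshot cadence: list each *.gif in %TEMP% with the minutes since the
# previous one (a regular interval points at a scheduled capture rather than a one-off).
$shots = Get-ChildItem -Path $env:TEMP -Filter '*.gif' -ErrorAction SilentlyContinue |
         Sort-Object CreationTime
for ($i = 1; $i -lt $shots.Count; $i++) {
    $gap = ($shots[$i].CreationTime - $shots[$i - 1].CreationTime).TotalMinutes
    '{0}  (+{1:N1} min)' -f $shots[$i].Name, $gap
}
```

A process that is both unsigned and running from AppData is the first thing to look up or submit for a scan; a signed entry from a profile directory is usually just an installer or updater, but the signer's subject is printed so you can judge.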
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: spying?

Tue Aug 28, 2012 6:06 pm

That is almost definitely some sort of malware/spyware.

Have you run a Malwarebytes scan lately?
Nostalgia isn't what it used to be.
 
killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

Re: spying?

Tue Aug 28, 2012 6:53 pm

just brew it! wrote:
That is almost definitely some sort of malware/spyware.

Have you run a Malwarebytes scan lately?


I do have Norton Internet Security, but I shall also run a Malwarebytes scan :)
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

Re: spying?

Tue Aug 28, 2012 6:58 pm

I found the culprit: it's AOE.exe. Don't know what it is, but I will delete it.
Located in C:\Users\MECOMPS\AppData\Roaming
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

Re: spying?

Tue Aug 28, 2012 7:09 pm

killadark wrote:
I found the culprit: it's AOE.exe. Don't know what it is, but I will delete it.
Located in C:\Users\MECOMPS\AppData\Roaming


Found out what made that file: it was smartsteam.exe, a software I downloaded for offline co-op of some games :P Removed it, problem solved.
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: spying?

Tue Aug 28, 2012 7:12 pm

You still need to do a malware scan. If you had one, there's a good chance you've got more. Once they're in, they often invite their buddies over to play...

Edit: I'm unfamiliar with Smartsteam. How confident are you that it didn't contain malware?
Nostalgia isn't what it used to be.
 
killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

Re: spying?

Tue Aug 28, 2012 7:14 pm

just brew it! wrote:
You still need to do a malware scan. If you had one, there's a good chance you've got more. Once they're in, they often invite their buddies over to play...


Yep, just ran Malwarebytes, found 19, and AOE.exe is a keylogger. F*** ME, will have to change some passwords now :(
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: spying?

Tue Aug 28, 2012 8:23 pm

I would also pay VERY close attention to any financial accounts you use/access online (bank, credit cards, PayPal, etc.), watching for any suspicious activity.
Nostalgia isn't what it used to be.
 
TheEmrys
Minister of Gerbil Affairs
Posts: 2529
Joined: Wed May 29, 2002 8:22 pm
Location: Northern Colorado
Contact:

Re: spying?

Tue Aug 28, 2012 9:31 pm

just brew it! wrote:
I would also pay VERY close attention to any financial accounts you use/access online (bank, credit cards, PayPal, etc.), watching for any suspicious activity.


Change bank passwords immediately. It is easier to get money back from credit card companies than it is from a bank dealing with cash.
Sony a7II 55/1.8 Minolta 100/2, 17-35D, Tamron 28-75/2.8
 
blitzy
Gerbil Jedi
Posts: 1844
Joined: Thu Jan 01, 2004 6:27 pm
Location: New Zealand

Re: spying?

Tue Aug 28, 2012 9:56 pm

If I was you, I would buy a new hard drive and start from clean. Scan all of the old data for viruses and copy it across into the new system.

That's just me, but I don't like to mess around when it comes to a security compromise.

Kill it with fire :evil:
 
absurdity
Gerbil Elite
Posts: 890
Joined: Sat Mar 02, 2002 7:00 pm
Location: VT

Re: spying?

Tue Aug 28, 2012 10:14 pm

You'll probably want to scan with a couple other tools, though I'm honestly not sure what's worthwhile anymore. Some companies like Trend and Mcafee offered free online scans, while there are some other anti-malware tools that are probably worth checking out, too. Definitely update and run a Norton scan.

While a new hard drive isn't necessary, reinstalling Windows could be a consideration.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: spying?

Tue Aug 28, 2012 10:39 pm

Yea, better change all the passwords, BUT only do it after cleaning up your PC completely, or do it from different PC/laptop. MBAM and Norton Antivirus might not detect everything, so... You should probably try out other tools as well - for example Avira makes a free bootable CD with antivirus scanner on it, you might try it out: http://www.avira.com/en/download/produc ... cue-system
Kaspersky also has a similar rescue CD, though it's not being updated frequently, however you may also try it:
http://support.kaspersky.com/viruses/rescuedisk
Of course, the only way to be completely sure is to just back up your old HDD and re-format it, or get a new HDD and keep the old one as a spare or backup destination :wink:
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: spying?

Tue Aug 28, 2012 11:36 pm

...and at least one AV vendor identifies smartsteam.exe as a "Trojan Program that is used for stealing bank information and users passwords". Seriously. Not. Good.

Admittedly, AverScanner/Greatis isn't one of the better known/respected AV vendors so I'm not sure how reliable the information is. But when dealing with bank or credit card accounts (or any other sensitive data, for that matter) it is best to err on the side of caution. (And note that I am NOT recommending for or against buying their tool to remove it, I have no idea whether it is any good.)

This should also serve as a vivid example of why installing software from untrusted sources is a REALLY BAD IDEA. (The phrase "a software i downloaded for offline coop of some games" sets off all sorts of alarm bells... DANGER, WILL ROBINSON!)
Nostalgia isn't what it used to be.
 
killadark
Gerbil XP
Topic Author
Posts: 376
Joined: Fri Feb 22, 2008 2:55 am

Re: spying?

Wed Aug 29, 2012 3:45 am

just brew it! wrote:
I would also pay VERY close attention to any financial accounts you use/access online (bank, credit cards, PayPal, etc.), watching for any suspicious activity.

Well, I'm quite happy I didn't access any of my financial a/c through this PC yet, only the regular Gmail, Facebook, Yahoo and Steam.
AMD FX-8350|Asus M5A97 LE R2.0|16gb GSKILL Sniper 2400mhz|Samsung SSD 120g 840|AMD R9 290 TRI-X (dead) GTX1070
Corsair RM650x,Thermaltake Xaser vi ,Creative SoundBlaster X-Fi Titanium Sound Card
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: spying?

Wed Aug 29, 2012 4:14 am

killadark wrote:
just brew it! wrote:
I would also pay VERY close attention to any financial accounts you use/access online (bank, credit cards, PayPal, etc.), watching for any suspicious activity.

Well, I'm quite happy I didn't access any of my financial a/c through this PC yet, only the regular Gmail, Facebook, Yahoo and Steam.

That's fortunate. But it may not be that simple. If you have any OTHER accounts where they have a record of your gmail or yahoo address, someone could've used your gmail or yahoo credentials to do a password reset.

Trust nothing at this point.

And if you find an account which seems to have a password that is different from what you think it should be, you may have a problem...
Nostalgia isn't what it used to be.