Keylogger? or false alert?

hello,


BCG1.tmp, My Xoftspy recognize this as keylogger. Soo I remove it and logs as the BCG1.tmp has been remove but when I reboot my computer "OMG" still coming back. Just the same as I remove and reboot my PC again. I try to remove it manually but it say that another person or program using it. I try SAFEMODE but Xoftspy can't find it. I perform deep scan with my Kaspersky Anti-Virus but there isn't anything problem "can't find anything treats".

Screenshot:
hxxp://img458.imageshack.us/my.php?image=untitled13rf.png

Appreciated any help!!


THANK YOU

 

Try running this http://www.f-secure.com/blacklight/

Also try this to get rid of the file http://www.softwarepatch.com/software/moveonbootdownload.html

 

Appreciate your Help!!!

I try your two software suggestion but Still coming back!!!
OMG.. I try to email xoftspy but there's no response comes from them, Maybe I'll just wait.Maybe this is a false alert. I HOPE!

THANK YOu

 

It could just be a false alert but you still seem concerned so try this if you wish to continue.Purge the restore folder. For instructions on how to purge system restore click here http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

Then Download Ewido http://www.ewido.net/en/download/ then set it up this way http://rstones12.geekstogo.com/ewidosetup.htm. Make sure you update it first.You will need this later in safe mode

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ You will need it later in safe mode

Next, boot into safemode.

Run Ewido and let it delete all that it finds.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and download Hijack This here http://www.tomcoyote.org/hjt/ then place it into a folder of it's own, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor here http://hijackthis.de/index.php?langselect=english.
Any entries that are definitely nasties, Run Hijackthis again and select "Do a system scan only", place a check by these entries.Close all open windows and browsers, and hit "Fix Checked".


This is a powerful tool that can crash your computer if used improperly so if your not sure, google the questionable results and if your still not sure, go here and see about posting your log.


http://gladiator-antivirus.com/forum/index.php?showtopic=10517

 

Is that really good advice to recommend using hijackthis.de? Most of the expert hijackthis log interpreters that I've talked to recommend avoiding that site and only rely on an expert (human) hijackthis log analyzer. I would never rely on any results I got from that site, all I get is a bunch of FPs.

 

Hi, I jsut checked it. This site ofcourse is not for every one but I found it really very interesting and useful-- really nice work.

 

spindoctor

I understand your concern but that is why i say things like 'definitely nasties'- when you click on the gold stars and there are numerous replies all saying it's trouble.I also say 'if your not sure' and 'and if your still not sure'.This is a point of reference that helps shed some light on possible infections and is helpful but i still expect the user to use some common sense.It's not like i said "Any entries that don't have a green checkmark, REMOVE".

 

Look

It's no biggie.I will resist offering that site in future help responces.And 'ronjor' i agree with that link.It can help but shouldn't be the only source of help.But it does also list true processes and legit malware.Anything questionable should be further investigated by the user.And 'aigle', here's another one for ya!.

http://www.help2go.com/component/detective/

 

Thanks. This one less informative but practically seems much more grwon up and reliable than first one. I compared results of my system on both. Interesting work!

 

Reply from Gladiator-anti-virus:

http://gladiator-antivirus.com/forum/index.php?showtopic=37635

THANK YOU FOR HELP.

 

im got the same problem and find decision. that is atwola.com temp files, they generated by advertising of your icq client or something else.. for fix that just type "127.0.0.1 ar.atwola.com" without quots in c:\windows\system32\drivers\etc\hosts for block it and for kill that run ZoneAlarm Anti-Spyware http://www.zonelabs.com/store/conte...amily.jsp?dc=12bms&ctry=&lang=en&lid=db_trial
p.s. sorry for my english

 

I have the same problem, youre solution work for a while, not with zone alarm, but kaspersky anti-hacker.
when the system reboot it deleted the files, but the fff... file came back as BCGB.tmp.