Drive Cleaner Pop Up

Welcome to Majorgeeks!

First goto Add/Remove programs and uninstall MailSkinner

Continue by downloading a tool we will need - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: load=C:\WINDOWS\system32\hvotvz\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\hvotvz\csrss.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\8.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1049.dll,InstantAccess
O4 - Startup: csrss.lnk = ?

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\hvotvz\csrss.exe
C:\WINDOWS\system32\p2esocks_1049.dll
C:\WINDOWS\system32\plmsaktug.exe
C:\WINDOWS\system32\plmsaktug.dat
C:\WINDOWS\system32\plmsaktug_nav.dat
C:\WINDOWS\system32\plmsaktug_navps.dat
C:\WINDOWS\system32\sysiasvc32.dll
C:\WINDOWS\system32\syswbsvc32.dll
c:\windows\downloaded program files\EGAUTH.inf
c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
C:\WINDOWS\eg_auth_1049.dll
C:\Documents and Settings\Sam\Application Data\winantispyware2006freeinstall[1].exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folders and delete if found:
C:\Program Files\AdwareAlert
c:\program files\MailSkinner
c:\program files\MyWebSearch
C:\WINDOWS\system32\hvotvz

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Sam\Local Settings\Temp

Now attach a the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if usin

 

Just continue on with the rest of the instructions!

 

Do you know what the below files are for?

C:\WINDOWS\system32\plmsaktug.exe
C:\WINDOWS\system32\plmsaktug.dat
C:\WINDOWS\system32\plmsaktug_nav.dat
C:\WINDOWS\system32\plmsaktug_navps.dat

If not then have Pocket Killbox delete them or delete them yourself if it let's you.

Now install this Your Uninstaller! 2006 and see if it can uninstall Mail Skinner.


Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now see if HJT can fix the below line again:
O4 - Startup: csrss.lnk = ?


Now attach new logs from GetRunKey, ShowNew, and HJT.

 

Yes you do have to run the cleaning procedures on the other user account especially since you are having popups on that account. You will also need to attach logs for that account. But do not attach anything for the other account yet because that would cause too much confusion. We need to focus on and fix this current account first.

You did not answer my question about what the below files are for:

I want you to scan the C:\WINDOWS\system32\plmsaktug.exe file using the below online file scanning site. Report back what it finds.

http://virusscan.jotti.org/

Just use the Browse button to locate the file on your PC and submit it. Post what it finds back here.


Also Download the Registry Search Tool

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection in your antuvirus program, please allow this to run)

In the dialog that opens enter the following:

csrss

Press 'OK'

The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.

 

Exactly when does this popup! Can you attach a legible snapshot of it?

Delete this file C:\Program Files\Ccleaner.exe

It is not a good idea to store installation programs or anything else in the C:\Program Files folder except things that are installed and ready to run. Save your downloads in appropriately named downloads folders. For example for a Ccleaner download it would look like:

C:\Downloads\CCleaner Slim 1.33.382\ccsetup133_slim.exe

This way you will aways know what the file is! I even go one step further and use categories to save things in. Like:
C:\Downloads\Drive Cleaners\CCleaner Slim 1.33.382
C:\Downloads\AntiVirus\Avast
C:\Downloads\AntiVirus\AVG
C:\Downloads\AntiSpyware\Spybot
..........etc


How many other user accounts on this PC? Pickone (especially if it seems to have a malware problems) and attach the below logs for this account:

- GetRunKey
- ShowNew
- HJT

Please also run the below and attach the log from Ewido:

Running Ewido Anti-Malware

 

Run the below to remove Windows Messenger:

Disable/Remove Windows Messenger

Are you implying that you never shut this PC down and that it is on 24/7/365?

 

Did you remove Windows Messenger?

Well if you are still having popups, you are going to have to login to the other user accounts and clean them because yours shows no problems.

However let's try one more scan first! Run this and attach the log:

Using Sophos Anti-Rootkit

 

Hmmmm! It appears you have some super hidden files that the rootkit scan located.


Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\dwktgrh.dat
C:\WINDOWS\Prefetch\DWKTGRH.EXE-139ECEC7.pf
C:\WINDOWS\system32\dwktgrh.exe
C:\WINDOWS\system32\dwktgrh_nav.dat
C:\WINDOWS\system32\dwktgrh_navps.dat
C:\WINDOWS\system32\msplock32.dll
C:\WINDOWS\system32\spool\msclock32.dll
C:\Documents and Settings\Sally\Recent\msclock32.dll.lnk
C:\WINDOWS\system32\msclock32.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot run the Sophos Anti-Rootkit again and attach a new log.

Now attach a the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

It looks to me like you did not delete the files using Killbox as instructed. At least according to your logs! Because none of them show in the Killbox backup folder and a couple are still not deleted!

Run HijackThis and have it fix the below line:

O4 - HKLM\..\Run: [dwktgrh] c:\windows\system32\dwktgrh.exe dwktgrh

Then use Pocket Killbox per previous instructions to delete the below files which still show in your newfiles.txt log.
C:\WINDOWS\system32\dwktgrh_nav.dat
C:\WINDOWS\system32\dwktgrh_navps.dat"

Now run Sophos Anti-Rookit and attach a new log from it.

Then reboot and attach new logs from ShowNew and HJT.