1. ashpash@i12.com

    ashpash@i12.com Private E-2

    I have the above running in my processes, showing up in CCleaner's startup list (C:\WINDOWS\Temp\kpwn1.exe) and also listed in my HijackThis log/scan :eek: . I have looked everywhere for info on this and cannot find anything. Has anyone come across this file or know anything about it?

    Thanks.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It appears to be a temp file because of its location; however, it's not legit and doesn't need to be running.

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. ashpash@i12.com

    ashpash@i12.com Private E-2

    Thanks bjgarrick,

    Followed all the instructions to the letter and found a few surprises!! I have attached the logs requested and the following were found:
    BitDefender - Trojan - SillDl.Ai
    PandaActive - Kill2Me
    CounterSpy - Win32.agentVP
    CWShredder - Look2Me

    I run Adaware and Spybot every week and have SpywareGuard running (updated every week also) and can't understand how these slipped through. I use Avast Anti Virus also. I have checked and that file I was requesting knowledge about is still running.

    Thanks.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    kpwn1.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [kpwn1.exe] C:\WINDOWS\Temp\kpwn1.exe

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\Temp Delete everything in this folder!

    Next, run CCleaner to clean up cookies and temp files.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
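    A read-only audit of the two places this post tells the user to look, the Run keys and the running process list, written as an added PowerShell example (not the forum's, HijackThis's or CCleaner's code): it flags any autostart entry or process whose image lives under a Temp directory, as C:\WINDOWS\Temp\kpwn1.exe did, and notes when the file is missing or carries no valid signature. The key list and the Temp-directory list are assumptions about a standard Windows install.

```powershell
# Added example, not part of the thread: read-only audit of autostart entries
# and running processes for images under Temp directories (the kpwn1.exe
# pattern). Assumes a standard Windows layout; nothing is modified.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Locations a legitimate autostart entry should almost never execute from.
$tempDirs = @("$env:windir\Temp", $env:TEMP, $env:TMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
    Select-Object -Unique

function Get-ImagePath {
    # Extract the executable from a Run value, e.g.
    #   "C:\Program Files\App\app.exe" /tray  ->  C:\Program Files\App\app.exe
    #   C:\WINDOWS\Temp\kpwn1.exe             ->  C:\WINDOWS\Temp\kpwn1.exe
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|com|scr|dll|bat|cmd|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-TempPath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($d in $tempDirs) { if ($p.StartsWith($d + '\')) { return $true } }
    return $false
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            $image = Get-ImagePath ([string]$prop.Value)
            $flags = @()
            if (Test-TempPath $image) { $flags += 'runs-from-temp' }
            if (-not (Test-Path -LiteralPath $image)) {
                $flags += 'file-missing'
            } elseif ((Get-AuthenticodeSignature -LiteralPath $image).Status -ne 'Valid') {
                $flags += 'unsigned-or-invalid-signature'
            }
            if ($flags.Count -eq 0) { continue }
            [PSCustomObject]@{ Key = $key; Name = $prop.Name; Image = $image; Flags = ($flags -join ',') }
        }
    }
}

function Get-TempProcesses {
    # Processes currently executing from a Temp directory (what Task Manager would show).
    Get-Process | Where-Object { $_.Path -and (Test-TempPath $_.Path) } |
        Select-Object Id, ProcessName, Path
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-TempProcesses        | Format-Table -AutoSize
```

    An entry flagged runs-from-temp that matches a process in the second table is exactly the situation in this thread; unsigned software installed by the user will also show up, so treat the flags as leads to check, not verdicts.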
  5. ashpash@i12.com

    ashpash@i12.com Private E-2

    All done and attached is the log. I have looked in the running tasks and no longer see this file. I think I am free of problems now but if there is anything in the log that suggests otherwise please let me know. I have followed all the recommendations for staying free of future problems...even giving up Maxthon for Firefox:)

    Thanks for your help, it is MUCH appreciated.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with Kirby Alarm?

    One more thing I forgot to request...

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.
     
  7. ashpash@i12.com

    ashpash@i12.com Private E-2

    Kirby Alarm is an alarm program to notify me of things to do, like download updates for AdAware on a weekly basis or pay the Rent on the 1st of the month...is there a problem with it that you know of?

    I'm off to run Hoster now...what does this do exactly?

    Thanks again.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I was curious as to what this was because I've never heard of it. Just wanted to make sure you knew what it was.

    This will reset your HOSTS file to the default entries. You had two entries that were nasty and needed removing; this will do that for you.
     
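    What Hoster's Restore Original Hosts undoes, shown as an added PowerShell example (not the thread's or Hoster's code): it parses a HOSTS file and reports every mapping other than the stock localhost lines, separating names sinkholed to loopback (typically security or update sites the malware wants unreachable) from names redirected to some other address. The sample lines are constructed; the hosts path assumes a standard Windows install.

```powershell
# Added example, not part of the thread: list HOSTS entries that are not the
# Windows defaults. Read-only; Hoster's "Restore Original Hosts" is what removes them.
$HostsPath = "$env:windir\System32\drivers\etc\hosts"   # assumed standard location

function Get-NonDefaultHostsEntries {
    param([string[]]$Lines)
    $loopback = @('127.0.0.1', '::1')
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()        # drop comments
        if (-not $line) { continue }                  # blank or comment-only line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) {
            [PSCustomObject]@{ Line = $lineNo; Address = $fields[0]; Host = ''; Kind = 'malformed' }
            continue
        }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # The only entries a stock Windows hosts file carries.
            if (($loopback -contains $addr) -and ($name -ieq 'localhost')) { continue }
            $kind = if ($loopback -contains $addr) { 'sinkholed-to-loopback' } else { 'redirected' }
            [PSCustomObject]@{ Line = $lineNo; Address = $addr; Host = $name; Kind = $kind }
        }
    }
}

# Constructed sample (RFC 5737 address and .invalid names, no real sites).
$sample = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '127.0.0.1       update.av-vendor.invalid   # blocks a security update site',
    '203.0.113.10    www.bank.invalid           # sends a site to a foreign host'
)
Write-Host '== constructed sample =='
Get-NonDefaultHostsEntries -Lines $sample | Format-Table -AutoSize

if (Test-Path -LiteralPath $HostsPath) {
    Write-Host "== $HostsPath =="
    Get-NonDefaultHostsEntries -Lines (Get-Content -LiteralPath $HostsPath) | Format-Table -AutoSize
}
```

    On the sample the two constructed lines are reported as sinkholed-to-loopback and redirected respectively; on a real machine, ad-blocking hosts lists will also appear as sinkholed entries, so check the names before restoring the defaults.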
  9. ashpash@i12.com

    ashpash@i12.com Private E-2

    Excellent, thanks very much for all your help :)
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. ashpash@i12.com

    ashpash@i12.com Private E-2

    Me again....it seems I have spoken too soon. There was nothing showing yesterday after a reboot but this morning when I started up my PC CounterSpy came up with the following message:

    "An attempt is being made to add a program to your startup registry. Startup programs are loaded automatically when Windows boots up.

    Name: c:\windows\temp\kpwn1.exe

    Advice: Since it is not known if this is spyware you should analyze it before deciding to allow it."

    I blocked it from the startup but it is running in the processes and I can't kill it in normal bootup. Any suggestions??
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter kpwn1.exe and post back with the results in this thread (call it regsrch.txt). Also attach a fresh HJT log.
     
  13. ashpash@i12.com

    ashpash@i12.com Private E-2

    I seem to have an even worse problem now. I seem to be infected with BraveSentry, 7.tmp and 1.tmp and others. I keep getting a pop up message on my task bar stating:

    Windows security centre has detected Spyware/Adware infection.
    It is strongly recommended to use special anti spyware tools to prevent data loss.
    Click here to install the latest protection tools.

    It pops up every minute or so. I am doing a complete clean up from start to finish, following the READ ME FIRST post. I cannot fully clean the problem I think, as Spybot tells me it can't delete something as it's running. I have continued with the clean up and will let you know the results. Oh, and I tried restoring to the clean restore point but it didn't solve the problem.

    Thanks.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please do not run anything else unless I request it. I can't help you if you do not help me. The more you do to remove things, the more it changes things making what I request useless.

    Now, complete my last post and attach the log with a fresh HJT log.
     
  15. ashpash@i12.com

    ashpash@i12.com Private E-2

    I'm so sorry, I will only follow your instructions from now on. I ran the VBS file and got this message back: No instances of "kpwn1.exe" found. I have attached my HJT log as requested. Just to let you know, I have had some notices from CounterSpy. I have had notices saying that xpudate.exe, kpwn2.exe and kpwn3.exe have been added to my startup list, do I want to allow or block this? I have blocked it. Hope this is the correct action.

    Thanks.
     

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That log looks ok, go back to post #12 and attach this log.
     
  17. ashpash@i12.com

    ashpash@i12.com Private E-2

    Done that but no log comes up, just the message that no instances are found. BTW I have a blue screen now and no way to change the desktop wallpaper, and that popup message still keeps popping up. I haven't tried to fix it though.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  19. ashpash@i12.com

    ashpash@i12.com Private E-2

    I cannot run the smitRem.exe file. I get the message

    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".

    Should I try to run it in Safe Mode?
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes!

    Be sure you have Administrator privileges before running this utility.
     
  21. ashpash@i12.com

    ashpash@i12.com Private E-2

    OK, I followed those instructions and have attached the text files as instructed.

    As soon as I rebooted I got Messages from CounterSpy and Avast.
    CounterSpy - c:\Windows\xpupdate and kpwn1.exe want to be added to the startup. I blocked them.

    Avast - Came up with the following files to move to the chest, c:\Program Files\Brave Sentry\Brave Sentry.exe, c:\Program Files\Brave Sentry\Brave Sentryo.dll, c:\Program Files\Brave Sentry\Brave Sentry2.dll and c:\Program Files\Brave Sentry\Brave Sentry3.dll which I moved to the chest.

    I now have a black screen with the message "Your computer is in danger. Windows security centre has detected Spyware/Adware infection.
    It is strongly recommended to use special anti spyware tools to prevent data loss." That message is also popping up from my task bar every minute or so. I leave it alone.
     

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\BraveSentry Delete this whole folder if it exists!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\xpupdate.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\desktop.html into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you're done with the above and have rebooted back to normal mode, please see the below threads. Also please attach a fresh HJT log. You will have to double post due to attachment limits.
    Once you have followed each thread you should attach these three logs to your next post.
    • WinPFind.txt
    • runkey.txt
    • newfiles.txt
     
  23. ashpash@i12.com

    ashpash@i12.com Private E-2

    What is PocketKillBox and where would I find this?
     
  24. ashpash@i12.com

    ashpash@i12.com Private E-2

    Ignore last post, I have found it.
     
  25. ashpash@i12.com

    ashpash@i12.com Private E-2

    All done, attached are the text files.
     

  26. ashpash@i12.com

    ashpash@i12.com Private E-2

    A fresh HJT log as requested.
     

  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Counter Spy

    SpywareGuard

    (Uninstall these so they will not block anything we try to fix. You can reinstall once this has been removed.)

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have completed this post and have rebooted, attach a fresh HJT log with a GetRunKey and ShowNew log to confirm you're clean.
     
  28. ashpash@i12.com

    ashpash@i12.com Private E-2

    All done, attached are the logs as requested.
     

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Look in Add/Remove Programs for "Unload", are you familiar with this? If not, uninstall it and proceed with the rest of this fix.

    Reboot into Safe Mode!

    Be sure the viewing of hidden files and folders is enabled per the READ ME. Now navigate to each of the following directories.

    C:\WINDOWS\TEMP

    C:\Documents and Settings\Administrator\Local Settings\Temp


    Delete ALL contents in each folder!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:/WINDOWS/Downloaded Program Files/bdupd.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:/WINDOWS/Downloaded Program Files/bdcore.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Temp\kpwn2.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete the above and have rebooted back to normal mode please follow the below.

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter kpwn2.exe and post back with the results in this thread (call it regsrch.txt).
     
  30. ashpash@i12.com

    ashpash@i12.com Private E-2

    There is no "Unload" in Add/Remove Programs, should I continue with the rest of the instructions?
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes!
     
  32. ashpash@i12.com

    ashpash@i12.com Private E-2

    All done, 2 instances found, attached the RegSrch.txt.
     

  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything else, I would like you to run the scan below.

    Click on the link below and run the online scan...

    Kaspersky Anti-Virus Online Scan

    • Click on "Kaspersky Online Scanner"
    • Click Accept to proceed...
    • If you get a popup asking if you want to Install Kaspersky's ActiveX Control, click Yes to install it.
    • If you get a Security Warning popup asking if you want to install and run kavwebscan_unicode.cab, click Yes to install it.
    • After all updates are downloaded, click NEXT to continue...( Note it will take awhile to download these updates based on your connection speed).
    • Click Scan Settings and select extended and make sure both boxes are checked at the bottom, Click OK to continue.
    • Now click on My Computer and let it run!
    • This scan may take a while but it is very thorough. After the scan is complete save the log as a txt file and attach it to your next post.
     
  34. ashpash@i12.com

    ashpash@i12.com Private E-2

    Scan complete and log attached. I really appreciate all this help btw.
     

  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this for the last time hopefully.

    Delete the folder C:\!KillBox and then proceed.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    (Be sure you check the box "End Explorer Shell While Killing File")

    Now, Copy and Paste C:\WINDOWS\Temp\kpwn2.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete this post, attach one last GetRunKey and ShowNew log so we can confirm this baddie is gone.
     
  36. ashpash@i12.com

    ashpash@i12.com Private E-2

    Should I do all this in SafeMode?
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, it would be best.
     
  38. ashpash@i12.com

    ashpash@i12.com Private E-2

    All done and attached. I have noticed that the C:\!KillBox is back. Is that because I ran PocketKillBox?
     

  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, remove it once more and you're ok. The log looks good this time, it appears as if it's gone.

    Are you having any current problems?
     
  40. ashpash@i12.com

    ashpash@i12.com Private E-2

    Ok, will do. There are no obvious problems and everything appears to be working well now. What was it? I tried to find info on it but there doesn't appear to be any. Can't thank you enough for all the help you've given me. Now I'm off to read the info on how not to get infected again.

    Thanks again.
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's just another one of those baddies that appear; can't really tell you a name because there are so many nowadays.

    You should see this article on How to Protect yourself from malware!

    Surf Safely!:)
     
  42. ashpash@i12.com

    ashpash@i12.com Private E-2

    Thanks, I will and a big hug from me to you ;)
     
  43. ashpash@i12.com

    ashpash@i12.com Private E-2

    Just a quick message from Avast. It popped up and said it found a Trojan Win 32;Trojan-Gen {UPX!} in C:\RECYCLER\S-1-5-21-1960408961-1979792683-839522115-500. I have sent it to the chest but if I look in that file there is a file still there. Any thoughts? Sorry to bug you again but this happened when I was tidying up all the tools and logs that were used in fixing this mess. I was just zipping them together just in case they were needed in the future.
     
  44. ashpash@i12.com

    ashpash@i12.com Private E-2

    Sorry the file in the chest is called Dc10.exe but the other file listed above is still there.
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Show hidden files and folders and system files, reboot into Safe Mode and delete everything in the folder C:\RECYCLER
     
  46. ashpash@i12.com

    ashpash@i12.com Private E-2

    Did that and all was well and still appears to be. However, today Mozilla froze up and I went to the running processes to clear it as it said it was still running, and I noticed that "kpwn1.exe" is back in the running processes :eek: I could end it and I haven't noticed any problems with my system but we worked so hard on getting rid of it and it's still there. I haven't downloaded anything and haven't been to any dubious sites so it's not likely I have picked it up again imho.

    Any thoughts?
     
  47. ashpash@i12.com

    ashpash@i12.com Private E-2

    Spoke too soon....sorry! I can't delete that C:\RECYCLERS file as I get a "Cannot delete RECYCLERS: Access is denied. Make sure the disk is not full or write protected or file is not in use". I did do this in safe mode and can't get rid of it.
     
  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you follow the "How To Protect" thread?

    Go back to post #12 and attach that log, also attach a fresh ShowNew, GetRunKey log. Be sure you download them again as they were recently updated.
     
  49. ashpash@i12.com

    ashpash@i12.com Private E-2

    The first thing I did after you fixed me up was to follow the instructions in the "How to Protect" thread. I have hardly used my computer and have only really checked my e-mail as I have been really busy with other things. I didn't even know it was back until Mozilla froze up on me.

    I redownloaded them and have attached the logs.
     

  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would like for you to manually locate the file and ZIP it, upload it here as an attachment so I can take a look at the file.

    Also, I would like you to upload it to the site below and see what it comes up with. Let me know the results.

    Jotti's malware scan 2.99
     
