"vxvc" keystrokes & other lovely problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bwnvideo, Oct 13, 2008.

  1. bwnvideo

    bwnvideo Private E-2

    Here's the 3 problems I'm having:
    1. Computer is slow, seems to run things in background often, not sure if that's just normal proper stuff running or not
    2. "vxvc" keystrokes appear when I return to computer after leaving for a while, mostly in Outlook subject field; I don't know if there's some kind of malware trying to execute some type of program or what but it appears again and again and I never typed it in
    3. I get an "Access Denied" type of error message when I make any changes to msconfig and click OK to get out of it; not sure what that means or how to fix it

    I don't know exactly what I was doing at the time the keystroke issue started happening; I tried downloading an Elite Antikeylogger program but it doesn't seem to be doing anything. The slowness of the computer I'm not sure if that's just normal and I'm impatient more nowadays or if it's indicative of a real problem; and finally, of course, the Access Service Denied thing that happens when I try to make msconfig changes that's been happening for about a year I guess; the "vxvc" keystrokes started earlier this year.

    Logs attached.

    Thanks!
     


  2. bwnvideo

    bwnvideo Private E-2

    Here's the 4th log.
     


  3. bwnvideo

    bwnvideo Private E-2

    Oh yeah, it also sometimes types "Rrnvxvc" in the Recipient field and "nvxvc" in the content of the email itself...but then never apparently actually sends it.

    Typically, it's done as if it's a reply to the last selected message.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Much of this is due to what you are running and we will get to some of this below where I will have you uninstall a few things.
    Try using another keyboard and see if there is any change.


    Do you use CinemaNow Media Manager? I'm not saying it is malware. I'm just thinking about your slow PC problem.

    Did you purchase the below? If not, uninstall all of them?
    Uniblue PowerSuite
    Uniblue RegistryBooster 2
    Uniblue SpeedUpMyPC 3
    Uniblue SpyEraser
    Uniblue System Tweaker

    Also uninstall the below:
    Ad-Aware
    Elite Antikeylogger 3.0 [build 123]
    PrevxCSI
    Windows Defender


    Now the biggest problem!!!!! Your Desktop is totally cluttered with too much junk! 984 files on your Desktop!!!!! This will slow your PC down and it provides an easy hiding place for malware. In addition it makes it much much harder to find anything on your Desktop. You need to take immediate action on this and delete anything that is not needed and move anything that you do need somewhere else that is safe and more permanent and is not on your Desktop. When you finish, only link (.lnk files) and shortcuts to run necessary programs should remain. DO NOT download and save files to your Desktop except for temporary purposes.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O15 - Trusted Zone: http://*.bwnvideo.com
    O15 - Trusted Zone: http://www.ebonymeat.com

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. bwnvideo

    bwnvideo Private E-2

    Thanks so much!

    Yeah, I have CinemaNow.

    To answer your question about these: Uniblue PowerSuite, Uniblue RegistryBooster 2, Uniblue SpeedUpMyPC 3, Uniblue SpyEraser, Uniblue System Tweaker -- yes, I bought those as a suite.

    On these: *Also uninstall the below:*
    Ad-Aware
    Elite Antikeylogger 3.0 [build 123]
    PrevxCSI
    Windows Defender

    I tried uninstalling Elite Antikeylogger and it failed; tried it in Ccleaner too and failed again something about the 'install' program not being present or something.

    On the others there Ad-Aware and PrevxCSI I bought or downloaded those the first is Lavasoft's I believe; aren't those appropriate antispam, antivirus programs why am I deleting them? Or are they known bad for some reason?

    On Windows Defender, that's the Microsoft program right -- that's bad??

    Moving on from there, I moved the entire Desktop content of files except for links off to another drive; I didn't know it made a difference where I put files on the computer as far as slowing it down; I've had the desktop 'hidden' so you don't even see the files on the desktop but I guess it doesn't matter so I did that.

    Windows Messenger removed, as described.

    On the Trusted Zone deal, I got rid of ebonymeat but on bwnvideo that's my site bwnvideo shouldn't I leave that as trusted or is there a reason that I should get rid of it anyway?

    The rest, I did. Logs attached. ;-) Thanks, how's it look and what can I do to get rid of Elite? Is that also a program you know to be bad because it sounded like it would be the exact solution to my apparent keylogging thing but I never really saw it do anything...
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The main reason I'm having you uninstall some items is because you said your PC was slow and some of these will definitely slow your PC down.

    In addition, the free Ad-Aware is not worth using as it is very ineffective at finding and removing real malware of any significance. You are much better off keeping SUPERAntispyware and Malwarebytes around for backup scanners.

    Yes it is from Microsoft but Windows Defender in Windows XP is a poor program and is not worth having.

    Does PrevxCSI provide you with active realtime protection/blocking of malware or is it only a scanner. What about UniBlue's SpyEraser?

    If you do not need it in your Trusted Zone to do whatever you do with your website (and odds are you don't need it) then remove it. If your website picked up an infection and it were the kind that can spread via connections to it, then you would be giving the infection full privileges to do anything it wants on your PC.

    It is not bad! You just don't need it and since you now cannot even uninstall it after installing it, I would question whether the program was designed properly. Anything you install, should be able to be uninstalled. Does the program still work? Do you really want to keep it installed?


    You did not tell me how things are working. Your logs are clean.
     
  7. bwnvideo

    bwnvideo Private E-2

    Actually, I paid for AdAware it's not the free version but I went ahead and got rid of it as well as PrevX and Windows Defender. I think PrevX was a scanner. UniBlue I also bought and it comes with 3 programs including a registry scanner that seems to find stuff each time and an optimizer and a virus scanner I think; I left it.

    Did the Trusted Zone even with my own site, as advised.

    Any idea how to get rid of Elite when it won't remove itself?

    Things are working much, much better already much faster.

    By the way, any thoughts on how to get the msconfig to accept changes without giving me the lovely 'access denied' message?

    And secondly, Windows repeatedly asks me to update with the little yellow exclamation mark in the tray but it always fails and then keeps asking over and over again. It's trying to update something I don't even use I think PowerPoint or something; I had the option off at one point for those programs so it wouldn't keep asking but then a message pops up saying are you sure you want to leave these off you might need them. LOL
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All registry scanners always find things since many programs are constantly changing the registry. You really don't need a paid program to fix this and in most cases, you don't need to fix them anyway. They are rarely real problems and in some cases could even cause problems by blindly fixing what they say since they could be wrong. The PC I'm typing on right now has never run a registry cleaner in 4 years and runs just fine. ;) And yes if I run one it will find many hundreds of issues which as far as I'm concerned are minor to nothing at all.


    Try using the below and let me know if it works.

    Your Uninstaller! 2008


    Exactly what changes are you trying to make to MSconfig and are you sure your protection programs are not blocking them. Are you still really having this problem? Did you read the below from step 1 of the READ & RUN ME?

    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). I want to see the current status on your PC.

    Then attach the below logs:
    • C:\MGlogs.zip

    I suggest you post problems with Windows Update in the Software Forum. There are many many reasons for issues with Windows Update.
     
  9. bwnvideo

    bwnvideo Private E-2

    Thanks, that uninstaller worked.

    It's anything I try to change there in msconfig that causes the problem; it isn't even anything important it's just the fact that it does it at all that concerns me because it never happened before and maybe there's a reason I should look into; for now, I notice it when I'm temporarily turning off all startups or something to restart without anything loading to test things. But yes, I'm still having that problem.

    Ran it, and it's attached.

    I posted the WUpdate thing in the software forum, thanks.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have any kind of HP PhotoSmart type all in one printer/scanner/fax printer? If so, what model? Seems like many people have had this problem with MSConfig due to a certain service from HP running.

    Also, others have had this problem, uninstalled McAfee, and the problem went away. You could have McAfee blocking registry changes.

    See message # 39 in the below thread relating to McAfee. Also the rest of the thread is discussing this issue in general that people have like you and many thought the printer software was the problem.

    http://www.techspot.com/vb/topic42578-2.html


    What have you done to your PC since the first log was posted? I understand you uninstalled a few things as advised by me but you seem to be missing many other things. Many services for McAfee and other programs are no longer running. Have you been using some other tool to disable startups including services??

    Your running process list used to look like the below:
    And now it looks like this:
    What happened to all the processes other than things from Ad-Aware, Elite AntiKeylogger, Windows Defender, Prevx CSI that I suggested uninstalling.
     
    Last edited: Oct 20, 2008
  11. bwnvideo

    bwnvideo Private E-2

    I just got an HP printer and I have several photosmart printers but no combo type; though I did have an Epson combo.

    I don't know what happened to those listings but when I look under msconfig now where it used to have dozens of things under startups and services now it has almost nothing in either except for Microsoft services; I don't know how that happened that's really really weird isn't it? I'm not running any other programs and did nothing except what you said, aside from not deleting a couple programs.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's still possible that it is related. However let's try the McAfee approach first. Uninstall McAfee, reboot and then run the below registry patch.

    Copy the bold text below to notepad. Save it as fixMSC.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Any change to your ability to run MSconfig now?

    Reinstall McAfee now.
     
  13. bwnvideo

    bwnvideo Private E-2

    I uninstalled McAfee and tried it after that and it stopped giving the error message even before doing the other step; but I went ahead and did that step as well and it seems okay now; I'll re-install McAfee now and see what's up.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  15. bwnvideo

    bwnvideo Private E-2

    Well, but what about finding out what happened to all the files that were being booted up into msconfig before and have now all vanished? How did we do that?

    One particular thing from that earlier list that's now not booting is the SQL thing that Outlook needs for its Business Contact Manager add-on that I've got installed...? I didn't do anything besides the steps listed and now I'm missing all those from the original loading.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They were not "booted up into MSconfig". They had nothing to do with MSconfig. They were just startup processes. Nothing that I asked you to do removed them. And the logs from all the tools also show you that they did not remove them. Perhaps it had something to do with Absolute Startup Manager that you previously had running.




    You have few choices:
    1. Try the registry patch further down towards the end that will attempt to put back some items that I saw in your first logs that were not in the later logs. But it will not put back all the services that you somehow removed. Perhaps this is somehow related to whatever was done with Uniblue PowerSuite, Uniblue RegistryBooster 2, Uniblue SpeedUpMyPC 3, Uniblue SpyEraser, Uniblue System Tweaker.
    2. If you have not disabled System Restore yet, then use System Restore to go back to a point in time where you first posted in this thread to see if items come back.
    3. your other choice is to reinstall any software you are missing.
    Here is the registry patch to try for item 1 above.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
    Last edited: Oct 26, 2008
  17. bwnvideo

    bwnvideo Private E-2

    Aside from Shuttle Helper, I'm probably better off without that stuff loading at bootup, it just slows things down I bet; the exception is the SQL thing that Outlook needs cuz without it I can't use my Business Contact Manager for Outlook...is that there somewhere in the earlier listing?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Shuttle Helper startup was in my last patch. I think you also need the Act! startup. You could just use the below for just these two startup processes assuming the software is still installed.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    However, your first log also showed the below service which you will need.

    O23 - Service: Contour Shuttle Device Engine (ShuttleEngine) - Unknown owner - C:\WINDOWS\system32\ShuttleEngine.exe

    Click Start, Run and enter services.msc and click OK. This will bring up the Windows Services form. Look in the list for the Contour Shuttle Device Engine name and if found double click it. Set the startup type to automatic and under Service status: click the Start button if it is stopped.

    Did this help?

    You previously also had the below services which you may or may not need
     
  19. bwnvideo

    bwnvideo Private E-2

    ACT I can do without, I don't use it anymore although I may sometimes need to back into it but I assume I can just launch it at that time...

    I did the Contour Shuttle msc thing and that worked; as for having it start, I just stick in STARTUP is that okay?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to use the fixME.reg patch. Just leave out the line for Act! if you are sure it is not required.
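
Added example (not part of the thread, and not MGtools or HijackThis code): a small Python triage of the HijackThis entry types quoted in this thread, namely the O2 and O15 lines chaslang selected for fixing and the O23 service line. The `triage` function and its reason tags are assumptions made for illustration; a tag is a prompt to review the entry, not a verdict.

```python
import re

# Sample input: the four HijackThis lines quoted in the thread above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    r"O15 - Trusted Zone: http://*.bwnvideo.com",
    r"O15 - Trusted Zone: http://www.ebonymeat.com",
    r"O23 - Service: Contour Shuttle Device Engine (ShuttleEngine) - Unknown owner"
    r" - C:\WINDOWS\system32\ShuttleEngine.exe",
]

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
SVC_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Hypothetical reason tags (illustrative, not HijackThis terminology).
WHY = {
    "missing-file": "BHO is registered but its file is gone (orphaned entry)",
    "unnamed": "BHO has no display name",
    "trusted-zone": "site gets Trusted Zone privileges; keep only if required",
    "wildcard": "wildcard entry covers every subdomain",
    "plain-http": "http entry: the site's identity is not verified",
    "unknown-owner": "HijackThis reported no owner for the service binary",
}


def triage(lines):
    """Return (entry_code, subject, [reason tags]) for each recognised line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := BHO_RE.match(line):
            reasons = []
            if m["path"] == "(no file)":
                reasons.append("missing-file")
            if m["name"] == "(no name)":
                reasons.append("unnamed")
            findings.append(("O2", m["clsid"], reasons))
        elif m := ZONE_RE.match(line):
            scheme, sep, host = m["site"].partition("://")
            if not sep:  # entry stored without a scheme
                scheme, host = "", m["site"]
            reasons = ["trusted-zone"]
            if host.startswith("*."):
                reasons.append("wildcard")
            if scheme.lower() == "http":
                reasons.append("plain-http")
            findings.append(("O15", host, reasons))
        elif m := SVC_RE.match(line):
            reasons = ["unknown-owner"] if m["owner"] == "Unknown owner" else []
            findings.append(("O23", m["name"], reasons))
    return findings


if __name__ == "__main__":
    for code, subject, reasons in triage(SAMPLE_LOG):
        print(f"{code} {subject}")
        for tag in reasons:
            print(f"    review: {WHY[tag]}")
```

The O23 entry is tagged even though chaslang says the Contour Shuttle service is needed, which is why each tag means "check this entry" and not "remove it".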
     
