Help newbie with malware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by HumanDrone, Nov 18, 2004.

  1. HumanDrone

    HumanDrone Private E-2

    ok, so my computer is utterly slow as of late. I can barely type up this message because of the lag. Today, I was unable to play my game (SWG) and I went on the forums to get this sorted out, and a player told me I have a malware problem and I should come here looking for help. I looked at several threads and ran my comp in safe mode, basically followed the basics of protecting your comp.. ran Ad-Aware, Spybot, Spy Sweeper, Stinger, CCleaner ... all of that. And from Ad-Aware there were several malwares located, and I deleted them all; however, I still have this problem. So I downloaded HijackThis ... and ran it, and I'll leave my log file with you to see if you can figure anything out.

    any help is appreciated, thanks.
     

    Attached Files:

  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Hi,
    You should start here, this helps most people who are not infected 100 times over or who do not have a nasty trojan:
    http://forums.majorgeeks.com/showthread.php?t=35407
    Also, it always removes a lot of items and cuts down the log file size for us making our lives just a tad simpler.


    HijackThis needs to be in its own folder, or you have no backups; this is explained here:
    http://forums.majorgeeks.com/showthread.php?t=38752

    I'll look at your logfile anyhow to give you some starting tips; I already see one ugly little trojan in there :)
     
  3. PhilliePhan

    PhilliePhan Guest

    Just to quickly add to what M.A. said - You have a load of bad crap as well as a Stopguard-related infection.

    You are also running HijackThis Improperly! It needs to be in its own, safe folder - C:\Program Files\HijackThis

    You should follow M.A.'s instructions and run through the Cleanup Tutorial and do the Alternative Scans portion as well!

    Post back with the results and one of the experts here should be able to help you.

    Best luck :)
    PP
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Your friend was right, you have a mess on your hands.

    Hopefully you are running the tutorial, a lot of these will be removed if you did. You may end up with a bunch of lines ending in (file missing) or (no file) and those can be removed. These may be in place of lines you see me telling you to remove below if you have done the tutorial.

    At the end I have other suggestions for a happy computer :)

    ---------------------------------------------------------------------------

    Remove these:

    C:\Documents and Settings\Tyler Richardson\Application Data\tlrm.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\WINDOWS\system32\??plorer.exe

    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\TYLERR~1\LOCALS~1\Temp\cvscm.dat
    O2 - BHO: Zedd4Proj.clsUnoOne - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\System32\AANTX.dll
    O2 - BHO: (no name) - {1DAC3551-E161-4F9F-8403-675509FB7317} - C:\WINDOWS\System32\bfznzuwk.dll
    O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {EAD0AE98-D898-83E5-2706-3DC4D3F46292} - C:\WINDOWS\Fgscpmpv.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: Search - {698A3772-6C1F-6CD3-C127-5F5D7B4BF074} - C:\WINDOWS\Fgscpmpv.dll
    O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll

    Next line is possibly harmless, but not needed, so delete it:
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [odlzdntlx] C:\WINDOWS\System32\mkjlynop.exe
    O15 - Trusted Zone: *.greg-search.com
    O20 - AppInit_DLLs: wb968ic29w3.tlb


    ---------------------------------------------------------------------------


    Major suggestions to get that PC running smoothly. You're running a popup blocker. Get rid of it, clean up the machine and get Service Pack 2; it has popup blocking.

    You're running multiple spyware programs and getting infected. I hope you have anti-virus, and suggest you either use Spybot and its TeaTimer feature or purchase Ad-Aware or Spy Sweeper or Pest Patrol, because you need on-demand blocking.

    Too much startup crap. Steam, QuickTime, etc. do not need to be running at startup. Check programs in your lower right corner, known as the system tray, and look for load-at-Windows options.
     
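    The two helpers above are reading the log by eye and applying a few rules of thumb: entries whose target is "(no file)" or "(file missing)" are dead and can go; code loading from Temp or from a user profile directory instead of Program Files is suspect; gibberish file names such as bfznzuwk.dll or mkjlynop.exe are suspect; an O15 Trusted Zone entry lowers Internet Explorer's security for that domain; an O20 AppInit_DLLs entry gets injected into every process that loads user32.dll. The script below is an added example for this thread (it is not HijackThis code and not a tool the helpers used) that applies those same rules as code to HJT-style lines. The sample lines are copied from the log excerpts quoted in the thread, with the MUSICMATCH entry kept as a clean-looking contrast; the heuristics, thresholds and function names are my own assumptions.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread (not HijackThis code and not the helpers' tooling):
it applies, as code, the rules of thumb the replies above use when reading a log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the log excerpts quoted in this thread,
# with the MUSICMATCH entry kept as a clean-looking contrast. Raw string so the
# Windows backslashes survive.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\TYLERR~1\LOCALS~1\Temp\cvscm.dat
O2 - BHO: (no name) - {1DAC3551-E161-4F9F-8403-675509FB7317} - C:\WINDOWS\System32\bfznzuwk.dll
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [odlzdntlx] C:\WINDOWS\System32\mkjlynop.exe
O4 - HKCU\..\Run: [Subs] C:\Documents and Settings\Tyler Richardson\Application Data\tlrm.exe
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: wb968ic29w3.tlb
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a short extension; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.[A-Za-z]{2,3}(?=\s|$)")
# Four or more consonants in a row (y excluded) rarely occurs in real product names.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")
LOADABLE_EXT = {".dll", ".exe", ".ocx", ".sys"}


@dataclass
class Finding:
    line: str
    code: str
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_target(code: str, body: str) -> str:
    """File path, domain (O15) or module name (O20) named by an HJT line."""
    m = PATH_RE.search(body)
    if m:
        return m.group(0)
    if code in ("O15", "O20"):
        return body.split(":", 1)[1].strip()
    return body.rsplit(" - ", 1)[-1].strip()      # e.g. "(no file)"


def looks_random(name: str) -> bool:
    """Gibberish stems such as bfznzuwk, mkjlynop or tlrm; mmtask or msbe do not trip this."""
    stem = name.rsplit(".", 1)[0].lower()
    return stem.isalpha() and len(stem) >= 4 and CONSONANT_RUN.search(stem) is not None


def triage_line(raw: str) -> Optional[Finding]:
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    target = extract_target(code, body)
    fnd = Finding(raw.strip(), code, target)
    low = target.lower()
    basename = low.rsplit("\\", 1)[-1]
    ext = "." + basename.rsplit(".", 1)[-1] if "." in basename else ""

    if "(no file)" in low or "(file missing)" in low:
        fnd.reasons.append("dangling entry (target missing); safe to remove")
        return fnd
    if "\\temp\\" in low:
        fnd.reasons.append("loads from a Temp directory")
    if "\\application data\\" in low:
        fnd.reasons.append("loads from the user profile, not Program Files")
    if code in ("O2", "O3", "O20") and ext and ext not in LOADABLE_EXT:
        fnd.reasons.append("code module hidden under a " + ext + " extension")
    if code == "O15":
        fnd.reasons.append("Trusted Zone entry lowers IE security for that domain")
    if code == "O20":
        fnd.reasons.append("AppInit_DLLs injects this module into every process that loads user32.dll")
    if looks_random(basename):
        fnd.reasons.append("random-looking file name")
    if code == "O4":
        key = re.search(r"\[(.+?)\]", body)
        if key and looks_random(key.group(1)):
            fnd.reasons.append("random-looking Run value name")
    if code in ("O2", "O3") and "(no name)" in body.lower():
        fnd.reasons.append("unnamed BHO/toolbar")
    return fnd


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def report(log_text: str) -> List[str]:
    """Suspicious entries only, most reasons first, one line each."""
    flagged = sorted((f for f in triage(log_text) if f.suspicious), key=lambda f: -len(f.reasons))
    return [f.code + "  " + f.target + ": " + "; ".join(f.reasons) for f in flagged]


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

    On the sample above it flags seven of the eight lines and leaves the MUSICMATCH entry alone. Treat the output as a reading aid, not a verdict: a legitimate program can live in Application Data, and a real infection can use a plausible name, which is why the helpers still ask for a fresh log after every round.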
  5. HumanDrone

    HumanDrone Private E-2

    sorry.. I've never been here before, can you point me in the direction of the clean up tutorial?
     
  6. PhilliePhan

    PhilliePhan Guest

    Here it is:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    Note the steps that you can and cannot complete. Please make sure that you are in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    If you have any questions, just ask - It's not as daunting as it looks ;)

    Definitely do the Alternative scans. After that, you will probably need our help removing a few toughies like the StopGuard/Virtumundo infection.

    Also, remember to move HJT to its own folder.

    Best :)
    PP
     
  7. HumanDrone

    HumanDrone Private E-2

    ok, I just went in safe mode again and did more scans and the alternates... a-squared picked up 13 malwares, this is my HijackThis file now. (problem still occurs)
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi HumanDrone,

    Here is my generic fix for Stopguard-related malware infections.
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and END it, if possible:
    tlrm.exe

    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete mcsvc.exe ( or any mcsvc or cvscm entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\TYLERR~1\LOCALS~1\Temp\cvscm.dat

    O4 - HKLM\..\Run: [*mcsvc] C:\WINDOWS\addins\mcsvc.exe

    O4 - HKLM\..\RunOnce: [*mcsvc] C:\WINDOWS\addins\mcsvc.exe rerun

    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe –FastScan
    -- This is listed as a Rogue - - -> http://www.spywarewarrior.com/rogue_anti-spyware.htm

    O4 - HKCU\..\Run: [Subs] C:\Documents and Settings\Tyler Richardson\Application Data\tlrm.exe ---> Looks like a Trojan. If it is something you want, leave it alone.

    O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe - - - -> Google provides one of the best popup blockers with its toolbar. I suggest that you use it instead of this.

    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\addins\mcsvc.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they still remain:
    C:\Documents and Settings\Tyler Richardson\Application Data\tlrm.exe
    C:\WINDOWS\addins\mcsvc.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    mcsvc
    cvscm


    and DELETE the related files. (We especially want to get rid of mcsvc.ini & mcsvc.dat & mcsvc.bak AND cvscm.ini & cvscm.dat & cvscm.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let us know of any problems that you may have encountered with the above instructions.

    AFTER you get cleaned up, you ought to take a spin to Windows Updates and get updated. Make sure your machine is clean first.

    Best luck :)
    PP
     
  9. HumanDrone

    HumanDrone Private E-2

    well I can run my game again, and that I thank you for.

    however, my comp is still a little slower than it should be... and when I was following your instructions, I could not find any mcsvc or cvscm anywhere when searching, I did remove it from addins though. Anyways I've attached a new log file.
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    Looks like you got some of it.

    Use Add or Remove Programs to Uninstall BullsEye Network.

    Then:
    Scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\TYLERR~1\LOCALS~1\Temp\cvscm.dat

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they remain:

    C:\Program Files\BullsEye Network
    C:\WINDOWS\System32\msbe.dll
    C:\DOCUME~1\TYLERR~1\LOCALS~1\Temp\cvscm.dat
    C:\WINDOWS\System32\nvms.dll

    Then:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then:
    Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let us know of any problems you may have encountered with the above instructions and how your computer is running now.

    Best luck :)
    PP
     
