Help with Malware please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by hazelmason, Dec 8, 2006.

  1. hazelmason

    hazelmason Private E-2

    Hello there

    I wonder if you would be able to help me with my computer problems.

    My computer is running really slowly, both on and off the internet (I have a broadband connection). Pages take a long time to load up and it is like going back to dial-up. I am running Windows XP with service pack 2.

    I wonder if the problems may be related to the fact that my son moved back home a few months ago and has been using my PC to download music to his mobile telephone/MP3 player – certainly the problems started around then.

    Also, I don’t know if this is the same problem or different, but I have had a couple of e-mail messages from people I have never heard of to say that they had received a suspect e-mail from me. Can you help?

    I have followed the steps 1 through 6B in the ‘READ AND RUN FIRST SECTION’ and I attach the relevant logs. Some spyware was found and also some dialers, 1 of which is still there, I think, as Panda found it.

    I am not sure how to proceed next – it seems from the reports that although malware has been found, it has not yet been deleted. I don’t know how to do this (Panda activescan offered to delete things for a fee – I haven’t done this yet, just saved a log)

    Should I be going on to the HijackThis section or should I be trying to fix some of the problems still on my PC?

    Thanks for your help.

    Hazel

    PS 2 more attachments to follow in next post
     


  2. hazelmason

    hazelmason Private E-2

    Help with Malware 2 - logs

    Hello

    Sorry if I should not have started another thread. I need to send the other 2 log files and was not sure how to do this other than start another thread.

    Here are the runkey and newfiles scan.

    Hazel
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: Help with Malware 2 - logs

    hazelmason,

    I have merged your threads and moved them here from the Welcome Center. I will assist you in cleaning your computer, however I will need a Hijack This log to continue.
     
  4. hazelmason

    hazelmason Private E-2

    Please find attached the HijackThis log
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move winsflt.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file winsflt.dll is already in the remove section, then just click FINISH.)

    After you complete this, reboot and attach a fresh HJT log. If in your HJT log you still see the entry below, reboot into Safe Mode and run this same procedure. Afterwards reboot back to normal mode and attach a fresh HJT log.
     
  6. hazelmason

    hazelmason Private E-2

    Thanks - have attached the latest HJT log - didn't have to use Safe Mode.

    Hazel
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\HAZEL\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\HAZEL\LOCALS~1\Temp\.\V205Res 13
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [GetMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GetMP3:t
    O4 - HKCU\..\Run: [CoolMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:CoolMP3:t
    O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
    O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start

    Again, make sure ALL browser windows are closed when you click FIX.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Next, run CCleaner to clean up cookies and temp files.

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
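    The entries above are easier to reason about once the O3/O4 lines are broken into hive, key, autorun name and command. The following is an added example, not part of the thread or of HijackThis: a small Python triage script that parses those two line types and applies defensive heuristics a helper would check by hand (autoruns launched from a Temp directory, rundll32 loading a DLL via an exported function, a toolbar CLSID whose file is gone) and groups rundll32 autoruns by the DLL they load, since one DLL behind several autorun names is the pattern seen with MSA64CHK.dll here. The sample lines are the ones quoted in this post; the heuristics and function names are the example's own.

```python
"""Triage HijackThis-style O3/O4 lines with simple defensive heuristics (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Line grammars as they appear in the thread: O4 autoruns and O3 toolbars.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
# rundll32 <dll>,<export> [args]
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,\s]+),(?P<export>\S+)', re.IGNORECASE)

# Sample input: the O3/O4 entries quoted in this post (taken from the thread).
LOG_LINES = [
    r"O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\HAZEL\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\HAZEL\LOCALS~1\Temp\.\V205Res 13",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [GetMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GetMP3:t",
    r"O4 - HKCU\..\Run: [CoolMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:CoolMP3:t",
    r"O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t",
    r"O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start",
]


@dataclass
class Finding:
    line: str
    name: str
    reasons: List[str] = field(default_factory=list)


def inspect_o4(match: "re.Match") -> List[str]:
    """Return the heuristic reasons an O4 autorun deserves a closer look (empty if none)."""
    cmd = match.group("cmd")
    reasons = []
    if re.search(r"\\temp\\", cmd, re.IGNORECASE):
        reasons.append("autorun executes from a Temp directory")
    r = RUNDLL_RE.match(cmd)
    if r:
        reasons.append(f"rundll32 loads {r.group('dll')} via export {r.group('export')}")
    if "(no file)" in cmd:
        reasons.append("autorun points at a missing file")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Parse O3/O4 lines and keep only those that trip at least one heuristic."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = inspect_o4(m)
            if reasons:
                findings.append(Finding(line, m.group("name"), reasons))
            continue
        m = O3_RE.match(line)
        if m and m.group("file") == "(no file)":
            findings.append(Finding(line, m.group("name"),
                                    ["toolbar CLSID is registered but its file is gone"]))
    return findings


def dlls_by_autorun(lines: List[str]) -> Dict[str, List[str]]:
    """Map each DLL loaded through rundll32 (lower-cased path) to the autorun names using it."""
    groups: Dict[str, List[str]] = {}
    for raw in lines:
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd"))
        if r:
            groups.setdefault(r.group("dll").lower(), []).append(m.group("name"))
    return groups


if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f"[{f.name}] " + "; ".join(f.reasons))
    for dll, names in dlls_by_autorun(LOG_LINES).items():
        print(f"{dll} is loaded by {len(names)} autoruns: {', '.join(names)}")
```

Run stand-alone it lists the GSISETUP, GetMP3, CoolMP3, MP3download and orphaned toolbar entries and reports that MSA64CHK.dll sits behind three autorun names; the RealPlayer, QuickTime, KernelFaultCheck and Window Washer entries trip no heuristic, which matches the distinction between "remove because it is the infection" and "remove because it is clutter" that a helper draws when choosing the lines above.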
     
  8. hazelmason

    hazelmason Private E-2

    Hello there

    I attach the latest HJT log.

    I noticed the following things:

    1) Did not see the following text in the scan log to select:
    C:\DOCUME~1\HAZEL\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\HAZEL\LOCALS~1\Temp\.\V205Res 13

    2) Whilst trying to reset the web settings, my virus checker (F-Secure) kept interfering – I was unable to switch it off but think I managed to get it to allow the changes (the Home Page has changed). However, it keeps flashing a message on screen which says ‘Active Protection has allowed the change of your Local Page to C:\WINDOWS\System32\blank.htm’
    3) Changing the Security settings – the ‘Default’ buttons were greyed out and I had to slide the security level down until they were able to be selected – I then selected the ‘Default’ settings
    4) System Restore – The button on my computer just said ‘Turn off system restore’ (which I selected) and it did not prompt me to restart but I did that anyway.

    As far as running goes, I think the internet has sped up a bit, once the computer has loaded and connected to the Internet. However, it still takes about 10 minutes initially, after switching the computer on, before all the icons etc. come onto the screen, with the ‘egg-timer’ stopped. There is a gap of around 30 seconds between double-clicking a button (eg. My Computer or Word) and the program loading up.

    Other things not associated with your instructions:
    1) Just before I contacted you (but after my problems had started), I started getting an intermittent message to say ‘System low on Virtual memory’. Do I have too many programs loaded up? Should I uninstall what I don’t use?
    2) I notice on the HJT log there are references to web pages and search pages for Internet Explorer relating to BT. I do not use BT any more (but Virgin.net) and only need a simple web page with as much of the page clear as possible so as to see as much of the screen as possible. I don’t need search boxes or anything on view as I can access Google if I wish.
    3) I never use ‘Messenger’, I think it got downloaded with all the BT stuff. I notice in the HJT log there were references to it.

    Thank you again.

    Hazel
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good, are you having any further malware problems?
     
  10. hazelmason

    hazelmason Private E-2

    No, I think that's done the job.
    Many thanks.

    Hazel

    PS Re problems with slow running when not on the internet, should I go to one of the other forums for help?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, because I don't think it's malware related.
     
