Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by daes0707, Aug 5, 2006.

  1. daes0707

    daes0707 Private E-2

    Hi There

    Was looking for some expert advice. I was looking on a website for a keygen; the website said I couldn't have the keygen until I downloaded some files! Yeah, you guessed it, just like in the horror movies when the audience is screaming "don't go in there", I downloaded the files. Since then I have been having some strange things happen on the PC, like MailSafe being turned off on my firewall and, on a couple of occasions, my firewall failing to run on startup, which it always did normally.

    As a result I think my stupidity has resulted in some sort of malware infecting my PC. I was wondering if you could have a look over the logs and see if there is anything obviously wrong with the computer other than its owner.

    I have followed the "Read and Run Me First" tutorial and have installed and run HJT as per the HJT Tutorial. I have attached the run keys log, the new files log and the BitDefender log. I also have the Panda ActiveScan log and the HJT log, which I will attach separately.

    Any help much appreciated.

    Kind regards

    David
     

    Attached Files:

  2. daes0707

    daes0707 Private E-2

    Activescan log and HJT log as promised.

    Thanks again

    David
     

    Attached Files:

  3. matt.chugg

    matt.chugg MajorGeek

    Welcome to MajorGeeks

    I'm not going to preach, as sadly you are now painfully aware that searching for and using warez/keygens and the like only ends up with you in this position, and it's not worth it in the end to have to go through the process of removing this malware.

    BitDefender is showing me that you have some infected restore points, which we will fix (by flushing the old ones and creating a new one) once we have got rid of any issues currently on your machine.

    Your ActiveScan log is clean; the 3 cookies it shows are of no real importance.


    Download
    - Pocket Killbox

    << The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 5.0 Update 7 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  4. daes0707

    daes0707 Private E-2

    Matt

    Thanks for your help. Lesson learnt!

    Attached is a copy of HJT log.

    David

    PS Apologies for not updating the Java software.
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    When you booted into safe mode, were the files I asked you to delete still there to be deleted, or were they all gone?
     
  6. daes0707

    daes0707 Private E-2

    Matt

    They had gone.
     
  7. matt.chugg

    matt.chugg MajorGeek

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.


    Post a fresh HijackThis log.
     
  8. daes0707

    daes0707 Private E-2

    Matt

    I'll keep saying thank you, thank you!

    David
     

    Attached Files:

  9. matt.chugg

    matt.chugg MajorGeek

    How's your system running now? Any better?
     
  10. daes0707

    daes0707 Private E-2

    Matt

    Things seem to be working a bit better. I had a look at the programs listed on my firewall (EZ Firewall v.5.1.039.000) and noticed one called 'Killer' (c:\Documents and Settings\HP_Owner\Local settings\Temp\MSI7.tmp). I had a look for it, however I couldn't find the program at the location given. Not sure if it's malware or not, I just didn't like the sound of it!

    How do I go about purging the corrupted restore points you mentioned earlier?

    Thanks again for your time and your help.

    David
     
  11. matt.chugg

    matt.chugg MajorGeek

    You could probably dump all your program rules for your firewall and recreate them as needed. A lot of the rules are created when you first run a program that accesses the internet. Some of the rules will no longer be needed as the program is no longer on your computer. The file above is a tmp file and would have probably been removed by CCleaner, but you're right, it does sound suspicious.

    Chaslang has done a few updates on ShowNew; can you rerun it for me? I'd just like to check something.
     
  12. daes0707

    daes0707 Private E-2

    Hi Matt

    Ran the new version of ShowMe, log attached. Will remove all programs from the Firewall as suggested and see if the Killer one comes back.

    Thanks again,

    David
     

    Attached Files:

  13. matt.chugg

    matt.chugg MajorGeek

    OK, that looks fine.

    Go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.
     
  14. daes0707

    daes0707 Private E-2

    Hi Matt

    Disabled system restore points, rebooted.
    Enabled system restore and rebooted again.

    Cheers

    David
     
  15. daes0707

    daes0707 Private E-2

    Morning Matt

    Had a look in the msconfig startup tab and found something running there under the command "nwiz.exe/installquiet/keeploaded/nodetect". I had a look on the web and it seems that it could be associated with my graphics card; however, there is also the potential that it could be malware. Any thoughts?

    Thanks again

    David
     
  16. matt.chugg

    matt.chugg MajorGeek

    Yes, it is to do with your graphics card. You have a card with an Nvidia chipset, right? Don't worry about that one.

    Matt
     
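    The two startup entries raised above, the 'Killer' firewall rule pointing at Temp\MSI7.tmp (posts 10 and 11) and the nwiz.exe command (posts 15 and 16), are exactly the kind of thing a run-keys log triage can flag before a helper reads the log by hand. The block below is an added example, not code from this thread or from any MajorGeeks tool: it parses constructed run-key lines in an assumed "<key>  <name> = <command>" layout and applies defender-side heuristics (temp-folder paths, missing targets, .tmp executables, system binary names outside C:\Windows, bare filenames resolved via PATH); `file_exists` is a hook so the check can be stubbed offline.

```python
import ntpath
import os
import re

# Constructed sample in an assumed "<registry key>  <value name> = <command>" layout,
# mirroring entries discussed in the thread (nwiz.exe, the Temp\MSI7.tmp firewall rule).
SAMPLE_LOG = "\n".join([
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run  SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run  nwiz = nwiz.exe /installquiet /keeploaded /nodetect",
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Killer = "C:\Documents and Settings\HP_Owner\Local Settings\Temp\MSI7.tmp"',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run  svchost = C:\Documents and Settings\HP_Owner\Application Data\svchost.exe",
])

ENTRY_RE = re.compile(r"^(?P<key>\S+)\s+(?P<name>[^=]+?)\s*=\s*(?P<command>.+)$")
# Unquoted paths may contain spaces: take the shortest prefix ending in an executable extension.
UNQUOTED_EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|dll|tmp))(?:\s+(.*))?$", re.I)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

def split_command(command):
    """Return (executable, arguments) from a Run-key command line."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        end = command.index('"', 1)
        return command[1:end], command[end + 1:].strip()
    m = UNQUOTED_EXE_RE.match(command)
    return (m.group(1), m.group(2) or "") if m else ((command.split(None, 1) or [""])[0], "")

def classify(exe, file_exists):
    """Reasons a startup target deserves a second look; heuristics, not a verdict."""
    low = exe.lower()
    flags = []
    if ntpath.dirname(low) == "":
        flags.append("bare filename resolved via PATH: confirm which copy runs")
    else:
        if any(marker in low for marker in TEMP_MARKERS):
            flags.append("runs from a temp directory")
        if not file_exists(exe):
            flags.append("target file missing: stale entry or self-deleting loader")
    if low.endswith(".tmp"):
        flags.append("executable carries a .tmp extension")
    if ntpath.basename(low) in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        flags.append("system binary name outside C:\\Windows")
    return flags

def triage(log_text, file_exists=os.path.exists):
    """Map each value name to its warning flags; an empty list means nothing odd."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return {m.group("name").strip(): classify(split_command(m.group("command"))[0], file_exists)
            for m in matches if m}
```

    On a live machine `triage(open("runkeys.txt").read())` uses the real filesystem check, so a rule whose target has already been cleaned up (as the 'Killer' entry was) shows up as "target file missing" rather than being silently skipped.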
  17. daes0707

    daes0707 Private E-2

    Matt

    Things seem to be running pretty well, thanks for your help. I was wondering a couple of things:

    Do you guys get paid for helping folks like me and if not why do you do it?

    Secondly, I was wondering what you thought of Spyware Doctor; is it worth me spending the cash on it?

    Thanks again Matt.

    David
     
  18. matt.chugg

    matt.chugg MajorGeek

    Cool, can you double-check your Norton is working OK for me, specifically the popup blocker, as your HJT log says it may be having an issue; you may need to reinstall it if it is.

    I wouldn't bother paying for it; there are free tools available, mentioned in the Protecting Yourself from Malware.
     
  19. daes0707

    daes0707 Private E-2

    Hi Matt

    EZ eTrust anti-virus seems to be working fine. I ran the free download version of Spyware Doctor and it picked up on quite a few things, including something called Caishow, which it says is some form of adware enabling software?

    Also, this may have nothing to do with malware, but the little box which tells me to replace the battery in the mouse has recently started appearing and I can't turn it off. This only started yesterday and I have been through loads of batteries for the mouse already; could it just be something within msconfig?

    Thanks Matt

    David
     
  20. matt.chugg

    matt.chugg MajorGeek

    OK ignore the bit about norton I got that in the wrong thread, sorry.


    Can you post the Spyware Doctor log? Caishow is a Popup/Popunder type of adware. Not sure about the mouse; does the box go away if you put new batteries in?

    You shouldn't use MSconfig to edit startup entries on a permanent basis; it should be set to normal mode for everyday running. If you have used it to edit startup, it could have been hiding things from the logs we checked. Start up in normal mode and post a fresh HJT log.
     
  21. daes0707

    daes0707 Private E-2

    Matt

    Can't get a log for the Spyware Doctor report, sorry. Changed msconfig to normal mode and it took me fifteen minutes before the PC would do anything.

    I opened up Task Manager and there was a program called vsmon.exe which was hogging up to 60% of the CPU. Not sure what it does, but I think it has something to do with the firewall. It's for this reason I have been starting on a selective startup.

    Attached is the latest HJT.

    Thanks again.

    David
     

    Attached Files:

  22. daes0707

    daes0707 Private E-2

    PS Forgot to say, for the logs I had started up in Normal mode so there shouldn't be any big surprises! :)
     
  23. matt.chugg

    matt.chugg MajorGeek

    Well, can you give me any more detail on what Spyware Doctor is reporting? Do any of the other scans report anything now?
     
  24. daes0707

    daes0707 Private E-2

    Hi Matt

    Apologies for the delay in getting back to you. The main thing the Spyware Doc was coming back with was something called caishow. I identified the registry keys and removed them. None of the other scans showed this up; in fact all the others said everything was fine.

    Since then I have also made another couple of changes. I have removed Spyware Doctor as it seemed to be causing the vsmon problem I mentioned before. I have also switched over to the Syware firewall recommended in your other thread. I have also changed over to using Firefox (which is great). The only downside is that I cannot access my personal account on eBay, nor can I send email (not so great)! Not really anything to do with the malware problem, but any hints much appreciated.

    Thanks again

    David
     
  25. matt.chugg

    matt.chugg MajorGeek

    Do you mean you can't send email from an online account using Firefox, and the same with eBay?

    I don't personally use Firefox, but I suspect it's a security thing. Does FF have a setting for trusted sites like IE does?
     
  26. daes0707

    daes0707 Private E-2

    Hi Matt

    I send my email via Outlook. Incoming isn't a problem, but for some reason when I try to send email the connection times out. I have checked Syware's firewall to ensure that Outlook has permission to access the net.

    With regards to eBay, it's an online user account which you log into over the browser. It used to work on IE, but since having the problems with FF I have tried again using IE and now it doesn't work. Both IE and FF have eBay down as a trusted site.

    David
     
  27. matt.chugg

    matt.chugg MajorGeek

    Sounds like a security app is blocking something. You say you changed firewalls? I suspect that might be the problem.
     
  28. daes0707

    daes0707 Private E-2

    Matt

    If I send you a new HJT log, would you mind checking it to see if it is clear of malware (which was my original query!)?

    I'm off to lunch now, but if it's OK with you I'll post one later?

    Cheers

    David
     
  29. matt.chugg

    matt.chugg MajorGeek

    Sure, no problem. Post it whenever you are ready; I'm on email notification for this thread anyway, so when you do post it I will take a look.

    Also, while you're at it, can you post a runkeys and shownew, as these are often far more helpful to me and the other guys than HJT logs.
     