Need your help again, (another PC)

Please don't do this! Just put additional logs in a second message.

Most of what A-squared found was just due to using online gambling sites and cookies. If you (or others) keep using gambling sites you will sooner or later get junk on your PC from them.

You may not be having malware problems. You could just be having end user problems in the form of what is being downloaded and installed on the PC. Things like

• Online Casino/Poker games
• Kontiki Secure downloader
• Zango
• Toolbars

I will give you somethings to do below but you need to be more cautious on how your PCs are used. If you keep coming here for malwar removal help over and over with the same PCs, it would mean you are not following instructions in the How to protect yourself thread.


I suggest that you uninstall the below.
eMule
eMusic - 50 Free MP3 offer
StreamerOne Beta 0.4
WildGames
William Hill Poker

I don't believe in over clocking. Use the below at your own risk.
SysTool Overclocking Utility

What is the below? Is it for a game? Why does it need to load everytime your PC starts up?
O4 - HKLM\..\Run: [PKR Pal] "./\pkrpal.exe" -osboot


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Users\roy\Desktop\WH GBP Casino.lnk (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Users\roy\Desktop\WH GBP Casino.lnk (HKCU)
After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

Driver::
KService
 
Folder::
C:\Users\roy\AppData\Roaming\iWin
C:\ProgramData\Kontiki
C:\Program Files\Kontiki
C:\Program Files\Zango
 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=-
"QuickTime Task"=-
"SunJavaUpdateSched"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\TEMP\
C:\Users\roy\AppData\Local\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

In this forum none are recommended. I guess you missed that step in the How to protect yourself thread in the past.

Don't know but it should not be required to always run when you start your PC. Anything like that for a game should be questioned.

Just more questionable items that were installed like PPStream and DivoCodec. As you can see from Avast complaining about them, it would be better to uninstall those. Your logs are clean other than these questionable items.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
2. • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the /U, it must be there.
3. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
5. If you are running Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
6. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

Yes we know that people do this all the time. All we are saying is that using P2P and torrent downloading is not safe. Some of the tools are even bundled with malware. In the end you are the one that has to decide the if it is worth the risk. We will not recommend any of these tools in the Malware Forum.

You're welcome.