PSWBanker

Welcome to Majorgeeks!

Many malwares have various guises, so best way to see whats going on is to run the below and attach the requested logs so our malware experts can diagnose and issue you some cleanup steps.

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

 

This is a valid registry key. You should not be touching it and neither should your Cox Security Software which is wrong.


Your logs are clean but I do have a few things you should do as given below. Some are necessary updates and security issues and some are for performance improvements.

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

After clicking Fix, exit HJT.

 

Yes!

Does that same registry key exist on your laptop? Have you checked?

 

That is correct! You should check to see if Cox Security is giving more information. Perhaps they believe they are finding something under the registry key. What you gave is just the main key. There are values and subkeys under the HKEY_CURRENT_USER\software\microsoft\ms setup (acme) too. Is it complaing about only the main key or something under it?

Typically this key will look like the below when exported to a file:

 

You should run a full scan and save a proper log and attach it here. That is assuming their software has the ability to create proper and useful logs.

To export a the registry key so you can see information like I posted, you would:

• use the Registry Editor to navigate to HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)
• then click File, Export, and save the information to a file.

You could then either put the resultant .reg file into a ZIP file to attach it here or you could rename the .reg file to have a .txt extension which can be directly attached. If you do this on both PCs we could easily look at them to see if there is any difference.

 

I guess Cox is a poor excuse for a security program. They may have even deleted part of the registry key entries. Let's fix them and see what happens. We will make your Desktop exactly the same as your laptop.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

 

They are wrong. You even see it on your other PC and it is not detected as a problem so i'm not sure what they are detecting but this registry key is not PSWBanker. You can either ignore it or you can get a better set of protection tools.