
Thekeys.ws virus need help

By mattuk123
Oct 20, 2009
  1. Hi, I downloaded a file from thekeys not knowing it was a virus. I am currently in the middle of completing the 8 step guide; I am on the 4th step at the minute and I will attach the Malwarebytes log... My PC is only 6 months old and I am very upset considering I am only 15 years old and I'm a c*ck for downloading a file from there; it wasn't even for me, it was for my friend. Any advice would be hugely appreciated. If necessary I will do a full hard drive wipe.

    here are my malwarebytes logs

    My Spyware logs.

    And my hijack this log


  2. WinXPert (TS Guru, Posts: 445)

    If Explorer's "Show all hidden and system files" option is disabled, download A43 (an Explorer alternative) http://www.softpedia.com/progDownload/Windows-Portable-Applications-Portable-A43-Download-101172.html We'll use it to delete all your temporary files manually.

    Boot in Safe Mode. Launch A43. Navigate to


    and delete all files under that subdir

    delete loader.exe at C:\Windows\System32\config\systemprofile



    Let's see the logs.

    The reason I advised you to clean your temp files is because the malware resides in your temp file folders.
  3. Bobbye (Helper on the Fringe, Posts: 16,335 +36)

    mattuk, let's back up and start here: Your system has been badly infected.

    No action taken. When this is displayed in the Malwarebytes log, it means the program found malware but you didn't check the line for removal.

    Please go back and UPDATE Mbam, then rescan, and follow with:
    • Make sure that everything is checked, and click Remove Selected.

    There is a similar line in Superantispyware. If you did not check that either, please follow the same: update and rescan, checking that line. Some of our newer members do not know to check for this.

    Your Host files have been hijacked and your queries are being sent to Kornet, the Korean Telecom.

    Please reopen HijackThis to 'do system scan only' and Check the following if present:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: gwgt1.joymax.com
    O4 - HKLM\..\Run: [Xcufusetubetogum] rundll32.exe "C:\Users\Matt\AppData\Local\KBDadsm.dll",Startup
    O4 - HKCU\..\Run: [{91A0C940-11F1-9AD2-8FBB-8CE69C807E86}] C:\Users\Matt\AppData\Roaming\ExplorerI.exe (Added by W32/Sdbot-VS TROJAN/backdoor).
    O4 - HKCU\..\Run: [calc] rundll32.exe C:\Windows\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
    O4 - HKCU\..\Run: [Login Software 2009] C:\Users\Matt\AppData\Local\Temp\hza0b1yf.exe
    O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
    O4 - HKCU\..\Run: [Xcufusetubetogum] rundll32.exe "C:\Users\Matt\AppData\Local\KBDadsm.dll",Startup
    O4 - HKCU\..\Run: [Wcuvay] rundll32.exe "C:\Users\Matt\AppData\Local\iwaferosuloroma.dll",Startup
    O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\Users\Matt\AppData\Local\Temp\debug.exe
    O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
    O4 - Startup: scandisk.lnk = ?

    Close all Windows except for HijackThis and click on "Fix Checked"

    When this has finished:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)


    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with a rescan with HijackThis.

    Please attach new logs from Malwarebytes and Superantispyware and the report from ComboFix.

    Paste the log from HijackThis.
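
An added example, not part of the original thread or of any poster's reply: a short Python triage of HijackThis O4 autorun lines like the ones listed above, flagging entries that launch from Temp, AppData or the system profile directory, or that load a DLL through rundll32. The directory heuristic and the `ExampleUpdater` line are assumptions made for illustration; the other sample lines are copied from the log in the thread.

```python
import re

# Constructed sample: the first three lines are copied from the HijackThis
# entries quoted in the thread; the last one is invented as a benign contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Xcufusetubetogum] rundll32.exe "C:\Users\Matt\AppData\Local\KBDadsm.dll",Startup
O4 - HKCU\..\Run: [Login Software 2009] C:\Users\Matt\AppData\Local\Temp\hza0b1yf.exe
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
"""

# O4 Run-key line: hive, value name in brackets, then the command line.
O4_RUN = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First drive-letter path in the command that ends in .exe or .dll.
TARGET = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.I)
# Heuristic (assumption of this example): directories where legitimate
# autostart programs are rarely installed.
SUSPECT_DIR = re.compile(r'\\(?:appdata\\(?:local|roaming)|temp|system32\\config)\\', re.I)


def triage(log_text):
    """Return (hive, name, target, reasons) for each O4 Run entry worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not an O4 Run-key line
        cmd = m.group('cmd')
        t = TARGET.search(cmd)
        target = t.group(0) if t else cmd
        reasons = []
        if SUSPECT_DIR.search(target):
            reasons.append('runs from Temp/AppData/profile directory')
        via_rundll32 = cmd.lower().lstrip('"').startswith('rundll32')
        if via_rundll32 and target.lower().endswith('.dll'):
            reasons.append('DLL loaded via rundll32')
        if reasons:
            findings.append((m.group('hive'), m.group('name'), target, reasons))
    return findings


if __name__ == '__main__':
    for hive, name, target, reasons in triage(SAMPLE_LOG):
        print(f'{hive} [{name}] {target}: {"; ".join(reasons)}')
```

A flagged entry is a candidate for review against the scanner logs, not proof of infection; some legitimate software also starts from AppData.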