hermesalpha (Paraguay) asked:
Is The Webmaster's Ultimate Reseller Package 2010 a scam that contains virus?

Yesterday, I purchased The Webmaster's Ultimate Reseller Package 2010 from this site:

http://www.webresell.net/?hop=idickson

I first found this "Reseller Package" as a link on this site:

http://www.quackit.com/ (which seems like a non-scam site).

It seemed not to be a scam, as I also searched on Google using "scam" and the title of the download, and searched on the author's name, but found no warnings at all.

I paid for the package by credit card through secure payment and started downloading everything yesterday. The first zip files were no problem, no virus warning from my Eset Smart Security.

But then, when 99 % of ebooks.zip had been downloaded, the CPU ran at 100 % constantly, I received the message "The connection with the server was reset", and Eset Smart Security quarantined the file, labelling it as containing "several threats".

The same thing happened with the file scripts.zip; it even stayed at 99 % with the CPU at 100 % for ten minutes, and then ... finally the "download complete" message (Eset Smart Security didn't quarantine this one, but the CPU was at 100 % constantly for 7-10 minutes!).

I am not 100 % sure about Eset's warning though, because when I earlier installed a piece of software (Brilliant Database), it said it contained a virus (but it was a false alarm).

I sent an e-mail yesterday to [somename]@yahoo.com (this e-mail appeared on the Thank-you-page), but still no response.
hermesalpha (asker):

The zip files have been downloaded to my external HDD. Are my laptop and my external HDD safe as long as I don't open any of the zip files? Should I use Media Viper and completely wipe them away, all the zip files? And stand the loss of this The Webmaster's Ultimate Reseller Package 2010?
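An added example, not code from the thread or from any of the products mentioned in it: a way to look inside a downloaded zip without extracting anything, which is the practical answer to "is it safe as long as I don't open it". The script lists each member and flags executables, encrypted (password-protected) entries, nested archives hidden behind an innocent extension (the thread's autorun.cdd was exactly that), PE files with a non-executable extension, and members whose compression ratio suggests a decompression bomb. The sample archive and its file names are constructed in memory and are hypothetical.

```python
"""Static triage of a downloaded zip archive without extracting it.

Added example, not from the original thread. Nothing is written to disk:
member headers are read, and at most 8 bytes of each member's content.
"""
import io
import zipfile

# Extensions Windows will execute directly (hypothetical but common list)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                  ".js", ".jar", ".msi", ".hta", ".dll"}
# Magic bytes of archive formats that can carry a second stage
ARCHIVE_MAGIC = (b"PK\x03\x04", b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")
MAX_RATIO = 100  # uncompressed/compressed ratio beyond which we suspect a zip bomb


def build_sample_archive() -> bytes:
    """Construct a sample archive (hypothetical content, not the real product)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ebooks/reseller-guide.pdf", b"%PDF-1.4 fake document body")
        zf.writestr("scripts/install.exe", b"MZ" + b"\x00" * 100)
        # A nested zip with a harmless-looking extension, like the autorun.cdd
        # that turned up in the RarSFX temp directory in the thread
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as iz:
            iz.writestr("payload.dll", b"MZ" + b"\x00" * 50)
        zf.writestr("autorun.cdd", inner.getvalue())
        # 2 MB of zeros deflates to a couple of KB: an extreme ratio
        zf.writestr("photos/bomb.txt", b"\x00" * 2_000_000)
    return buf.getvalue()


def triage_archive(data: bytes) -> list:
    """Return one dict per file member: name, size and a list of warning flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            flags = []
            name = zi.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            encrypted = bool(zi.flag_bits & 0x1)  # general-purpose bit 0
            if ext in EXECUTABLE_EXT:
                flags.append("executable")
            if encrypted:
                flags.append("encrypted")
            else:
                # Content sniffing independent of the extension, first 8 bytes only
                with zf.open(zi) as fh:
                    head = fh.read(8)
                if head.startswith(ARCHIVE_MAGIC):
                    flags.append("nested-archive")
                if head.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
                    flags.append("pe-with-misleading-extension")
            if zi.compress_size and zi.file_size / zi.compress_size > MAX_RATIO:
                flags.append("suspicious-ratio")
            findings.append({"name": zi.filename, "size": zi.file_size, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f['name']:<28} {f['size']:>9}  {', '.join(f['flags']) or '-'}")
```

The archive is only ever opened through `zipfile` in read mode; an encrypted member is reported but never decrypted, and members are not extracted, so a malicious payload gets no chance to run. A real triage would hand anything flagged to a scanner or a sandbox rather than to the desktop.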
SOLUTION by rockiroads (United States), available to members only
My feeling was that it was a scam from the look of the web site, but after searching everywhere (on the product title, the seller, the company) I didn't find any warnings. Also, Quackit seemed to be a non-scam site, and the link was placed on that site. But now, I begin to suspect that Quackit is perhaps not an outright scam but perhaps not reliable when it comes to placing the link on its site in the first place.

I had the CPU running up to 100 % for a third zip file, but this time it happened in the middle of the download, not when 99 % had been downloaded like with the first two files. And this file was also completely downloaded (not put in quarantine by Eset). But now, I have the CPU running high quite often, even when not downloading.
Malwarebytes found 249 infiltrations and I removed them all. But most of them were related to Sogou (a Chinese IME for writing Chinese), none of what I could see was related to the downloaded zip-files.

Now, Eset Smart Security is searching and has found 6 infiltrations, but there are no red-marked infiltrations when I browse through the search results (earlier the found infiltrations have always been red-marked; now none is red-marked even though Eset says it has found 6 infiltrations).

Can I choose to search my external HDD with Malwarebytes? Or can I only search internal drive with Malwarebytes?
Ok, now I found this one red-marked in Eset:

autorun.cdd, zip, password-protected file.

It's located in C:\Documents and Settings\Myname\Local Settings\Temp\RarSFX0\autorun.cdd
More search results from Eset:

Win32/PSW.Agent.NISPYNT tr
WIN32/PSW.LdPinch.KNRLSYV trojan
My CPU is constantly at 100 % for a long time (2 hours).
I have to avoid a reinstall at all costs, it would be a catastrophe! I think this trojan records my keystrokes and steals passwords, right? When I type now, the cursor is moving slowly, slower than normal.

What should I do? Use ComboFix? I just have to get rid of this trojan immediately!
The first zip file I downloaded to my external HDD should be no problem because Eset detected and quarantined it. But the other two files were not detected: scripts.zip, and I think Stock Photos.zip was also infected because the CPU ran at 100 % for a long time in the middle of downloading.

I suppose one thing I shouldn't do now is log in to any site using my username and password.
The CPU is constantly at 100 %, what is happening? The cursor is slow. Is the trojan searching all my files for passwords and login details now? Should I turn off the computer?
SOLUTION (available to members only)
SuperAntiSpyware (free edition) found 18 (!!!) of this (so far...):

Trojan.Agent/Gen-Nullo[Short]
The damage is already done, so the most urgent is to find everything that has been infected.
I'm really getting anxious about this: searching on Google, I found several other similar cases and they all seem to have had no option but to reinstall. I have important translation jobs I must get done tomorrow and the next few days.

Do you think there is any, small chance I can find all infections and avoid a reinstall? For instance, first eliminate all infections found by SuperAntiSpyware, then use Combofix?

My cursor is so slow when I type, so probably Mr. Paul J. Meyer sits somewhere and reads my keystrokes. Is there any risk that the trojan has already found login information that is stored on my laptop? So far, I have not logged in to any site with my user IDs and passwords.

Second thing, IF all infections are found, is it possible to use the downloaded zip-files if I search them through several times with all possible AV-tools and Spyware tools?
Both my cursor and the whole system is very very slow now.
Should I stop the scanning now that SuperAntiSpyware is doing and remove the 18 Trojans? And then resume scanning with SuperAntiSpyware?
ASKER CERTIFIED SOLUTION (available to members only)
SOLUTION (available to members only)
I actually received a reply from [Some Name] (the email that was on the Thank You page), and he said he will have a look at it as the material "should not have contained any virus". Anyway, I sent a reply and am waiting for his second reply to see what explanation I get.
That's good news indeed that you got a reply. Fingers crossed that this was not at fault, but you still have some issues to resolve. How is that going?
Still no second reply, but only an hour has passed since I sent my second e-mail.

If this [Some Name] is sincere and somebody else has placed the virus on that site, what could he still do to resolve this? Essentially, with the seller there are two issues: one, can I even use the purchased software securely, and how can I trust it if they tell me they've removed the Trojans and then use it? And two, the seller can hardly help me with the infection already present on my system, can they?
SOLUTION (available to members only)
I just received a reply from Webresell.net and [Some Name]:

Hello hermesalpha,

I've done Microsoft Forefront scans of those files and found absolutely nothing.

I also checked out seanbluestone.com and found nothing. I don't have Eset. Maybe you can send me the scan logs?

Could it be possible that your malware is coming from another source? Did you download anything else recently?

[Some Name]
Webresell.net

This is my reply that I just returned to him:

Hi [Some Name],

I think there has to be one of two things that must have happened:

1. The files were infected (which might not be the case now that you tell me the results of your scans)
2. Something happened during the download at the download location

I am absolutely sure it came from no other location; I was working on a translation at the same time as I downloaded all the zip files from the Thank you page. The first zip files went fine, no problems.

Then, with ebooks.zip, after 99 % had been downloaded the CPU ran up to 100 % constantly and after a while Eset Smart Security told me ebooks.zip contained several threats (which perhaps were being transferred to my computer when I accepted the download and maybe are not in the zip files themselves).

Exactly the same thing with scripts.zip as with ebooks.zip.

Stock Photos.zip: was completely downloaded without Eset stopping it, but the CPU ran up to 100 % in the middle of the download, and for a very long time when 99 % had been downloaded before it actually completed. I still don't have scripts.zip and ebooks.zip, impossible for me to download. I wonder if you could e-mail these to me, using VPN? Or upload them to a server I have access to? Or use the service www.sendthisfile.com?

Regarding this infection I have now (now my CPU is going up and down every 20 seconds and the cursor has started to be slow again, so probably there is a keylogger on my computer), what should I do? I am 100 % certain my computer was infected when I downloaded from the Thank you page. Can you give me some ideas about what could possibly have happened?

Regards,

hermesalpha

In the event that [Some Name] and the people behind Webresell.net are not the ones that caused this infection, who else could it have been? I was working on a translation job at the same time as I downloaded the many zip files from the Thank you page. Is it possible that the people at the hotel here in China have something to do with this? Many people here don't like Westerners (I live in the old area of Guangzhou) and I've experienced many peculiarities with my internet connection: when I can't connect for some reason I phone the reception and within 5-10 minutes (or immediately) I can connect again. The local police here wanted to have better control of which web sites the hotel guests visited, so each hotel guest now has a login user ID and password (this was not the case earlier when I lived here). For example, what do they do after I've called the reception and told them I can't connect?

aleqhart, after reading the reply from [Some Name], do you think it's more probable that the current infection is not a targeted attack but a broad spectrum of malware? Would this be "less evil" damage to my system than a targeted attack?

Should I send the log files to him, from my Combofix and Hijackthis scans?
If I send the scan logs to [Some Name], is there any risk with doing this?

I mean, if he would be the person behind the infection and already has a degree of control over my computer via the planted virus, would I give him more control if I send him the Combofix and Hijackthis scan logs?
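The exchange above turns on one question: were the files bad on the seller's server, or did they change on the way (a transfer that died at 99 %, or something on the hotel network)? The following is an added example, not code from the thread or from the seller, showing the check a practitioner would do: obtain a SHA-256 digest of the seller's copy out of band (e-mail or phone), compare it with the downloaded bytes, and CRC-check every member of the archive without extracting it. The archive, the reference digest and both failure cases (truncated download, one byte modified in transit) are constructed in the script; the member names are hypothetical.

```python
"""Integrity check of a downloaded archive against the seller's copy.

Added example, not from the original thread. A digest comparison separates
"infected on the server" (digests match, seller's scan applies to my bytes)
from "corrupted or altered in transit" (digests differ). zipfile.testzip()
then walks every member's CRC-32 without writing anything to disk.
"""
import hashlib
import io
import zipfile
import zlib

EBOOK_BODY = b"constructed e-book text, stands in for a real PDF"


def build_archive() -> bytes:
    """The seller-side archive. ZIP_STORED so a flipped data byte is a CRC error."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("ebooks/guide.pdf", EBOOK_BODY)
        zf.writestr("ebooks/readme.txt", b"constructed readme")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Digest the seller would publish or send by e-mail."""
    return hashlib.sha256(data).hexdigest()


def verify_download(local: bytes, expected_sha256: str) -> dict:
    """Compare the digest and CRC-check every member; nothing is extracted."""
    result = {
        "digest_match": sha256_hex(local) == expected_sha256.lower(),
        "zip_intact": False,
        "first_bad_member": None,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(local)) as zf:
            bad = zf.testzip()  # name of the first member with a CRC mismatch, else None
            result["first_bad_member"] = bad
            result["zip_intact"] = bad is None
    except (zipfile.BadZipFile, zlib.error):
        pass  # central directory missing (cut-off download) or corrupt stream
    return result


def truncated_download(data: bytes, fraction: float = 0.99) -> bytes:
    """What is left on disk after 'the connection with the server was reset'."""
    return data[: int(len(data) * fraction)]


def tampered_download(data: bytes) -> bytes:
    """Same length, one byte of member data inverted (modification in transit)."""
    idx = data.index(EBOOK_BODY)
    return data[:idx] + bytes([data[idx] ^ 0xFF]) + data[idx + 1:]


if __name__ == "__main__":
    seller_copy = build_archive()
    reference = sha256_hex(seller_copy)  # received out of band from the seller
    for label, blob in (("clean", seller_copy),
                        ("truncated", truncated_download(seller_copy)),
                        ("tampered", tampered_download(seller_copy))):
        print(label, verify_download(blob, reference))
```

A matching digest means the seller's scan of his copy also covers the bytes on the external HDD, so a clean result there is meaningful; a mismatch means the local file is not what he scanned, and the question of where it changed is a network one. The digest has to arrive by a channel other than the download itself, otherwise whoever alters the file can alter the digest too.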
Is this problem related to the infection?:

I logged in to My account at SDL Trados (https://oos.sdl.com/asp/products/ssl/account/default.asp).
That worked fine.

I then chose "Submit your technical query" because I needed support with my CAT-tool. Whereupon I received this error message (I have never received this error message before and I have always been able to submit my technical queries without problems):

"Caught exception: Access denied!".
SOLUTION (available to members only)
To confuse the keylogger, I open Notepad and type letters and numbers randomly, then copy and paste one or two letters and numbers at a time into my login fields. Will this deceive the keylogger?

No, every 20 seconds the CPU runs to 100 %, then pauses for 20 seconds, then runs to 100 % again (it has done this since the morning, 7 hours, but I have to wait for replies to my postings this morning about what to do; I also have to finish a translation job before Monday, so I will try a system restore after I've scanned in safe mode).

The cursor was fine when I started the computer this morning, then for about an hour it was very slow again; after that the cursor is fine, it's quick, only the CPU running to 100 % every 20 seconds, quite irritating because I hear the sound of it all the time.
SOLUTION (available to members only)
I ran these six tools yesterday (not in safe mode though, because I don't know how to switch off Eset Smart Security in safe mode: ComboFix keeps telling me Eset is turned on in safe mode even when I have turned it off!).

When I am in safe mode, can I use msconfig and choose Services/Disable all? Is there any risk with doing this?

Haven't tried Hitman Pro yet, should I use that also?

Can I use them in any order? For example, first Combofix, then Malwarebytes then Superantispyware?
SOLUTION (available to members only)
Unfortunately I didn't read your last posting until too late: I turned off services in safe mode and didn't succeed in turning off Eset Smart Security while ComboFix was scanning. So I had to reinstall everything; I am still downloading and installing all updates (takes ages..., on each reboot Windows Update finds new updates).

To avoid this ever happening again (I will need to work 24 hours now to get the translations handed in before the deadline tomorrow, Monday), I will install as much as I can and then use Acronis True Image Home 2011 (their latest version, I will purchase it when I've finished the installations).

To your knowledge, is the best idea to save the image to D:? What about if I ever would get the same kind of infection? Is there any risk that it can spread onto D: and the image, making it useless? Or if the internal HDD would get damaged?

Also, can I make a first image quite soon and later I make a new image that will replace the first one on D:? I tried that a long time ago with Symantec's Ghost, but each image was saved separately so for each new image I made it didn't replace the old one but just added this new alongside the old one. Which, of course, took a lot of unnecessary space.
Can the virus have survived? The CPU still goes up and down every 20 seconds like before! I used White Canyon's WipeDrive and chose the most secure alternative: wipe with confirmation three times.

Is it really possible the virus still is there?
And I can't access this website: http://www.proz.com/
The cursor and the laptop are very quick, but I really wonder why the CPU follows exactly the same pattern as when I had the virus before the reinstallation this morning: running up to 100 % every 20 seconds.
Ok, I think it's time to leave China!:

Just reinstalled the whole operating system, then installed new software again. Installed the Chinese IM software QQ (the international version that is in English). And now I got the explanation why the laptop immediately was behaving a bit strangely: a Trojan.Dropper in C:\Program Files\Tencent\QQIntl\Bin\Selfupdate.exe (the QQ installation!).
Could be a false positive. But after a reinstall (did you do a format before the reinstall?) it could be a real problem.
I have all of this seller's products: www.whitecanyon.com

I used their WipeDrive to completely remove anything on my internal HDD. I used the most secure alternative: 3 overwrites with 3 confirmations. And then reinstalled everything on the wiped HDD.

No, it's not false alarm, something is very wrong. I will list all small issues I have now below, please have a look and see if you can see any pattern that definitely will be related to the same virus I had before:

1. A strange "do-re-mi"-sound, not very often but it plays through my laptop's speakers. This is exactly the same sound as I had before I wiped the HDD and reinstalled!
2. The CPU runs up to 100 % every 20 seconds, just like before the reinstallation (not yet today though, but yesterday even after the reinstallation, although without any decrease in performance: both changing windows and the cursor movements were very quick all the time).
3. I can not access www.proz.com (a site for translators that I really need access to). I received the message that "The server closed the connection". The same regardless of which browser I use.
4. I can't use Skype, can't login. Also regardless of which browser I use. I need Skype to communicate with my British customer.
5. I don't know if I dare to use the Chinese IM QQ anymore (I recall now that on an earlier occasion, it found a Trojan also in the download). This is one means of communication with a third potential Chinese customer, but I'm not sure I will dare to use it if I risk virus infections.

Actually, one thing I consider is that the second CD-ROM I use from HP, perhaps I install the wrong stuff from it. There are three sections with a lot of checkboxes on when I use that CD-ROM (immediately after I've installed Windows XP), a lot of drivers.

I've just ridden out the first storm (managed to get the finished translation to the customer, but an hour late), but now this week I really don't know how to manage because the laptop and the internet connection are as unpredictable as they possibly can be. I only have two steady customers (one Chinese and one British) and they are the backbone of my business now; without them I can't expand my business and the business would revert to nothing, so they have to be able to trust that I can use the internet and return jobs on time.
I'm really fighting to survive, but the odds have turned really really bad...

In the long run, I will purchase a new laptop with Intel Core 2 Duo processor and larger RAM (some of the problem is probably related to the slow processor I have). But for now, I need to find a solution and to find all viruses.

I was planning on making a backup image once I had reinstalled, but now it seems like I already have a virus! So I can't continue reinstalling all the time, I get nowhere!

I e-mailed my logs from Hijackthis and Combofix to [Some Name] yesterday, still no reply.
A sixth issue:

6. It takes ages to install Google Chrome (the download page says it should take a few seconds; it has taken at least 5 minutes now!). The internet connection is slow here in China and perhaps the hotel's firewall and other settings for this network make it even slower. I have a login, so I don't know how and what the hotel management and police filter among the web sites I can go to. But it is really strange that I couldn't access www.proz.com today (that has never happened before), which is a website for translators.
SOLUTION (available to members only)
rockiroads,

What do you mean with "did u do a format before reinstall"?

I never did any system restore, nor did I format anything, only used WipeDrive to wipe three times and confirm three times, the hard disk should have been like a desert after that, nothing left on it. After that, I just installed the Windows XP Pro.
Format meaning just a clean install, which is what you did with WipeDrive. Just wondering: if that s/w was clean then there couldn't have been any other virus/spyware that crept in, so I'm thinking it might have been a false positive, but you're still having issues.
I tried everything that was suggested but made a mistake so I had to reinstall everything. After the reinstall I still have problems with high CPU (but performance is not affected). So I suspect there must be an issue either with the local (filtered) network here at the hotel in China, or an issue with drivers or hardware on my laptop.
There may very well be an issue with the Chinese servers, both in the hotel and also at ISP level. If memory serves me right, there are some rather interesting issues emanating from the direction of China and, to be honest with you, nothing would really surprise me about China.

You may like to take a look at this :

http://news.bbc.co.uk/2/hi/8455712.stm

http://www.redherring.com/home/26359

Wishing you all the best
Like the article from the Beeb. Funny how Google likes to spy on people themselves, lol, and they have the cheek to complain about China. Still, can't be surprised this stuff happens in China; being a communist state they don't like critics!

Do you still get high CPU usage in safe mode?

Maybe have a look at a utility like FileMon to see what's going on: http://en.wikipedia.org/wiki/FileMon