Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Popups and slow computer!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Popups and slow computer!

Unread postby ineedhelp15 » March 14th, 2007, 7:47 pm

I need some serious help, my computer is so fscked up I don't know what to do. Popups every where, it boots slowly, and nothing seems to work.

Here is the log:
Code: Select all
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:43:26 PM, on 3/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\BBLEAN~1\blackbox.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Opera\opera.exe
C:\thomas_documents\Downloads\HiJackThis_v2.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{371C17C4-E95C-464C-9B64-3FFD56FEBD76}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

--
End of file 

Please help, I just downloaded and ran hijack this and posted the log straight here, as I figured doing something might screw my computer up more.

Help!

ineedhelp15
ineedhelp15
Active Member
 
Posts: 4
Joined: March 14th, 2007, 7:36 pm
Advertisement
Register to Remove

Unread postby silver » March 15th, 2007, 3:30 am

Hi ineedhelp15,

My name is silver and I'm currently looking over your log.

As I am an Undergraduate, everything that I post to you must be checked by an Admin or Moderator so there could be a small delay between posts, we appreciate your patience. I'll be back with some instructions shortly.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby silver » March 15th, 2007, 9:50 am

Hi ineedhelp15,

You do not appear to be running any antivirus software. Without antivirus software your computer is very vulnerable to infections and your computer may be reinfected before I have a chance to respond to your log.
There are several free packages available, two of the most popular are here:
AVG Antivirus: http://free.grisoft.com/doc/1
Antivir: http://www.free-av.com/
Download and install one of these programs immediately, update the definitions and set it to update automatically. Then do a full system scan and quarantine/delete anything it finds, and make a note of where the logfile is stored.

Then, please download and install HijackThis version 1.991, the version you have used is still a beta (testing) version and we want to use the latest full release:

Download the latest HJTsetup.exe from this link:
http://downloads.malwareremoval.com/HJTsetup.exe

Double-click on HJTsetup.exe to start installation
By default it will install to C:\Program Files\HijackThis
Continue to click Next in the setup dialog boxes until you are asked which additional icons you would like
Put a check by Create a desktop icon then click Next again.
Press Install and then Finish and it will automatically launch HijackThis

Once complete, please post the antivirus scan log and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby ineedhelp15 » March 15th, 2007, 3:49 pm

Hmm, antivir was installed, it scanned, and it found nothing at all (with maximum settings, maximum heuristic, etc.). Computer is still slow, with popups, and random reboots as well. Internet seems a lot slower as well. I also did an online KAV scan and NAV scan, but they didn't catch anything either :(

Code: Select all
Logfile of HijackThis v1.99.1
Scan saved at 3:44:08 PM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\BBLEAN~1\blackbox.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe


O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121622461625
O17 - HKLM\System\CCS\Services\Tcpip\..\{371C17C4-E95C-464C-9B64-3FFD56FEBD76}: NameServer = 192.168.1.1
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe


I really need help! This is driving me insane!

ineedhelp15
ineedhelp15
Active Member
 
Posts: 4
Joined: March 14th, 2007, 7:36 pm

Unread postby silver » March 16th, 2007, 9:21 am

Hi ineedhelp15,

Funny that none of those scans picked anything up, we'll try some different tools but first clean with HijackThis:

Please open HijackThis, select Do a system scan only and place a checkmark next to this line:
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Then download Rootkit Revealer from here:
http://download.sysinternals.com/Files/ ... vealer.zip

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • OK the EULAs and click the Scan button (bottom right)
  • It may take a while to scan - please don't use your computer while it's running, otherwise we get a lot of false positives in the log
  • When it's done, go up to File > Save. Choose to save it to your desktop as rootkitrevealer.txt
  • Please post the contents of rootkitrevealer.txt in your next response


Then, download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Post the log file in your next response.
It can be quite long, so please check once you have posted, and if the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Once complete, please post the Rootkit Revealer log, the WinPFind3u log along with a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby ineedhelp15 » March 18th, 2007, 12:25 pm

OMG! None of those applications run on my pc. They do nothing whenever I click on them and hijack this now refuses to run :shock:

Help!

ineedhelp15
ineedhelp15
Active Member
 
Posts: 4
Joined: March 14th, 2007, 7:36 pm

Unread postby silver » March 18th, 2007, 9:18 pm

Hi ineedhelp15,

OK first a couple of questions:
- Did you use HJT to clean the entry as above before this happened?
- Were you able to unzip Rootkit Revealer and WinPFind?
- If no, what happens when you try to do so?
- If yes, can you confirm that you get no reaction from your system when double-clicking the application, if you get any messages please let me know

Next, please try the following:

We will be using Safe Mode during which time you won't have access to the internet so please save/print out these instructions.

Download, install, and update AVG Anti-Spyware 7.5
Download the installer from this page:
http://www.ewido.net/en/download/
  • Save the installer to desktop
  • Double click the installer, select your language, and then select OK
  • Click NEXT->Do or don't read the "User License Agreement"
    Select I Agree->NEXT->INSTALL
  • AVG will now install and afterwards click FINISH
  • Click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes the status bar at the bottom will display "Update successful"
  • Close AVG Anti-Spyware 7.5. Do not run a scan yet.
Note: If for some reason you can't get AVG Antispyware to work, please boot into Safe Mode and try running a HijackThis scan anyway

Reboot your computer into Safe Mode
To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads.
Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account

Once in safe mode:
  • Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the Settings tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and Un-check Only if Threats are found
  • Click back to the Scan tab and then click on Complete System Scan.
  • This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
  • Click the Apply all actions button. AVG Anti-Spyware 7.5 will display All actions have been applied on the right hand side.
  • Click on Save Report, then Save Report As. This will create a text file. Make sure you know where to find this file again (like on the Desktop).


Now try opening HijackThis to produce a log, if successful, save it to your Desktop.

Now reboot your computer normally and post the AVG Antispyware log along with a new HijackThis log if you were able to produce one and let me know about the answers to those questions.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby ineedhelp15 » March 20th, 2007, 8:46 pm

This is ridiculus! So I downloaded everything, and it unzips fine. However, when i double-click on the .exe, it simply refuses to start up. This same thing occurs in safe mode :evil:

This problem is for hijackthis, winpfind, rootkit revealer, and the setup for avg anti-spyware

This is simply awful. I am so tempted to just say screw winblows and try another operating system.

Please help :!:

ineedhelp15
ineedhelp15
Active Member
 
Posts: 4
Joined: March 14th, 2007, 7:36 pm

Unread postby silver » March 21st, 2007, 10:40 am

Hi ineedhelp15,

I can understand your frustration, it looks like you've been hit pretty bad! Please try another couple of tools to see if we can get some information out of your system:

Download Silentrunners from here:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip it to the desktop then double-click on Silent Runners.vbs to start the program. If you get any kind of warning message about scripts, please choose to allow the script to run.
Say Yes to skip the supplementary scan.
A logfile called Startup Programs... will appear on your desktop, wait for the message box telling you the scan is complete before opening it, and post a copy of this in your next response.

Then download Gmer to your Desktop from here:
http://www.gmer.net/gmer.zip
  • Unzip the program onto your Desktop
  • Disconnect from internet and close all running programs and save any work you have open
  • Double click gmer.exe, let the gmer.sys driver load if asked
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say OK
  • If no warning....Check that the Rootkit tab is selected and click the Scan button - don't change any settings before you do so
  • Once the scan is complete, click the Copy button
  • Open Notepad and hit Ctrl+v to paste the log and then save the log to your desktop


Please give HJT one more try, and once complete, post any of the SilentRunners, GMER and HJT logs you were able to produce.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby silver » March 31st, 2007, 12:28 am

Hi ineedhelp15,

How are you getting on?

If the instructions are unclear or something isn't working, please let me know before proceeding.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby NonSuch » April 8th, 2007, 2:49 am

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 305 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware