Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

computer running slow and avsystemcare popups

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

computer running slow and avsystemcare popups

Unread postby debs43 » September 2nd, 2007, 5:14 pm

could anyone pleas check my log as m computer is running slow and i keep getting popups fo avsystemcare thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:01, on 02/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware390\bin\Starware390.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Starware Jokes Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware390\bin\Starware390.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/ ... /vto_x.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3304175961
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.4.2/ ... s-i586.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.microgaming.com/freeplay/FlashAX.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4153 bytes

thank you
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm
Advertisement
Register to Remove

Unread postby DFW » September 3rd, 2007, 2:48 am

Hello and wecome . My name is DFW and I will be assisting you with your malware issues .

Please be patient as I need some time to review your Hijackthis log and i will post back recommendations for repairs.
As I am still on training, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby debs43 » September 3rd, 2007, 5:01 am

thank you for your reply

at the moment each page of the internet that loads takes about 2 minutes to appear.

regards

deb
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby DFW » September 3rd, 2007, 6:10 pm

Hi deds43



You are not running a Antivirus Program

I can’t see any evidence of antivirus software in your Log, you are extremely vulnerable without a AV.
A good Antivirus that is free to download and use is AVG from here

http://www.majorgeeks.com/AVG_Free_Edition_d886.html

Download AVG to your Desktop, then double click to run the installer, follow the instructions to install and update, then continue with the next steps below..




Please go to Control Panel, Then Add/Remove Programs and remove Starware390. Its adware.


Open up Hijackthis
Click on do a system scan only.
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware390\bin\Starware390.dll
O3 - Toolbar: Starware Jokes Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware390\bin\Starware390.dll
O4 - Startup: PowerReg Scheduler V3.exe


Then close all windows except Hijackthis and click Fix Checked




  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    Go to start menu, click on run and copy and paste text below
    Code: Select all
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic, along with a new HijackThis log
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby debs43 » September 3rd, 2007, 6:41 pm

here is the blacklight log

09/03/07 23:25:22 [Info]: BlackLight Engine 1.0.64 initialized
09/03/07 23:25:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/03/07 23:25:23 [Note]: 7019 4
09/03/07 23:25:23 [Note]: 7005 0
09/03/07 23:25:26 [Note]: 7006 0
09/03/07 23:25:26 [Note]: 7022 0
09/03/07 23:25:26 [Note]: 7011 1412
09/03/07 23:25:27 [Note]: 7026 0
09/03/07 23:25:27 [Note]: 7026 0
09/03/07 23:25:29 [Note]: FSRAW library version 1.7.1022
09/03/07 23:36:52 [Note]: 7007 0


new hijackthis logLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:04, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/ ... /vto_x.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3304175961
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.4.2/ ... s-i586.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.microgaming.com/freeplay/FlashAX.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 3881 bytes


thanks
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby DFW » September 4th, 2007, 4:22 am

Hi deds43

Did you download and install the AVG ANTIVIRUS, dont see it in your log, but I do see AVG ANTISPYWARE.


You are not running a Antivirus Program

I can’t see any evidence of antivirus software in your Log, you are extremely vulnerable without a AV.
A good Antivirus that is free to download and use is AVG from here

AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.


Download AVG to your Desktop, then double click to run the installer, follow the instructions to install and update, then continue with the next steps below..


With no Antivirus your going to get infected, just as fast as we clean you.



Update your AVG Antispyware, and set it as below.


  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now
    change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.







Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources.
It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s.[/b]

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.






We Now Need To Boot Into Safemode Now

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc (BOOT SCREEEN).
At this point you should gently tap the F8 key repeatedly until you are presented with a Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Run AVG AntiSpyware in safemode


  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button This must done before saving the report
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
      Image
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.




Restart into normal mode and run this scan.


Kaspersky Online Scanner .

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence,
click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log, AVG AS Log and a description of how your PC is behaving.

.
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby debs43 » September 4th, 2007, 9:53 am

when downloading kaspersky i get a box popup saying files needed

the file '002E080D9.key' on (UNKNOWN) is needed

Type the path where the file is located, and then click OK.

then a browse window appears,

i dont know what to do next thanks
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby debs43 » September 4th, 2007, 11:02 am

kaspersky failed to load message

failed to load kaspersky online scanner activex control

you must have administrative rights to this computer
you must also have IE security settings to the medium level


dont know what to do next thanks
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby DFW » September 4th, 2007, 3:15 pm

Hi deds43


It appears they may be a temporary problem with Kaspersky Online Scanner, I tried it and got
the same problem, I take it you ran the fix up to the Kaspersky Online Scanner

Try this one, and post the AVG Log a new HJT Log and the PANDA Log


PANDA ONLINE SCAN


Click HERE to Run ActiveScan online virus scan:

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby debs43 » September 4th, 2007, 6:10 pm

here are the logs requested

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03:20, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/ ... /vto_x.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3304175961
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.4.2/ ... s-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.microgaming.com/freeplay/FlashAX.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 4546 bytes

avg log


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:11:31 04/09/2007

+ Scan result:



C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP158\A0294475.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP158\A0294476.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP165\A0359206.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP166\A0359227.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP153\A0280163.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP153\A0280165.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP161\A0315953.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP161\A0316001.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E943E717-B7FE-4087-A68B-F54774062516}\RP161\A0316003.exe -> Adware.Trymedia : Cleaned with backup (quarantined).


::Report end


activescan

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15-3.inf
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@2o7[2].txt
Spyware:Cookie/7search Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@7search[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@mediaplex[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\aaron\Cookies\aaron@zedo[2].txt
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\aaron\Local Settings\Temporary Internet Files\Content.IE5\L6WGS3WN\BurgerRushSetup-dm[1].exe
Adware:Adware/Trymedia Not disinfected C:\Downloads\BurgerRushSetup-dm[1].exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070903-232048-520-PowerReg Scheduler V3.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir[contents.rdf]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir[menu.xul]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir[toolbarembed.html]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S.vir
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHESS.F3S.vir
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\REVERSI.F3S.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

thanks again
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby DFW » September 5th, 2007, 8:09 am

Reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



Delete suspect files/folders
Using Windows Explorer, browse for the following files/folders and delete as instructed :

c:\windows\downloaded program files\f3initialsetup1.0.0.15-3.inf <<<<<file

C:\Documents and Settings\aaron\Local Settings\Temporary Internet Files\Content.IE5\L6WGS3WN <<<<<<folder

C:\qoobox <<<<<<folder

C:\Downloads\BurgerRushSetup-dm[1].exe <<<<<file



Post back to confirm you found and deleted files and the folders, and a description of how your PC is behaving
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby debs43 » September 5th, 2007, 8:38 am

i have deleted the second two on your list but cannot find the first two, popups seem to have gone but computer taking an age to load each page still,
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby DFW » September 5th, 2007, 9:45 am

You do have a lot of bad cookies, that showed in the panda log, Do you have all you Usernames and Passwords for each
forum/web site you visit,
I would make a note of them so we clear out all those cookies.



Run ATF Cleaner, once you have a copy or you know all needed password and users names

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All

Click the Empty Selected button.



Now lets try and find those files once more please, just too make sure, double click each folder to open.
Go to your C drive, then windows folder, now find downloaded program files folder, it will have the e on it,in blue for Internet Explorer,
Double click and find and delete f3initialsetup1.0.0.15-3.inf


Go to your C drive, then Documents and Settings folder, find aaron folder, now go to Local Settings folder, and find Temporary Internet Files folder,
now Content.IE5 folder, now find L6WGS3WN folder, and delete it.


Are you still finding web pages load slowly, and please post a new HJT Log
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby debs43 » September 5th, 2007, 11:42 am

f3initialsetup.1.0.015-3inf still not showing

temp internet is empty
debs43
Active Member
 
Posts: 11
Joined: September 2nd, 2007, 4:43 pm

Unread postby DFW » September 5th, 2007, 12:39 pm

Good, as long as you are still showing hidden files don't worry about f3initialsetup1.0.0.15-3.inf.


Are you still finding web pages load slowly, and please post a new HJT Log
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: Vanilla-krypton and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware