Need help with Antivirus XP and Malware cleaning!

Post by 556 » August 31st, 2008, 12:20 pm

Hi,

My thread was just discontinued for what it said was lack of response. There was a large list for me to complete and it has taken me some time with my work schedule this past week and it took a good amount of time for me to run through the steps given.

I'm still working through the fixes and most definitely need help as I have not completed everything yet.

This is the list I've been working through and I'm to the point of booting up in "Safe Mode" (step 14) but I can't seem to do a safe mode boot up. There are definitely still issues and my computer started running slower when I installed the "Spybot S&D".

I would really appreciate the continued help. This week had been a very busy one at work or I'd have worked through this more quickly and I really do need the help in a big way.

I'm also including the HijackThis log file I just ran in case you need to reference this now.

Many thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:37 AM, on 8/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] "C:\Program Files\Trojan Remover\Trjscan.exe" /boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: SpeedPlexer.lnk = C:\Program Files\SpeedPlexer\SpeedPlexer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.e-constructionloans.com/scripts/tdserver.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7592856390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} -
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/ap ... 2mdlax.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerd ... CTIVEX.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9274 bytes



Many thanks in advance.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

I noticed that your "Adobe Reader" is out of date.
You may want to download the latest version, Adobe® Reader® 9.

Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.
Detects and removes malware ( viruses, worms, trojans, etc. )
Detects and removes grayware and spyware
Restores damage caused by malware to your system.
Notifies about vulnerabilities in installed programs and connected network services.
Multi-platform support for: Windows, Linux, Solaris.
Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 5

Please download Ad-Aware 2008.
Please check this link, Ad-Aware 2007/ 2008 for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 6

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:
Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 7

ATF-Cleaner features include:
Cleaning of all user temp folders, administrator only can use this feature.
Cleaning of the Java cache, which seems to be harboring more and more malware.
Cleaning the cache, cookies, history, download history, visited links and saved passwords. You have the option of checking no if you want to save your passwords.
Please download the ATF-Cleaner by Atribune.
Instructions:
Double-click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch (Windows XP) only
Java Cache
The rest are optional - if you want to remove them all, check Select All.
Click the Empty Selected button.
When you get the Done Cleaning message, click OK.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All.
Click the Empty Selected button.
When you get the Done Cleaning message, click OK.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All.
Click the Empty Selected button.
When you get the Done Cleaning message, click OK.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 8

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Step 9

The three poker sites listed below are blacklisted on several online websites. Before you choose poker sites, you may want to check the websites below to see if your online poker game is blacklisted.
CASINOMEISTER'S ROGUE PIT
Blacklisted Casinos
Evil Online Casinos
Online Casino Blacklist

Uninstall the following programs.

UltimateBet
PartyPoker.com
Absolute Poker

To uninstall UltimateBet.

Click Start > Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight UltimateBet, click Remove.
Close the Add or Remove Programs and the Control Panel windows.
Using Windows Explorer (Windows key+e), search for the UltimateBet folder. If the program folder is still there, select/highlight the UltimateBet folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
Follow Steps 1 through 5 for Absolute Poker and PartyPoker.
Close Windows Explorer.

Step 10

Use ctrl + alt + del (Three keys together) to get task manager. Find these processes and end task them.
OR
Use the Process Manager in HijackThis:
Open HijackThis.
Click Open the Misc Tools Section
Click Open Process manager, then find and kill the following running processes (Do not worry if they are not there.)
pphcehoj0er71.exe
UltimateBet.exe

Step 11

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.

Please disable the following programs:

We need to disable Spy Sweeper. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.

Open Spy Sweeper
Click Options
Click Program Options
Uncheck Load at windows startup.
Click Shields
Uncheck everything.
Uncheck Home Page Shield.
Uncheck Automatically restore default without notification.
Don't forget to reinstate Spy Sweeper when your machine is clean by rechecking everything you unchecked above.

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.

Right click on the icon in your System Tray.
Click Exit
Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.

Step 12

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} – https://cld.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 13

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 14

Reboot to Safe Mode (without networking support!). If you don’t know how to boot in Safe Mode, use this tutorial, How To Start Windows in Safe Mode.

Step 15

NOTE: To avoid the risk of any of the files or folders not being found due to their having the Hidden attribute, go to My Computer (Windows key+e) Tools > Folder Options > View. Under Advanced Settings > Files and Folders > Hidden files and folders, first make sure that Show hidden files and folders has a dot in the circle before it which indicates that hidden files and folders are visible. If needed, see this tutorial, How to see hidden files in Windows.

Step 16

Using Windows Explorer (My Computer, Windows key+e), search for and DELETE the following files/folders indicated in BLUE. (Do not worry if they are not there):

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Program Files\rhcahoj0er71
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\user\Application Data\rhcahoj0er71
C:\TempEI4\EI40_\msxml4.cab Not the legitimate Temp folder.
C:\WINDOWS\system32\__c001E5F.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\pphcehoj0er71.exe

Step 13

Reboot to Normal Mode.

Step 14

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 15

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
556
Active Member
 
Posts: 8
Joined: August 21st, 2008, 9:53 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by suebaby41 » August 31st, 2008, 12:45 pm

OK. Let's see where we are.

Sorry about closing your post but it is Malware Removal Forum's policy to close a post when there has been no reply in five days so please keep this in mind. Even if you have not completed all the steps, before the five days deadline, please post a reply to let me know where you are and to keep the post open. Thanks.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by suebaby41 » August 31st, 2008, 8:15 pm

This is the list I've been working through and I'm to the point of booting up in "Safe Mode" (step 14) but I can't seem to do a safe mode boot up. There are definitely still issues and my computer started running slower when I installed the "Spybot S&D".


See if you are able to boot into Last Known Good Configuration.

Tell me more about your computer such as model, amount of RAM, etc.

Uninstall Spybot S&D to see if that is causing your problems.

Step 1

I do not see any obvious signs of malware. You have a lot of unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Step 2

HijackThis may report (no file) wrongly in some areas, but not in the O2 group. The file is missing. Did you recently uninstall Windows Live Messenger? If so, did you use the Add or Remove Programs to uninstall it?

To restore it, the program, Windows Live Messenger, needs to be reinstalled. Windows is looking for a BHO that is not there.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

If you intentionally uninstalled Windows Live Messenger and want to get rid of the entry, try running HijackThis in Safe Mode (if you are able to boot into Safe Mode). Click Fix Checked to have HijackThis fix the entry you checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Step 3

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Please post a new HijackThis log. How is your computer behaving now? Are you able to boot into Safe Mode?
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm
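
The checks applied by eye in the reply above ("(no file)" targets, and O16 DPF entries with no usable download source) can be run over a saved log, as in this added example, which is not part of the thread and not HijackThis's own code. The sample lines are copied from the log and fix list earlier on this page; `Finding` and `triage` are names made up for this sketch.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log and fix list quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} -
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Every entry line starts with a section code such as R1, O2 or O16.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

# O2/O3/O9/O18 layout: "<kind>: <name> - {CLSID} - <target>"
COM_RE = re.compile(
    rf"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.*)$"
)

# O16 layout: "DPF: {CLSID} (<name>) - <source>"; name and source may be absent.
DPF_RE = re.compile(
    rf"^DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*?)\))? -\s*(?P<source>.*)$"
)


@dataclass
class Finding:
    section: str
    clsid: str
    reason: str
    line: str


def triage(log_text):
    """Return entries worth a manual look; a finding is a prompt, not a verdict."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m["section"], m["body"]

        if section == "O16":
            d = DPF_RE.match(body)
            if not d:
                continue
            source = d["source"].strip()
            if not source:
                reason = "DPF entry with no download source recorded"
            elif source.lower().startswith("file:"):
                reason = "DPF installed from a local path, not a URL"
            else:
                continue
            findings.append(Finding(section, d["clsid"], reason, line))
            continue

        c = COM_RE.match(body)
        if c and c["target"].strip() == "(no file)":
            if section == "O2":
                reason = "BHO is registered but its file is missing"
            else:
                # Per the reply above, (no file) can be misreported outside O2.
                reason = "(no file) reported; confirm on disk before fixing"
            findings.append(Finding(section, c["clsid"], reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.clsid}: {f.reason}")
```
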

Re: Need help with Antivirus XP and Malware cleaning!

Post by 556 » August 31st, 2008, 11:34 pm

I don't know how to boot into the last known good configuration.

I can't seem to find an option to boot in safe mode at all. Using the F5 or F8 key when booting up doesn't do it. I've been reading online that the Windows XP programs can have some issues in being able to boot in safe mode. I'm not sure what to believe but I can't seem to do that so I have to find out how.

My computer and system information is listed as follows:

Windows XP Pro 2002
Service Pack 3
Intel
Pentium (R) 4 CPU 3.00GHz
2.99 GHz
1GB RAM

I think you could have touched on something about the unnecessary programs that run in the background although I didn't have these types of delays in starting up before the Antivirus XP 08 hit me. It is currently taking a long time to be able to

Also, since the Antivirus XP 08 invaded, my screen stays on all the time without going dark unless I turn it or the computer off. This didn't happen prior to the invasion. There is no screen saver that appears to be active. Also my wallpaper is still changed if that makes a difference. I'm guessing it indicates something.

* I did not uninstall windows messenger live. If I did it was unintentional. I am getting some messages from people that I don't know and never heard of that would like to add me to their instant messenger list or friends list or something. I just click no each time.

I uninstalled the SpyBot S&D. I'm booting up a bit more quickly and logging in noticeably faster.

I haven't done the other steps you listed yet since I can't run in safe mode.

I'll wait for you to advise me further.

Thank you again ;)
556
Active Member
 
Posts: 8
Joined: August 21st, 2008, 9:53 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by suebaby41 » September 1st, 2008, 2:21 am

To repair Safe Mode, do a repair install which will not affect the programs and files on your computer.

Note: You may want to disconnect from the Internet during the installation. Disconnecting from the Internet during the installation helps protect you from malicious users. You may also want to enable the firewall in Internet Explorer.

Internet Explorer 7 Service Pack 3

If you have Internet Explorer 7 installed on your computer, you must uninstall Internet Explorer 7 before you perform a repair install or in-place upgrade.

How Do You Perform A Reinstallation Of Windows XP? Microsoft Instructions (Sometimes Called A Repair Installation)

  1. Configure your computer to start from the CD-ROM drive. For more information about how to do this, refer to your computer's documentation or contact your computer manufacturer.
  2. Insert your Windows XP Setup CD, and restart your computer.
  3. When the Press any key to boot from CD message is displayed on your screen, press a key to start your computer from the Windows XP CD.
  4. When you see the Welcome To Setup screen, you will see the options below under This portion of the Setup program prepares Microsoft Windows XP to run on your computer:
    • To setup Windows XP now, press ENTER.
    • To repair a Windows XP installation using Recovery Console, press R.
    • To quit Setup without installing Windows XP, press F3.
  5. Press Enter to start the Windows Setup.
  6. Do NOT choose the option to press "R" to use the "Recovery Console".
  7. In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
  8. Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
  9. Follow the instructions on the screen to complete Setup.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
917964 - How to perform a repair installation of Windows XP if Internet Explorer 7 is installed
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by 556 » September 3rd, 2008, 1:04 am

I'm working on this. And will get back to you as soon as I'm finished with the steps you gave me to work on.

Thank you Thank you
556
Active Member
 
Posts: 8
Joined: August 21st, 2008, 9:53 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by suebaby41 » September 3rd, 2008, 12:04 pm

Remember to make a reply before the 5 day deadline. Malware Removal Forum's policy is to close threads where no reply has been made in 5 days.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by 556 » September 6th, 2008, 2:18 am

Suebaby,

I'm still working on this. Will reply again in a day or so when I have been able to finish the list. Trying to boot in safe mode or last known good configuration just would not work.

I've got my Windows XP disc now and will get back to you as soon as I have results. Should be soon.

Thanks for being patient with me. It's been a tough week.
556
Active Member
 
Posts: 8
Joined: August 21st, 2008, 9:53 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by 556 » September 11th, 2008, 3:09 am

Still Working on this.
556
Active Member
 
Posts: 8
Joined: August 21st, 2008, 9:53 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by suebaby41 » September 11th, 2008, 8:01 am

Have you tried this program? I use it because I have trouble hitting the F8 key at just the right time.
BootSafe Benefits:
  • Supports booting into Safe Mode - (Minimal, Networking and Repair).
  • Easily boot back to Normal Mode.
  • Supports Windows 98, 98SE, ME, 2000 and XP.
  • No installation required, no setup, just download and run - it is that simple!
  • Simple to use, fast to download and FREE!
  1. Please download BootSafe.exe (116k) and save it to your Desktop (or any location of your choice).
    Alternate Link
  2. Double click the BootSafe icon to start the program.
  3. Select which Safe Mode you wish to boot - Minimal, Networking (typical), or Repair.
  4. Click the Reboot button
  5. After you have booted into Safe Mode, you can perform any actions needed, such as scanning for viruses, spyware, adware, malware or repairing a system component.

To return to Normal Mode, simply run BootSafe again. Select the Normal Restart option.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Need help with Antivirus XP and Malware cleaning!

Post by NonSuch » September 16th, 2008, 1:54 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California