Help Please, Adware Virus, I Can't Uninstall It
I'm not that up on computers, so I really would appreciate any help
I've somehow got the following virus on my computer and I can't get rid of it and so I keep getting this and other windows coming up. It's called AV System Care, Bit Defender says it's infected with:
Adware.Winantivirus.Q and it keeps opening a window trying to scan my computer. Below is one of the windows but others come up that I haven't been able to copy and paste here for you to see. If someone could help that would be great, I can't uninstall it and I just keep getting these windows come up and loads of advertising windows which I've been told is all tied in with this AV System Care thing. I googled it and on a forum it said a program called 'Hijack This' would clear it, I downloaded it but it didn't get rid of it all and I've still got a program file for AV System Care, so I really don't know what to do now. If you can help could you try and explain it simply as I'm not up on the technical side.
Thanking you in advance, below is one of the windows that keep popping up:
FREE AntiVirus Scan
Free system scan for viruses and malicious software.
After the scan is complete, we will provide you with results of the scan, along with quarantine and removal options.
TasksErrors
Tasks Status Connection Received
Virus Scan Scanning Local Area Network 3,678 kb
Typical Scan Results
Comments
-
Try this. Restart your PC in safe mode, and try to uninstall it in that way. If you can't, open the registry editor by going to START -> Run, type in Regedit and hit enter. In that window, browse to the following locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and then
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Each time, search for any reference to that program. Delete any value that points to that program's components. Restart your computer and try to uninstall the software in the usual way. If you can't get rid of it in this manner, download SuperAntiSpyware from here. It is free. Make a complete scan with it in safe mode.
Andrei0 -
Many thanks Andrei and Niels
Niels, just a quick question, you say after I have downloaded do an update, do you mean an update on the program I've just downloaded?
Sorry, I'm not that great with computers and the technical side
Thanking you again
balasblue0 -
Hi Niels
Sorry another quick question, clicked on your link to download but couldn't see which one to actually download, on the bottom of the page I clicked on 'downloads' but there were quite a few so I'm not sure which one I should download, sorry to be a nuisance, I appreciate your help
carol
(balasblue)0 -
Hi Niels
Sorry meant to have also asked, should I disable Bit Defender when I do this download and scan as when I tried another one it tended to stop it working properly I think?
Thanks
Carol
(Balasblue)0 -
Hello balasblue (Carol)
is the direct download link. Once installed, start the program; you don't have to close BitDefender realtime protection. Once the program is started press on check for updates, check for updates; when they are available you have to press on download. If nothing is available press on close. After that press on scan. Let the program delete everything that is detected.
Regards
Niels0 -
Hi Niels
Many thanks for your patience, will give this a go and let you know.
thanks again
Carol
(balasblue)0 -
Hi Niels
Tried clicking on your link in your last reply to me, but explorer says webpage cannot be found. Sorry can you give me the link again please.
Many thanks
Carol
(balasblue)0 -
Hi Niels
You kindly posted me a link to a majorgeeks download for the AVSystemcare virus I've got, tried clicking your link that you posted in your reply to me but I just get 'webpage cannot be found'.
Would you kindly give it to me again
Thanks for your patience
Carol
(balasblue)0 -
Hello balasblue
I've merged your second topic with your original.
That is because they updated the program and removed the older version.
I will navigate you further. I suggest that you use my first link. Afterwards you must click on one of the download links that are located under free downloads from: click one of them. Wait, do not click on advertisements. After some time you will get the download screen.
Regards
Niels0 -
Hi Niels
Thanks for that, will have a go tonight if I get time and will let you know, I think I'll need a couple of stiff whiskeys first, my poor old grey brain cells are working overtime0 -
Hello balasblue
I will wait for your reply. So take your time.
Did you also already download superantispyware as Andrei suggested? Here is the direct download link. Install it, start the program, press on check for updates. After that is finished reboot your pc and press several times on the F8 button before the windows loading screen, choose safe mode and press enter. Now log in with your account. Start superantispyware, scan your computer and choose perform complete scan and press on next. Let the program take action.
Regards
Niels0 -
Hi Niels
I'm having a problem running the program it's fine until it goes to delete them, then Bit Defender starts going mad about all these AV System Care things trying to infect my computer, I keep clicking the ok button and then the rogue remover says it can't remove all the programs, then my computer freezes and the only way to get out of it is to manually turn it off, I can't escape out of it at all when it freezes. Should I disable all Bit Defender's modules, anti spy, anti virus etc and then run the rogue remover??
I haven't downloaded the one Andrei suggested as I'm such a thicko with the technical side etc I wasn't sure if I would be able to do it. I'm afraid I need to have it in very simple terms that I can follow. I'm slowly getting better but don't really understand when it starts to get into the deep workings and computer language, Sorry. If I'm feeling brave I'll have a go, it's just that sometimes things crop up and I don't know how to escape out of that particular window or whatever or I don't know what to do next to get back to normal.
Thanks again, could you let me know if I should turn Bit Defender off
Carol0 -
Hello balasblue
It's indeed annoying that you see the BitDefender popups. That is because BitDefender blocks access to these files; that is also the reason why rogueremover fails to remove the files.
I suggest that you perform a scan with rogue remover in safe mode. Did you understand the instructions that I gave in my previous reply how to get there? If so follow them. If you perform a cold boot (= when you have shutdown your pc) then you must press immediately on the F8 button the rest of the steps are the same.
Regards
Niels0 -
Many thanks again Niels, I will have a go, probably tomorrow. Again thanks to you and to Andrei, you've been very patient and I do apologise for my lack of knowledge. Will let you know how I go, keep your fingers crossed for me
Carol0 -
Hi Niels
Have run Rogue Remover in safe mode and it's got rid of the AV System Care, so will see how it goes. If I should get any problems would it be ok to ask your advice again?
Is it ok to leave Rogue Remover on my computer in case I need to use it again?
Once again thank you very much, I couldn't have done it without you and Andrei's help and patience.
Carol0 -
Hello balasblue
If you still have problems post them in this topic.
Yes it's ok that you leave rogue remover on your pc.
Best regards
Niels0 -
Hi Niels
Sorry need your help again. I thought Rogue Remover had got rid of AV System care, but I'm still getting the av system care scan window keep coming up and still loads of advertising associated with it. I checked in the control panel and it's still there, I tried removing it but windows says an error occurred and it may already have been removed should it delete av system care from the list, for the moment until I'd spoken to you, I clicked on NO. I checked in Program Files and AV has gone from there, so I ran rogue remover again in safe mode and it says my computer is clear, but still getting the AV systemcare scan windows keep coming up trying to get me to install.
should I delete it from the list in the control panel?
What else do you think I should do?
Really sorry to bother you again, I thought it had gone for good. Again I'd really appreciate your help.
Rogue remover I downloaded is Program Version 1.22, Database Version 149 just for your info. I also checked for updates before I ran it again today, but it says computer is clear, yet av still in control panel add/remove programs list, so I'm a bit confused.
Thank you very much for any help you can give me
Carol
(balasblue)0 -
hi Carol,
I would suggest scanning with Ad-Aware 2007 and eventually with HijackThis. Hijack this allows for a manual registry analysis and removal of malware but it requires some computer knowledge so it will be a little harder to instruct you how to use it. Ad-Aware is a program which has helped me many times with stubborn spyware infections and it's easy to use.
Please go here and click on the link on the right which says Download Latest Version. After you install the program, click Cancel when prompted to register, that way you'll use the free version of the program. Click on the Update button and when the update is completed, disable BitDefender's antivirus and anti-spyware protection. Click "Scan now" on the right in Ad-Aware, select Full scan on the left and then click Scan further down on the right. Once the scan is completed, select all found objects and click the Remove button just below. Then click Finish.
If you still have problems after that, report back and we'll help you use Hijack This, which is a very simple yet effective tool.
Good luck.0 -
Hello Bluesprite
Many thanks for your help, will have a go and report back here, I won't be able to do it tonight as got to go out, but will hopefully try it tomorrow. This AV Systemcare is really terrible and I'm always careful what I click on at websites because of these sorts of virus etc, but they still seem to get into your computer, the people that do these malware things are really ******, they cause so many problems.
Again many thanks for all your patience and help, and I will post here again when I've tried it and let you know how it goes.
Carol0 -
On a related note, what browser are you using? If it's Internet Explorer 6, I recommend that you upgrade to version 7 as soon as possible, or even better start using the Firefox browser. Internet Explorer 6 is an open door for all kinds of malware.
0 -
Here's another program that you should install - it's not a scanner and can't help you get rid of infections, but its job is to prevent infections from installing by locking certain parts of the registry. The only thing you need to do is update it and then click on Enable all protection. Download it here: http://filehippo.com/download_spywareblaster/
0 -
Hello balasblue
Go to start, run, type services.msc, press enter. Search for a service that has av system care in the name or messenger service. Double click on the messenger service; that service should be stopped and start up type must be disabled, press on apply. Do that for av system care service also.
After that go to start, run, type msconfig, press enter, go to start up/boot and enter the name of the processes that you will find under item for start up on this website. If you see an N or X or ? uncheck the start up item. Check also start, program, start up / boot and delete any strange entry.
Go to start, run, type regedit, press enter, expand HKEY_LOCAL_MACHINE and the following folders and subfolders: Software, Microsoft, Windows, CurrentVersion, Run. Now you have to delete any items that you will find at the right side. You also have to enter them on the website I previously mentioned.
If you want to delete the reference in software, when you are in the registry expand HKEY_LOCAL_MACHINE and the following folders and subfolders: Software, Microsoft, Windows, CurrentVersion, Uninstall, search for an entry that is called av systemcare, click on it and press on delete. Confirm the windows message. Reboot your pc.
Best regards
Niels0 -
Hi bluesprite and Niels
Bluesprite
I've downloaded both the Ad Ware and the Spywareblaster from the links you gave me and at the moment it seems to have done the trick, but if I have any more problems I'll come back to you all if I may. My Internet Explorer is version 7.0.6000.16512.
Just 2 quick questions re Spywareblaster.
1) Would it be best to update it about once a week?
2) I enabled all protection as you said, do I need to do anything else with it regularly apart from updating it?
Again thank you for all your help and patience .
Niels
Thank you for all your help, I haven't yet tried what you put in your last post as I thought I would try the Ad Ware and Spywareblaster first. If I still have problems I'll come back here if that's alright with you. If I do I may need you to explain it a bit more as I wasn't very clear what I had to do. So I've not done it yet, thought I'd see how the other stuff goes, with luck it's cleared it.
Again thank you for all your help and patience.
You've both been so helpful and I'm sorry I've had to have things explained in such simple terms but I'm afraid I'm not as knowledgeable as some of you, I'm pretty good on the computer it's just when it starts getting into deep programs and registries etc, I get a bit lost .
Thank you again. Fingers crossed it's all sorted .0 -
Hi Carol,
You don't need to do anything else with Spyware blaster than to update it, maybe once every 2 weeks, or even once a month. After you update it, click Enable all protection, which you'll see after the update is completed.
Because we weren't sure about the particular type of spyware you encountered, Niels gave you instructions how to get rid of the so called Messenger service spam, but if you have Windows XP with Service Pack 2 or Windows Vista, then you're not susceptible to that kind of spam because the Messenger service is disabled by default. You can see how it usually looks on this page: http://www.spywareguide.com/txt_messengerspam.php . If yours was different, then it was a genuine spyware and I hope it's gone for good now.0 -
Hi bluesprite
Yes I have XP service pack 2, thanks.
Just a quick question, I keep getting load of advertising pop ups. i.e. for smilies, to win mobile phones and all sorts. Is there anything I can do to stop this or is it just a case of closing the windows down, which is what I have been doing? Just wondered, as it's really annoying when these windows keep opening.
Thanks
Carol0 -
Are those popups showing while you're browsing, or even if there is no browser window open at the moment and you're doing something else? Because if it's the latter, then your system still isn't clean. If it's the former, in Internet Explorer 7, go to the Tools menu, you'll see the Popup Blocker sub-menu, click on Popup Blocker Settings there. The filter level should be set to Medium or High. If it is already set that way, I think you may have to run Hijack This, but first check the built-in popup blocker.
0 -
Hi bluesprite
I have my pop up blocker set at high. The windows that keep opening are advert windows for things like mobile phone tones from Celldorado.com and lots of others i.e. enter your mobile phone no. to win something, others are join up for free money off vouchers, bingo, all sorts.
The other windows I keep getting are this (I would have copied it and pasted it to show you but couldn't)
Windows Scan Disk
The scan shows you have malware on your C: disk
to prevent loss of data install antispyware
Scan my PC NOW against spyware
this is another window that comes up along with the one above
Windows Security Centre
windows security alert (with a picture of a shield)
your system has 45 threats found in your system. windows is going to be stopped to prevent damage to your computer.
click to download free SWS Anti Spyware 2007
There was a lot more in the window, I've just put the main bits here, of course I don't click on anything I just close the windows down. But I don't know if it's a genuine windows security warning or malware, perhaps you can tell me, and if it's not how I can get rid of this and the other windows from keep coming up.
Thanks again for any help you can give. By the way I'm moving house shortly so if I don't respond to any messages for a few days it's because I'm a bit busy and when I move I'm going to lose my internet connection for about 3 weeks, but hopefully I'll have some time in the next few days to try and sort this out. But if you don't see me reply to your posts that's the reason, but I'll be back when I get my connection back at the new house.
I'd be grateful for any help you can give if it's possible to stop these warning and advert windows.
Thanks
Carol0 -
Hi Carol,
I probably didn't explain well, but what I wanted to know is if you get those ads when you open certain websites, or at any time, for example even when you're reading the BitDefender forum. The reason why I ask this is because some websites are programmed to display pop ups and every single time you go to that site, you will get the pop up. It just means the pop up blocker isn't doing its job as it should. On the other hand, if you get the pop ups at any time, any website, or even when you're not browsing, that means your computer is still infected with spyware or some other malware.
Anyway, to establish that for sure, go here: http://www.filehippo.com/download_hijackthis/ and download the program. Install it and it will start automatically. Click on the first button - Do a system scan and save a log file. After a few seconds the scan will complete and a Notepad window will open with the results of the scan. Copy the whole contents and paste them here. That will help to establish if your computer is clean or there's something pestering it.0 -
Hello balasblue
Can you please say what you didn't understand in my previous post?
Have you already scanned with superantispyware as I told before? If not perform a scan with it.
It could also be a BHO (browser helper object) that is causing the problems. Go to tools,manage add-ons,enable or disable add-ons,select by show Add-ons that have been used by Internet Explorer. Now select every entry by leftclicking on it and choose disable and press on ok. But it's easier if you download hijackthis so we can see where the malware is located.
Best regards
Niels0 -
Hi Bluesprite & Niels
Sorry for delay in getting back to you, got tied up with stuff re our house move.
I did as you suggested and ran Hijack This and have pasted the results below.
Re your question as to when I get the advertising pop up windows? I get them all the time I have internet explorer open, and yes even when I'm here in the forum. e.g.
youronlinegifts.co.uk
wixawin
rewardscentre.co.uk etc loads of different ones.
Regarding this Windows Security Centre window that keeps popping up that has the windows shield emblem. (have typed a bit of what's on the 2 windows below)
Windows Scan Disk
The scan shows you have malware on your C: disk
to prevent loss of data install antispyware
Scan my PC NOW against spyware
This is another window that comes up along with the one above
Windows Security Centre
windows security alert (with a picture of a windows security shield)
your system has 45 threats found in your system. windows is going to be stopped to prevent damage to your computer.
click to download free SWS Anti Spyware 2007
When these 2 windows open Bit Defender alerts me, stops it infecting my computer and says this program is infected with:
Adware.NaviPromo.BYC
and
Adware.NaviPromo.BXQ
These security windows came up 3 times just in the short time I was typing this here at the forum, I don't know if this helps you at all.
Here's the Hijack log file, again apologies for it being a few days and thanks again for any help you can give.
Carol
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:58, on 20/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\KService\KService.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [smileycons] C:\Program Files\Smileycons\smileycons.exe
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68CDEDDE-1059-4A7E-A9BC-444989ABD99F}: NameServer = 212.139.132.57 212.139.132.56
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 8225 bytes0 -
Hi Balasblue
Hope you don't mind me butting in here but if it's any consolation I have exactly the same problem and it won't go. I think I caught the virus by downloading either Sopcast or TVants software, could be wrong though!0 -
Good news.... I followed your advice using Rogueremover and hijack this... took a gamble on letting it fix things for me and everything seems fine. Hopefully it will stay this way, the PC was as bad as Balasblue described 10 minutes ago but it seems fine now. Thanks very much guys!!
0 -
I'll have time to analyze the log tomorrow, if Niels doesn't get around to it first. Don't try to fix anything using Hijackthis unless you know what you're doing, because you can delete important registry entries.
0 -
Hello balasblue
Start Internet Explorer.
Go to tools,Pop-up Blocker,Pop-up Blocker Settings,select remove everything.
Fix these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
You must be very careful when you download smileys, this contains adware.
You can do that by checking the boxes and press on fix checked.
Best regards
Niels0 -
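For readers following the log review above, here is an added example (not part of the thread and not HijackThis code): a small Python reader for the posted log format that lists the O4 autostart entries and checks whether the three entries Niels asked to have fixed are still present after a re-scan. The function names are hypothetical; the sample lines are copied from the log in this thread.

```python
import re

# Excerpt of the HijackThis v2.0.2 log posted in this thread (truncated URL
# kept exactly as posted).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [smileycons] C:\Program Files\Smileycons\smileycons.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# The three entries the helper asked to have fixed, as written in the reply.
FIX_LIST = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab",
]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")             # "O4 - ...", "R0 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
STARTUP = re.compile(r"^(Global Startup|Startup): (.+?) = (.+)$")
IE_SETTING = re.compile(r"^(HK\w+)\\(.+),(.+?) =\s*(.*)$")


def _norm(line):
    """Collapse whitespace so copy/paste differences do not break matching."""
    return " ".join(line.split())


def parse_entries(log_text):
    """Return (code, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def autoruns(entries):
    """Split O4 lines into location, value name and command."""
    found = []
    for code, body in entries:
        if code != "O4":
            continue
        m = RUN.match(body)
        if m:
            hive, key, name, cmd = m.groups()
            found.append({"where": f"{hive} {key}", "name": name, "command": cmd})
            continue
        m = STARTUP.match(body)
        if m:
            found.append({"where": m.group(1), "name": m.group(2), "command": m.group(3)})
    return found


def ie_settings(entries):
    """Split R0/R1 lines into hive, value name and data (data may be empty)."""
    found = []
    for code, body in entries:
        m = IE_SETTING.match(body) if code in ("R0", "R1") else None
        if m:
            found.append({"hive": m.group(1), "value": m.group(3), "data": m.group(4)})
    return found


def still_present(log_text, fix_list):
    """Return the fix-list lines that still appear in a (re-)scan log."""
    seen = {_norm(f"{code} - {body}") for code, body in parse_entries(log_text)}
    return [item for item in fix_list if _norm(item) in seen]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for item in autoruns(entries):
        print(f"{item['where']:15} {item['name']:12} {item['command']}")
    for item in still_present(SAMPLE_LOG, FIX_LIST):
        print("still in log:", item)
```

Running it against a fresh log saved after pressing "Fix checked" shows at a glance whether any of the listed entries came back.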
Hi Niels
I went to internet explorer pop up blocker settings and the 'Allowed Sites' window is empty, so the 'Remove All' button wasn't highlighted.
Sorry the bit after that (as below) I don't understand, where you say:
Fix these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
You must be very careful when you download smileys, this contains adware
You can do that by checking the boxes and press on fix checked.
Where do I do this? Only there isn't anywhere in the pop up blocker settings window that has anything like this,the window is empty.
I've got 2 main areas 'Exceptions' with an area for address of website to allow & a window to show allowed sites, and the second area is 'Notifications & Filter Level' which has 2 boxes which are checked, which are:
'Play sound when a pop up is blocked'
and
'Show information bar when a pop up is blocked'
Also the last sentence about checking boxes I don't understand. The only boxes I have in the pop up blocker settings window is:
'Play sound when a pop up is blocked'
and
'Show information bar when a pop up is blocked'
These boxes are both ticked, there aren't any other boxes. Sorry but I don't understand where I should be looking to 'fix these entries' and 'check the boxes and press on fix checked'
Sorry again but I've got nothing in the pop up blocker so I'm a bit lost.
Thanks
Carol0 -
Hello balasblue
When you start Hijack This choose 'Do a system scan only'. You will find boxes for each entry that is listed; what I wanted you to do is check the boxes before the entries I mentioned before. You have to wait till the scan ends. When you take a look at the left bottom corner you will find a button called fix checked. You have to press on that button. Confirm the message with yes.
Download superantispyware free edition. You can find it here. Install it, double click on the shortcut. Now you will see an icon near your system clock which looks like a bug/insect; rightclick on it and left click (with your left mouse button) on check for updates ... press on the close screen. Go back to the icon and rightclick on it but choose Scan for Spyware, Adware, Malware, press on Scan your pc, check perform complete scan and press next. The scan will begin.
If your pop-up problem (for the rogue antispyware product) still persists follow these instructions.
For your pop-ups download smitfraud fix:
You can download it here
Copy the file to a folder on the root of your computer. Which means go to start,my computer,double click on the icon of your hard disc and rightclick on a free space choose new,new folder.
Print these instructions
Reboot your pc but press the F8 button several times before the Windows loading screen. Choose your user account and log in. Now go to the folder where you placed SmitFraudFix, double click on it, type 2 on your keyboard and press enter. Type Y and press enter on the following questions: Do you want to clean your registry? Replace infected file? (but that isn't always the case). Reboot your pc again. Now post the report that you will find in the root of your hard disc or in the folder you created.
Best regards
Niels
0 -
Hello, I am having the SAME problem! The AvSystem Care says that I may be infected with spyware. I have just downloaded the rogue remover, scanned, and removed all the files but I still get the same thing popping up... If anyone could help, I would GREATLY appreciate it. I am not that good at computers but not that bad. Here is a link to the screenshot I took of it
0 -
I have the list of the things from the Hijackthis. I can post it when you are ready
By the way, sorry if I'm bothering any of you with this.
0 -
Go ahead and post it, no need to ask for permission. You're not bothering anyone, it's the right place to get help.
0 -
Hello inSAnitY13x
Follow the same instructions that I gave to balasblue. Yes you can place a hijack this log.
Best regards
Niels
0 -
Hi inSAnitY13x
Balasblue here. A quick question, how did you get a screen shot of AV System Care?? I wanted to do that to show Niels & Bluesprite but didn't know how, can you tell me so I know for the future.
Thanks
Carol
(balasblue)
Niels & bluesprite
Sorry for the delay in getting back, have again been busy with house move, I am going to try and do what you posted for me Niels, I've already done the 'fix checked boxes' in Hijack This. So now I'm going to download the superantispyware you have given me the link for and do that. Will get back here with results asap.
Carol
0 -
Hello balasblue
We will wait for your reaction.
You can make screenshots by pressing the print scr (printscreen) button on your keyboard. Open Paint and choose paste; now you have a screenshot. Or you can use specific programs.
Best regards
Niels
0 -
Hi Niels
I have downloaded superantispyware and have run a scan; there were 75 adware cookies, which I got it to fix. So I will see how it goes, if it still happens I will go ahead with smitfraud as per your instructions.
Thank you for telling me how to do screen shots.
Do I keep all these anti spyware tools on my computer? I've downloaded the ones below as per the posts in answer to my problem, do I just leave them on my computer?
Superantispyware
Hijack This
Rogue Remover
Spyware Blaster
Ad Ware 2007
Also out of interest, why didn't Bit Defender stop all this spyware that's infected my computer? I thought it was supposed to stop it all, but it didn't. Just wondered why not?
If I need to use smitfraud I'll come back and let you know, again it might be a few days as it looks like I'm moving on 15th Oct so things might start getting a bit hectic here and I will probably lose my internet connection for 2 weeks until it's set up again at the new house. So please be patient if I don't get back for a while.
Thanks again, I can't tell you how much I appreciate all your and everyone else's help with all this, and again my apologies if I don't always understand straight away.
Regards
Carol
0 -
Hello balasblue
I recommend that you keep superantispyware and spywareblaster as backup protection for BitDefender. Rogueremover and hijackthis are tools for removing certain infections and aren't really needed. BitDefender knows lots of malware (malicious software) but not as many as specific tools know. So it's good that you have backup scanners. But BitDefender will always block access to the infected files if they are recognised by the virus signatures or by behaviour. I am no virus researcher so this is my personal opinion.
Glad that I could help you.
Best regards
Niels
0 -
Here is the log:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1145442093\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\SwiftSwitch\SwiftSwitch.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145442093\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCYYYYYYMFUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181332349408
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Security Center wscsvcehSched (wscsvcehSched) - Unknown owner - C:\WINDOWS\system32\acctresb.exe
O24 - Desktop Component 0: (no name) - (no file)
0 -
You have MyWebSearch toolbar, that's what's causing trouble. It's a known spyware, so here are detailed instructions on how to get rid of it: http://www.pchell.com/support/mywebsearch.shtml
Once that's removed, see if you still have the problems and if so, run Hijack This once more and post the new logfile again.
0 -
Hello inSAnitY13x
Open task manager by going to start, run, type taskmgr and left click on the following processes: m3SrchMn.exe, mwsoemon.exe
Fix these entries:
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
(Fix that entry if you haven't disabled the registry editor yourself; in most cases this is done by malware.)
I recommend that you download and install superantispyware and also follow the instructions that I gave on how to use smitfraudfix.
After that make a fresh log.
Best regards
Niels
0 -
Thanks guys! I just deleted EVERYTHING that had MWS in it and disabled those things from HJT. I really hope it works. I will try out that superantispyware thing. If it all doesn't work out I will be calling the Dell lady, but have to fork up $129.99 somehow...
EDIT: Just as I added it I got the pop up... I am really frustrated. I guess I will just ask my mom. =\
0 -
Don't give up so soon, I expected that removing the toolbar will not be enough, because you have this process running: C:\WINDOWS\system32\printer.exe and it's not a part of that toolbar, it's the same stuff that balasblue had. Run hijack this again and fix these as well:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
Also, check if any of the other entries that Niels posted hasn't reappeared, especially this one:
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
After you fix these, reboot and scan with SuperAntispyware, then make a new logfile with Hijack This and post it to make sure everything's gone.
0
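The replies above pick entries out of the posted log by hand. As an added example (not part of any post in this thread and not HijackThis's own code), this sketch parses HijackThis entry lines and marks the kinds of entries the helpers singled out; the function names and the watchlist are assumptions made for illustration, and a match means "review this entry", not "this is malware".

```python
import re

# Entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.exe
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry body
# Assumed watchlist: long and 8.3 short names of the toolbar named in the replies.
WATCHLIST = ("mywebsearch", "mywebs~1")

def parse(log):
    """Yield (section, body) per entry line; running-process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def review_reasons(section, body):
    """Reasons an entry needs manual review (heuristics drawn from the replies)."""
    low, reasons = body.lower(), []
    if section == "F2" and "shell=" in low:
        extra = [t for t in low.split("shell=", 1)[1].split() if t != "explorer.exe"]
        if extra:
            reasons.append("Shell starts more than Explorer.exe: " + " ".join(extra))
    if section == "O7" and "disableregedit=1" in low:
        reasons.append("Registry editor is disabled by policy")
    if section == "O20" and low.startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set (loaded into every process that loads user32.dll)")
    if any(w in low for w in WATCHLIST):
        reasons.append("Path or name matches the toolbar watchlist")
    return reasons

def triage(log):
    """Return [(section, body, reasons)] for entries with at least one reason."""
    flagged = []
    for section, body in parse(log):
        reasons = review_reasons(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> " + "; ".join(reasons))
```

Run against a log saved before and after a cleanup pass, the same function shows whether a fixed entry has come back after a reboot.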