  #1  
05-10-2007
HammadAhmad123
Bronze Member
Join Date: May 2007
Posts: 27
[Pending] PC running slowly; ad pop-ups

hello,

i've recently been infected with some sort of adware. the machine runs very slowly and every so often i'll get a pop-up showing an ad. i've run the nod32 scanner multiple times in safe mode until i got 0 threats. however, the pc remains sluggish and the pop-ups continue to appear. i ran the hijackthis program; here is the log.

thanks in advance.
Attached Files
File Type: log hijackthis.log (7.0 KB, 7 views)


  #2  
05-11-2007
chiaz
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 2,712
PC Experience: PC Guru

Hello, and welcome to PCHF.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.



  #3  
05-12-2007
HammadAhmad123
Bronze Member
Join Date: May 2007
Posts: 27
did what you said

before i did what u said, i had a friend take a look at my hjt log and he 'fixed' some of the entries. however, the symptoms continued to persist. then, i did what u said and still, the symptoms persist. here are the additional logs u requested.
Attached Files
File Type: log hijackthis.log (6.2 KB, 3 views)
File Type: txt VundoFix.txt (1.6 KB, 2 views)


  #4  
05-12-2007
merlin
Trusted Security Analyst
Join Date: Jul 2005
Location: Wisconsin
Posts: 2,622
PC Experience: Computers Fear Me

Rerun HJT and have it clean these..
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\mvgkpuer.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\system32\efcbbba.dll
O2 - BHO: (no name) - {47E5B3A2-3E52-4C47-AF19-908144694343} - C:\WINDOWS\system32\qopom.dll (file missing)
Winlogon Notify: efcbbba


let's get rid of this one through the reg..
  1. Click Start > Run.
  2. Type regedit

    Then click OK.
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  4. In the right pane, delete the value:

    "Windows Upate" = "rundll.exe"
  5. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  6. In the right pane, delete the value:

    "Windows Upate" = "rundll.exe"
  7. Navigate to the key:

    HKEY_CLASSES_ROOT\txtfile\shell\open\command
  8. In the right pane, delete the value:

    "(Default)" = "%Windir%\real.exe "%1""
  9. Exit the Registry Editor.
Post a new log


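The O2 and Winlogon Notify lines quoted in post #4, run through a small triage parser. This is an added example, not part of any poster's reply and not HijackThis code; the sample lines are copied from the post, and the flag names and the cross-reference rule are assumptions made for illustration.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any OS

# Sample input: the four log lines quoted in post #4 above.
SAMPLE = r"""
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\mvgkpuer.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\system32\efcbbba.dll
O2 - BHO: (no name) - {47E5B3A2-3E52-4C47-AF19-908144694343} - C:\WINDOWS\system32\qopom.dll (file missing)
Winlogon Notify: efcbbba
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Full logs prefix this section with "O20 - "; the post quotes it without.
NOTIFY_RE = re.compile(r"^(?:O20 - )?Winlogon Notify: (?P<name>[^\s-]+)")


def parse(log_text):
    """Return (list of BHO dicts, set of lower-cased Winlogon Notify names)."""
    bhos, notify = [], set()
    for line in map(str.strip, log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "path": m["path"], "missing": bool(m["missing"])})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify.add(m["name"].lower())
    return bhos, notify


def triage(log_text):
    """Flag each BHO; flag names are illustrative, not HijackThis output."""
    bhos, notify = parse(log_text)
    report = []
    for b in bhos:
        flags = []
        if b["name"] == "(no name)":
            flags.append("unnamed")
        if b["missing"]:
            flags.append("file-missing")  # registry entry whose DLL is gone
        if splitext(basename(b["path"]))[0].lower() in notify:
            flags.append("also-winlogon-notify")  # same DLL, second load point
        report.append((b["clsid"], b["path"], flags))
    return report
```

An entry flagged `also-winlogon-notify` is registered at two load points, which is why the post asks for both the O2 line and the Winlogon Notify line to be cleaned.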


  #5  
05-12-2007
HammadAhmad123
Bronze Member
Join Date: May 2007
Posts: 27

i followed ur instructions best i could:
1) hjt couldn't 'fix' some of the specified files
2) "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" - this directory doesn't exist on my machine
3) ""(Default)" = "%Windir%\real.exe "%1""" - this entry doesn't exist on my machine
in any case, here is a fresh hjt log.
thanks
Attached Files
File Type: log hijackthis.log (6.3 KB, 5 views)


  #6  
05-12-2007
chiaz
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 2,712
PC Experience: PC Guru

Merlin, please read my pm.

HammadAhmad, WinFixer has been removed now, good job.

We still have another rogue program on your computer: SpywareQuake.
SpywareQuake - Symantec.com

Download SmitfraudFix http://siri.urz.free.fr/Fix/SmitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press 'Enter'. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

Note: process.exe is detected by some antivirus programs as a 'Risk Tool'. It is not a virus. If you get this detected, ignore it..


  #7  
05-12-2007
HammadAhmad123
Bronze Member
Join Date: May 2007
Posts: 27

ok, i am now being forced to type this message in safe mode. one of my friends ran a program called prevx which was able to locate and delete the remaining spyware/trojan files. after what we thought was a done deal, with all the dangerous files having been deleted, we rebooted the pc. after the reboot, the system was slower than ever. explorer would freeze anytime i would stray from the home page. i was never able to stay logged in long enough to see if the pop-up ads continued. the only thing i could do was run hjt and save a log file. i tried running smitfraudfix, but every time i clicked on it, a blank cmd prompt would pop up, and that's it, it would stare at me with a blinking cursor. any help would be greatly appreciated. i've looked at the hjt file and can't seem to find anything suspicious therein...maybe i've deleted something important? a very perplexing situation...don't know what to do; formatting is last option. please help! am only able to stay logged in safe mode w/ networking, as normal mode is very slow and freezes/crashes often. here is latest hjt logfile from normal log-in mode. thanks...
Attached Files
File Type: log hijackthis.log (5.6 KB, 3 views)


