11th February 2008, 10:24 PM
|  | Newcomer | | Join Date: Feb 2008, 32 posts. Reputation:  | |
[SOLVED] Pop ups on every screen inclu windows
Hi everyone,
This is my first post. I keep getting pop ups of different ads on my PC; they appear on every screen including the Windows screen. I have run my antispyware (Spybot) and my antivirus (AVG), which did get rid of something, but it has not fixed the problem.
This is very annoying and any help would be appreciated, as I do not know what to do next.
Troy
Last edited by troy021079; 11th February 2008 at 11:06 PM.
| 
11th February 2008, 10:45 PM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
Hello and welcome to
Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.
Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above. Also, let me know the results of the Panda Antirootkit scan.
Regards Howard
This thread is for the use of troy021079 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.
13th February 2008, 09:33 AM
|  | Newcomer | | Join Date: Feb 2008, 32 posts. Reputation:  | | |
Here are the logs as requested. I'm still getting the popups as I type though.
The antirootkit was clear.
Where to from here?
| 
13th February 2008, 10:38 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
You have posted an AVG Antivirus log file, rather than an AVG Antispyware log file.
Also you have not renamed HJT as per the instructions. C:\Program Files\Trend Micro\crusty\HijackThis.exe < This is the file you need to rename to Crusty.exe.
Go to add/remove programmes in your control panel and uninstall anything to do with (if there):
Morpheus
BearShare
Close control panel.
Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code: Quote:
File::
C:\WINDOWS\IFinst26.exe
C:\DOCUME~1\troy\APPLIC~1\SAVERE~1\RefThisAce.exe
C:\Documents and Settings\All Users\Application Data\Admin Inter 1 Mags\Draw Bore.exe
c:\docume~1\troy\applic~1\savere~1\meow bone 1.exe
Folder::
C:\DOCUME~1\troy\APPLIC~1\SAVERE~1
C:\Program Files\Morpheus
C:\VundoFix Backups
C:\Documents and Settings\troy\Application Data\BearShare
C:\Program Files\BearShare Applications
C:\Documents and Settings\All Users\Application Data\Admin Inter 1 Mags
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Manager First"=-
"1 mags 16 more"=-
|
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log and an AVG Antispyware log.
Regards Howard
Last edited by Howard; 13th February 2008 at 11:56 AM.
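A pre-flight check for the CFScript.txt described in the post above, as an added example that is not part of the original post or of ComboFix. The function name `lint_cfscript` is hypothetical; it assumes only the three section headers shown in the thread and reads the Registry:: lines as regedit .reg syntax, where `[-KEY]` removes a key and `"name"=-` removes a value.

```python
import re

# Section headers that appear in the script posted in this thread.
SECTIONS = ("File::", "Folder::", "Registry::")
# Constructed samples: the thread's script shortened, plus a copy saved badly.
BAD_SAMPLE = "\n File::\nC:\\WINDOWS\\IFinst26.exe\n"
GOOD_SAMPLE = """File::
C:\\WINDOWS\\IFinst26.exe
Folder::
C:\\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Manager First"=-
"""

def lint_cfscript(text):
    """Return (problems, plan); plan lists what the script asks to delete."""
    problems = []
    plan = {"files": [], "folders": [], "keys": [], "values": []}
    lines = text.splitlines()
    # Rule from the post: File:: on line 1, nothing above it, nothing in front.
    if not lines or lines[0] != "File::":
        problems.append("line 1 must be exactly 'File::' (found %r)" % (lines[0] if lines else ""))
    section, key = None, None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, key = line, None
            if line not in SECTIONS:
                problems.append("line %d: section %r is not one used in the thread" % (n, line))
        elif section in ("File::", "Folder::"):
            plan["files" if section == "File::" else "folders"].append(line)
        elif section == "Registry::":
            m = re.fullmatch(r"\[(-?)(.+)\]", line)
            v = re.fullmatch(r'"(.+)"=-', line)
            if m:  # [-KEY] deletes the key, [KEY] only selects it for values
                key = m.group(2)
                if m.group(1):
                    plan["keys"].append(key)
            elif v and key:  # "name"=- deletes that value under the selected key
                plan["values"].append((key, v.group(1)))
            else:
                problems.append("line %d: unrecognised registry line %r" % (n, line))
        else:
            problems.append("line %d: entry before any section header" % n)
    return problems, plan
```

Reading the returned plan before handing the file to the tool shows exactly which files, folders, registry keys and Run values are about to be removed.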
| 
13th February 2008, 11:42 AM
|  | Newcomer | | Join Date: Feb 2008, 32 posts. Reputation:  | | |
I can not find combo fix again?
| 
13th February 2008, 11:56 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
If you followed the instructions correctly, it should be on your desktop.
If you still can't find it, redownload it to your desktop and follow the instructions.
Regards Howard
14th February 2008, 07:54 AM
|  | Newcomer | | Join Date: Feb 2008, 32 posts. Reputation:  | |
Hopefully I have done it right now.
14th February 2008, 01:10 PM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for (if there):
RefThisAce.exe
IFinst26.exe
Draw Bore.exe
Close task manager.
Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Manager First] C:\DOCUME~1\troy\APPLIC~1\SAVERE~1\RefThisAce.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or folders (if there):
C:\DOCUME~1\troy\APPLIC~1\SAVERE~1 < Delete the entire folder.
C:\WINDOWS\IFinst26.exe
C:\Documents and Settings\All Users\Application Data\Admin Inter 1 Mags < Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Post fresh Combofix and HJT logs.
Regards Howard
16th February 2008, 09:45 AM
|  | Newcomer | | Join Date: Feb 2008, 32 posts. Reputation:  | | |
Maybe this time:frown:
| 
16th February 2008, 09:57 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
Almost done mate.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Locate and delete the following bold files and/or folders (if there):
C:\WINDOWS\imsins.BAK
Reboot into normal mode and rehide your protected OS files.
Check to make sure that file has been deleted. If it has then you're good to go and should do the following. If the file is still there, then post back with a fresh Combofix log.
Click start/run and type combofix /u into the run box and hit the enter key. Note the space between combofix and forward slash. This will uninstall Combofix and all its folders etc.
Turn off system restore (XP/ME only). See how HERE.
Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.
You may want to have a read of this thread HERE.
Regards Howard
16th February 2008, 10:54 AM
|  | Newcomer | | Join Date: Feb 2008, 32 posts. Reputation:  | | |
Ok, I think I got it all. Those last files weren't there when I rebooted.
Thank you
Troy
| 
16th February 2008, 11:09 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
Ok, in that case I'll mark this thread solved.
If you need this thread re-opened please contact a moderator or PM me.
Regards Howard