Gomyhit.com trustedantivirus.com popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by yashica, May 7, 2008.

  1. yashica

    yashica Private E-2

    Hi all. I have gone through a few past threads where these names had been mentioned, and I tried using HiJackThis, but I can't seem to be able to run it on my computer. I downloaded HiJackThis from Majorgeeks.com, but whenever I try to run it after installation, no window opens and no dialog box appears. To check whether it is indeed running or not, I checked the processes in Task Manager, and they show HiJackThis as a running process, along with its size and the resources it uses. But I can't figure out why it won't run. Please advise how I can download HiJackThis and use it to remove spyware from my computer. I keep on getting popups from sites like gomyhit.com, trustedantivirus.com, antispywaremaster.com, etc., even when I have protection ON with Spyware Doctor (it is a trial version as of now). Please, someone help me out; I am a complete novice in this field and really need help.
     
  2. abri

    abri MajorGeek

    Hi yashica,
    Welcome to Major Geeks!


    Please begin by uninstalling the trial version of Spyware Doctor. Then begin as soon as possible with the instructions in the READ & RUN ME FIRST. What you're describing is typical of a variety of forms of malware, and you will begin to find some relief from these symptoms as soon as you start into the READ & RUN ME procedures. Pay attention to things like making sure that Teatimer is disabled or, if you will be installing Spybot S&D for the first time, make sure that Teatimer is not installed with the program at all. We ask you to do several scans that will pick up a lot of different forms of malware and then run a set of diagnostic scans that will allow us to see what files are still left that need to be removed. When you're finished, attach the requested logs. If there's something you can't do, go on to the next step and try to continue to the end. Be sure, if you have Vista, that you run the instructions for Vista whenever you come to them, and regardless of your operating system, you must have administrative capabilities to install and run these programs.

    Thanks.
    abri
     
  3. yashica

    yashica Private E-2

    Thanks for replying to my post, Abri. I went through the Read and Run Me First thread and did exactly as it said. While doing so I came across a dialog box which popped up from somewhere and prohibited me from doing something, saying that I don't have administrator privileges, even though there's just my account on my computer and it is an administrator account.
    Anyway, I installed CCleaner and ran it as well.
    Please tell me what further steps I should take in order to get rid of the popups. Another thing: each time I ran Spyware Doctor in the past, it was able to detect an infection and delete it, but somehow it kept on recurring, and each time it showed the same, ApplicationtrackingCookies, with risk level low. I uninstalled it as you asked me to.
    I have Windows XP SP2 and have Kaspersky 7.0 antivirus, but I am not sure about how many or which firewalls I am using, so please guide me through that as well. I don't have Teatimer installed on my computer. I do have Malwarebytes' Anti-Malware installed on my computer; please suggest whether I should uninstall it, because I read in the Read and Run Me First forum that one should not have more than one antivirus. One more thing: in the past, when I was really bombarded with some virus and finally had to format my PC, I installed F-Secure from a friend, but even though I have uninstalled it and it doesn't appear in Add/Remove Programs, it still shows in the tray, and I unload it each time at boot up so that it doesn't create any problems.
    You mentioned Spybot S&D; I will download and install it from the Majorgeeks site itself until you reply to this. Thanks for all the help so far, and I really appreciate it.

    Yashica
     
  4. yashica

    yashica Private E-2

    And hey, I managed to somehow run HiJackThis and have attached the log files to this post, but couldn't manage to find any items like those listed in some forum, something like O15:, etc. Please go through the log file and advise accordingly. Thanks.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi yashica,

    Your computer's badly infected. Even if we are able to remove some of the symptoms, there will still be problems until you can make it through all the instructions. It will take several posts to fix it. Let's start here: (If you find you still have problems with the administrative rights, let me know).

    Is Spyware Doctor a trial version? If so, please go to add/remove programs and uninstall it.

    Then I would like for you to do the following:

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program


    After you complete the above, please print out the instructions, as I will have you do the following without an internet connection. After you print out the instructions, please physically disconnect your computer from the internet. Disable your antivirus / antispyware programs. Then continue with the following:


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to F-Secure Management Agent
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Repeat this with these services:
      • Boonty Games
      • NetCom3 Service
    • Click OK until you get back to Windows.

    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste FSMA into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Then repeat the same with these:
      • Boonty Games
      • Netcom3
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.



    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now. If any lines are missing, don't worry about this. Just go on until you find those entries which match and put a checkmark next to them. Remember to close your browser windows. Then click on FIX.

    All the O1 - Hosts items if they are still there: (these two are just examples)

    O1 - Hosts: 125.91.1.20 www.7322.com
    O1 - Hosts: 61.141.31.2 www.xiaoyouxi.com
    O2 - BHO: Navcot Class - {116AE73A-7D10-4EC2-A46D-52CA50D5197F} - C:\WINDOWS\system32\inet.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.hwd" -atboottime
    O4 - HKLM\..\Run: [mscdti] C:\WINDOWS\cdti.exe /nosrv
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
    O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
    O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...0000045.00000119&c=00000082.00000097.000001cf
    O4 - HKLM\..\Policies\Explorer\Run: [PC1] .vbe
    O20 - Winlogon Notify: efcASkkL - C:\WINDOWS\
    O21 - SSODL: 3o9uf0l2 - {D6F81A3C-7092-B4D6-B4D6-5E7092B4D6F8} - C:\WINDOWS\system32\FMTAHOZG.dll (file missing)
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: cfm - Unknown owner - C:\WINDOWS\system32\cfmom.exe
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    After you click fix, just close hijackthis.

    Now re-enable your antivirus / antispyware programs and reconnect to the internet.

    Now run CCleaner at the default setting with the Windows tab as the top one.

    Please go back to the READ & RUN ME FIRST and see if you can get farther with the instructions this time. If so, attach all the logs you can get.

    Then let me know how everything went?

    abri
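The post above walks through a HijackThis log by hand, picking out hosts-file redirects, autorun entries that launch odd targets, components whose file is missing, and services with no publisher. As an added example (not code from this thread, from MajorGeeks, or from HijackThis itself), the script below encodes those same triage heuristics and runs them over a sample built from the log lines quoted in the post. The rule names and thresholds are my own assumptions; a line the heuristics leave alone (the Navcot BHO, for instance, which the helper flagged from experience) is not thereby clean, which is why a reviewer still reads the whole log.

```python
import ipaddress
import re

# Sample HijackThis lines, constructed from the entries quoted in the post above.
SAMPLE_LOG = r"""
O1 - Hosts: 125.91.1.20 www.7322.com
O2 - BHO: Navcot Class - {116AE73A-7D10-4EC2-A46D-52CA50D5197F} - C:\WINDOWS\system32\inet.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.hwd" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKLM\..\Policies\Explorer\Run: [PC1] .vbe
O21 - SSODL: 3o9uf0l2 - {D6F81A3C-7092-B4D6-B4D6-5E7092B4D6F8} - C:\WINDOWS\system32\FMTAHOZG.dll (file missing)
O23 - Service: cfm - Unknown owner - C:\WINDOWS\system32\cfmom.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
"""

# Assumed policy: an autorun entry is expected to launch a plain .exe with a full path.
ALLOWED_AUTORUN_EXT = {".exe"}

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def command_target(cmd):
    """Program a Run value launches: the quoted path if present, else the first token."""
    m = re.match(r'"([^"]*)"', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def extension(path):
    """Lower-cased extension of a Windows path; handles bare names such as '.vbe'."""
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def triage_line(line):
    """Return the list of reasons this log line deserves a second look (empty if none)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("registered component whose file no longer exists")

    m = O1_RE.match(line)
    if m:  # a hosts entry is only benign when it points back at the machine itself
        try:
            addr = ipaddress.ip_address(m.group("ip"))
            local = addr.is_loopback or addr.is_unspecified
        except ValueError:
            local = False
        if not local:
            reasons.append(f"hosts entry sends {m.group('host')} to remote address {m.group('ip')}")

    m = O4_RE.match(line)
    if m:
        target = command_target(m.group("cmd"))
        ext = extension(target)
        if ext not in ALLOWED_AUTORUN_EXT:
            reasons.append(f"autorun launches non-.exe target ({ext or 'no extension'})")
        if "\\" not in target:
            reasons.append("autorun target has no full path (resolved via PATH, easy to hijack)")

    m = O23_RE.match(line)
    if m and m.group("owner").lower() == "unknown owner":
        reasons.append("service has no identified publisher")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; return [(line, reasons)] for flagged lines only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it flags six of the nine sample lines; the Java updater and the F-Secure service pass, and so does the Navcot BHO, which is the limit of what path-and-publisher rules can tell you without knowing the component.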
     
  6. yashica

    yashica Private E-2

    Hi Abri, and thanks again for replying to my query; it was of great help. I didn't have any problems with administrator rights this time while carrying out the procedure you asked me to follow.
    I restored the MS hosts file, no problems with that.
    Then I disabled all three services in services.msc as you'd asked me to.
    Next, while running HJT and deleting the NT services, after deleting FSMA and Boonty Games, I clicked on Restart Now by mistake. So when I rebooted the machine again, I deleted Netcom3 then.
    Then I closed the current HJT, re-ran it and performed the scan. But to my surprise, all the O1 entries which appeared last time didn't come up in the scan. I deleted all the other entries as you'd listed. And then I ran CCleaner. Attached is the log from another scan in HJT after fixing the previously checked entries (in the aforementioned scan). Just for the sake of it, I checked whether hidden file viewing was enabled or not, and was surprised to see it disabled, even though I didn't change the settings after the last time I read the Read and Run Me First forum. Please advise what should be done next. Thanks again.
     

    Attached Files:

    Last edited by a moderator: May 8, 2008
  7. abri

    abri MajorGeek

    Hi yashica!

    It's very important that you go through the instructions in the READ & RUN ME FIRST and run the scans we request there. When you finish, please attach the logs from the different scans. There's a list of the ones we want at the end.

    abri
     
  8. yashica

    yashica Private E-2

    Hi Abri, sorry, but I think I missed a point in your post. You see, your reply to my last query was mailed to my e-mail address, and this is it:
    -----------------------
    (removed info from previous posts)

    ---------------------------------------

    So I did exactly as it said, and didn't read the actual post, which was actually quite different from this one. And at the end you'd written to re-enable the antivirus and reconnect to the internet. The problem is that I did all the above steps while still connected to the internet, although I closed the Mozilla session before fixing the checked entries. And Kaspersky 7 was enabled the whole time. Please suggest what needs to be done, if this was indeed a problem. Thanks.

    Yashica
     
    Last edited by a moderator: May 8, 2008
  9. abri

    abri MajorGeek

    Hi yashica, :)

    I asked you to disconnect from the internet and disable your antivirus, because sometimes protection programs prevent a change from being made which we want you to make. From what you said, the changes you made worked so it's not important at all that you left your protection software running. It was good!

    So now, just to work on making sure that everything is out of your computer, I would like for you to go through the instructions in the READ & RUN ME FIRST and attach the requested logs. This will give me the information I need to see if there are further files which need to be removed so the malware won't get going again.

    Thanks.
    abri
     
  10. yashica

    yashica Private E-2

    Hi Abri, sorry I couldn't reply earlier, as I was not done with the scans. So this is all I did. Well, I had the same problem (administrator privileges) when I was doing the thing with msconfig as written in Read and Run Me First.
    The system stalled while shutting down after all the scanning with cf.exe. I also didn't get any log file for Spybot S&D. The rest all went normally. Since the system stalled while shutting down, I did this scan again and have saved the log for the second scan.
     

    Attached Files:

  11. yashica

    yashica Private E-2

    Hey Abri, it won't let me upload more than 3 files. I am attaching the second log file from cf.exe. Please advise as to what the next step should be. Hey, another thing: all these procedures also cured a couple of other problems in my system. For example, at startup I used to get error messages before, like some .dd file missing, etc., and that got corrected as well. There also used to be 2 windows each of Notepad (named desktop.ini, with some long file name written in it, ending with shell32.dll or something like that) and 2 windows of My Documents. The windows for My Documents don't pop up on startup any more, but the Notepad files still do. Is it another virus?
    Thanks again Abri, you're a savior. :)
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi yashica,

    I'm glad things are starting to get better. You still have some malware files showing in Combofix which I want to have you remove manually, but I very much need the MGTools logs. Please go to Using MGTools. After you install and run the tools, please attach the MGlogs.zip which you'll find located directly under C:\ as a file (not a folder).

    Thanks.
    abri
     
  13. yashica

    yashica Private E-2

    Dear Abri, thanks for being of such great help. I have attached the mglogs.zip file and another log from running MG Tools today. Please advise on the next step. Please also tell me about the Notepad pop-ups at startup of Windows, with filename Desktop.ini; it reads something like @%systemRoot%\system32\shell32.dll, -21787. This might not be accurate, because there could be a different formatting that I failed to comprehend. Thanks.

    Yashica
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi yashica,

    You have malware on your computer and I want to complete the instructions I have for you, but the set of zipped logs you gave me called MGlogs.zip precede the previous instructions I gave you, so all the files I asked you to remove before are still showing up in them. Please make a fresh set of logs so I can finish the instructions. To do this, go to the C:\MGTools folder and open it. Find the file called GetLogs.bat and double-click on it. Wait until it has stopped running. When it's finished it will give you a message like Hit any key to close the window. Do this. Then come back here and post something brief like "here are the logs". Before you submit this message, go to the Manage Attachments button and when you get to the browse button and click on it, look for the MGlogs.zip directly under C:\ After it uploads, you can submit your post. I need the newest logs in order to give you the correct instructions. You have some very bad malware on your computer and I would like to help you get rid of it. The instructions I need for you to run are almost in order, but it becomes very confusing if the instructions don't match the logs.

    If you're unable to produce the MGlogs.zip, please explain to me what is happening to prevent this.

    Thanks.
    abri
     
  15. yashica

    yashica Private E-2

    Hi Abri, I have attached the logs file as you asked. While the cmd.exe window was open and running, an error message dialog box popped up titled: ProcessDll.exe - Application Error and it read 'The application failed to initialize properly (0xc0000135). Click on OK to terminate the application'.
    After clicking on OK the scan completed message came in the cmd.exe message and asked to press any key as you'd said.
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi Yashica,

    Thanks for the fresh logs. Please continue as follows:

    1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

    After you click fix, just close hijackthis.

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  17. yashica

    yashica Private E-2

    Hi Abri, thanks for the procedure. I did exactly as you asked. The ProcessDll.exe thing appeared again while getlogs.bat was running on cmd.exe. The desktop.ini file opens the same 2 windows on bootup. There's a hidden file on my computer's C:\ named boot.ini, and there's also a file named desktop.ini in the programs section (Start - All Programs - here there is desktop.ini). Is it a problem?
    I've attached the files as you asked. Thanks again.
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi yashica,

    The procdll.txt log is missing, because you haven't downloaded the .NET Framework which is part of the Microsoft Updates. See this possible error message listed at the bottom of the instructions in Using MGTools:
    You can get that download from Windows Updates whenever you want to.


    Now, please do the following:

    1) Run CCleaner at the default setting with the Windows tab as the one on top.


    2) Next I would like for you to open Windows Explorer (right click on Start and click on Explore in the small menu that pops up)
    Navigate to the C:\Windows folder and click on the folder (not the + sign) to show the files on the right side of the window. Directly under Windows there should be a file with the date May 7, 2008. You can arrange the files in ascending or descending dates by clicking at the top of the dates column. Look at the files there and see if you can find one which is 5776 kb and which ends with the letters upd.dll. It will have something before the upd.dll, but we don't know what it is, because the y with the two dots over it as you see here is not a valid part of the file name. When you find it, right-click on it and delete it.

    C:\WINDOWS\
    ÿupd.dll May 7 2008 5776 "ÿupd.dll"




    3) Now I'm going to have you use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FILES::
    C:\Documents and Settings\Anil sharma\Local Settings\temp\nya.exe
    C:\Documents and Settings\Anil sharma\Local Settings\temp\nso3.tmp
    C:\Documents and Settings\Anil sharma\Local Settings\temp\nsw3.tmp
    C:\Documents and Settings\Anil sharma\Local Settings\temp\Rar$EX00.828
    C:\WINDOWS\system32:dlihost.exe
    C:\WINDOWS\iexplo~1.exe
    C:\WINDOWS\ptfb25~1.htm
    
    DIRLOOK:
    C:\WINDOWS\system32\28463
    
    REGISTRY::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f011acb-584d-11dc-a7b6-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{981495a5-0abf-11dd-942b-0013208ba15e}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e03a8bd-50d9-11dc-a7a7-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d88e2360-8133-11dc-a83c-0013208ba15e}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc43fb76-8c2b-11d5-a783-806d6172696f}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2563DA26-40A7-A641-3235-308CA13E866F}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) If you want the Windows update for .NET Framework you can do this by going to Start / Control Panel /Security Center - and look there on the left side of that window for the link to Look for updates at Windows Updates.

    5) Finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Combofix log.


    Let me know how things are running now?

    abri
     
  19. yashica

    yashica Private E-2

    Hi Abri, thanks for replying. Firstly, there's no file named yupd.dll (I searched *upd.dll); there's also no file of 5776 kb, there's one of 56 kb.
    The rest all went well, except that while cf.exe was rebooting the machine, it stalled, so I manually rebooted the machine after waiting for around 10 minutes. The logs you asked for are attached.
    I also downloaded .NET Framework 3.0 from Microsoft Updates; shall I directly install it, or go for 2.0 first?
    Hey Abri, another trouble since a couple of days. My internet's running really slow, despite being a broadband connection with a web accelerator (full version, activated, and its statistics show an increase in speed because of it as well, but even pages like Gmail, and even the Majorgeeks forum, take a long time to load). Please advise as to what can be wrong with this, as I checked with the broadband maintenance guys and they said there's no problem with the lines or server, so it must be the computer.
    Thanks.
     

    Attached Files:

  20. abri

    abri MajorGeek

    Hi yashica,

    Some files were removed by combofix, others not. Before we worry about your internet connection, let's continue as follows:

    1) Can you tell me what is in the following directory? You can open the folder, but don't click on any files. You can get some information by rightclicking on the folder and seeing what it says in Properties:

    C:\WINDOWS\system32\28463


    2) When I asked you to look for the following file in the last instructions, it had the date May 7th in your original log but May 8th in the logs after that. Can you find it and delete it based on this new information, and keeping in mind that it will not have exactly this name? It should not be 56 kb but smaller - closer to 5 or 6 kb. Again, you may have to do a search for *upd.dll within the WINDOWS directory. Alternatively, you can do a search of all files *.* that appeared on May 8, 2008 in the WINDOWS directory. To do this, you have to use the advanced option and for the date put May 8 2008 as both the beginning and end date.

    C:\WINDOWS\
    ÿupd.dll May 8 2008 5776 "ÿupd.dll"




    3) Also, can you find this file? You will need to do a search, again in WINDOWS, for a file called ptfb25*.htm It should begin with ptfb25 and have the date Apr 23 2008

    C:\WINDOWS\
    ptfb25~1.htm Apr 23 2008 0 "ÿpt.html"


    If you find the above files, please delete them!


    And now, please do the following:


    4) Now I'm going to have you use ComboFix again. Something you did last time worked partially, so I would like for you to continue with it and just let me know if you have to reboot yourself and if you get any error message again.
    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL:
    
    File::
    C:\Documents and Settings\Anil sharma\Local Settings\Temp\cch~570e96cbfd6.htp
    C:\Documents and Settings\Anil sharma\Local Settings\Temp\cch~570e98e2422.htp
    C:\WINDOWS\ÿupd.dll
    C:\WINDOWS\ptfb25~1.htm
    C:\WINDOWS\ upd.dll
    C:\WINDOWS\system32:dlihost.exe
    
    DirLook::
    C:\Program Files\Alwil Software
    
    Registry:
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2563DA26-40A7-A641-3235-308CA13E866F}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5) When you finish the above, please run CCleaner.

    6) Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Combofix log.


    Let me know how things are running now?

    abri
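Steps 2 and 3 above describe the same triage move twice: search the WINDOWS directory for files that share the infection date, a name pattern, or a size range, because the name in the log (the leading ÿ) cannot be typed exactly. As an added example, not code from this thread or from MGTools, the script below implements that search as a reusable function and runs it against a constructed stand-in for C:\WINDOWS in a temporary directory, with file timestamps set back to the dates quoted in the post. The file names and sizes in the sample tree are constructed; the only page values reused are the May 8 2008 date, the 5776-byte size and the *upd.dll pattern.

```python
import fnmatch
import os
import tempfile
from datetime import date, datetime


def find_files(root, on_day=None, name_glob=None, min_bytes=None, max_bytes=None):
    """Walk `root` and return the relative paths of files that pass every given filter.

    on_day     - date the file was last modified (compared in local time)
    name_glob  - case-insensitive shell pattern on the file name, e.g. "*upd.dll"
    min_bytes / max_bytes - inclusive size bounds
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            if on_day is not None and date.fromtimestamp(st.st_mtime) != on_day:
                continue
            if name_glob is not None and not fnmatch.fnmatch(name.lower(), name_glob.lower()):
                continue
            if min_bytes is not None and st.st_size < min_bytes:
                continue
            if max_bytes is not None and st.st_size > max_bytes:
                continue
            hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    r"""Constructed stand-in for C:\WINDOWS: a few files with backdated mtimes."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    samples = [
        # name, size in bytes, last-modified time
        ("\u00ffupd.dll", 5776, datetime(2008, 5, 8, 9, 30)),           # the one we want
        ("legitupd.dll", 56 * 1024, datetime(2008, 5, 8, 9, 31)),       # right name/day, wrong size
        ("pt.htm", 0, datetime(2008, 4, 23, 12, 0)),                     # zero-byte file from April
        (os.path.join("system32", "kernel32.dll"), 1024 * 1024, datetime(2004, 8, 4, 0, 0)),
    ]
    for rel, size, when in samples:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
        ts = when.timestamp()
        os.utime(full, (ts, ts))  # set both atime and mtime
    return root


if __name__ == "__main__":
    windows_dir = build_sample_tree()
    print("everything modified on May 8 2008:",
          find_files(windows_dir, on_day=date(2008, 5, 8)))
    print("*upd.dll between 5 and 6 KB on that day:",
          find_files(windows_dir, on_day=date(2008, 5, 8), name_glob="*upd.dll",
                     min_bytes=5 * 1024, max_bytes=6 * 1024))
```

Combining the three filters is what makes the search precise: the date alone returns every file touched that day, and the name pattern alone also matches the larger, unrelated *upd.dll, but date plus pattern plus size isolates the single file the post is after.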
     
  21. yashica

    yashica Private E-2

    Hi Abri, I did what you asked me to. I couldn't find any file named 28463 in system32; I even searched for it, but no such file or folder exists. The same goes for the ptfb25 file. There is a pt.htm file (also created/modified on Apr 23), though, but no file starts with the name ptfb25. I found upd.dll, and that's 6 kb and created/modified on 8 May '08, so I deleted it. The cf.exe scan this time didn't restart the computer and produced the log without restarting the computer. I didn't use the machine the entire time cf.exe was running. But since it had closed all the programs and even Explorer, I restarted the system manually. Then I ran CCleaner, and the MGTools logs are also attached. Thanks again Abri.
     

    Attached Files:

  22. abri

    abri MajorGeek

    Hi yashica,

    You did great with the files. Combofix got almost everything this time!

    Now we have a serious problem! You have 4 antivirus programs on your computer! You may only have one! You must remove three of these right away!

    For each of the following programs there is a different set of instructions for properly uninstalling it. Please choose the three you want to uninstall and follow the instructions. Be sure to leave the one you want to keep. If none of them are paid current versions, please keep Avast and remove the other three.


    The four programs you have are Avast, F-Secure, Kaspersky, Symantec


    Below are the removal instructions for each one. Choose which one you will keep before you start. Then if you have more than one running, disable it before you begin with the removal instructions. You need to keep the one enabled that you plan to keep on your computer.

    Avast

    Avast can be removed via add/remove programs. Only use the below instructions if you are unable to uninstall Avast using add/remove programs. (Again, only use the following instructions if you are unable to use add/remove programs to uninstall the program)

    avast! uninstall utility

    Sometimes it's not possible to uninstall avast! the standard way - using the ADD/REMOVE PROGRAMS in control panel.

    In this case, you can use our uninstallation utility aswClear.
    How to uninstall our software using aswClear.exe:

    1. Download aswClear.exe on to your desktop
    2. Start Windows in Safe Mode
    3. Open (execute) the uninstall utility
    4. If you installed avast! in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
    5. Click REMOVE
    6. Restart your computer


    F-Secure

    Q5. How do I uninstall F-Secure Internet Security 2008?

    To uninstall F-Secure Internet Security 2008, do the following:

    1. Click Start, and then Control Panel, and finally double-click Add or Remove Programs.
    2. Scroll down to your F-Secure Internet Security 2008 program and click Change/Remove.
    3. Once you are asked to restart your computer, restart it.


    Kaspersky 7.0

    Tutorial with pictures

    Go to
    How to Uninstall Kaspersky 7.0

    Scroll about 1/4 of the way down the page to find the beginning of the tutorial


    Symantec

    You need to run two tools. The first will remove the Norton Quarantined files and the second will remove the Norton Software itself. Use the following links:

    Removing Files from Norton Antivirus Quarantine

    Norton Removal Tool (SymNRT)


    When you have gotten rid of three of the programs, please run C:\MGtools\GetLogs.bat and attach the fresh C:\MGlogs.zip.

    Let me know how this went!

    abri
     
  23. yashica

    yashica Private E-2

    Hi Abri, I want to keep Kaspersky 7.0 as the antivirus program, as I have paid for its subscription as well and have heard that it gives good protection. I tried the methods you wrote for me. There's a huge problem: I can't get into Safe Mode. I try doing that while booting, a series of commands shows, but I am still taken back to the screen where I have to select the startup mode of Windows. I am not sure what the problem is.
    I checked in the Add/Remove list and couldn't find any of the three antiviruses there (Avast, F-Secure, or Symantec). As far as I remember, I had uninstalled them all at some time in the past, but as you said, it would not have been done completely because of the state of the computer.
    I downloaded the Avast cleaner and ran it in normal Windows only. It showed that Avast was removed, along with a couple of other things like browser extensions and registry entries, and that a few more things will be removed after restarting the computer.
    I can spot the F-Secure Internet Security folder in Program Files on C:\ but can't run the uninstaller given in the folder, as it gives an error saying "uninstall from add/remove programs", and I can't do that because I can't see the program there in its list.
    I remember using the Norton Removal Tool in the past. I can't find the Norton or Symantec folder, or any mention of them, in Program Files or in Add/Remove Programs, so I can't do the first step, i.e., removing files from quarantine. I've downloaded the file and can go ahead with the removal as you asked, if you suggest me doing that. Should I?
    Please also advise on what can be done with F-Secure Internet Security 2008, as I can't run the uninstaller in the folder and Add/Remove doesn't mention it. Also, what I did with Avast, was it okay or did I mess something up? Thanks
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only Kaspersky is actually installed. The others are not installed. You are just looking at left over folders.
     
  25. yashica

    yashica Private E-2

    Hey, I have tried searching for the folders but could only find the one for F-Secure Internet Security, and that won't let me uninstall it from there. So should I just delete the folder directly from Program Files? And I can't find anything for Symantec/Norton, so I can't do anything about files in quarantine with it, if any. Should I use the Norton removal tool anyway? Thanks.
     
  26. abri

    abri MajorGeek

    Hi yashica,

    Please do the following:


    1) First I want you to use ComboFix to remove the leftover files and folders from your previous antivirus programs.

    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
     
    Driver::
     
    FSrec
    FSfilter
    fsgk
     
    File::
     
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.ini
    C:\WINDOWS\system32\drivers\SYMEVENT.INF
    C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
    C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
    C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys
     
     
    Folder::
    C:\Program Files\Common Files\Symantec Shared
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Program Files\Alwil Software
    C:\Program Files\F-Secure Internet Security
     
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2563DA26-40A7-A641-3235-308CA13E866F}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    2) When you finish the above, please go to the Alternate Scans and find the Free Online Scanning Tools. Look for Eset and follow the instructions for running that.

    3) Please attach the logs for Combofix and Eset.

    Thanks.
    abri
     
    Last edited by a moderator: May 15, 2008
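The CFScript posted above is a plain text file split into "Name::" sections (KILLALL::, Driver::, File::, Folder::, Registry::). The following is an added example, not ComboFix's own code and not from the thread: it parses such a script into its sections so that every path and registry key can be reviewed before the file is dragged onto ComboFix. The sample script embedded in it is a constructed, trimmed copy of the one posted above.

```python
# Added example (not ComboFix's own code and not from the thread): parse a
# CFScript like the one above into its "Name::" sections so every path and
# registry key can be reviewed before the file is dragged onto ComboFix.
import re

# Constructed sample, trimmed from the script posted above.
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
FSrec
fsgk

File::
C:\WINDOWS\system32\drivers\SYMEVENT.INF

Folder::
C:\Program Files\Alwil Software

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return {section: [entries]}; flag sections such as KILLALL:: map to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:          # blank lines separate sections and are ignored
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_deletions(sections):
    """Keys written as [-HKEY...] are marked for deletion; return them bare."""
    pattern = re.compile(r"\[-(.+)\]")
    return [m.group(1) for e in sections.get("Registry", [])
            if (m := pattern.fullmatch(e))]
```

Running `parse_cfscript(SAMPLE_CFSCRIPT)` gives one list per section, which is enough to eyeball every target before ComboFix touches it.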
