virtumondo

While I look thru your logs you need to correct a couple things that you did not do in the READ ME.

First you have AVG7 Antivirus and McAfee installed. Make up your mind which your want to keep and uninstall the other immediately before doing anything else.


Also uninstall the below old Sun Java versions as requested:
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 3

I also suggest that you uninstall Mozilla Firefox (2.0.0.6) which is out of date. And then install the current version from the below link:
Mozilla Firefox

 

After completing the instructions in my previous message, continue with the below.


You did not put your PC into normal startup mode with MSconfig as requested in step 1 of the READ ME. You must do this now and stay in normal startup mode.

Is the below from something you installed? If not then delete this folder.
C:\Documents and Settings\helen\Application Data\VideoEgg

In the root folder of your C drive you will find about 500 or more files looking like the below tmp file. Delete ALL of them now.

Code:

pos3e3.tmp 3 Mar 2008 10033 "pos3E3.tmp"
pos3e4.tmp 3 Mar 2008 10033 "pos3E4.tmp"
pos3e6.tmp 3 Mar 2008 8033 "pos3E6.tmp"
pos3ff.tmp 3 Mar 2008 14033 "pos3FF.tmp"
pos400.tmp 3 Mar 2008 10033 "pos400.tmp"
pos401.tmp 3 Mar 2008 6033 "pos401.tmp"
pos402.tmp 3 Mar 2008 14033 "pos402.tmp"

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0330AEF1-BEC2-411B-A412-2A446347F058} - (no file)
O2 - BHO: (no name) - {0D9810E7-A78F-4667-95B8-97D20EED5115} - (no file)
O2 - BHO: (no name) - {10A76C00-8DC7-4B9A-9445-BA64862C5481} - (no file)
O2 - BHO: (no name) - {28B2A92D-2101-431E-B1AB-052153C2AAC6} - (no file)
O2 - BHO: (no name) - {33075A0E-F4F8-4940-9AEB-82AD8BFB90CD} - C:\WINDOWS\ssqrstur.dll (file missing)
O2 - BHO: (no name) - {46353FAF-9247-4522-9034-610A5865B383} - (no file)
O2 - BHO: (no name) - {4C26489A-3195-4881-AC27-853107352ED1} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9FCFA0AE-8FB0-470E-BF78-F64B9F1B9A16} - (no file)
O2 - BHO: (no name) - {A082D633-6443-42A1-A841-D1FD8DF691E1} - (no file)
O2 - BHO: (no name) - {A50D2A00-E76D-4791-857C-E357308CAAD6} - (no file)
O2 - BHO: (no name) - {b2cab164-d0aa-4840-9511-90f7e0b0c3f7} - (no file)
O2 - BHO: (no name) - {C4761869-6493-423E-B911-1586720F10C5} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: (no name) - {F52B7EE7-57BD-4B5A-8E18-A2949248280A} - (no file)
O2 - BHO: (no name) - {F85F3D4F-E370-4A54-B881-C2B616F12EFB} - (no file)
O4 - HKLM\..\Run: [fccaxvsrol] Rundll32.exe "C:\WINDOWS\system32\gebywwxu.dll",s
O4 - HKLM\..\Run: [xxwtqqnkhe] Rundll32.exe "C:\WINDOWS\ssqrstur.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ac31d9fd] rundll32.exe "C:\WINDOWS\system32\oaosjpiy.dll",b
O4 - HKLM\..\Run: [BMaf02ea61] Rundll32.exe "C:\WINDOWS\system32\wbaqmger.dll",s
O8 - Extra context menu item: &Search - ?p=ZKxdm053YYIE

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp\
C:\Documents and Settings\helen\Local Settings\Temp\

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

Okay just continue on with the next steps.

 

You appear to have not properly done what I asked you to do in message # 4 before doing message # 5. You still have AVG7.5 and McAfee installed. You must uninstall AVG 7.5 now since you appear to use McAfee.

Based on your logs it looks like someone may have started deleting files related to AVG 7.5, but that is not how you uninstall and leaves all kinds of issues behind. Which is probably the reason I still see both. So goto Add/Remove programs and uninstall AVG7.5 right now. This may or may not work properly since someone deleted files and folders for it. If it does not work, you will have to reinstall it, reboot, and then uninstall it. In reality the proper method would be to all uninstall McAfee before reinstalling AVG. This is the reason why we specify never to install more than one antivirus program. It can cause all kinds of problems.

It also appears that you did not reinstall FireFox from the link I gave to you. You should do this now if you use FireFox.

We still have malware to remove.



Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: (no name) - {33075A0E-F4F8-4940-9AEB-82AD8BFB90CD} - C:\WINDOWS\ssqrstur.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [fccaxvsrol] Rundll32.exe "C:\WINDOWS\system32\gebywwxu.dll",s

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run avenger.exe by double-clicking on it.

• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

You're logs are clean. If you are not having any other malware problems, it is time to do our final steps:

2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
4. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
5. If we had you run Avenger, you can delete all files related to Avenger now.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
8. If you are running Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome.

It may be that McAfee is your main reason for this; however I will give you a few things to try first.

First I have a question. Are you using a dial-up connection? I'm wondering about seeing NetWaiting loading at startup.


Uninstall the below:
Ad-Aware 2007 <-- not that effective and wastes too many system resources having a service running full time.
Norton Security Scan
SUPERAntiSpyware Free Edition <-- we are finished with this anyway
Windows Defender <-- the version for Win XP is not very good and slows PCs down

After doing all of the above. Are things any better?


Another question! Why do you always need the below running? Do you always use Ares 100% of the time? Why do you need this service ( AresChatServer )? Are you really using the ChatRoom?

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

 

You forgot to answer my question about NetWaiting.

No you have not according to your last logs. It is still installed and it is running. Let's remove it manually.

Now Copy the bold text below to notepad. Save it as FixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Then Click Start, Run, and enter regedit and click OK. This will open the Registry Editor.

In the Registry Editor click File and Import. Navigate to the FixME.reg patch you saved on your Desktop and double click on it. Click OK at the prompt to add to the registry. Do you get a success message for this?

Then reboot and after reboot, delete the below folder:
C:\Program Files\Windows Defender

First I suggest that you check within the program to see if there is an option/setting to disable that feature. If not, we can manually disable the service but I have no idea what effect it will have on the rest of the program. Let me know if you wish to try this.

Also is there any improvement from what we have done thus far?

 

What about on other websites? What about using another browser? Which browser are you currently using?

 

Try this Mozilla FireFox and tell me if your pages load slowly with it.

 

Then it is probably just due to what addons you have on IE.

 

This is not a topic for the malware forum since it is not malware. The concepy was covered in step 1 of the READ ME where it gave you the below link:

Dealing with Startup Processes

I will give you a few quick tips though but you will need to reinstall MGtools if you already deleted it per previous instructions.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Ares Chatroom server
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteAresChatServer into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now uninstall NetWaiting since you said you do not use it.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

After clicking Fix, exit HJT.



Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Your last MGlogs.zip file is incomplete. You need to make sure you allow the program to run thru to completion before closing the command prompt window.

Anyway how are things running?

 

You don't need to run MGtools.exe again. I said run C:\MGtools\GetLogs.bat by double clicking on it. You need to run Windows Explorer (not Internet Explorer) by right clicking Start and selecting Explore. Then navigate to the above folder and file and double click it. Then just wait for it to finish running. The download page for MGtools ( Using MGtools ) gives a snapshot of what it will look like when finished.

 

Why did you install Online Armor? You already had McAfee installed and it has its own firewall. Uninstll Online Armor now unless you plan on totally dumping all of McAfee. I also suggest that you uninstall A-Squared. After doing this, reboot. Then please explain what malware problems you are having if any since I don't see any malware.

 

The main item that is slowing down startup is more than likely all the stuff McAfee is loading at startup. You don't have a lot of other programs loading.