comp. bogged down

Run this procedure: WareOut Removal


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>;localhost
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{71E14568-8BF3-47AE-87D9-35C7D2145D6B}: NameServer = 85.255.113.126,85.255.112.105

After clicking Fix, exit HJT.

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode

Now locate the below file and delete it if found:
C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url

Now please download the current version of ShowNew which was just updated to fix a bug! Use it from now on.

Now attach the below new logs and tell me how the above steps went.

1. FixWareOut log
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!
Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Do you mean when your PC first starts up or do you mean anytime you load any process?

Please check to see if the below file exists. If found, delete it:

C:\Windows\system32\cstgm.exe


Did you elect not to fix the below line? Do you need it for something?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>;localhost

 

What does the ad say?

First make sure they do not appear in Add/Remove programs. If they do then uninstall them. If they don't appear in Add/Remove programs, just have HJT fix the lines.

 

Sounds like you just have something loading a wallpaper image file before loading you regular background. This may be due to something you downloaded and installed. Have you been downloading using P2P or Torrent programs?

Try doing the below but I'm not sure this will address this issue.

• Right click on your Desktop and select Properties.
• Then click the Desktop tab and then the Customize Desktop button.
• Now in the next window that comes up click the Web tab.
• Make sure at the bottom that Lock desktop items is unchecked.
• Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too.
• Then click OK. Apply. OK.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Any change?

 

The changes we are making are only temporary to see if we can locate what is causing your problem. While somethings that we may have to run may cause your background/wallpaper to disappear, you will be able to set them back to what you want later.

 

Sorry! I forgot that! Use these steps:

• Right click on your Desktop and select Properties.
• Now in the next window that comes up click the Web tab.
• Make sure Show Web content of my Active Desktop is unchecked
• Then in the box below delete all items but My Current Home Page and make sure it is unchecked too.
• Then click OK. Apply. OK.

Then continue on with the registry patch.

 

Download Registry Search (see the link titled
RegSearch Download Link )

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• Enter wallpaper in the top area of the form and then click "Ok".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
• Attach this file to your next reply.
• Be patient! It takes a little while for this to run.

 

Try the below!


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Any change?

 

I forgot something! If the previous fixME.reg patch does not work. Try the below patch.


Now Copy the bold text below to notepad. Save it as fixWP.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

 

Did you also run the other fixME.reg patch first?

 

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!