Advert Window popup problem

You need to remove (delete) these two files:

C:\windows\system32\dxvid.exe
C:\program files\infxp\infxp\infxp.exe

Please copy the text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run HijackThis and select Do a system scan only. Look for the below lines (you may not always find both of them) and select them but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /nocomm
O4 - HKLM\..\Run: [dxvid] c:\windows\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [mplay64] c:\program files\common files\system\mplay64.exe /noerrorinfo
O4 - HKLM\..\Run: [gdimx] c:\windows\system32\gdimx.exe /nocomm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)

After clicking Fix, exit HJT.

Attach new logs for:
GetRunKeys
ShowNew
HJT

 

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

* First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

* Please reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

* Still in Safe mode,

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:

* Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
* If you have any infections you will prompted, then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the C:\rapport.txt, the AVG Anti-Spyware report scan and a new hijackthis log, please.

 

I'm not seeing any indication that you have run Spybot as per the Read and Run Instructions.

Go to add remove programes in your control panel. Uninstall anything to do with (if there):

Macrogaming

Click start/run and type "regsvr32 /u C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll" without the quotes into the run box and press the enter key.


Run HijackThis and select Do a system scan only. Look for the below lines (you may not always find both of them) and select them but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [infxp] c:\program files\infxp\infxp.exe /nocomm
O4 - HKLM\..\Run: [ravideo] c:\windows\system32\ravideo.exe /nocomm
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

After clicking Fix, exit HJT

Locate and delete the following bold files(if there).

C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
C:\program files\infxp
C:\windows\system32\ravideo.exe


Please attach new logs for:
GetRun
ShowNew
HJT

And tell me how things are running.

 

Yes, you need to uninstall all but one anti-virus. We are finished with Counterspy and it's your choice as to which of the others to keeps (noting that Norton is a real resource hog and may be difficult to uninstall. (Norton Removal Tool).

As a final clean up ..run HJT and remove these two items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt
.yahoo.com/%3f

attach new logs for:
ShowNew
GetRun

 

You are looking good.
Delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
C:\Documents and Settings\username\Local Settings\Cookies\

You will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

No Problem ....Please be sure to read the sticky called How to Protect yourself from malware!