I dont know what else to do.

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

 

Please go to Add/Remove programs and uninstall the following software:

• Messenger Plus! Live
• Java(TM) 6 Update 20

Your zipped log is missing the Hijackthis log. Use Windows Explorer (My Computer) to navigate to C:\MGtoools\analyse.exe and double click on it to run it. Do you see a license agreement? If yes, you must click the Accept button Twice.

Do a System scan only and save a log file. Attach this log as well as other logs I may request at the end of the fix.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Folder::
c:\documents and settings\All Users\Application Data\STOPzilla!
c:\program files\Common Files\iS3

File::
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\config\systemprofile\Application Data\ovczpx.dat
C:\WINDOWS\system32\2456979063.dat
C:\WINDOWS\system32\tmp42034.FOT
C:\WINDOWS\system32\tmp4D234.FOT
C:\WINDOWS\system32\tmp89654.FOT
C:\WINDOWS\system32\tmpBB134.FOT
C:\WINDOWS\system32\tmpFE034.FOT
C:\Documents and Settings\Administrator\Local Settings\Temp\71.tmp

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the HJT log.

Let me know how things are running, please.

 

A slow computer is not always due to malware:

Please explain what operations are slow! For example answer the below:

• Is boot up slow?
• Is shutdown slow?
• Is browsing/surfing slow?
• Is downloading slow?
• Is running any application?
• Is it also slow in safe boot mode?
• Also are any process showing in Task Manager to be using a lot of CPU time?
• Anything else slow?

...Reviewing your last set of logs now.

 

Have you recently downloaded any fonts lately? I am seeing the below in your logs, they could be legit but I just want to be sure they aren't something weird.

• C:\WINDOWS\system32\tmp42034.FOT
• C:\WINDOWS\system32\tmp4D234.FOT
• C:\WINDOWS\system32\tmp89654.FOT
• C:\WINDOWS\system32\tmpBB134.FOT
• C:\WINDOWS\system32\tmpFE034.FOT

Please go to Jotti's malware scan

(If more than one file needs scanned they must be done separately and logs posted for each one)

• Copy the file path in the below Code box:
  
  Code:

  C:\WINDOWS\system32\tmp42034.FOT

• At the upload site, click the browse button.
• Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
• Your file will possibly be entered into a queue which normally takes less than a minute to clear.
• This will perform a scan across multiple different virus scanning engines.
• Important: Wait for all of the scanning engines to complete.
• Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Then do the same for the below files and also let me know the results:

Code:

C:\WINDOWS\system32\tmpFE034.FOT
C:\WINDOWS\system32\tmpBB134.FOT

Your last combofix log was incomplete, please ensure that you do indeed let it run to completion and leave the keyboard and mouse alone until it has finished running.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
C:\WINDOWS\System32\drivers\kgpcpy.cfg
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Use windows explorer to delete leftovers from avast!

• C:\Documents and Settings\All Users\Application Data\Alwil Software

I see you were very recently using avg but that it is uninstalled now but has left behind remnants. I suggest you run the Official AVG Removal Tool

Make sure you also delete any AVG folders in Program Files and Documents & Settings/Application Data directories.

Now Run Ccleaner.

Then install some anti virus and do a complete scan with it for your own peace of mind.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Also include the jotti results.

 

We will get to addressing this shortly. In the meantime, what about attaching fresh logs after following my previous instructions?

and answering my questions about the fonts.

 

Yes, attach the remaining log and we can continue.

 

J2SE Runtime Environment 5.0 Update 6 <--- uninstall this

Now download The Avenger by Swandog469, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Don't forget to install antivirus when we are finished here!!

 

Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

Now run CCleaner.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

This still occuring? If so I'll ask Chaslang about it and he will for sure be able to help.

 

Yes this is not a malware problem. Normally this happens when the desktop.ini file in your Startup folder is not set to be a hidden-system file. You need to change the attributes on the below files to be hidden and system.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


To do this, you can copy and paste the below commands into a command prompt window or alternatively just

attrib +s +h C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

attrib +s +h C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

 

You can access the hidden files by going to the control panel, click on folders, and under the view tab is where you can check the box to not view hidden files and folders.

 

Not the issue and not what we are trying to do.

 

Put quotes around the file paths so the commands look like below:

attrib +s +h "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini"

attrib +s +h "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini"


Did that work okay? If yes, see if you still have the popup you have been having trouble with.

 

You're welcome.

Glad to hear you found your problem.

Make sure you have completed the final instructions Kestrel13! gave you back in msg # 15.