partypoker and other ad popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tukko, Aug 19, 2006.

  1. Tukko

    Tukko Private E-2

    Hi,

    My PC was infected by the file located in c:\windows\dGhobw\command.exe.

    I managed to remove it using various tools like Look2Me removal, etc.

    Right now when I scan with Spybot, HijackThis and the Microsoft Malicious Software Removal Tool the result is clean.

    I have even run Qoofix and VundoFix. But I am still getting popups, especially from partypoker. I am at a loss at the moment.

    Please assist.

    Thanks
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post the logs from Bitdefender Online and Panda ActiveScan.
     
  3. Tukko

    Tukko Private E-2

    Hi

    I was only able to complete the Bitdefender scan. When I ran the Panda ActiveScan my PC kept rebooting in the middle.

    Please advise on my next steps, as even after the Bitdefender scan and removal of the infected files the popups still appear.

    Thanks
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HijackThis is not in the location specified. Right-click on the underlined text and Save Link as to your Desktop. Move_HijackThis.vbs

    Double-click Move_HijackThis.vbs on your Desktop. This script will move HijackThis to the proper location. DO THIS before you continue with my instructions. Once HijackThis has been moved to C:\Program Files\HJT rename hijackthis.exe to analyse.exe.

    Your HijackThis log is very incomplete; if you are editing it, don't.

    Post an unedited, fresh HijackThis log from Normal mode.
     
  5. Tukko

    Tukko Private E-2

    Hi,

    When I right-click and try to save the file or open it, I get a "file not found". Is the link right?

    I have moved my HijackThis to Program Files\HJT manually and rerun it, and the result is the same.

    No, I am not editing my HijackThis log file. If I did, we wouldn't be able to fix the problem.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You did not rename hijackthis.exe to analyse.exe. This is very important; there are infections that hide from HijackThis and detect that it is running by its name.

    Do so now and post a fresh HijackThis log.
     
  7. Tukko

    Tukko Private E-2

    Hi,

    I did. I have both files, one named analyse.exe and the other hijackthis.exe.

    And I ran it again using analyse.exe and below is the fresh log file.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  9. Tukko

    Tukko Private E-2

    Hi,

    When I click on Remove/Change for Search Bar in Add or Remove Programs, nothing happens. Is there a manual way to get rid of this?

    Or can I continue if this is not removed?

    Lastly, where can I get a copy of Pocket Killbox? Or what is Pocket Killbox?

    Thank you
     
  10. Tukko

    Tukko Private E-2

    Hi,

    I am unable to uninstall the Search Bar from Add or Remove Programs. Do I continue with the rest of the steps, or must this removal occur before I can continue?

    Thank you
     
  11. Tukko

    Tukko Private E-2

    Hi,

    Below are my actions.

    >>Using Add or Remove Programs in the Control Panel; uninstall the following:
    Search Bar

    Failed. Unable to remove.


    >>Now run Pocket Killbox:
    >>Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    No error message was obtained here.


    >>Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

    Most of the files were not found at the specified location. Presume deleted. But on later inspection I found them located at C:\!KillBox.

    Do I manually delete the files here?

    Did all steps as instructed. Rebooted to Normal Mode, but popups still appear. Below is the latest HijackThis log file.

    Thank you
     

    Attached Files:

  12. Tukko

    Tukko Private E-2

    Hi,

    Ah... what happened? I am waiting for any help.
     
  13. Tukko

    Tukko Private E-2

    Hi

    I am still waiting for your next advice.

    More info: I discovered that there was a Bloodhound virus in my Norton AntiVirus quarantine. I removed that manually. Right now my anti-virus is unable to complete a scan of my PC. I believe it goes into some infinite loop.

    Please advise.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry Shadow has not been available much in the last day and the rest of us have been very busy!

    Use Your Uninstaller! 2006 to uninstall it.


    Download it here: Pocket KillBox

    [Edit] I see you have already found Pocket Killbox! Just make sure you have the correct version! [/Edit]

    Your HJT log is clean! Are you still having problems?
     
  15. Tukko

    Tukko Private E-2

    Hi,

    Thank you for the uninstaller. I managed to uninstall the Search Bar, and ran autofix and removed another corrupted piece of software: Yahoo.

    I ran HijackThis again and this line keeps reappearing even after removing it.

    >>O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Right now I still get the popups. Below is a copy of my latest hijack.log.

    I am going to run the bitdefender scan again.

    Thank you
     

    Attached Files:

  16. Tukko

    Tukko Private E-2

    Hi

    Each time I do a Bitdefender scan I get this same result:

    C:\Documents and Settings\..Local Settings\Temporary Internet Files\Content.IE5\SPGL4107\popup[1].htm
    C:\Documents and Settings\......\Content.IE5\..\send_car_int[1].htm


    Detected with: Application.JS.ForcePopup.A
    Infected with: Exploit.Html.Codebase.Exec.Gen

    And there are also lots of popups.

    How do I permanently remove all these viruses?

    Thank you
     
  17. Tukko

    Tukko Private E-2

    Hi,

    The Bitdefender scan was not able to complete as the PC reboots. And the popups reappear.

    Please assist. I am waiting for any advice.

    Thank you
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running Bitdefender in Safe Mode or normal boot mode? Try the other mode and then please attach a properly formatted full log from Bitdefender as requested in step 6 of the READ ME (just like you did in message #3).

    Also run this: Disable/Remove Windows Messenger to remove Windows Messenger.

    Also please install, configure and run Spybot Search & Destroy as requested in the READ ME.
    Also install and run Windows Defender as requested in the READ ME, and if for some reason you cannot install it, you are supposed to install and run CounterSpy and attach the log from it. Make sure you fix whatever is found (do not ignore bad items).

    Now go to the below link and install one of the firewalls listed in step 3:

    How to Protect yourself from malware!


    Now attach new logs from GetRunKey and ShowNew.
     
    Last edited: Aug 23, 2006
  19. Tukko

    Tukko Private E-2

    Hi,

    I ran Bitdefender in Safe Mode and obtained the results below.

    I then ran the Panda scan in normal mode. Below are also the log files.

    I also ran Windows Defender in normal mode and the scan is clean.

    I have removed all the files in the Cookies directory. What about the rest of the files?

    What is this line that keeps appearing in my HijackThis logs even after fixing it?
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    What are my next steps? Do I reboot, or must I disable System Restore before I reboot?

    Please advise. Waiting for your advice.
     

    Attached Files:
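The `O4 - HKLM\..\Run` line asked about in this message and in message 15 is HijackThis's view of the registry Run keys, and the Killbox step in message 8 mentions the `PendingFileRenameOperations` prompt. The following PowerShell script is an added example, not code from this thread or from any of the tools named in it: it lists the same autorun entries, resolves each command to a file on disk, and reads the pending rename/delete queue so the reader can see what is scheduled to happen at the next reboot. It assumes the four standard Run/RunOnce keys and a Windows version that has PowerShell; it is read-only and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the autorun entries
# HijackThis reports as O4 lines, plus the delete-on-reboot queue.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Resolve a command's executable; tries the bare path and the path with .exe
# appended (Run values often omit the extension, e.g. "...\system32\dumprep 0 -k").
function Resolve-Executable([string]$path) {
    foreach ($candidate in @($path, "$path.exe")) {
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return (Resolve-Path -LiteralPath $candidate).Path
        }
        $app = Get-Command $candidate -CommandType Application -ErrorAction SilentlyContinue
        if ($app) { return $app.Definition }
    }
    return $null
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            # Expand %systemroot%-style variables so the path can be checked on disk
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Take the quoted program, or the first token, as the executable path
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $resolved = Resolve-Executable $exe
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Command      = $cmd
                Resolved     = $resolved
                InSystemRoot = ($resolved -ne $null -and $resolved.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase'))
            }
        }
    }
}

# PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs;
# an empty destination means "delete at boot" (this is what Killbox's
# Delete on Reboot option queues).
function Get-PendingFileRenames {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $val) { return @() }
    for ($i = 0; $i -lt $val.Count; $i += 2) {
        $dest = if ($i + 1 -lt $val.Count) { $val[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $val[$i]
            Destination = $dest
            Action      = if ($dest) { 'rename' } else { 'delete' }
        }
    }
}

Write-Host "Autorun (Run/RunOnce) entries:"
Get-AutorunEntries | Format-Table Name, Command, Resolved, InSystemRoot -AutoSize

Write-Host "Operations queued for the next reboot:"
Get-PendingFileRenames | Format-Table -AutoSize
```

An entry whose `Resolved` column is empty points at a file that no longer exists (a leftover from a removal), while an entry that resolves outside `%SystemRoot%` or `Program Files` is the kind worth looking up before fixing it in HijackThis; the script does not decide which entries are malicious, it only gives the facts the thread's participants were asking each other for.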

  20. Tukko

    Tukko Private E-2

    Hi,

    PS:
    I have also run Spybot in Safe Mode.
    >>Also please install and configure and run Spybot Search & Destroy as requested in the READ ME.

    And it reports no errors.

    Thank you
     
  21. Tukko

    Tukko Private E-2

    Hi,

    I forgot to post these 2 files: GetRunKeys and ShowNew.

    Can someone just work with me to resolve this rather than me guessing and deleting stuff from the cache and Cookies directory? I am still getting those popups. But I think we have made some progress.

    Thank you.
     

    Attached Files:

  22. Tukko

    Tukko Private E-2

    Hi,

    I am still waiting for your advice.
     
  23. Tukko

    Tukko Private E-2

    Hi,

    Please reply on my next steps to take.
     
  24. Tukko

    Tukko Private E-2

    Hello,

    Please help.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are basically clean other than a few things.

    Bitdefender found a strangely named file it could not delete. You will have to figure out what this is and delete it:
    F:\disk\01\yanhan001\NaomiÖ®÷ÈÁ¦»¤Ê¿.txt


    Panda found the two files below that you should delete:
    C:\WINDOWS\keyboard1.dat
    C:\z-winzip\39 p2 ARMY SURVIVAL MANUAL CD\ccoud.dll.bak
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The above is
    This is not malware!


    Are you still getting popups? If so, what is in the popups? Is there a URL given? If so, what?
     
    Last edited: Aug 25, 2006
  27. Tukko

    Tukko Private E-2

    Hi,

    Thanks for your reply.

    I have deleted the files below.

    >F:\disk\01\yanhan001\NaomiÖ®÷ÈÁ¦»¤Ê¿.txt
    >C:\WINDOWS\keyboard1.dat
    >C:....CD\ccoud.dll.bak

    Yes, I am still getting ad popups, and they come from various places.

    The strange thing is, each time I scan and clear the
    1. Internet Temporary directory
    2. Cookies directory

    when I reboot, the same stuff gets back there and Bitdefender always reports this:
    C:\Documents and Settings\..Local Settings\Temporary Internet Files\Content.IE5\SPGL4107\popup[1].htm
    C:\Documents and Settings\......\Content.IE5\..\send_car_int[1].htm

    Detected with: Application.JS.ForcePopup.A
    Infected with: Exploit.Html.Codebase.Exec.Gen

    It is like something is installing itself on reboot, and adware, and the rest of the software is unable to clean it.

    Thank you.
     
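The files Bitdefender keeps reporting in this message and in message 16 sit under the Internet Explorer cache (Content.IE5), and the user suspects they are re-created on every reboot. As an added example, not from this thread, the PowerShell script below lists the cached .htm/.html files and marks those written after the last boot, which is a direct way to check that suspicion before deleting anything. It assumes the Windows XP cache path under the user profile (with a fallback for newer layouts), uses WMI for the boot time, and is read-only.

```powershell
# Added example (not from the thread): which cached HTML files were written
# since the last boot? Read-only; nothing is deleted.

# XP-era location of the IE cache (assumed); newer Windows keeps it under LOCALAPPDATA
$cacheRoot = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files\Content.IE5'
if (-not (Test-Path $cacheRoot) -and $env:LOCALAPPDATA) {
    $cacheRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5'
}

# Last boot time from WMI (Win32_OperatingSystem.LastBootUpTime is a DMTF date string)
function Get-LastBootTime {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
}

function Get-CachedHtmlSinceBoot {
    param([string]$Root = $cacheRoot)
    if (-not (Test-Path $Root)) {
        Write-Warning "Cache folder not found: $Root"
        return @()
    }
    $boot = Get-LastBootTime
    # -Force is needed because the cache folders and files are hidden/system
    Get-ChildItem -Path $Root -Recurse -Force -Include *.htm, *.html -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File             = $_.FullName
                LastWrite        = $_.LastWriteTime
                WrittenAfterBoot = ($_.LastWriteTime -gt $boot)
                SizeBytes        = $_.Length
            }
        } | Sort-Object LastWrite -Descending
}

Write-Host ("Last boot: {0}" -f (Get-LastBootTime))
Get-CachedHtmlSinceBoot | Format-Table WrittenAfterBoot, LastWrite, SizeBytes, File -AutoSize
```

If the flagged files reappear with a `WrittenAfterBoot` of True while no browser window has been opened, something on the machine is fetching pages on its own and the cache entries are a symptom, not the cause; if they only reappear after browsing, the cache is simply recording pages served by the popup source, which is the distinction chaslang's question about the popup URLs in message 26 is getting at.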
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Way back in message number 18, I instructed you to do the below BEFORE attaching new logs from GetRunKey and ShowNew:
    When are you going to follow this instruction?
     
