Hello, do you see a bad pattern there in the AVG Anti Spyware log? Cracks, along with P2P programs, are leading causes of infected machines.
If those crack zip files still remain on your system, I strongly recommend you delete the lot of them. Frankly, I'd consider nuking the entire My Downloads folder.
I know that last set of scans took some time, but we're not done yet. You've got signs of worms and backdoors on your system.
Your popups should be resolved, though.
I'll advise you on the tools to keep or discard once we're done.
----------------------------------------------------------------------------------------------
CLEAR & RESET SYSTEM RESTORE'S CACHE
Go to Start >> Run - type or copy/paste
control sysdm.cpl,,4 & press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK
---------------------------------------------------------------------------------------------
Windows Defender
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
- Open Windows Defender.
- Click on Tools>Options.
- Scroll down and uncheck "Use real-time protection (recommended)".
- After you uncheck this, click on the Save button and close Windows Defender.
----------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist
(make sure you do not miss any) and click
Fix Checked
O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\bob\APPLIC~1\SUPPOR~1\drvwarnhide.exe
Close HijackThis now.
---------------------------------------------------------------------------------------------
Go to Start>Run and copy/paste the following:
sc delete "Service Cvas"
Then press Enter.
Again,
Go to Start>Run and copy/paste the following:
sc delete "Email AV"
Then press Enter.
---------------------------------------------------------------------------------------------
Copy and paste the following into Notepad (don't forget to copy and paste
REGEDIT4):
Quote:
REGEDIT4
[-hkey_current_user\software\Fun Web Products]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]
|
Save the file as "
delete.reg". Make sure to save it with the quotes. It should look like this:
Close Notepad.
Double click on the
delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
---------------------------------------------------------------------------------------------
* Download
Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe We'll use this in safe mode.
Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.
---------------------------------------------------------------------------------------------
Delete the following if they exist:
c:\windows\system32\in10b6s.dll
c:\windows\videoc.ocx
C:\WINDOWS\email-av.exe
C:\WINDOWS\csvas.exe
C:\tdd.exe
---------------------------------------------------------------------------------------------
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
---------------------------------------------------------------------------------------------
Once back in normal mode, please do this:
Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
Please download
SmitfraudFix (by
S!Ri) to your Desktop.
Double-click
smitfraudfix.exe to start the tool.
Select option
#1 -
Search by typing
1 and press
"Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
Please return with results from:
DrWeb
HJT
SmitfraudFix (C:\rapport.txt)