CID pop ups and other problems

[gagik]

Hi All,
Lately, i am having some CID pop ups in my ie 7, it appeared after i have used netpumper, i uninstalled it, but pop ups are still there. I followed all steps of the forum and attaching my reports. By the way just before posting this message i began to have another problems:
1. I found out svchost.exe process in my task manager with 99% cpu and it was blocking my taskbar, i just disabled this process, so that can write to you now.
2. processes in my task manager does not show user name of most processes.
I hope you will help to solve my problems, though they can also be caused by overheating problem of my laptop lately.
THANKS IN ADVANCE
Olim

 

[howard_hopkinso]

Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

0072701169858163mcinstcleanup

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

2 that delete.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKCU\..\Run: [SIZECLOCK] "C:\DOCUME~1\Olim\APPLIC~1\BIRDSO~1\2 that delete.exe"

O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://ochadms.unog.ch/qp2.cab

O16 - DPF: {09CC593B-E8A9-4491-927D-A3E33534DDD4} (InstallerObj Class) - http://www.1-click.com/common/files/installer2.cab

O20 - Winlogon Notify: winmby32 - winmby32.dll (file missing)

O23 - Service: 0072701169858163mcinstcleanup - - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\DOCUME~1\Olim\APPLIC~1\BIRDSO~1<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of gagik only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[gagik]

Hi Howard,
I did wveruthing and here comes fresh HJT report
THANKS
Olim

 

[momok]

Hi,

(just helping out since the log looks more or less pretty clean to me)

Run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked":

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6009\SAService.exe (file missing)


Should you have any further problems please repost in this thread.

 

[gagik]

Hi there,
i got rid of pop up problem, but now i have this problem with svchost.exe with 99% cpu and around 65000 k of memory use, it freezes taskbar and i have to disable the process, but then video or audio problems occur. now the view of taskbar also has changed and it shows all shortcuts in a row.
i am attaching my HJT log file,
Thanks
Olim

 

[howard_hopkinso]

Your HJT log is clean. However, momok told you to fix some stuff that shouldn`t be fixed.

Run AVG Antispyware and disable the resident shield.

Run HJT and click the config button, followed by the backups button. Place a tick in the little box next to these entries.

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?<This one is optional

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6009\SAService.exe (file missing)

Click the restore button and click yes. Reboot your system and post a fresh HJT log.

Regards Howard

This thread is for the use of gagik only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Oh my. I'm terribly sorry.

I think I should clarify, what difference does it make when the entries with files missing are cleared?

 

[gagik]

Hi Howard,
Here is updated HJT log, I still have the same problem, but this time it dropped to 0% by itself after some time. Though I still have strange view of taskbar.
Thanks
Olim

 

[howard_hopkinso]

Your HJT log is clean, though the O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) entries seem not to have been restored. Try restoring those entries again.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

momok: Some 09 entries say file missing when in fact there are no files missing. That is due to a small bug in HJT. It`s exactly the same with 023 entries. they often say filemissing, when there are no files missing. It`s very important that you know which entries should be fixed and which should not, particularly with 023 services.

Regards Howard

This thread is for the use of gagik only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Wow thanks..

May I also enquire where to find out what entries with (file missing) should and should not be fixed?

 

[howard_hopkinso]

That comes from experience I`m afraid. If you`re not sure about something, ask.

Regards Howard

This thread is for the use of gagik only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[gagik]

Hi Howard,
I could not find two entries you mentioned in back up list, they must have been restored, though they are missing in HJT logs, I ran several times HJT and could not find them there either.
Here comes Autoruns log file.
Thanks,
Olim

 

[howard_hopkinso]

I can`t see anything bad in your Autoruns log.

Go and read this thread HERE and see if it helps with the high cpu usage.

I`m not sure what`s causing your taskbar image problems. Could you post a pic for us?

Regards Howard

This thread is for the use of gagik only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[gagik]

Hi Howard,
Here is link for picture
http://rapidshare.com/files/25451977/image_of_taskbar.JPG.html

 

[howard_hopkinso]

That pic looks normal to me, unless I`m missing something?

Regards Howard

This thread is for the use of gagik only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[gagik]

Hi Howard,
Thanks for your help.
It seems that for now everything is fine.
olim