Registry protection questions



#1
drmull

Hello - I had just gotten my system rocking with the help of this forum when I got hit with some sort of adware problem. It seems to be related to Dsi (dp-him) running at startup and putting bad stuff all over the place. I don't have a hijacked browser or Vx2 (as far as I know) but just those recurring popups telling me my PC's infected and opening a site about anti-spyware. I can see the process running in Task Manager (qjrkvy.exe) but it prevents me from ending the process by greying out the Task Manager screen!

I've run AdAware and SpySweeper & deleted every single registry entry, exe, and dll shown and emptied the prefetch & temp file folders. In safe mode the system is now clean according to these programs.


In case this doesn't solve the problem & I still get desktop popups, etc. - will a repair install of WinXP replace the corrupted registry with a new, uninfected one??

WinCrazy & Gerryf guided me through a repair install before - I feel OK about doing it again.

BTW - If I clean the registry under my profile, do I have to restart under every name on my system and clean those too?? Does each user have a different registry??

THANKS
#2
Retired Tech

Determination: Bad

QJRKVY.EXE
AUTOMATED MALWARE PROFILE, ANALYSIS, REMOVAL AND SIGNATURE INFORMATION:
DEFINITION OF: QJRKVY.EXE

Safety Rating: Known Malware, do not run

Malware Family: Part of Malware group - Adware DailyToolbar

Malware Form: EXPLOIT

Protection: Prevx1 will protect, disinfect, cleanup and remove QJRKVY.EXE

Non Prevx Users: New users may cleanup and remove QJRKVY.EXE for free using the regular Prevx1 download

First seen: Jun 6 2006 (GMT)

Last seen: Today (GMT)

File Size: 13,312 bytes

MALWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY

1. COVERT ANALYSIS OF: QJRKVY.EXE

File Names Used: 210

Paths Used: 21

Common File Name: QJRKVY.EXE

Common Path: %WINDIR%\SYSTEM32\

Vendor Information: No Vendor details specified

Version Information: 1.00

QJRKVY.EXE may use 210 or more path and file names, these are the most common:

1 :%windir%\system32\!!!!\WINFLASH.DLL

2 :%WINDIR%\SYSTEM32\WINFLASH.DLL

3 :%WINDIR%\SYSTEM32\XXX_QJRKVY.EXE

4 :?:\system volume informat...tore{?sid?}\rp{folder}\A0074927.EXE

File Name Structure: Common

File and Path Structure: Suspicious, unusually high number of file and path combinations

2. RELATIONSHIP ANALYSIS OF: QJRKVY.EXE

Malicious Objects Created: 1 objects

Malicious Creators: 2

Malware Run Keys: None

Self Persists:

Antivirus Detection: No third party antivirus detection observed

Anti-Spyware Detection: No third party anti-spyware detection observed

3. ACTIVITY ANALYSIS OF: QJRKVY.EXE

The following behaviors have been observed for this object:

Installs programs.

Runs other programs.

Hijacks running processes.

Creates known malware.

4. PROPAGATION ANALYSIS OF: QJRKVY.EXE

Malware Group Propagation Rate: Epidemic levels

Malware Group: Adware DailyToolbar

Copyright Prevx Limited 2005, 2006

http://fileinfo.prev...QJRKVY.EXE.html

Please follow the procedures outlined here: Malware Removal Guide

You will need a PC which can connect to the internet

Run all the programmes as advised then post a current Hijack This Log in a new topic in the Malware Forum

For the purpose of accurate malware analysis, Hijack This Logs are only dealt with in the Malware Forum. Posting them anywhere else will result in a delayed response

If you are unable to run any of the programmes, please ask for advice in the Malware Forum

#3
drmull

I followed the product advice on this site and downloaded the trials of Trojan Hunter and Ewido. I already use AdAware and SpySweeper.

Trojan Hunter really did find a few things the others didn't (not false positives). Ewido found a couple of registry items the others missed.

After getting clean results from all 4 programs I restarted in normal mode. It's been 30 minutes and everything seems OK! I re-ran the scans in normal mode and they all show clean.

The Ewido & TrojanHunter guards are both enabled. Hopefully I'll stay clean. I guess I'll be buying these 2 programs!

Thanks to GeeksToGo for the excellent product recommendations.

#4
max_volume

This reply may be, as they sometimes say, "a day late and a dollar short" as far as a suggestion and/or comment; however, concerning your concern about each of the system's users having their own registry, I would guess that the Registry would only be one (Registries tend to be very, very large, or so I have heard), thus allowing each user access to the Registry according to their preferences and user habits, which the system or System Restore should keep track of. If I may humbly suggest a program called "a-squared", I consider this one to be one of the very best freeware versions pertaining to spyware removal; please check it out. The only catch is you must submit your e-mail address in order for them to e-mail you back an activation code in order to install said freeware version from them that you just downloaded. Do not worry, they will not continue to bug you (spam, etc.) or sell you out to anyone else. Check out this link and see for yourself: http://www.emsisoft.com/en/. Another really great site for other freeware of this type is www.javacoolsoftware.com, in particular Spywareblaster & mrublaster (I use these too). I hope this might be of some help to you; at least it is something worth looking at. Good luck.
Best wishes & regards,
Max