Thanks for the response. I understand that you guys are up to your eyeballs in this stuff. I was able to find a self-help section over at Tom Coyote's website and was able to get this off. It was the OIN popup virus; I used a thing called hosts.zip, Oiuninstaller and Combofix, along with AVG virus scan. If it wouldn't be too much trouble, maybe you could review my HJT logs, etc. to make sure there is nothing that I am missing. If it is something I should have them do, just let me know. Thanks. Chris
Chris - 06-11-20 11:45:02.46 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Chris\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Cowabanga
C:\Program Files\Common Files\{80FAD9F7-0D3F-1033-1011-040610040001}
C:\WINDOWS\Q2hyaXM
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Chris\My Documents\STEM32~1
C:\QooBox\Purity\Documents and Settings\Chris\My Documents\STEM32~1\d?xplore_exe.vir
C:\QooBox\Purity\Program Files\YMBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\WNSXS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\WNSXS~1\WNSXS~1
((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))
2006-11-19 10:31 69 --a-s---- C:\WINDOWS\test.bat
2006-11-13 08:13 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-11-13 08:13 <DIR> d-------- C:\Program Files\Grisoft
2006-11-12 21:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2006-11-12 16:41 <DIR> d-------- C:\WINDOWS\oqqm
2006-11-12 16:41 <DIR> d-------- C:\Program Files\Common Files\oqqm
2006-11-10 21:45 <DIR> d-------- C:\Scenario
2006-10-30 22:18 <DIR> d-------- C:\temp
2006-10-23 13:54 <DIR> d-------- C:\Program Files\Craftsman
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-20 11:45 -------- d-------- C:\Program Files\Common Files
2006-11-20 11:43 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-20 08:53 -------- d-------- C:\Program Files\Internet Explorer
2006-11-20 08:52 -------- d-------- C:\Program Files\eFax Messenger 4.0
2006-11-20 08:52 -------- d-------- C:\Program Files\eFax Messenger 3.5
2006-11-20 08:34 -------- d-------- C:\Program Files\Audio Converter
2006-11-20 07:58 -------- d-------- C:\Program Files\WinZip
2006-11-20 07:58 -------- d-------- C:\Program Files\WinRAR
2006-11-19 21:21 -------- d-------- C:\Program Files\Lavasoft
2006-11-19 21:21 -------- d-------- C:\Documents and Settings\Chris\Application Data\Lavasoft
2006-11-14 22:57 -------- d-------- C:\Program Files\PokerStars
2006-11-14 08:42 -------- d-------- C:\Program Files\CleanUp!
2006-11-13 10:06 -------- d-------- C:\Program Files\Java
2006-11-13 09:51 -------- d-------- C:\Program Files\Setup
2006-11-13 09:51 -------- d-------- C:\Program Files\DSplayer_WhenUSave_Installer
2006-11-10 15:53 -------- d-------- C:\Documents and Settings\Chris\Application Data\IGN_DLM
2006-11-02 19:57 -------- d-------- C:\Program Files\Tweak-XP Pro 4
2006-10-29 21:54 -------- d-------- C:\Program Files\Bodog Poker
2006-10-16 21:44 -------- d-------- C:\Program Files\Poker Indicator
2006-10-15 15:38 -------- d-------- C:\Documents and Settings\Chris\Application Data\CyberLink
2006-10-15 15:33 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-15 15:33 -------- d-------- C:\Program Files\CyberLink
2006-10-14 20:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-10-14 20:15 249856 --------- C:\WINDOWS\Setup1.exe
2006-10-12 17:14 -------- d-------- C:\Documents and Settings\Chris\Application Data\IDMComp
2006-10-12 17:13 -------- d-------- C:\Program Files\IDM Computer Solutions
2006-10-10 18:19 -------- d-------- C:\Program Files\EA GAMES
2006-10-10 18:19 -------- d-------- C:\Documents and Settings\Chris\Application Data\InstallShield
2006-10-10 13:35 -------- d-------- C:\Documents and Settings\Chris\Application Data\funkitron
2006-10-09 12:20 -------- d-------- C:\Program Files\Inspiration 7.5
2006-10-09 12:19 -------- d-------- C:\Documents and Settings\Chris\Application Data\Inspiration Software
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"IAAnotif"="\"C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe\""
"CTSysVol"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe\" /r"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:df,00,00,00
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoLogoff"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061120-075535-609
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
backup-20061120-075535-332
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup162.cab
backup-20061120-075535-389
R3 - URLSearchHook: (no name) - {109E0811-94D0-C300-D7F3-CD693EAEDCC5} - C:\WINDOWS\system32\ydfwaji.dll (file missing)
backup-20061120-075535-834
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061120-075535-866
O4 - HKCU\..\Run: [Vnmrj] C:\Program Files\?ymbols\w?crtupd.exe
backup-20061120-075535-229
O2 - BHO: (no name) - {109E0811-94D0-C300-D7F3-CD693EAEDCC5} - C:\WINDOWS\system32\ydfwaji.dll (file missing)
backup-20061120-075535-133
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\WNSXS~1\winlogon.exe" -vt ndrv
backup-20061112-192507-766
R3 - URLSearchHook: (no name) - {A7174C16-D188-865B-8BA6-D828EA73349C} - C:\WINDOWS\system32\hmubvjn.dll
backup-20061112-192507-755
O4 - HKCU\..\Run: [Jibsll] C:\Documents and Settings\Chris\My Documents\??stem32\d?xplore.exe
backup-20061112-192507-545
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061112-192507-941
O2 - BHO: (no name) - {A7174C16-D188-865B-8BA6-D828EA73349C} - C:\WINDOWS\system32\hmubvjn.dll
backup-20060912-214425-506
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20060912-214425-423
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
backup-20060725-001255-521
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20051108-120831-579
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
backup-20051108-120831-615
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
backup-20051108-120831-196
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
backup-20051105-151906-434
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
backup-20051105-151746-694
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20051105-145147-574
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/t...free_access.cab
backup-20051105-145147-399
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20051105-145147-179
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
backup-20051105-145147-482
R3 - Default URLSearchHook is missing
Completion time: 06-11-20 11:52:34.78
C:\ComboFix.txt ... 06-11-20 11:52
Logfile of HijackThis v1.99.1
Scan saved at 1:36:29 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.micro...ult.aspx?pr=drx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.3.1.99.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Thanks again