Pop Ups!



#1 odirish
I have verizon online protection, yet I am getting a gazillion popups. I don't know what to do.
I saw a thread about toolbar 888, I also have that. I'm not sure how I got it though. Thank you for any advice.

Mary Ann

#2 odirish (Topic Starter)
I saw where someone else is having problems also, so I am following directions for that. Hope this is ok.

Mary Ann

Logfile of HijackThis v1.99.1
Scan saved at 8:42:08 PM, on 1/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\{AC7688FF-018E-1033-1104-990203260001}\Update.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\SMANTE~1\chkntfs.exe
C:\Documents and Settings\odirish\Application Data\S?mantec\?hkdsk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: - {5cf66fa8-0340-4c89-918c-1ccae81a76e4} - C:\WINDOWS\System32\luk.dll
O2 - BHO: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C768~1\Bar888.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C768~1\Bar888.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [{AC7688FF-018E-1033-1104-990203260001}] "C:\Program Files\Common Files\{AC7688FF-018E-1033-1104-990203260001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKLM\..\Run: [{AC7688FF-018F-1033-1104-990203260001}] "C:\Program Files\Common Files\{AC7688FF-018F-1033-1104-990203260001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ptre] "C:\PROGRA~1\COMMON~1\SMANTE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [iqmw] C:\Program Files\Common Files\iqmw\iqmwm.exe
O4 - HKCU\..\Run: [Quqlqmez] C:\Documents and Settings\odirish\Application Data\S?mantec\?hkdsk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#3 silencedmessage
Hi Odirish,

Welcome to GeeksToGo! My name is Silenced Message, and I will be helping you deal with your malware problems. Please be patient as all of my posts are approved by our experts here. :whistling: I will get back to you with instructions as soon as possible!


-Silenced Message

#4 silencedmessage
Hi again Odirish,

Welcome back! You have a few different infections here, so I ask that you please stick with this topic and follow my directions to the word. :whistling:

You may want to print out these directions or save them using a word processor (notepad, word... etc) for later reference since the following steps require a reboot.

1. Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


NEXT

I would like you to re-name HijackThis.
To do this, go to Start > My Computer > Local Drive C: > Program Files > HijackThis
In the HijackThis folder, right-click on hijackthis.exe (it may not have the .exe extension) and select rename. Please name it hjt.exe or anything but hijackthis.exe.

With those steps done, please do a new scan with HijackThis and paste the contents into your next reply.

So, in your next reply, please post the following:
  • The Combofix log (you can find it at C:\ComboFix.txt)
  • A New HijackThis log
Let me know how everything goes!

-Silenced Message

#5 odirish (Topic Starter)
I hope I did this right :whistling:

odirish - 07-01-07 13:44:50.60 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\odirish\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\scmt16.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{AC7688FF-018F-1033-1104-990203260001}
C:\Program Files\Common Files\{3C7688FF-018E-1033-1104-990203260001}
C:\Program Files\Common Files\{AC7688FF-018E-1033-1104-990203260001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\odirish\Application Data\SMANTE~1
C:\QooBox\Purity\Documents and Settings\odirish\Application Data\SMANTE~1\?hkdsk.exe
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\chkntfs.exe
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


2007-01-06 20:41 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-06 20:17 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free
2007-01-06 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-01-06 20:16 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-01-06 20:16 <DIR> d-------- C:\My Downloads
2007-01-05 11:59 <DIR> d-------- C:\23.73.105
2007-01-04 17:27 <DIR> d-------- C:\Program Files\Ipwindows
2007-01-04 16:29 <DIR> d-------- C:\Program Files\DriveCleaner Free
2007-01-01 16:39 57,856 --a------ C:\WINDOWS\system32\kqit.dll
2007-01-01 16:39 2 --a------ C:\WINDOWS\system32\wapicc.exe
2007-01-01 16:39 <DIR> d-------- C:\Program Files\Outerinfo
2007-01-01 08:24 <DIR> d-------- C:\WINDOWS\iqmw
2007-01-01 08:24 <DIR> d-------- C:\Program Files\Common Files\iqmw
2006-12-31 03:28 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-31 03:27 2,116 --a------ C:\15242624.exe
2006-12-28 15:04 2,124 --a------ C:\WINDOWS\uwkygool.exe
2006-12-28 15:04 <DIR> d-------- C:\WINDOWS\pss
2006-12-28 12:50 <DIR> d-------- C:\Documents and Settings\odirish\Application Data\Corel Photo Album
2006-12-28 12:45 88 -r-hs---- C:\WINDOWS\system32\A0ADE11170.sys
2006-12-28 12:45 3,350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-12-28 12:36 <DIR> d-------- C:\Program Files\Corel
2006-12-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-07 14:02 -------- d-------- C:\Program Files\Common Files
2007-01-07 01:14 -------- d-------- C:\Program Files\SwiftSwitch
2007-01-06 20:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-12-29 21:22 -------- d-------- C:\Program Files\Outlook Express
2006-12-02 16:57 -------- d-------- C:\Program Files\Viewpoint
2006-12-02 16:34 -------- d-------- C:\Program Files\Common Files\Viewpoint
2006-11-29 06:29 20992 --a------ C:\WINDOWS\1.exe
2006-11-26 22:31 285 --a------ C:\WINDOWS\counter.exe
2006-11-26 02:11 -------- d-------- C:\Program Files\Java
2006-11-24 20:10 -------- d-------- C:\Program Files\MSN Games
2006-11-23 11:26 -------- d-------- C:\Program Files\Google
2006-11-14 13:59 -------- d-------- C:\Program Files\Common Files\Real
2006-11-09 22:59 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2006-11-09 22:54 0 --a------ C:\Program Files\Common Files\err.log
2006-11-09 07:39 -------- d-------- C:\Program Files\SupportSoft
2006-10-29 23:34 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-10-27 18:42 9817 --a------ C:\WINDOWS\system32\z1860.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Ptre"="\"C:\\PROGRA~1\\COMMON~1\\SMANTE~1\\chkntfs.exe\" -vt yazb"
"iqmw"="C:\\Program Files\\Common Files\\iqmw\\iqmwm.exe"
"Quqlqmez"="C:\\Documents and Settings\\odirish\\Application Data\\S?mantec\\?hkdsk.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DC6_check"="\"C:\\Program Files\\Common Files\\dc6_startupmon.exe\""
"ERS_check"="\"C:\\Program Files\\Common Files\\ers_startupmon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
@=""
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"{AC7688FF-018E-1033-1104-990203260001}"="\"C:\\Program Files\\Common Files\\{AC7688FF-018E-1033-1104-990203260001}\\Update.exe\" te-110-12-0000213"
"SDR6_Check"="\"C:\\Program Files\\Common Files\\DriveCleaner Free\\udcsdr.exe\""
"PAS_Check"="\"C:\\Program Files\\Common Files\\DriveCleaner Free\\udcpas.exe\""
"{AC7688FF-018F-1033-1104-990203260001}"="\"C:\\Program Files\\Common Files\\{AC7688FF-018F-1033-1104-990203260001}\\Update.exe\" te-110-12-0000213"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.psecu.com...tements500.jpg"
"SubscribedURL"="http://www.psecu.com...tements500.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,6a,02,00,00,e1,00,00,00,d1,01,00,00,d2,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,e1,00,00,00,d1,01,00,00,d2,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,73,05,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
e7,77,40,75,24,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-07 14:05:55.93
C:\ComboFix.txt ... 07-01-07 14:05

Logfile of HijackThis v1.99.1
Scan saved at 2:20:29 PM, on 1/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\hjt.exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: - {5cf66fa8-0340-4c89-918c-1ccae81a76e4} - C:\WINDOWS\System32\luk.dll
O2 - BHO: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C768~1\Bar888.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C768~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [{AC7688FF-018E-1033-1104-990203260001}] "C:\Program Files\Common Files\{AC7688FF-018E-1033-1104-990203260001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKLM\..\Run: [{AC7688FF-018F-1033-1104-990203260001}] "C:\Program Files\Common Files\{AC7688FF-018F-1033-1104-990203260001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ptre] "C:\PROGRA~1\COMMON~1\SMANTE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [iqmw] C:\Program Files\Common Files\iqmw\iqmwm.exe
O4 - HKCU\..\Run: [Quqlqmez] C:\Documents and Settings\odirish\Application Data\S?mantec\?hkdsk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Mary Ann

#6 silencedmessage
Hi again Mary Ann!

You did just fine! Keep it up and we will have you clean in no time!

There was one thing you did wrong, which was probably my fault; I should have been more clear with my instructions. You renamed the folder that HijackThis was in, and not the program itself! That is an easy mistake to make. :blink:

Please go to Start > My Computer > Local Disk C: > Program Files > HJT.exe

INSIDE the HJT.exe folder, you will see HijackThis. The icon has a few sticks of dynamite. I need you to right click on that, and select rename, then rename THAT to hjt.exe (or anything else). :help:

You may want to print out a copy of these directions or save them (using notepad) since the following steps require a reboot.

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Please go to Start > Run > type in notepad and click OK.
Copy the contents of the code block below into notepad.
@echo off
REM Stop and remove the bogus "COM+ Messages" service. The name contains a space, so it
REM must be quoted. Note that sc expects the service key name; HijackThis shows the display name.
sc stop "COM+ Messages"
sc delete "COM+ Messages"
REM Folders are removed with RD /S /Q (DEL cannot remove a directory); files with DEL /F /Q.
REM Every path is quoted because most of them contain spaces.
RD /S /Q "C:\23.73.105"
RD /S /Q "C:\Program Files\Ipwindows"
RD /S /Q "C:\Program Files\DriveCleaner Free"
DEL /F /Q "C:\WINDOWS\system32\kqit.dll"
DEL /F /Q "C:\WINDOWS\system32\wapicc.exe"
RD /S /Q "C:\Program Files\Outerinfo"
RD /S /Q "C:\WINDOWS\iqmw"
RD /S /Q "C:\Program Files\Common Files\iqmw"
DEL /F /Q "C:\WINDOWS\system32\svchosts.exe"
DEL /F /Q "C:\15242624.exe"
DEL /F /Q "C:\WINDOWS\uwkygool.exe"
RD /S /Q "C:\Program Files\Viewpoint"
RD /S /Q "C:\Program Files\Common Files\Viewpoint"
REM Path corrected to match the ComboFix Find3M report above (C:\WINDOWS\1.exe, not C:\1.exe).
DEL /F /Q "C:\WINDOWS\1.exe"
DEL /F /Q "C:\WINDOWS\counter.exe"
DEL /F /Q "C:\WINDOWS\system32\z1860.exe"
DEL /F /Q "C:\WINDOWS\System32\ntos.exe"
DEL /F /Q "C:\WINDOWS\System32\luk.dll"
DEL /F /Q "C:\Program Files\Common Files\dc6_startupmon.exe"
DEL /F /Q "C:\Program Files\Common Files\ers_startupmon.exe"
REM The batch file removes itself as its last step.
DEL /F /Q "C:\Documents and Settings\odirish\Desktop\fixme.bat"
Go to File > Save as...
In the File Name: field, type "fixme.bat" <---make sure to include the quotes ""
Click on the desktop button on the left side of the box, then click save.

DO NOT DOUBLE CLICK THE FILE WE JUST CREATED UNTIL INSTRUCTED!!!



Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Viewpoint <-- or Viewpoint Media Player... anything with Viewpoint in the name

Please note any other programs that you don't recognize in that list in your next response.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: - {5cf66fa8-0340-4c89-918c-1ccae81a76e4} - C:\WINDOWS\System32\luk.dll
O2 - BHO: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C768~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C768~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O4 - HKLM\..\Run: [{AC7688FF-018E-1033-1104-990203260001}] "C:\Program Files\Common Files\{AC7688FF-018E-1033-1104-990203260001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKLM\..\Run: [{AC7688FF-018F-1033-1104-990203260001}] "C:\Program Files\Common Files\{AC7688FF-018F-1033-1104-990203260001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [Ptre] "C:\PROGRA~1\COMMON~1\SMANTE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [iqmw] C:\Program Files\Common Files\iqmw\iqmwm.exe
O4 - HKCU\..\Run: [Quqlqmez] C:\Documents and Settings\odirish\Application Data\S?mantec\?hkdsk.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.



Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Locate the file you saved to your desktop earlier named fixme.bat. The icon should have what looks like a little gear on it. :whistling: Double click this file. A DOS window will open briefly and then disappear; this is normal.
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
This may seem like a lot, but I am sure you can do it! We should be getting close Mary Ann!!

In your next post, Please include the following:
  • AVG Anti-Spyware Report
  • A new HijackThis log (hjt.exe log)
-Silenced Message
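Silenced Message lists which HijackThis entries to fix but not what separates them from the benign ones. The following Python script is an added example, not part of this thread or of HijackThis, that applies the rules his selection implies to a handful of lines copied from the log above: an extra program appended to the F2 UserInit value, BHOs and search hooks with no name, Run entries whose path contains a substituted "?" (a look-alike name such as S?mantec), services with an unknown owner or missing binary, and the product names this thread identified as rogue. The heuristics and the ROGUE_NAMES list are my own, drawn only from what appears in this thread.

```python
import re

# Sample HijackThis v1.99.1 lines copied from the log posted in this thread
# (a constructed subset so the script runs stand-alone).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R3 - URLSearchHook: (no name) - {721A9A4B-7AFE-565E-8973-7F129342E195} - C:\WINDOWS\System32\kqit.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: - {5cf66fa8-0340-4c89-918c-1ccae81a76e4} - C:\WINDOWS\System32\luk.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Quqlqmez] C:\Documents and Settings\odirish\Application Data\S?mantec\?hkdsk.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
""".strip()

# Every HijackThis entry starts with a section code (R0, F2, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.*)$")

# Product / file names that Silenced Message identified as rogue in this thread
# (my own list, assembled from the entries he asked to have fixed or deleted).
ROGUE_NAMES = ("drivecleaner", "bar888", "outerinfo", "ipwindows", "iqmw", "svchosts.exe")


def review_entry(line):
    """Return the reasons a single log entry looks suspicious (empty list = no finding)."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    sect, body = m.group("sect"), m.group("body")
    lower = body.lower()
    reasons = []

    # F2 UserInit: the legitimate value is userinit.exe alone; anything appended
    # (here ntos.exe) is started at every logon.
    if sect == "F2" and "userinit=" in lower:
        programs = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        extra = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("extra program(s) in UserInit: " + ", ".join(extra))

    # Browser helper objects, toolbars and search hooks that carry no name at all.
    if sect in ("R3", "O2", "O3") and ("(no name)" in lower or re.search(r": - \{", body)):
        reasons.append("unnamed BHO / toolbar / URLSearchHook")

    # HijackThis prints characters it cannot display as '?', so a '?' in a Run
    # entry's path usually means a look-alike folder or file name (S?mantec, ?hkdsk.exe).
    if sect == "O4" and "?" in body:
        reasons.append("non-printable character in autorun path (look-alike name)")

    # Services nobody claims, or whose binary is gone, are classic leftovers.
    if sect == "O23" and ("unknown owner" in lower or "(file missing)" in lower):
        reasons.append("service with unknown owner or missing binary")

    if any(name in lower for name in ROGUE_NAMES):
        reasons.append("matches a name flagged as rogue in this thread")
    return reasons


def triage(log_text):
    """Map every suspicious line of a HijackThis log to the reasons it was flagged."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = review_entry(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the full log above, the script flags the same entries the helper checked, while the Yahoo!, HP, QuickTime and Java lines pass untouched.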

#7 odirish (Topic Starter)
I wasn't able to scan in Safe Mode because my login was not there, so I did it in Normal Mode. Here is my report. I hope I did this ok; I didn't understand why I needed to open fixme.bat.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:46:16 PM 1/7/2007

+ Scan result:



C:\Program Files\Common Files\Companion Wizard\WapCHK.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq336.tmp -> Adware.CoolSavings : Cleaned with backup (quarantined).
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
C:\Documents and Settings\odirish\My Documents\installdrivecleanerstart.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP231\A0027838.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027952.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027953.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028206.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028207.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028470.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028471.exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027968.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028222.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028486.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028703.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027961.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028215.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028479.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028741.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027949.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027950.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027969.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027970.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028203.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028204.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028223.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028224.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028467.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028468.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028487.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028488.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028696.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028697.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028704.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028705.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\iqmw\iqmwd\iqmwc.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027962.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028216.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028480.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Companion Wizard\compwiz.exe -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP179\A0018207.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP179\A0018208.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP181\A0018280.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\vspf -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP195\A0020690.exe -> Downloader.Agent.bbp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP217\A0026522.exe -> Downloader.Agent.bbp : Cleaned with backup (quarantined).
C:\WINDOWS\1.exe -> Downloader.Agent.bbp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028765.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027966.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028220.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028484.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028693.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027980.exe -> Downloader.Tiny.eu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028234.exe -> Downloader.Tiny.eu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028495.exe -> Downloader.Tiny.eu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028767.exe -> Downloader.Tiny.eu : Cleaned with backup (quarantined).
C:\Program Files\Common Files\iqmw\iqmwp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP231\A0027852.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027940.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028194.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028458.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\iqmw\iqmwd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\Program Files\Common Files\iqmw\iqmwa.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP231\A0027851.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027941.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028195.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028459.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP231\A0027850.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP177\A0018093.dll -> Logger.BZub.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP177\A0018094.dll -> Logger.BZub.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP216\A0022433.dll -> Logger.BZub.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP177\A0018092.exe -> Logger.BZub.nbc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP177\A0018095.exe -> Logger.BZub.nbc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP177\A0018096.exe -> Logger.BZub.nbc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028740.dll -> Logger.Small.ee : Cleaned with backup (quarantined).
C:\Program Files\hjt.exe\backups\backup-20070107-212404-568.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Fr1dg3\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028769.exe -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22B.tmp -> TrackingCookie.247realmedia : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq185.tmp -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC1.tmp -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-1010\Dc17.txt -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq186.tmp -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq235.tmp -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC2.tmp -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4DB.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB1.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-1010\Dc3.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC3.tmp -> TrackingCookie.Bfast : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F7.tmp -> TrackingCookie.Bluestreak : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5FC.tmp -> TrackingCookie.Bridgetrack : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5FB.tmp -> TrackingCookie.Burstnet : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22E.tmp -> TrackingCookie.Casalemedia : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB2.tmp -> TrackingCookie.Casalemedia : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22F.tmp -> TrackingCookie.Centrport : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5FD.tmp -> TrackingCookie.Com : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq187.tmp -> TrackingCookie.Coremetrics : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4FA.tmp -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB3.tmp -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-1010\Dc5.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB4.tmp -> TrackingCookie.Falkag : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC5.tmp -> TrackingCookie.Falkag : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq230.tmp -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4FB.tmp -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq189.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq231.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq232.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4FC.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq600.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC4.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC6.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18A.tmp -> TrackingCookie.Hitslink : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4DC.tmp -> TrackingCookie.Hitslink : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18B.tmp -> TrackingCookie.Linksynergy : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq601.tmp -> TrackingCookie.Linksynergy : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18C.tmp -> TrackingCookie.Mediaplex : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-1010\Dc7.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq501.tmp -> TrackingCookie.Onestat : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4FE.tmp -> TrackingCookie.Pointroll : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq602.tmp -> TrackingCookie.Pointroll : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-1010\Dc14.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq233.tmp -> TrackingCookie.Questionmarket : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq188.tmp -> TrackingCookie.Ru4 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5FF.tmp -> TrackingCookie.Ru4 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq500.tmp -> TrackingCookie.Serving-sys : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq604.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18D.tmp -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq236.tmp -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq605.tmp -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq502.tmp -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB5.tmp -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq606.tmp -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq238.tmp -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq503.tmp -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22C.tmp -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F5.tmp -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-1010\Dc2.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18E.tmp -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq239.tmp -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP234\A0027955.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP235\A0028209.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028473.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028764.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 10:50:30 PM, on 1/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\hjt.exe\hjt.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Wow!! I could never do all this on my own. :whistling:
P.S. Love the Leprechaun... We're huge N.D. fans

Mary Ann

Edited by odirish, 07 January 2007 - 10:00 PM.

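One way to spot the logon persistence that the helper goes after in the HijackThis log above (the F2 UserInit line listing ntos.exe beside userinit.exe), as an added example that is not part of the thread and not HijackThis's own code: a small Python triage script that parses the F2 line and flags every entry other than the stock userinit.exe. The log excerpt inside is constructed from the log posted above, and the function names are my own.

```python
"""Triage a HijackThis 1.99 log for the UserInit persistence seen in this thread.

Added example, not code from the thread or from HijackThis: it reads the
"F2 - REG:system.ini: UserInit=" line, splits the value on commas and reports
every entry that is not the stock userinit.exe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt (a few lines only) of the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

# Constructed excerpt of the same line on a clean Windows XP machine:
# only userinit.exe, followed by the trailing comma Windows keeps there.
CLEAN_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

# HijackThis prints the Winlogon UserInit value as an F2 line. The value is a
# comma-separated list and Winlogon starts every executable in it at logon,
# which is why an extra entry (ntos.exe above) comes back after every reboot.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


@dataclass
class UserInitFinding:
    entries: List[str]     # every path listed in the UserInit value, in order
    suspicious: List[str]  # entries that are not the stock userinit.exe


def is_stock_userinit(path: str) -> bool:
    """True for <systemroot>\\system32\\userinit.exe, compared case-insensitively.

    Only the last two path components are compared, so a non-default system
    root (e.g. C:\\WINNT) is still recognised; a userinit.exe anywhere else on
    disk, or any other executable, is flagged.
    """
    parts = path.strip().strip('"').replace("/", "\\").lower().split("\\")
    return len(parts) >= 2 and parts[-2:] == ["system32", "userinit.exe"]


def parse_userinit(log_text: str) -> Optional[UserInitFinding]:
    """Return the UserInit finding from a HijackThis log, or None if it has no F2 line."""
    for line in log_text.splitlines():
        m = USERINIT_RE.match(line.strip())
        if m is None:
            continue
        # Drop the empty element produced by the trailing comma.
        entries = [p.strip() for p in m.group("value").split(",") if p.strip()]
        suspicious = [p for p in entries if not is_stock_userinit(p)]
        return UserInitFinding(entries=entries, suspicious=suspicious)
    return None


def report(log_text: str) -> List[str]:
    """Triage lines for a human reader; an empty list means the UserInit value is stock."""
    finding = parse_userinit(log_text)
    if finding is None:
        return ["no F2 UserInit line in this log"]
    return [f"UserInit launches an extra executable at logon: {p}" for p in finding.suspicious]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG) or ["UserInit value is stock"]:
        print(line)
```

The same check works for any number of comma-separated entries, so it also catches a UserInit value that chains several executables rather than the single one in this log.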

#8 odirish (Topic Starter, Member, 59 posts)
I logged on this morning and had another popup, so I did a scan, copied it to here and went back and quarantined it.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:04:46 PM 1/8/2007

+ Scan result:



C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028776.dll -> Adware.Companion : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028778.ocx -> Adware.Coupons : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028774.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028775.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028777.dll -> Adware.TargetServer : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028773.exe -> Adware.WinAntiVirus : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028772.exe -> Downloader.Agent.bbp : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028771.exe -> Downloader.TSUpdate.f : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028770.exe -> Downloader.TSUpdate.l : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028780.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\System Volume Information\_restore{8C4EC5B1-7C19-4D76-ACE2-07C30EA8A853}\RP236\A0028779.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.


::Report end

#9 silencedmessage (Member, 987 posts)
Hi Mary Ann,

You do an excellent job! The reason you clicked the fixme.bat was because instead of looking for all of the files and folders that needed to be deleted, I thought it might be easier for us to make a file that would do it for us! Simply put, that file got rid of a ton of bad stuff. :rofl: We are almost there already! There are a few more things I would like you to do, and then a final check just to be sure you are clean. :whistling:

I wasn't able to scan in Safe mode because my login was not there, so I did it in Normal Mode.

That is fine. The reason for going into safe mode to do the scan was so that there was less of a chance of a file not being able to be quarantined. Everything that it found went without a problem though! However, although it is normally not advised, in the following instructions you may log into any account that is there as long as it has administrative privileges. :)

You may want to either print out a copy of these directions or save them (using Notepad) for future reference, since the following steps require a reboot.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\ntos.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After that, please reboot into safe mode. Restart the computer and as soon as it starts to boot, tap F8 repeatedly until you reach a menu that gives you the option of using "safe mode".

Using Windows Explorer (to get there, right-click on Start, then select Explore), please delete the following folders:
C:\Program Files\Common Files\DriveCleaner Free
C:\Program Files\Common Files\iqmw

Please boot back into "normal windows", do a scan with HijackThis, and post the new log back here. Also, could you please tell me how the computer is running now? (are there any more problems, pop-ups, basically is it like it was before?) :blink:

Also, please post a new ComboFix log. Remember not to click the window while it's running or it may stall!!

P.S. Love the Leprechaun... We're huge N.D. fans

:help: I love the Leprechaun just because it's a leprechaun :rofl:

In your next reply, please post the following:
  • New HijackThis log
  • New ComboFix log
Keep up the great work Mary Ann!!!

-Silenced Message

#10 odirish (Topic Starter, Member, 59 posts)
I don't understand. I downloaded the Killbox and opened it. I clicked Delete on Reboot and the Click on All Files button. I don't know if this is right or not, but I typed in the box C:\Windows|System32\ntos.exe
It says to return to Killbox and go to the File menu; that is where I am confused. I'll try again.

Mary Ann


#11 odirish (Topic Starter, Member, 59 posts)
Logfile of HijackThis v1.99.1
Scan saved at 2:56:50 PM, on 1/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hjt.exe\hjt.exe.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

odirish - 07-01-08 14:59:52.73 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\odirish\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\odirish\Application Data\SMANTE~1
C:\QooBox\Purity\Documents and Settings\odirish\Application Data\SMANTE~1\?hkdsk.exe
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\chkntfs.exe
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-12-08 to 2007-01-08 ))))))))))))))))))))))))))))))))))


2007-01-08 14:36 <DIR> d-------- C:\!KillBox
2007-01-07 21:01 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-07 21:00 <DIR> d-------- C:\Program Files\Grisoft
2007-01-06 20:41 <DIR> d-------- C:\Program Files\hjt.exe
2007-01-06 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-01-06 20:16 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-01-06 20:16 <DIR> d-------- C:\My Downloads
2007-01-05 11:59 <DIR> d-------- C:\23.73.105
2007-01-04 17:27 <DIR> d-------- C:\Program Files\Ipwindows
2007-01-04 16:29 <DIR> d-------- C:\Program Files\DriveCleaner Free
2007-01-01 16:39 <DIR> d-------- C:\Program Files\Outerinfo
2007-01-01 08:24 <DIR> d-------- C:\WINDOWS\iqmw
2006-12-28 15:04 <DIR> d-------- C:\WINDOWS\pss
2006-12-28 12:50 <DIR> d-------- C:\Documents and Settings\odirish\Application Data\Corel Photo Album
2006-12-28 12:45 88 -r-hs---- C:\WINDOWS\system32\A0ADE11170.sys
2006-12-28 12:45 3,350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-12-28 12:36 <DIR> d-------- C:\Program Files\Corel
2006-12-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-08 14:49 -------- d-------- C:\Program Files\Common Files
2007-01-07 22:44 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2007-01-07 15:41 -------- d-------- C:\Program Files\SwiftSwitch
2007-01-06 20:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-12-29 21:22 -------- d-------- C:\Program Files\Outlook Express
2006-12-02 16:57 -------- d-------- C:\Program Files\Viewpoint
2006-12-02 16:34 -------- d-------- C:\Program Files\Common Files\Viewpoint
2006-11-26 02:11 -------- d-------- C:\Program Files\Java
2006-11-24 20:10 -------- d-------- C:\Program Files\MSN Games
2006-11-23 11:26 -------- d-------- C:\Program Files\Google
2006-11-14 13:59 -------- d-------- C:\Program Files\Common Files\Real
2006-11-09 22:54 0 --a------ C:\Program Files\Common Files\err.log
2006-11-09 07:39 -------- d-------- C:\Program Files\SupportSoft
2006-10-29 23:34 774144 --a------ C:\Program Files\RngInterstitial.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
@=""
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.psecu.com...tements500.jpg"
"SubscribedURL"="http://www.psecu.com...tements500.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,6a,02,00,00,e1,00,00,00,d1,01,00,00,d2,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,e1,00,00,00,d1,01,00,00,d2,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,73,05,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
e7,77,40,75,24,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-08 15:02:26.44
C:\ComboFix.txt ... 07-01-08 15:02
C:\ComboFix2.txt ... 07-01-07 14:05

I think it is running a lot better. I had only 1 popup this morning. I ran the virus scan and quarantined a few things (11 I think). I have a copy of it in an earlier post this morning. Thank you so much for your help on this. I almost forgot, I DID NOT receive any PendingFileRenameOperations prompt.

Mary Ann

Edited by odirish, 08 January 2007 - 02:12 PM.

  • 0

#12
silencedmessage

silencedmessage

    Member

  • Member
  • PipPipPip
  • 987 posts
Hi again Mary Ann,

Sorry I could not get back to you yesterday, real life interfered.

I don't understand. I downloaded the killbox and opened it. I clicked Delete on Reboot and the Click on All Files button. I don't know if this is right or not, but I typed in the box C:\Windows|System32\ntos.exe
it says to return to killbox and go to file menu that is where I am confused, I'll try again.

From the description you gave later, it appears you figured this out? Please let me know. :blink:

I think it is running a lot better. I had only 1 popup this morning. I ran the virus scan and quarantined a few things (11 I think). I have a copy of it in an earlier post this morning. Thank you so much for your help on this. I almost forgot, I DID NOT receive any PendingFileRenameOperations prompt.

Thanks for the info! There are a couple of things that are being a little persistent here, so we are going to have to deal with them in another way. You have done great so far! Please continue to stick with this, and we will get you all cleared up! :whistling:

You may want to print out a copy of these directions or save them using a word processor (notepad) since the following steps require a reboot.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\ntos.exe

Folders to Delete:
C:\23.73.105
C:\Program Files\Ipwindows
C:\Program Files\DriveCleaner Free
C:\Program Files\Outerinfo
C:\WINDOWS\iqmw
C:\Program Files\Viewpoint
C:\Program Files\Common Files\Viewpoint


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


You will need to show hidden and system files to do the next step. We will rehide them later.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\A0ADE11170.sys
  • Click on the submit button
  • Please post the results in your next reply.
In your next reply, please provide the following logs:
  • Avenger.txt (C:\avenger.txt)
  • The results from the file scan
  • A new HijackThis log
We are getting close, we got a lot of it, but there is still some cleaning up to do. Stick with this and we will have you clean very soon!

-Silenced Message
  • 0

#13
odirish

odirish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
I'm nervous :whistling: I will add the information as I do it.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iirdtqvb

*******************

Script file located at: \??\C:\Documents and Settings\xrmqlkbp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\System32\ntos.exe not found!
Deletion of file C:\WINDOWS\System32\ntos.exe failed!

Could not process line:
C:\WINDOWS\System32\ntos.exe
Status: 0xc0000034

Folder C:\23.73.105 deleted successfully.
Folder C:\Program Files\Ipwindows deleted successfully.
Folder C:\Program Files\DriveCleaner Free deleted successfully.
Folder C:\Program Files\Outerinfo deleted successfully.
Folder C:\WINDOWS\iqmw deleted successfully.
Folder C:\Program Files\Viewpoint deleted successfully.
Folder C:\Program Files\Common Files\Viewpoint deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 5:38:06 PM, on 1/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\hjt.exe\hjt.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

This last line is from Jotti's malware scan
I went back and closed the hidden windows as recommended. Is that ok? This computer seems to be running very slow. Is that due to the spyware or something different?


Mary Ann

Edited by odirish, 10 January 2007 - 05:15 PM.

  • 0

#14
silencedmessage

silencedmessage

    Member

  • Member
  • PipPipPip
  • 987 posts
Hi again Mary Ann,

I'm nervous :whistling:

We have made great progress from before. There is just one thing that is sticking around. I have a couple more ideas, and I am currently talking to some of the top experts about this right now to get some more opinions. We WILL get this!

This computer seems to be running very slow. Is that due to the spyware or something different?

I believe this is due to a conflict between Yahoo anti-virus and AVG Anti-Spyware. Right now, you have the real-time protection of AVG Anti-Spyware enabled. I should have included instructions to disable that when I had you download it, my apologies. :help:

1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
4. Reply 'no' and set it to 'inactive'.

I would recommend that you keep this program as an "on demand" scanner. After thirty days, the active guard will not be available anymore and you will have to update it manually, but it can still be used after the trial period is over.

A brief explanation of On-Demand Scanners:
As the name implies, these are scanners that only run when you ask them to.
Such as:
Online scans, and scanners that run on your machine but are not actively scanning your machine.


We need to delete a file:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\A0ADE11170.sys


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.


Let's try this too:

Please Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.



This GMER scan should tell us why the fix for that one file has not worked yet :blink:

Just hang in there Mary Ann, you have done an amazing job this far, and we are really close! We will get this thing yet!

-Silenced Message
  • 0
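The entry that keeps surviving in Mary Ann's HijackThis logs is the F2 UserInit line, where ntos.exe has been chained after the stock Userinit.exe so it launches at every logon. As an added example (not a tool from this thread), the Python below reads HijackThis-style F2 and O2 lines and flags any extra UserInit executable and any BHO whose DLL is reported missing; the sample lines are copied from the log above, and the clean F2 line is constructed for comparison.

```python
"""Flag suspicious persistence entries in a HijackThis-style log.

Added example, not a tool from the thread. It reads the F2 UserInit line
and O2 BHO lines in the format HijackThis v1.99.1 prints and reports:
  * any executable chained onto UserInit beyond the stock Userinit.exe
    (the ntos.exe entry in the log above), and
  * BHO entries whose DLL is reported as "(file missing)".
"""
import re
from typing import List, Tuple

# Only the stock Windows XP logon helper belongs in UserInit (compared lowercase).
STOCK_USERINIT = {r"c:\windows\system32\userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)

# Constructed sample: two lines copied from the thread's log plus one
# clean UserInit line for comparison.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
"""


def userinit_extras(value: str) -> List[str]:
    """Return the UserInit entries that are not the stock Userinit.exe.

    The registry value is a comma-separated list with a trailing comma,
    so empty items are dropped before comparison.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() not in STOCK_USERINIT]


def scan_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) tuples for every suspicious F2/O2 line."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("userinit-extra", extra))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append(("bho-missing", m.group("clsid")))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_hjt(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

A "userinit-extra" hit means the logon chain has been modified and the extra file should be examined before UserInit is reset to the stock value; a "bho-missing" hit is usually just a stale registration and is safe to remove.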

#15
odirish

odirish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
I can't download GMER. It says cannot find server.

Mary Ann
  • 0
