Spyware trouble again!!!

Hi, I have spyware on my computer and I used Trend PC-cillin, Ad-Aware, and Spy Sweeper. It's still on my computer! It won't let me have a Windows background other than a blue screen talking about spyware, and it gives me popups all the time. Please help me!!! Here's my HijackThis log....

Logfile of HijackThis v1.99.1
Scan saved at 4:48:42 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe
C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe
C:\PROGRAM FILES\COMMON FILES\??PPATCH\W?CRTUPD.EXE
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\J-MO\LOCALS~1\Temp\Rar$EX00.999\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwoyt.exe
F2 - REG:system.ini: UserInit=userinit.exe,brvderc.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Lmbtsz] C:\Program Files\Common Files\??pPatch\w?crtupd.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0ql1d51.dll (file missing)
O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Comments

  • skywalker45 (Bloomington, IN, USA)
    edited September 2006
    Yuck. That log is pretty nasty, but we'll get you cleaned up. You are currently running Hijack This from here:

    C:\DOCUME~1\J-MO\LOCALS~1\Temp\Rar$EX00.999\HijackThis.exe


    This is a temporary directory. Please drag the file HijackThis.exe out of the above folder and onto your desktop. Once you do that run Hijack This again and post a new log.
  • edited September 2006
    Thank you very much for responding so quickly. Here is the new HJT log. Thanks again!!!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:10:05 AM, on 9/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe
    C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\MSIEXEC.EXE
    C:\PROGRAM FILES\COMMON FILES\??PPATCH\W?CRTUPD.EXE
    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwoyt.exe
    F2 - REG:system.ini: UserInit=userinit.exe,brvderc.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - HKCU\..\Run: [Lmbtsz] C:\Program Files\Common Files\??pPatch\w?crtupd.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0ql1d51.dll (file missing)
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • skywalker45 (Bloomington, IN, USA)
    edited September 2006
    I won't lie to you. You have many bad infections! We can get rid of all of them but it will take several steps so I hope you have the patience. First thing I need you to do is to download some programs that we will use later. Do not use any of these programs until instructed. Just download them only.

    Please download Ewido Anti-Malware from my signature below. Leave the install program on your desktop. Do not install or run the program yet.

    Please download VundoFix.exe to your desktop. Do not run it yet. Just leave it on your desktop.

    Please download Look2Me-Destroyer.exe to your desktop. Again do not use the program yet. Just leave it on your desktop.

    You have a Qoologic infection that we need to deal with first. Follow the instructions below to remove this malware first:

    Please download Qoofix by RubbeR DuckY from one of the following locations:

    http://www.malwarebytes.org/Qoofix.zip or
    http://www.besttechie.net/tools/Qoofix.zip
    1. Unzip all files to a convenient location such as C:\Qoofix.
    2. Go to the folder you unzipped all files and run Qoofix.exe.
    3. Click Begin Removal and wait for the scan to finish.
    4. If an infection has been found, select yes to restart your computer.
    5. Post back with a new HijackThis log and the contents of the Qoofix logfile.
    Note: If you have problems with the Qoofix logfile, open it manually from its own folder -> C:\Qoofix.

    Tutorial by BestTechie here: http://www.besttechie.net/forums/index.php?showtopic=9051
    :)
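As an added example (not code from the thread or from the HijackThis project), here is a small Python triage script that parses the log format posted above and flags the entry types this thread treats as infection indicators: extra system.ini Shell/UserInit binaries, an AppInit_DLLs entry, unexpected or missing Winlogon Notify handlers, Trusted Zone additions, autoruns launched from a user profile or with unprintable path characters, and services whose binary is missing. The allow-list of Winlogon Notify handler names is an assumption, and the sample lines are copied from the first log in the thread.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
import re

# Constructed sample: entry lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwoyt.exe
F2 - REG:system.ini: UserInit=userinit.exe,brvderc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Lmbtsz] C:\Program Files\Common Files\??pPatch\w?crtupd.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0ql1d51.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Every HijackThis entry line looks like "<section> - <body>", e.g. "O20 - AppInit_DLLs: x.dll".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")

# What HijackThis shows for the system.ini keys on a clean Windows XP box.
SYSTEM_INI_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Winlogon Notify handlers treated as benign here (assumption; extend per environment).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Autoruns that start from the user's Application Data / Local Settings tree.
USER_PROFILE_RE = re.compile(
    r"(DOCUME~1|Documents and Settings)\\[^\\]+\\"
    r"(APPLIC~1|Application Data|LOCALS~1|Local Settings)", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, body) for every entry that deserves a closer look."""
    findings = []
    for sec, body in entries:
        reason = None
        if sec == "F2" and "system.ini" in body:
            # body: "REG:system.ini: Shell=Explorer.exe, C:\...\pwoyt.exe"
            key, _, value = body.split(": ", 1)[1].partition("=")
            default = SYSTEM_INI_DEFAULTS.get(key.lower())
            extras = [p.strip() for p in value.split(",")
                      if p.strip() and p.strip().lower() != default]
            if default and extras:
                reason = "extra %s binary: %s" % (key, ", ".join(extras))
        elif sec == "O4" and (USER_PROFILE_RE.search(body) or "?" in body):
            # HijackThis prints unprintable path characters as "?"
            reason = "autorun from user profile or unprintable path"
        elif sec == "O15":
            reason = "site added to IE Trusted Zone"
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:
                reason = "AppInit DLL loaded into every process: " + dll
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(": ", 1)[1].split(" - ", 1)[0]
            if name.lower() not in KNOWN_NOTIFY or "(file missing)" in body:
                reason = "unexpected Winlogon Notify handler: " + name
        elif sec == "O23" and "(file missing)" in body:
            reason = "service points at a missing binary"
        if reason:
            findings.append((sec, reason, body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print("%-4s %s\n     %s" % (sec, reason, body))
```

Run against the sample it reports the two system.ini additions, the two odd HKCU autoruns, the Trusted Zone entry, the AppInit DLL, the missing Applets handler and the orphaned Network Monitor service, and stays quiet on the Yahoo start page, the NVIDIA autorun and WgaLogon.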
  • edited September 2006
    OK, I did everything and it all went well, so here are both the HijackThis log and the Qoofix log....

    Logfile of HijackThis v1.99.1
    Scan saved at 12:15:59 PM, on 9/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe
    C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe
    C:\Program Files\Common Files\??pPatch\w?crtupd.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - HKCU\..\Run: [Lmbtsz] C:\Program Files\Common Files\??pPatch\w?crtupd.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0ql1d51.dll (file missing)
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    and the Qoofix....

    Qoofix v1.03 by http://www.malwarebytes.org
    Scan started on [9/16/2006] at [12:08:01 PM]
    Terminated module: fuxuktn.dll found in Qoofix.exe (3144)
    Terminated module: fuxuktn.dll found in ynxutl.exe (1748)
    Terminated module: fuxuktn.dll found in explorer.exe (2008)
    Terminated module: fuxuktn.dll found in pwoyt.exe (2040)
    Terminated module: fuxuktn.dll found in pwoyt.exe (148)
    Terminated module: fuxuktn.dll found in pwoyt.exe (156)
    Terminated module: fuxuktn.dll found in hpwuSchd2.exe (2716)
    Terminated module: fuxuktn.dll found in w?crtupd.exe (2860)
    Terminated module: fuxuktn.dll found in hpqtra08.exe (3016)
    Terminated module: fuxuktn.dll found in hpqste08.exe (1832)
    Terminated module: fuxuktn.dll found in iexplore.exe (2588)
    Terminated module: fuxuktn.dll found in YTBSDK.exe (3444)
    C:\WINDOWS\system32\brvderc.exe will be deleted on reboot!
    C:\WINDOWS\system32\fkmxf.dat will be deleted on reboot!
    C:\WINDOWS\system32\fuxuktn.dll will be deleted on reboot!
    C:\WINDOWS\system32\pwoyt.exe will be deleted on reboot!
    C:\WINDOWS\system32\ynxutl.exe will be deleted on reboot!
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rukva.exe will be deleted on reboot!

    User prompted YES to reboot, system now rebooting...
    Scan COMPLETED SUCCESSFULLY on [9/16/2006] at [12:09:18 PM]

    Note: Some registry keys may have been removed.
  • skywalker45 (Bloomington, IN, USA)
    edited September 2006
    Good Job! Qoologic is out of there. Next we need to work on the Look2Me infection. Follow the steps below:
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it. (It should be on your desktop)
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. <-- Before you do this step, read my instructions at the end of this post.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

    We're on our way to a clean machine. Thank you for your patience. After you have followed the above instructions please visit the link below and run the Purity Scan uninstaller. Do this before posting the new Hijack This log and the Look2Me Destroyer log.

    http://www.purityscan.com/uninstall.html

    Skywalker
  • edited September 2006
    OK, everything went well again

    HijackThis....


    Logfile of HijackThis v1.99.1
    Scan saved at 3:35:35 PM, on 9/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    and Look2Me...


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 9/16/2006 3:25:01 PM

    Infected! C:\WINDOWS\system32\en0ql1d51.dll
    Infected! C:\System Volume Information\_restore{FAD1D20F-FC85-475A-904F-812B3C21432C}\RP74\A0016801.dll
    Infected! C:\System Volume Information\_restore{FAD1D20F-FC85-475A-904F-812B3C21432C}\RP74\A0017801.dll
    Infected! C:\WINDOWS\system32\jt4807hue.dll
    Infected! C:\WINDOWS\system32\vea.dll

    Attempting to delete infected files...

    Attempting to delete: C:\System Volume Information\_restore{FAD1D20F-FC85-475A-904F-812B3C21432C}\RP74\A0016801.dll
    C:\System Volume Information\_restore{FAD1D20F-FC85-475A-904F-812B3C21432C}\RP74\A0016801.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{FAD1D20F-FC85-475A-904F-812B3C21432C}\RP74\A0017801.dll
    C:\System Volume Information\_restore{FAD1D20F-FC85-475A-904F-812B3C21432C}\RP74\A0017801.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\jt4807hue.dll
    C:\WINDOWS\system32\jt4807hue.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\vea.dll
    C:\WINDOWS\system32\vea.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{81593329-BEED-4280-859B-EADE4ABC41CC}"
    HKCR\Clsid\{81593329-BEED-4280-859B-EADE4ABC41CC}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
  • skywalker45 (Bloomington, IN, USA)
    edited September 2006
    Great job! Both Look2Me and Purity Scan are gone.... Have you done this before? ;)

    Anyway next step is to deal with Vundo. Follow the instructions below:
    • Double-click VundoFix.exe to run it. (It should be on your desktop)
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    If this goes OK we'll move on to installing, updating and running Ewido.
  • edited September 2006
    Yes, actually I have done this before, but it was for my work computer and I didn't use the same software, except for Ewido; I did use that. Anyway, we're still doing good. Here is the new HJT log...


    Logfile of HijackThis v1.99.1
    Scan saved at 4:44:53 PM, on 9/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    and vundofix...



    VundoFix V6.1.5

    Checking Java version...

    Sun Java not detected
    Scan started at 4:20:36 PM 9/16/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\urqom.dll
    C:\WINDOWS\system32\moqru.ini
    C:\WINDOWS\system32\moqru.bak1
    C:\WINDOWS\system32\moqru.bak2
    C:\WINDOWS\system32\moqru.ini2
    C:\WINDOWS\system32\ffvxkldl.exe
    C:\WINDOWS\system32\rtllwkxk.exe
    C:\WINDOWS\system32\rvmrooxe.exe

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\urqom.dll
    C:\WINDOWS\system32\urqom.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\moqru.ini
    C:\WINDOWS\system32\moqru.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.bak1
    C:\WINDOWS\system32\moqru.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.bak2
    C:\WINDOWS\system32\moqru.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.ini2
    C:\WINDOWS\system32\moqru.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ffvxkldl.exe
    C:\WINDOWS\system32\ffvxkldl.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rtllwkxk.exe
    C:\WINDOWS\system32\rtllwkxk.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rvmrooxe.exe
    C:\WINDOWS\system32\rvmrooxe.exe Has been deleted!

    Performing Repairs to the registry.
    Done!


    There was one file that could not be deleted, though.
    Thanks again!!!
  • skywalker45 (Bloomington, IN, USA)
    edited September 2006
    Yes I see the one file didn't go. Unfortunately it's the one we need gone. Oh, well. We'll worry about it later. There's a lot more going on here so I think it's time to whip out Ewido. You might want to print these instructions as you will not have access to the internet for part of this fix. Follow the instructions below:
    • Install Ewido Anti-Malware
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
    • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
    • The program will prompt you to update click the "OK" button
    • The program will now go to the main screen

      After installing you will need to update ewido to the latest definition files.

    • On the left hand side of the main screen click update
    • Click on Start

      The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

      Once the updates are installed do the following:


    • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
    • Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Then run ewido.
    • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    • Click on scanner
    • Click on Settings
      • Under "How to scan" all boxes should be selected
      • Under "Possibly unwanted software" all boxes should be selected
      • Under "What to scan" select scan every file
      • Click OK
    • Click on Complete system scan
    • Let the program scan the machine
    • If ewido finds anything, it will pop up a notification. Please check the box that says Perform Action with all Infections.
    • Click Save report
    • Save the report to your desktop
    • Exit ewido

    Post back with the log from Ewido and a fresh Hijack This log.
  • edited September 2006
    OK, here's the thing: I started my computer up in safe mode and ran Ewido. I saved a report before I deleted anything because I forgot, so I scanned anyway. Well, after the scan I hit "Apply all changes" at the bottom; it deleted some and then froze up for 30 min, and I had to shut the computer down. So then I ran another scan and did the same thing, and it still froze. It seemed like SurfSideKick was the one it got stuck on, but I don't know what to do. All I can post you is the one I saved, so it will show you what I found, and then I can post a new HJT log.

    HJT.....

    Logfile of HijackThis v1.99.1
    Scan saved at 8:41:24 PM, on 9/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRAM FILES\COMMON FILES\{642FD16C-05B7-1033-1109-010710030001}\UPDATE.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\PRODUCT ASSISTANT\BIN\HPRBUPDATE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



    ewido...


    ewido anti-spyware - Scan Report

    + Created at: 9:44:45 AM 9/17/2006

    + Scan result:



    C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe -> Adware.Agent : No action taken.
    C:\WINDOWS\thiselt.exe -> Adware.Agent : No action taken.
    C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : No action taken.
    C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : No action taken.
    C:\WINDOWS\cfg32r.dll -> Adware.BookedSpace : No action taken.
    C:\Program Files\Batty2\Batty2.dll -> Adware.CASClient : No action taken.
    C:\Program Files\Batty2\Batty2.exe -> Adware.CASClient : No action taken.
    C:\Program Files\CMFibula\CMFibula.exe -> Adware.CASClient : No action taken.
    C:\WINDOWS\system32\BattyRun2.dll -> Adware.CASClient : No action taken.
    C:\WINDOWS\em.ocx -> Adware.MediaMotor : No action taken.
    C:\Program Files\Cowabanga\Cowabanga.exe -> Adware.MediaTicket : No action taken.
    C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : No action taken.
    C:\Program Files\PSCloner\PSCloner.exe -> Adware.PurityScan : No action taken.
    C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : No action taken.
    C:\Program Files\Deskbar\deskbar.dll -> Adware.Softomate : No action taken.
    C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : No action taken.
    C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : No action taken.
    C:\Program Files\SurfSideKick 3\SskBho.dll -> Adware.SurfSide : No action taken.
    C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : No action taken.
    C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Adware.SurfSide : No action taken.
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : No action taken.
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : No action taken.
    [204] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    [252] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    [264] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    [420] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    [488] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    [544] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    [840] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
    C:\Program Files\InetGet2\eltadperf.exe -> Backdoor.Small : No action taken.
    C:\drsmartload45a45s.exe -> Downloader.Adload.ds : No action taken.
    C:\drsmartload46a46s.exe -> Downloader.Adload.ds : No action taken.
    C:\drsmartload849a849s.exe -> Downloader.Adload.ds : No action taken.
    C:\drsmartload.exe -> Downloader.Adload.fg : No action taken.
    C:\nwnmff_18.exe -> Downloader.Adload.fg : No action taken.
    C:\kybrdff_18.exe -> Downloader.Adload.fk : No action taken.
    C:\topaff.exe -> Downloader.Agent.aqx : No action taken.
    C:\WINDOWS\system32\aaa00000.dll -> Downloader.Agent.awb : No action taken.
    C:\WINDOWS\system32\nnv56631.dll -> Downloader.Agent.awb : No action taken.
    C:\WINDOWS\system32\crunner\cproc.exe -> Downloader.Agent.c : No action taken.
    C:\WINDOWS\srvvkyotlp.exe -> Downloader.Dyfuca.ey : No action taken.
    C:\814.exe -> Downloader.Dyfuca.fb : No action taken.
    C:\WINDOWS\system32\w0905163.dll -> Downloader.Small : No action taken.
    C:\WINDOWS\system32\w091db82.dll -> Downloader.Small : No action taken.
    C:\WINDOWS\system32\w09228a7.dll -> Downloader.Small : No action taken.
    C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : No action taken.
    C:\ac3_0003.exe -> Downloader.Small.cyh : No action taken.
    C:\Program Files\Common Files\kqfq\kqfqp.exe -> Downloader.TSUpdate.f : No action taken.
    C:\Program Files\Common Files\kqfq\kqfqa.exe -> Downloader.TSUpdate.l : No action taken.
    C:\Program Files\Common Files\kqfq\kqfqm.exe -> Downloader.TSUpdate.n : No action taken.
    C:\Program Files\Common Files\misc002\141.exe -> Downloader.TSUpdate.o : No action taken.
    C:\Program Files\Common Files\kqfq\kqfql.exe -> Downloader.TSUpdate.r : No action taken.
    C:\WINDOWS\system32\ldAEE6.tmp -> Downloader.Zlob.li : No action taken.
    C:\803_104.exe -> Dropper.Mudrop.bq : No action taken.
    C:\Program Files\Internet Explorer\mejehavet.html -> Hijacker.Small.jf : No action taken.
    C:\Program Files\Windows NT\polokix.html -> Hijacker.Small.jf : No action taken.
    C:\WINDOWS\system32\mssearchnet.exe -> Hijacker.SpyAxe : No action taken.
    C:\WINDOWS\system32\nvctrl.exe -> Hijacker.SpyAxe : No action taken.
    C:\WINDOWS\ulaaede.exe -> Hijacker.VB.ij : No action taken.
    C:\VundoFix Backups\ffvxkldl.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.i : No action taken.
    C:\VundoFix Backups\rvmrooxe.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.i : No action taken.
    C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
    C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : No action taken.
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\WINDOWS\system32\lich.exe -> Trojan.LowZones.dm : No action taken.
    C:\ntzl.exe -> Trojan.LowZones.dm : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.v : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.v : No action taken.
    C:\WINDOWS\system32\1024 -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld10CC.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld1874.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld1A59.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld1CD4.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld26F1.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld2F46.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld2FD7.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld31D5.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld355B.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld38C2.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld3AC.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld3C30.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld4C5D.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld4D10.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld4DF3.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld4EBC.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld4EE4.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld4EEC.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld50D1.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld56C3.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld5877.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld5AE3.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld5C6.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld5E7E.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld6B48.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld6BA7.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld6ECE.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld7696.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld76BF.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld7D07.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld7D87.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld8461.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld900D.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld906C.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld9876.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld9956.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ld9BC5.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldA3FD.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldAA12.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldC357.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldC4F7.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldCAF8.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldCCE8.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldCFB9.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldD0E6.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldD3FD.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldD51.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldDA30.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldEA8A.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldEA8F.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldF0D3.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldFBC7.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldFC34.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\1024\ldFF00.tmp -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\interf.tlb -> Trojan.Small : No action taken.
    C:\WINDOWS\system32\stickrep.dll -> Trojan.Small : No action taken.
    C:\WINDOWS\uninstDsk.exe -> Trojan.Small.ev : No action taken.
    C:\VundoFix Backups\rtllwkxk.exe.bad -> Trojan.Small.ju : No action taken.
    C:\WINDOWS\sys028085540416.exe -> Trojan.VB.tg : No action taken.
    C:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : No action taken.
    C:\WINDOWS\uninst104.exe -> Trojan.VB.tg : No action taken.
    C:\WINDOWS\system32\msvcrl.dll -> Worm.Locksky.ao : No action taken.


    ::Report end

    I don't know why it is freezing up, but let me know if anything can be done about this. Thank you.
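The report above is the kind of output worth summarising before acting on it: which families are present, how many detections were actually handled, and which entries are DLLs already mapped into running processes (the bracketed number at the start of a line is a process ID). That last group explains the failures seen in this thread. A DLL listed under AppInit_DLLs, as repairs303169590.dll is in the HijackThis log, is loaded into every process that loads user32.dll, and a Winlogon Notify DLL such as urqom.dll lives inside winlogon.exe; while those processes are running the file is locked and a scanner cannot delete it. The script below is an added example written for this page; it is not part of the original posts or of the ewido product, and SAMPLE_REPORT is constructed from the line format shown in the thread rather than being a real scan.

```python
"""Summarise an ewido-style scan report: families found, actions taken, and
which detections are DLLs already mapped into running processes (the
bracketed numbers at the start of a line are process IDs).

Added example for this thread, not part of the original posts or of the
ewido product. SAMPLE_REPORT is constructed from the line format shown in
the thread and is not a real scan."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""ewido anti-spyware - Scan Report

+ Created at: 9:44:45 AM 9/17/2006

+ Scan result:

C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : No action taken.
C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
[204] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
[252] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : No action taken.
C:\Program Files\InetGet2\eltadperf.exe -> Backdoor.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).

::Report end
"""

# One detection per line: optional "[pid] ", the object, " -> ", family, " : ", action.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<obj>.+?)\s+->\s+(?P<family>\S+)\s+:\s+(?P<action>.+?)\.?$"
)


def parse_report(text):
    """Return one dict per detection line; header and footer lines never match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("obj")
        entries.append({
            "object": obj,
            "kind": "registry" if obj.upper().startswith(("HKLM", "HKCU", "HKEY")) else "file",
            "family": m.group("family"),
            "action": m.group("action"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
        })
    return entries


def summarize(entries):
    """Counts by family and by action, plus the detections that are in memory."""
    loaded = defaultdict(list)            # file path -> PIDs it is mapped into
    for e in entries:
        if e["pid"] is not None:
            loaded[e["object"]].append(e["pid"])
    # On-disk/registry objects the scanner reported but did not touch.
    untreated = [e["object"] for e in entries
                 if e["pid"] is None and e["action"] == "No action taken"]
    return {
        "by_family": Counter(e["family"] for e in entries),
        "by_action": Counter(e["action"] for e in entries),
        "registry_keys": [e["object"] for e in entries if e["kind"] == "registry"],
        "loaded_in_processes": {path: sorted(pids) for path, pids in loaded.items()},
        "untreated": untreated,
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for family, n in s["by_family"].most_common():
        print("%-25s %d" % (family, n))
    for path, pids in s["loaded_in_processes"].items():
        print("still mapped into PIDs %s: %s" % (pids, path))
    print("untreated objects:", len(s["untreated"]))
```

Anything that shows up under `loaded_in_processes` is a candidate for the "could not be deleted" and freeze symptoms described in the thread: the fix is to remove the autorun hook that loads it (AppInit_DLLs, Winlogon Notify, the BHO registration) and reboot, or delete from safe mode where the hosting processes are not started, rather than retrying the delete in normal mode.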
  • skywalker45 (Bloomington, IN, USA)
    edited September 2006
    I knew this might be a tough one, but never give up. Also I should apologize because I gave you an older set of instructions for setting up Ewido. Please read the instructions at the end of this post to set up the new Ewido correctly. I can't say for sure what happened with Ewido but let's try a different approach. Before you do any of this please physically disconnect your PC from the internet. You will also need to use safe mode for part of this so please print these instructions:

    Click Start--->Run. In the run box type appwiz.cpl

    A window will open showing currently installed programs. Find the programs Surf Sidekick 3 and Toolbar888 in the list. If found, please click the Remove button. If you cannot find them, don't worry; just move on to the next step.

    We need to make sure you can view all hidden files and folders, explained below:

    • Click "Start".
    • Click "My Computer".
    • Select the "Tools" menu and click "Folder Options".
    • Select the "View" tab.
    • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Click "Yes" to confirm.
    • Uncheck the "Hide file extensions for known file types".
    • Click "OK".

    Next run a full scan with Ewido again using the options outlined below:
    • Open Ewido.
    • Select the Scanner icon at the top of the screen, then select the Settings tab.
    • Once in the Settings screen, click on Recommended actions and then select Quarantine.
    • Under Reports, select Automatically generate report after every scan.
    • Un-select Only if threats were found.
    • Close ewido anti-spyware and reboot your computer into safe mode.
    • Launch ewido anti-spyware by double-clicking the icon on your desktop.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
    • Select the Scanner icon at the top and then the Scan tab, then click on "Complete System Scan".
    • Ewido will now begin the scanning process; be patient, this may take a little time.
    • Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine; if not, click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
    • Click on Save Report, then Save Report As. This will create a text file. Make sure you know where to find this file again (like on the Desktop).
    • Close ewido & post that report in your next reply.

    Next use Windows Explorer to delete the following if found:

    C:\Program Files\SurfSideKick 3<---This folder.
    C:\Program Files\ToolBar888<---This folder.

    Reboot into normal mode and hook the internet connection up. Post the log from Ewido and a fresh Hijack This log in your next reply.
    If this does not work I have another idea in mind, but let's give this one a try.
    :)
  • edited September 2006
    Alright, this definitely worked; I was worried there for a second. Thanks!! Here is the new HJT and the Ewido.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:03:42 PM, on 9/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\gvflxlrm.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe





    ewido anti-spyware - Scan Report

    + Created at: 7:55:08 PM 9/19/2006

    + Scan result:



    C:\Program Files\Common Files\{642FD16C-05B7-1033-1109-010710030001}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\thiselt.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\WINDOWS\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\Program Files\Batty2\Batty2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\Program Files\Batty2\Batty2.exe -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\Program Files\CMFibula\CMFibula.exe -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\BattyRun2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
    C:\Program Files\Cowabanga\Cowabanga.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\Program Files\PSCloner\PSCloner.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\Program Files\Deskbar\deskbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\VundoFix Backups\ffvxkldl.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
    C:\VundoFix Backups\rvmrooxe.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
    C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
    C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


    ::Report end
  • skywalker45 Bloomington, IN. USA
    edited September 2006
    That's better. The following entry wasn't in your previous logs:

    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\gvflxlrm.dll

    I'm going to need to research that one. In the meantime could you please run the VundoFix file again and post that log along with a fresh Hijack This log.
  • skywalker45 Bloomington, IN. USA
    edited September 2006
    OK. Please disregard the above post for now. I believe we still have some infections from before that were not totally removed. I need you to do a couple of things. Please follow the instructions below:

    NOTE: Please physically disconnect your PC from the internet while following the below instructions. This means you will need to download the file I'm asking for below before continuing.

    I think there is still some active Qoologic infection going on so follow these instructions:


    Download FindQool from here. Save the file to your desktop.

    This is where you disconnect from the internet.

    Unzip the contents right to the root C:\ directory. You will now have a folder like the one below:

    C:\FindQool

    Open the folder and run the program qlocate.bat. When it is finished running it will generate a log. Save the log and post it here in your next reply.

    Next, I need you to run VundoFix again but follow the instructions below.
    • Double-click VundoFix.exe to run it.
    • Right Click inside the listbox (white box) and click Add more files?
    • Copy & Paste the 2 entries below into the top 2 boxes

      • C:\WINDOWS\System32\urqom.dll
      • C:\WINDOWS\system32\moqru.*

    • Click Add Files and click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on and reconnect your internet.


    Along with the qlocate log please post the contents of the Vundofix.txt log and a fresh Hijack This log.
  • edited September 2006
    OK, sorry it's taking so long. There was a problem with VundoFix. I couldn't find the file moqru.*; I found like six moqru's, but none of them had a star after the dot. However, I found urqom.dll and copied it, and VundoFix wouldn't let me paste it in there, so all I have for you is the FindQool log and the new HijackThis log.

    HJT....

    Logfile of HijackThis v1.99.1
    Scan saved at 1:23:37 AM, on 9/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\gvflxlrm.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    FindQool...


    Wed 09/20/2006
    Running from: C:\FindQool
    PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

    Known file names

    MD5 Check....

    Files found with locate com.
    Re-check using dir /a:-d
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    ...


    ...
    Runs, Listed here as a Doublecheck for the locate com results
    HKLM
    "yecmtj"="C:\\WINDOWS\\system32\\ynxutl.exe reg_run"
    HKCU
    ...

    Files In Winlogon shell and userinit
    Listed here as a Doublecheck for the locate com results
    shell REG_SZ explorer.exe
    userinit REG_SZ C:\WINDOWS\system32\Userinit.exe,
    ...
    SWReg utility
    Written by Bobbi Flekman © 2005
    Findqool edited 17/05/2006
  • skywalker45 Bloomington, IN. USA
    edited September 2006
    Hi. Don't worry about it taking so long. We have plenty of time. You won't find a file with the name moqru.*. The * is a wildcard character and is used to denote any file named moqru with any extension (e.g. .bak, .exe, .dll). Please try this again (using VundoFix) and just copy and paste the paths from the previous posts. The program will do the rest. Once you have done that, I would like you to boot the PC into safe mode and use Windows Explorer to search for and delete the following:

    C:\WINDOWS\system32\ynxutl.exe<----This file.

    Please use the Windows search feature to look for the following file:

    msiexec.exe

    Note: Please post back with the full path to all locations you find this file.

    Reboot the PC into normal mode once more and run Hijack This again. Put a check (tick) next to the following entries (do not be concerned if some don't exist):

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\gvflxlrm.dll

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
    O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb

    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


    Close all other browsers/windows and click Fix Checked. Close Hijack This.

    Reboot the PC one more time, then post the contents of the VundoFix log and a fresh Hijack This log.
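    As an added example (my own code, not something from this thread, from HijackThis or from VundoFix), the Python script below automates the entry selection that skywalker45 makes by hand in the post above and in the earlier VundoFix instructions, and shows what the moqru.* wildcard resolves to. The sample log lines are copied from the logs posted in this thread and the VundoFix file list is the one posted later in the thread; the allowlist, the random-name heuristic and the rules themselves (orphaned entries, O15 Trusted Zone additions, O20 Winlogon Notify DLLs outside the allowlist, O4 autoruns launched from a user profile, and one DLL registered both as a BHO and as a Winlogon Notify handler) are my assumptions about what an analyst would tick, not rules taken from either tool.

```python
"""Triage of a HijackThis v1.99 log, automating the entry selection made by hand above."""
import re
from fnmatch import fnmatch

# Constructed sample: the lines are copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\gvflxlrm.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [yecmtj] C:\WINDOWS\system32\ynxutl.exe reg_run
O4 - HKCU\..\Run: [Beel] "C:\DOCUME~1\J-MO\APPLIC~1\FNTS~1\msiexec.exe" -vt yazb
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# File names listed by VundoFix later in this thread (constructed list for the wildcard demo).
VUNDOFIX_LISTING = ["urqom.dll", "moqru.ini", "moqru.bak1", "moqru.bak2", "moqru.ini2", "moqru.tmp"]

# Assumption: a small allowlist of binaries the analyst has already vetted.
ALLOWLIST = {"nvcpl.dll", "wgalogon.dll", "yt.dll"}


def expand_wildcard(pattern, names):
    """Resolve an entry such as moqru.* the way VundoFix does: any extension matches."""
    return [n for n in names if fnmatch(n.lower(), pattern.lower())]


def looks_random(stem):
    """Heuristic: 5-8 lowercase letters with at most one vowel (gvflxlrm, qisglphg, ynxutl)."""
    stem = stem.lower()
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) <= 1


def o4_target(cmd):
    """Pull the executable out of an O4 Run command, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"[A-Za-z]:\\.+?\.(?:exe|dll)", cmd, re.I)
    return m.group(0) if m else cmd.split()[0]


def triage(log_text):
    """Return {log line: [reasons]} for every entry an analyst would tick in HijackThis."""
    findings = {}
    bho_paths, notify_paths = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"([RFO]\d+) - (.*)", line)
        if not m:
            continue
        kind, rest = m.groups()
        reasons = []
        if "(file missing)" in rest or "(no file)" in rest:
            reasons.append("orphaned hook: registry entry survives but its file is gone")
        if kind == "O15":
            reasons.append("Trusted Zone addition: IE relaxes its security zone for this site")
        if kind == "O23" and "Unknown owner" in rest:
            reasons.append("service without a publisher")
        if kind == "O2" and "(no name)" in rest:
            reasons.append("BHO registered without a name")
        target = None
        if kind == "O4":
            cmd = re.search(r"\] (.*)", rest)
            target = o4_target(cmd.group(1)) if cmd else None
        elif kind in ("O2", "O3", "O20", "O23"):
            target = rest.split(" - ")[-1].replace("(file missing)", "").strip()
        if target and re.match(r"[A-Za-z]:\\", target):
            low = target.lower()
            name = low.rsplit("\\", 1)[-1]
            if name not in ALLOWLIST:
                if kind == "O2" and "\\system32\\" in low:
                    reasons.append("BHO loaded straight from System32, not from its own install directory")
                if kind == "O20":
                    reasons.append("Winlogon Notify DLL not on the allowlist: runs at every logon")
                if kind == "O4" and ("docume~1" in low or "documents and settings" in low):
                    reasons.append("autorun launched from a user profile directory")
                if looks_random(name.rsplit(".", 1)[0]):
                    reasons.append("random-looking file name " + name)
            if kind == "O2":
                bho_paths[low] = line
            elif kind == "O20":
                notify_paths[low] = line
        for r in reasons:
            findings.setdefault(line, []).append(r)
    # The Vundo pattern: one DLL registered both as a BHO and as a Winlogon Notify handler.
    for path in bho_paths.keys() & notify_paths.keys():
        findings.setdefault(bho_paths[path], []).append(
            "same DLL is also a Winlogon Notify handler (Vundo-style pairing): " + path)
    return findings


if __name__ == "__main__":
    print("moqru.* ->", expand_wildcard("moqru.*", VUNDOFIX_LISTING))
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    -", r)
```

    Run as-is it flags ten of the fourteen sample lines, the same malicious ones ticked in the post above, while NvCpl, WgaLogon and the NVIDIA service pass clean; the Yahoo toolbar helper, which the post also removes, is left alone here only because it sits on the allowlist. That allowlist is the weak point of any such script: a heuristic like looks_random cannot tell nvcpl.dll from a dropper name, so vetted binaries have to be listed explicitly, and the cross-reference between O2 and O20 is the one rule here that needs no prior knowledge of the file name.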
  • edited October 2006
    OK, sorry again for taking so long. Problems again with VundoFix. When I find the files in Windows Explorer I right-click and copy them, but when I go to paste them into VundoFix it won't let me. When I right-click to paste, it shows all of it, like Edit and Copy and Paste, but it's all shaded back, meaning I can't click it. I also couldn't find the file C:\WINDOWS\system32\ynxutl.exe in safe mode. I found the msiexec.exe file and they are located in

    C:\WINDOWS\prefetch\msiexec.exe

    C:\WINDOWS\system32\msiexec.exe

    C:\WINDOWS\servicepackfiles\i386\msiexec.exe

    so that worked. OK, and I also did the HijackThis instructions, but it wouldn't delete a few of them, so here is the new HijackThis log. I'm sorry this computer sucks as much as it does. Thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:27:11 PM, on 10/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\qisglphg.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Don't worry about all the problems. Sometimes when these infections are bundled they can be quite difficult to remove. I would like you to try to run VundoFix again but just run it normally, don't try to copy and paste the files like I asked you before. Post back with another VundoFix log and a fresh Hijack This log.
  • edited October 2006
    OK, here's the VundoFix log...

    VundoFix V6.1.5

    Checking Java version...

    Sun Java not detected
    Scan started at 3:27:09 PM 10/15/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\urqom.dll
    C:\WINDOWS\system32\moqru.ini
    C:\WINDOWS\system32\moqru.bak1
    C:\WINDOWS\system32\moqru.bak2
    C:\WINDOWS\system32\moqru.ini2
    C:\WINDOWS\system32\moqru.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\urqom.dll
    C:\WINDOWS\system32\urqom.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.ini
    C:\WINDOWS\system32\moqru.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.bak1
    C:\WINDOWS\system32\moqru.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.bak2
    C:\WINDOWS\system32\moqru.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\moqru.ini2
    C:\WINDOWS\system32\moqru.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!


    and the HijackThis log...

    Logfile of HijackThis v1.99.1
    Scan saved at 3:56:06 PM, on 10/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\qisglphg.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Much better now! Now run Hijack This again and put a check (tick) next to the following entries:


    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\qisglphg.dll
    O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\urqom.dll (file missing)


    Close all other browsers/windows and click Fix Checked. Close Hijack This.

    Reboot the PC into safe mode like we did for the Ewido Scan.

    Use Windows Explorer to delete the following (don't worry if it doesn't exist):

    C:\WINDOWS\system32\qisglphg.dll<---This file.

    Reboot into normal mode and post a fresh Hijack This log. By the way how is the PC running now?
  • edited October 2006
    OK, both of the files in HijackThis deleted just fine, but I couldn't find that file in safe mode, so here is the new HJT log...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:05:10 PM, on 10/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
    C:\WINDOWS\SYSTEM32\WGATRAY.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\J-MO\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    Also, my computer is better, but my internet has been running real slow for about 2 weeks, and I'm not sure if it is my provider (Charter) or my computer slowing this down. I used Ad-Aware today and it seemed to make it a tiny bit faster, but it runs slower than dial-up sometimes. And I've tried renewing my IP address, but that doesn't really help either. If you have any suggestions I would appreciate it. Thanks.
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Yes, the log looks good now. As far as internet connection speed is concerned, it is probably due to congestion and your provider. I have experienced similar things over the past couple of weeks. As long as you're not having pop-ups and redirects, then I'm happy, if you are? You should contact your internet provider about the speed; also you could try to run a full scan with Ad-Aware again in safe mode, and maybe also Spybot, then post back and let me know if that helps.
  • edited October 2006
    I can't even begin to thank you enough. I hate these *******s that put spyware out there. Anyway, I appreciate it and I will definitely do the scans in safe mode and then post back and let you know. The computer is definitely better!!!