
CABELA~1.exe

Discussion in 'Malware and Virus Removal Archive' started by Encorepilot, 2007/08/26.

  1. 2007/08/26
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    Hello,

    I am having problems with my computer (kids were playing games). It started with pop-up ads. Then it was BS 2.0 (Brave Sentry). I downloaded CCleaner, Spybot, smitfraudfix, smitrem, and ewido (the icon calls it avgas?). Anyhow, I ran the programs in Safe Mode and it appears that I got rid of Brave Sentry. But when I start my computer I get a window "Open File Security Warning" CABELA~1.exe followed by a window "Windows Installer" "Preparing to Install", then another window "PhotoGallery". I tried to open the computer again in Safe Mode, but all I get is a black screen with Safe Mode at top and bottom, but nothing else, no icons or start menu. Also, I cannot open Firewall under Control Panel.

    I appreciate any help I can get,

    Thanks,

    Encorepilot
     
  2. 2007/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Encorepilot :)

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.

    If you have HijackThis, it will use it to create a HijackThis log. If you do not, it will automatically download and install HijackThis. Please keep your internet connection active and allow access through your firewall if applicable.

    I would also like to see the logs from SmitfraudFix, smitRem and AVGAS.
     


  4. 2007/08/26
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    Well, I just turned the computer on to follow your instructions and when I selected Internet Explorer (after about a 5 min. delay) I get a blue screen with white font that states:

    "A problem has been detected and windows has been shut down to prevent damage to your computer.

    If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

    Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

    Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

    Technical information:

    Stop: 0x0000008E (0xc0000005, 0xFF73DE94, 0xEF7DDB74, 0x0000000)

    Beginning dump of physical memory
    Physical memory dump complete.
    Contact your system administrator or technical support group for further assistance.
     
  5. 2007/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Have you got a way to transfer the required files between computers?
     
  6. 2007/08/26
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    I have a laptop sitting next to the sick machine, and I also have a 2.0 GB Flash Drive (that I have never used before). All I lack is expertise.

    Thanks,

    encorepilot
     
  7. 2007/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download HijackThis from the following link and save it to the flash drive (it will appear in My Computer when inserted).
    http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

    Download Deckard's System Scanner from the link I posted above and save it to the flash drive.

    Fire up the other machine and insert the flash drive, then copy/paste the two files from the flash drive to the desktop. Double click the HijackThis setup file on the desktop to install it. No need to run a scan at this time, so just close HijackThis if it opens.

    Now double-click the dss.exe file on the desktop to run it. When it's complete, it will open two files, one of which is minimized. Close them both. Navigate to C:\Deckard\System Scanner\foldername-concurrent-with-date-and-time and copy the main.txt file to the flash drive.

    Move the flash drive to your laptop and open main.txt, then copy its contents and paste it here in a reply.
     
  8. 2007/08/27
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    I have followed your instructions, Deckard's System Scanner is running. It is going very slowly. CPU is at 99-100%. At this rate it may take a bit before the log is generated. Do you know a way to increase the speed?

    Thanks,

    Encorepilot
     
  9. 2007/08/27
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    The Deckard's System Scanner stopped. The scanner window is still open, but is blank. I opened Windows Task Manager and chose the Processes tab. Image name "qttask.exe" is using 99% CPU. I selected it and clicked End Process, but nothing happened.

    Thanks,

    encorepilot
     
  10. 2007/08/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Go ahead and close Deckard's for now. Run a scan with HijackThis and save the log, then post it here.
     
  11. 2007/08/27
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    Please disregard the first part of my last post. The scanner was still running. Here are the results... I really appreciate your advice.

    Thanks,

    encorepilot


    Deckard's System Scanner v20070826.66
    Run by Shawna Colyer on 2007-08-27 14:43:33
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    69: 2007-08-27 19:49:12 UTC - RP562 - Deckard's System Scanner Restore Point
    68: 2007-08-26 14:00:41 UTC - RP561 - System Checkpoint
    67: 2007-08-25 13:37:46 UTC - RP560 - System Checkpoint
    66: 2007-08-24 10:51:05 UTC - RP559 - System Checkpoint
    65: 2007-08-15 21:28:58 UTC - RP558 - Removed MyWay Search Assistant


    -- First Restore Point --
    1: 2007-06-03 13:51:24 UTC - RP494 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 254 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-08-27 15:07:07
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\TEMP\winE.tmp.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\WinPop\winpop.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
    C:\Documents and Settings\Shawna Colyer\Desktop\dss.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\tuvtspm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\ebuevncg.dll
    O2 - BHO: (no name) - {EE999EA0-A76D-446D-998C-ECCFF1325DE1} - C:\WINDOWS\system32\awvtq.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKEY_LOCAL_MACHINE\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\knummblf.dll ",forkonce
    O4 - HKEY_LOCAL_MACHINE\..\Run: [avp] C:\WINDOWS\TEMP\winE.tmp.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [smgr] mgrs.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Run: [CabelasGrandSlamHunting2.exe] C:\DOWNLO~1\CABELA~1.EXE /r
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
    O9 - Extra 'Tools' menuitem: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
    O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: https://turbotax.com (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) - http://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} () - http://a.download.toontown.com/sv1.0.28.9/ttinst.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll
    O20 - Winlogon Notify: tuvtspm - C:\WINDOWS\system32\tuvtspm.dll
    O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\system32\winfvj32.dll
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 core - c:\windows\system32\drivers\core.sys
    R1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys <Not Verified; NT Kernel Resources; NDIS packet redirector driver>
    R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

    S3 SQTECH905C (DDC9000-P) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
    S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 Net Agent - c:\windows\dls0523pmw.exe (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2007-07-27 and 2007-08-27 -----------------------------

    2007-08-26 21:54:23 0 d-------- C:\Documents and Settings\Shawna Colyer\Application Data\Grisoft
    2007-08-26 21:51:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-08-26 20:37:26 11776 --a------ C:\WINDOWS\mgrs.exe
    2007-08-26 20:05:07 0 d-------- C:\Documents and Settings\Shawna Colyer\Application Data\?ppPatch
    2007-08-26 20:04:33 0 --a------ C:\Documents and Settings\Shawna Colyer\Application Data\Install.dat
    2007-08-26 20:04:27 0 d-------- C:\Program Files\gpszuvsp
    2007-08-26 20:04:04 43542 --a------ C:\WINDOWS\system32\gebcbxw.dll
    2007-08-26 19:55:17 94208 --a------ C:\WINDOWS\system32\MailSpectre.exe
    2007-08-26 19:55:17 18176 --a------ C:\WINDOWS\system32\drivers\smtpdrv.sys <Not Verified; NT Kernel Resources; NDIS packet redirector driver>
    2007-08-26 08:32:06 125504 --a------ C:\WINDOWS\system32\knummblf.dll
    2007-08-25 11:00:16 125504 --a------ C:\WINDOWS\system32\mwwwvlgf.dll
    2007-08-24 13:40:15 125504 --a------ C:\WINDOWS\system32\atqdbxoq.dll
    2007-08-24 07:17:36 0 dr-h----- C:\Documents and Settings\Shawna Colyer\Recent
    2007-08-23 22:49:02 0 d-------- C:\Program Files\CCleaner
    2007-08-23 22:14:32 6543 ---hs---- C:\WINDOWS\system32\qtvwa.ini2
    2007-08-23 20:43:20 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-08-23 20:43:20 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-08-23 20:43:19 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-08-23 20:28:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-08-23 20:06:46 3340 --a------ C:\WINDOWS\system32\tmp.reg
    2007-08-23 19:54:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
    2007-08-23 19:54:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2007-08-23 19:54:52 0 dr------- C:\Documents and Settings\Administrator\Favorites
    2007-08-23 19:54:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2007-08-23 19:54:52 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2007-08-23 19:54:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2007-08-23 19:54:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-08-23 19:54:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2007-08-23 19:54:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2007-08-23 19:54:51 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2007-08-23 19:54:51 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2007-08-23 19:54:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2007-08-23 19:54:51 0 dr-h----- C:\Documents and Settings\Administrator\Recent
    2007-08-23 19:54:51 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2007-08-23 19:54:51 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2007-08-23 19:54:51 0 dr------- C:\Documents and Settings\Administrator\My Documents
    2007-08-23 19:54:51 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2007-08-23 19:54:49 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2007-08-23 19:21:34 125504 --a------ C:\WINDOWS\system32\ihdudvlv.dll
    2007-08-16 13:19:02 69184 --a------ C:\WINDOWS\system32\ebuevncg.dll
    2007-08-16 13:17:56 0 d-------- C:\Program Files\Ultimate Cleaner
    2007-08-16 13:14:10 10240 --a------ C:\WINDOWS\system32\hlpsrv.exe <Not Verified; NoName Corp.; NNC module>
    2007-08-16 13:13:22 1600223 ---hs---- C:\WINDOWS\system32\qtvwa.bak2
    2007-08-15 16:43:43 1600801 ---hs---- C:\WINDOWS\system32\qtvwa.bak1
    2007-08-15 16:43:30 43542 --a------ C:\WINDOWS\system32\qomkjhg.dll
    2007-08-15 16:43:15 243296 --a------ C:\WINDOWS\system32\awvtq.dll
    2007-08-15 16:43:14 932 --a------ C:\WINDOWS\system32\winpfz32.sys
    2007-08-15 16:42:37 169984 --a------ C:\WINDOWS\system32\hyzfqun.dll
    2007-08-15 16:36:20 26171 --a------ C:\WINDOWS\system32\ddcdaxv.dll
    2007-08-15 16:36:17 30770 --a------ C:\WINDOWS\system32\is67718.exe
    2007-08-15 16:36:03 8782 --a------ C:\WINDOWS\system32\waverevenue.exe
    2007-08-15 16:35:55 86056 --a------ C:\WINDOWS\system32\install.exe
    2007-08-15 16:35:49 4040 --a------ C:\WINDOWS\system32\skna455101.exe
    2007-08-15 16:35:40 4040 --a------ C:\WINDOWS\system32\Setup155.exe
    2007-08-15 16:35:01 0 d-------- C:\Documents and Settings\LocalService\Start Menu
    2007-08-15 16:34:44 43542 --a------ C:\WINDOWS\system32\tuvtspm.dll
    2007-08-15 16:34:39 0 d-------- C:\WINDOWS\system32\tmps9
    2007-08-15 16:34:38 0 d-------- C:\WINDOWS\system32\V1
    2007-08-15 16:34:37 0 d-------- C:\WINDOWS\system32\chkconfig
    2007-08-15 16:34:36 0 d-------- C:\WINDOWS\system32\H1
    2007-08-15 16:34:36 30208 --a------ C:\WINDOWS\csrss.exe <Not Verified; TSoft; csrss>
    2007-08-15 16:34:30 57348 --a------ C:\WINDOWS\system32\dwdsrngt.exe <Not Verified; ; Browser Driver>
    2007-08-15 16:34:12 0 d-------- C:\WINDOWS\system32\f06WtR
    2007-08-15 16:34:11 0 d-------- C:\Temp
    2007-08-15 16:34:07 9769 --a------ C:\WINDOWS\xpyia0578.exe
    2007-08-15 15:31:20 34816 --a------ C:\WINDOWS\rau001978.exe
    2007-08-15 15:31:16 224283 --a------ C:\WINDOWS\Setup167.exe
    2007-08-13 11:51:06 146432 ---hs---- C:\Program Files\Common Files\Yazzle1022OinAdmin.exe
    2007-08-09 19:59:17 0 d-------- C:\Program Files\WinPop
    2007-08-07 15:30:01 163840 --a------ C:\Program Files\TTX.exe
    2007-08-05 18:56:25 0 d-------- C:\Downloads
    2007-08-01 16:43:30 0 d-------- C:\WINDOWS\.jagex_cache_32


    -- Find3M Report ---------------------------------------------------------------

    2007-08-26 20:05:08 0 d-------- C:\Documents and Settings\Shawna Colyer\Application Data\?ppPatch
    2007-08-26 20:04:31 0 d-------- C:\Program Files\Common Files
    2007-08-16 14:22:51 0 d-------- C:\Program Files\NHJ Photo Manager
    2007-08-15 16:28:40 0 d-------- C:\Program Files\MUSICMATCH
    2007-08-10 11:18:40 23446 --a------ C:\Documents and Settings\Shawna Colyer\Application Data\wklnhst.dat
    2007-07-29 17:53:48 39424 -ra------ C:\WINDOWS\retadpu72.exe
    2007-07-25 03:41:18 446976 --a------ C:\WINDOWS\b135.exe
    2007-07-24 09:07:14 441 --a------ C:\WINDOWS\PowerReg.dat
    2007-07-19 13:09:16 53248 --a------ C:\WINDOWS\uni_eh45.exe <Not Verified; ; uni_eh45.exe>
    2007-07-19 13:05:42 53248 --a------ C:\WINDOWS\uninst1017.exe <Not Verified; ; uninst1017>
    2007-06-05 07:51:40 123544 --a------ C:\WINDOWS\b136.exe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown



    -- End of Deckard's System Scanner: finished at 2007-08-27 17:19:53 ------------
     
  12. 2007/08/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! :)

    Hang in there ....... have to run an errand and will be back in a bit. ;)
     
  13. 2007/08/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    What I'd like to do is see if we can get things whacked down good enough that you can get online with that machine long enough to download some other tools, which will make it much easier for you.

    Download VundoFix by Atribune, then transfer it to the desktop of the infected machine. Don't run it yet.

    Scan again with HijackThis and place a check next to the following entries, then click Fix Checked.

    O4 - HKEY_LOCAL_MACHINE\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKEY_LOCAL_MACHINE\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\knummblf.dll ",forkonce
    O4 - HKEY_LOCAL_MACHINE\..\Run: [avp] C:\WINDOWS\TEMP\winE.tmp.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [smgr] mgrs.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Run: [CabelasGrandSlamHunting2.exe] C:\DOWNLO~1\CABELA~1.EXE /r
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

    Close HijackThis.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files; click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • See if it will now stay online and post the contents of C:\vundofix.txt and a new HiJackThis log to this topic.
    Note: It is possible that VundoFix encounters a file it cannot remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
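The entries picked out for "Fix Checked" above share a few traits that a helper scans for by eye: programs launching from a Temp directory, a bare file name with no directory, an executable dropped straight into C:\WINDOWS, an 8.3 short name, Winlogon Notify / AppInit_DLLs hooks, orphaned entries marked "(no file)" or "(file missing)", and a service with no vendor. The script below is an added reading aid that is not part of the original post and not part of HijackThis, Deckard's System Scanner or VundoFix; the heuristics and their reason strings are this example's own assumptions, and the sample lines are constructed from entries visible in the logs posted in this thread. It only flags lines for human review and removes nothing.

```python
"""Heuristic triage of HijackThis-style startup entries (O2/O4/O20/O21/O23).

A reading aid, not a verdict: every hit still needs a human look, and a
clean line is not proof of anything. Heuristics are this example's own.
"""
import re
from typing import Dict, List

# Constructed sample built from entries that appear in the logs above,
# with three benign lines mixed in so the heuristics have both kinds.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5181087E-F844-4636-9E60-3162563D86C5} - C:\WINDOWS\system32\awvtq.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\winE.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [CabelasGrandSlamHunting2.exe] C:\DOWNLO~1\CABELA~1.EXE /r
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: tuvtspm - C:\WINDOWS\system32\tuvtspm.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
SHORT_NAME = re.compile(r"~\d")                     # 8.3 names such as CABELA~1.EXE
PATH_WITH_EXT = re.compile(r"(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)


def command_path(command: str) -> str:
    """Extract the program path from an O4 command line, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = PATH_WITH_EXT.match(command)   # unquoted paths may contain spaces
    return match.group(1) if match else command.split(" ", 1)[0]


def _o4_parts(line: str):
    """Split 'O4 - <hive>: [<name>] <command>' into (hive, command)."""
    hive, _, body = line[len("O4 - "):].partition(": ")
    if body.startswith("[") and "] " in body:
        body = body.split("] ", 1)[1]
    elif " = " in body:                    # startup-folder items: '<shortcut>.lnk = <target>'
        body = body.split(" = ", 1)[1]
    return hive, body


def triage_line(line: str) -> List[str]:
    """Return the reasons this entry deserves a closer look (empty list if none)."""
    reasons: List[str] = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("target missing: orphaned entry")
    if line.startswith("O4 - "):
        hive, command = _o4_parts(line)
        path = command_path(command)
        if TEMP_DIR.search(path):
            reasons.append("runs from a Temp directory")
        if "Run" in hive and "\\" not in path:
            reasons.append("bare file name, no directory given")
        if WINDIR_ROOT_EXE.match(path):
            reasons.append("executable directly in the Windows directory")
        if SHORT_NAME.search(path):
            reasons.append("8.3 short name hides the real file name")
    elif line.startswith("O20 - "):
        reasons.append("AppInit_DLLs / Winlogon Notify: DLL loaded into many processes")
    elif line.startswith("O23 - ") and "Unknown owner" in line:
        reasons.append("service with no vendor name")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; lines with no hits are omitted."""
    result: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            result[line] = reasons
    return result


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run it against a saved HijackThis log by passing the file contents to `triage()`. Ten of the thirteen sample lines come back flagged; the SoundMAX, QuickTime and HP lines do not, which matches the split the helper made above.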
     
  14. 2007/08/27
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    I was able to do the scans in safe mode. While in safe mode I clicked on Control Panel, Add/Remove Programs and found a program called Outerinfo. I did not try to remove it. Again, I really appreciate you taking your valuable time to analyze my logfiles.

    encorepilot

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:01:34 PM, on 8/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5181087E-F844-4636-9E60-3162563D86C5} - C:\WINDOWS\system32\awvtq.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\tuvtspm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\winE.tmp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.toontown.com/sv1.0.28.9/ttinst.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: tuvtspm - C:\WINDOWS\SYSTEM32\tuvtspm.dll
    O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 5328 bytes

    VundoFix V6.5.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 8:35:19 PM 8/27/2007

    Listing files found while scanning....


    VundoFix V6.5.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 9:23:44 PM 8/27/2007

    Listing files found while scanning....

    C:\windows\system32\atqdbxoq.dll
    C:\WINDOWS\system32\awvtq.dll
    C:\windows\system32\btfgqfln.ini
    C:\windows\system32\ddcdaxv.dll
    C:\WINDOWS\system32\ebuevncg.dll
    C:\windows\system32\fglvwwwm.ini
    C:\windows\system32\ihdudvlv.dll
    C:\windows\system32\mwwwvlgf.dll
    C:\windows\system32\nlfqgftb.dll
    C:\windows\system32\qoxbdqta.ini
    C:\WINDOWS\system32\qtvwa.bak1
    C:\WINDOWS\system32\qtvwa.bak2
    C:\WINDOWS\system32\qtvwa.ini
    C:\WINDOWS\system32\qtvwa.ini2
    C:\WINDOWS\system32\qtvwa.tmp
    C:\windows\system32\vlvdudhi.ini

    Beginning removal...

    Attempting to delete C:\windows\system32\atqdbxoq.dll
    C:\windows\system32\atqdbxoq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\awvtq.dll
    C:\WINDOWS\system32\awvtq.dll Could not be deleted.

    Attempting to delete C:\windows\system32\btfgqfln.ini
    C:\windows\system32\btfgqfln.ini Has been deleted!

    Attempting to delete C:\windows\system32\ddcdaxv.dll
    C:\windows\system32\ddcdaxv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ebuevncg.dll
    C:\WINDOWS\system32\ebuevncg.dll Has been deleted!

    Attempting to delete C:\windows\system32\fglvwwwm.ini
    C:\windows\system32\fglvwwwm.ini Has been deleted!

    Attempting to delete C:\windows\system32\ihdudvlv.dll
    C:\windows\system32\ihdudvlv.dll Has been deleted!

    Attempting to delete C:\windows\system32\mwwwvlgf.dll
    C:\windows\system32\mwwwvlgf.dll Has been deleted!

    Attempting to delete C:\windows\system32\nlfqgftb.dll
    C:\windows\system32\nlfqgftb.dll Has been deleted!

    Attempting to delete C:\windows\system32\qoxbdqta.ini
    C:\windows\system32\qoxbdqta.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qtvwa.bak1
    C:\WINDOWS\system32\qtvwa.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qtvwa.bak2
    C:\WINDOWS\system32\qtvwa.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qtvwa.ini
    C:\WINDOWS\system32\qtvwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qtvwa.ini2
    C:\WINDOWS\system32\qtvwa.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qtvwa.tmp
    C:\WINDOWS\system32\qtvwa.tmp Has been deleted!

    Attempting to delete C:\windows\system32\vlvdudhi.ini
    C:\windows\system32\vlvdudhi.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 9:36:17 PM 8/27/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\awvtq.dll
    C:\WINDOWS\system32\qtvwa.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awvtq.dll
    C:\WINDOWS\system32\awvtq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qtvwa.ini
    C:\WINDOWS\system32\qtvwa.ini Has been deleted!

    Performing Repairs to the registry.
    Done!
     
  15. 2007/08/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Quite a list to do. Please do everything as instructed, and in the order given.

    In normal mode, go to Add/Remove Programs, look for any of these and uninstall them:

    Cowabanga
    MediaTickets
    Oin
    Outerinfo
    Purityscan by Oin
    Snowballwars by Oin
    Tizzletalk
    Yazzle by Oin
    Zolero
    or anything similar with Oin or Outerinfo in it
    C:\Program Files\WinPop
    C:\Program Files\TTX.exe
    C:\Program Files\Ultimate Cleaner



    Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed

    Don't allow any reboots if prompted!

    Download ATF Cleaner by Atribune and save it to the Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot into safe mode.


    Scan again with HijackThis and place a check next to the following entries, close all other programs and windows, then click Fix Checked.

    O2 - BHO: (no name) - {5181087E-F844-4636-9E60-3162563D86C5} - C:\WINDOWS\system32\awvtq.dll (file missing)
    O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\tuvtspm.dll
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\winE.tmp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: tuvtspm - C:\WINDOWS\SYSTEM32\tuvtspm.dll
    O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll

    Close HijackThis.

    Delete the following folders if present. Let me know if you're unable to delete any of them.

    C:\Program Files\gpszuvsp
    C:\Program Files\Ultimate Cleaner
    C:\Program Files\WinPop
    C:\WINDOWS\system32\chkconfig
    C:\WINDOWS\system32\f06WtR
    C:\WINDOWS\system32\H1
    C:\WINDOWS\system32\tmps9
    C:\WINDOWS\system32\V1


    Download the Killbox from here and save it to the desktop.
    Copy the bolded list below by highlighting and pressing Ctrl+C (you may need to save the list to a text file, then transfer it to the PC, open and copy the list)


    C:\WINDOWS\csrss.exe
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\PowerReg.dat
    C:\WINDOWS\rau001978.exe
    C:\WINDOWS\retadpu72.exe
    C:\WINDOWS\Setup167.exe
    C:\WINDOWS\system32\drivers\smtpdrv.sys
    C:\WINDOWS\system32\dwdsrngt.exe
    C:\WINDOWS\system32\gebcbxw.dll
    C:\WINDOWS\system32\hlpsrv.exe
    C:\WINDOWS\system32\hyzfqun.dll
    C:\WINDOWS\system32\install.exe
    C:\WINDOWS\system32\is67718.exe
    C:\WINDOWS\system32\knummblf.dll
    C:\WINDOWS\system32\ldcore.dll
    C:\WINDOWS\system32\MailSpectre.exe
    C:\WINDOWS\system32\qomkjhg.dll
    C:\WINDOWS\system32\Setup155.exe
    C:\WINDOWS\system32\skna455101.exe
    C:\WINDOWS\system32\tuvtspm.dll
    C:\WINDOWS\system32\waverevenue.exe
    C:\WINDOWS\SYSTEM32\winfvj32.dll
    C:\WINDOWS\system32\winpfz32.sys
    C:\WINDOWS\uni_eh45.exe
    C:\WINDOWS\uninst1017.exe
    C:\WINDOWS\xpyia0578.exe
    C:\Program Files\Common Files\Yazzle1022OinAdmin.exe
    C:\Program Files\TTX.exe
    C:\WINDOWS\.jagex_cache_32
    C:\WINDOWS\b135.exe
    C:\WINDOWS\b136.exe


    Double-click the KillBox icon on the desktop to open it
    Select the box Delete on Reboot
    Then click the All Files button.
    Click File and choose Paste from Clipboard.
    Click the red x [Delete File] button.
    Click Yes at the Delete on Reboot prompt. Click Yes at the Pending Operations prompt.

    If the computer does not reboot on its own, restart it yourself. You should be able to boot normally, and get online. If so:

    • Start AVG Anti-Spyware then click the Update tab at the top. Under Manual Update click Start update.
    • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top.
    • Click the "Settings" tab and change the recommended action to Quarantine.
    • Click Automatically generate report after every scan.
    • Go back to the "Scan" tab and click "Complete System Scan". This scan can take quite a while to run, so sit back and wait.
    • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
    • Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
    • Click on "Save Report", then "Save Report As". Save the report where you know you can find it again (like on the Desktop) and take note of the name.
    • Close AVG Anti-Spyware and reboot.

    Post the contents of the AVG-AS report, a fresh HijackThis log and a new Deckard's scan report.
     
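    The HijackThis lines quoted in this thread, and the subset noahdfear picks out for "Fix Checked" above, follow a pattern a triage reviewer applies by eye: autoruns launched from a Temp directory, autoruns that are a bare filename with no directory, AppInit_DLLs and Winlogon Notify hooks, nameless BHOs, and services with no vendor string. The script below is an added example written for this archive page; it is not part of the thread and not HijackThis's own code. It parses a handful of O2/O4/O20/O23 lines copied from the log posted earlier and applies those heuristics. The rules are the editor's assumptions, meant as a first pass that still needs manual review (a "(file missing)" entry, for instance, is harmless on its own but still worth fixing).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5181087E-F844-4636-9E60-3162563D86C5} - C:\WINDOWS\system32\awvtq.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\winE.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: tuvtspm - C:\WINDOWS\SYSTEM32\tuvtspm.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    line: str      # the raw log line
    reason: str    # why the heuristic flagged it


# O4 registry Run entries only; "O4 - Global Startup:" lines have a different shape and are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking path in a command line, quoted or not, with any arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|sys|scr|bat|cmd))"?(?:\s|$)', re.IGNORECASE)
# Any path component named "temp" (matches \TEMP\ and \Temp\ alike).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def run_target(cmd: str) -> str:
    """Return the executable part of an O4 command line (assumed heuristic: stop at the first .exe/.dll/...)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the reviewer heuristics to each HijackThis line and return the flagged entries in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O4":
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup .lnk entries are not covered by this rule set
            target = run_target(m.group("cmd"))
            if TEMP_DIR_RE.search(target):
                findings.append(Finding("O4", line, "autorun launched from a Temp directory"))
            elif "\\" not in target:
                findings.append(Finding("O4", line, "autorun is a bare filename (no directory); resolved by PATH search"))
        elif section == "O20":
            if "AppInit_DLLs" in line:
                findings.append(Finding("O20", line, "AppInit_DLLs loads the DLL into every process that links user32"))
            elif "Winlogon Notify" in line:
                findings.append(Finding("O20", line, "Winlogon Notify DLL loads at logon, before the shell"))
        elif section == "O2" and "(no name)" in line:
            findings.append(Finding("O2", line, "browser helper object registered without a name"))
        elif section == "O23" and "Unknown owner" in line:
            findings.append(Finding("O23", line, "service with no vendor string; verify the binary manually"))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count flagged entries per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("totals:", summary(results))
```

    On the sample above the script flags seven lines and leaves the Messenger, Google Toolbar and HP entries alone, which matches the entries the helper chose to fix. Treat a hit as a prompt to look at the file (location, signer, creation time), not as a verdict: legitimate software does occasionally register a Winlogon Notify DLL, and a bare filename in a Run key can be a vendor shortcut rather than a hijack.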
  16. 2007/08/28
    Encorepilot

    Encorepilot Inactive Thread Starter

    Joined:
    2007/08/26
    Messages:
    8
    Likes Received:
    0
    noahdfear,

    I worked with the computer until late last night. I found Outerinfo in the add/remove list. But when I chose to remove it I got a window that said it was unable to, and that I would have to use OiUninstaller.exe. So per your instructions I saved OiUninstaller.exe to my desktop, but when I click on it nothing happens. I shut the computer down and restarted in safe mode and was still unable to get OiUninstaller.exe to run. I can open Internet Explorer, but it's so slow that I can't do anything. In Task Manager it still says my CPU is 100% because of qttask.exe (should I be concerned with this?). Guess I'm stuck again... Thanks, encorepilot
     
  17. 2007/08/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Go ahead and continue on with the rest. Fix this entry with HijackThis too.

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     