Help Please: Cannot rid Popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by firetrucker, May 20, 2006.

  1. firetrucker

    firetrucker Private E-2

    I've followed the posted suggestions, but I keep getting popups. I ran CCleaner, MS Windows Malicious Software Removal Tool, AdAware, Spybot, Windows Defender, then BitDefender. I couldn't get Panda to run. And I'm still getting popups. I've attached the BitDefender file as well as the HijackThis log.

    I think there are two files causing problems (guard.tmp, dmonwv.dll) but could be something beyond those. As long as I am connected to the internet, I keep getting more issues. I've been fighting this several days now...just when I think I've got it backed into a corner (only 1 or 2 problem files left per spybot) it explodes and I'll find another 50+ malicious files.

    I have a Dell Dimension 4600 Desktop. 2.8GHz P4, XP SP2, 512 MB RAM

    Any help would be very much appreciated! Thanks! - Brian
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a bunch of problems! Let's begin by working on the two most difficult ones: a Look2Me VX2 infection and a Qoologic infection.

    Run the below procedures.

    Look2Me VX2 Removal (attach the requested log afterwards!)

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
    FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.

    You forgot to uninstall Viewpoint Toolbar during step 0 of the READ ME. Uninstall it now!

    Now run the below scan with Ewido and attach the Ewido log:

    Running Ewido Anti-Malware

    Finally, attach a new HijackThis log so that we can work up a full cleanup procedure for Qoologic and anything else that remains.
     
    Last edited: May 20, 2006
  3. firetrucker

    firetrucker Private E-2

    Don't know if that should make me feel better, but at least I know it wasn't something simple, so somehow it does. Thanks for your help!

    I've followed your instructions and attached the generated logs below. I really appreciate all your help!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, looks like Look2Me Destroyer worked ok!

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\defender20.exe
    C:\WINDOWS\errorhandler.exe
    C:\WINDOWS\sys10-266327390.exe
    C:\Program Files\Common Files\svchostsys\svchostsys.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\fnskp.dat
    C:\WINDOWS\system32\ypdhda.exe
    C:\WINDOWS\system32\pyuld.exe
    C:\WINDOWS\system32\fwdhuic.dll
    C:\WINDOWS\system32\bubpnfr.exe
    C:\WINDOWS\system32\wiafbdrv.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rxpij.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\WINDOWS\errorhandler.exe
    C:\WINDOWS\sys10-266327390.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Common Files\svchostsys\svchostsys.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pyuld.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bubpnfr.exe
    O4 - HKLM\..\Run: [defender] C:\\defender20.exe
    O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
    O4 - HKLM\..\Run: [sys10-266327390] C:\WINDOWS\sys10-266327390.exe
    O4 - HKCU\..\Run: [wiafbdrv] C:\WINDOWS\system32\wiafbdrv.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O18 - Protocol: bw+0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    Now exit HJT.
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Program Files\Common Files\svchostsys <--- delete the whole folder
    C:\Program Files\EQAdvice <--- delete the whole folder
    C:\defender20.exe
    C:\WINDOWS\errorhandler.exe
    C:\WINDOWS\sys10-266327390.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\fnskp.dat
    C:\WINDOWS\system32\ypdhda.exe
    C:\WINDOWS\system32\pyuld.exe
    C:\WINDOWS\system32\fwdhuic.dll
    C:\WINDOWS\system32\bubpnfr.exe
    C:\WINDOWS\system32\wiafbdrv.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rxpij.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool.

    Also tell me how things are working!
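    The procedure above works from a HijackThis log: find the R0/R1, F2, O4, O9 and O18 lines that reference the dropped files, fix them, then confirm the files are gone. As an added example (not code from this thread, from MajorGeeks or from the HijackThis project), the Python below parses HijackThis-style lines into section and body, pulls out the file names and paths they reference, and flags a line when it names one of the files listed in the KillBox step or when a `Shell=`/`UserInit=` entry carries anything besides the expected `explorer.exe`/`userinit.exe`. The sample log is constructed here from lines quoted in this post plus one assumed-benign `ctfmon.exe` line for contrast; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: five lines quoted from the fix list above, plus one
# assumed-benign ctfmon.exe Run entry so that not every line is flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [defender] C:\\defender20.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pyuld.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bubpnfr.exe
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O18 - Protocol: bw+0 - {B17DB0FE-840C-4C15-819D-732F110E8B9D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# The files the KillBox step in this thread targets (taken from the post).
INDICATORS = {
    r"C:\defender20.exe",
    r"C:\WINDOWS\errorhandler.exe",
    r"C:\WINDOWS\sys10-266327390.exe",
    r"C:\Program Files\Common Files\svchostsys\svchostsys.exe",
    r"C:\WINDOWS\system32\dmonwv.dll",
    r"C:\WINDOWS\system32\fnskp.dat",
    r"C:\WINDOWS\system32\ypdhda.exe",
    r"C:\WINDOWS\system32\pyuld.exe",
    r"C:\WINDOWS\system32\fwdhuic.dll",
    r"C:\WINDOWS\system32\bubpnfr.exe",
    r"C:\WINDOWS\system32\wiafbdrv.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rxpij.exe",
}
# Match on basename, case-insensitively: the log may quote the same file
# as a bare name (UserInit=...,bubpnfr.exe) or as a full path.
INDICATOR_NAMES = {p.rsplit("\\", 1)[-1].lower() for p in INDICATORS}

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a known extension; directory names may
# contain spaces (Program Files), so stop only at a comma or a quote.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|,]+\\)*[^\\/:*?"<>|,]*?\.(?:exe|dll|dat|lnk|bat)', re.I)
# Bare file names, whether or not they sit inside a path.
NAME_RE = re.compile(r"[\w.-]+\.(?:exe|dll|dat|lnk|bat)\b", re.I)


@dataclass
class Entry:
    section: str
    body: str
    paths: list            # full paths referenced, for the on-disk check
    names: list            # lower-cased basenames referenced
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one HijackThis line into section and body; None if not one."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    # HJT writes "C:\\defender20.exe" with a doubled backslash; collapse it
    # so the path regex sees a normal Windows path.
    body = re.sub(r"\\{2,}", r"\\", m.group("body"))
    return Entry(m.group("section"), body, PATH_RE.findall(body),
                 [n.lower() for n in NAME_RE.findall(body)])


def check_system_ini(entry):
    """F2 lines mirror Winlogon's Shell= and UserInit= values. Only
    explorer.exe / userinit.exe belong there; anything appended after a
    comma is an extra program started at logon."""
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)$", entry.body, re.I)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    expected = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
    extras = [v.strip() for v in value.split(",")
              if v.strip() and v.strip().rsplit("\\", 1)[-1].lower() != expected]
    if extras:
        return f"{key}= carries extra program(s): {', '.join(extras)}"
    return None


def triage(log_text):
    """Parse every HJT line and attach a reason to each suspicious one."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        hits = sorted(set(e.names) & INDICATOR_NAMES)
        if hits:
            e.reasons.append("references known-bad file(s): " + ", ".join(hits))
        r = check_system_ini(e)
        if r:
            e.reasons.append(r)
        entries.append(e)
    return entries


def flagged(log_text):
    """Only the entries that earned at least one reason."""
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}\n    -> " + "; ".join(e.reasons))
```

The `paths` field is kept on each entry so that, after the fix and reboot, the same list can be walked with `os.path.exists` to confirm the "double check that the files are deleted" step; the Logitech O18 lines are deliberately absent from the indicator set, since the thread lists them for cleanup but they belong to a legitimate Logitech component rather than the infection.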
     
  5. firetrucker

    firetrucker Private E-2

    Ok. Here are the new logs. Things seem to be working much better. Haven't had any unwanted popups since I ran those last fixes - about the last half hour or so. Here are the logs. Hopefully I'm clean now.......

    Thanks for the help and detailed instructions!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds better but a few items are still hanging around from the last procedure. They probably were not fixed due to Windows Defender and/or Ewido blocking the fixes. Uninstall both Ewido and Windows Defender and then do the below.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [yhhydx] C:\WINDOWS\system32\ypdhda.exe reg_run
    O4 - HKCU\..\Run: [ueoae] C:\WINDOWS\system32\ypdhda.exe reg_run

    After clicking Fix, exit HJT.
    Make sure the below two files have been deleted:
    C:\WINDOWS\system32\ypdhda.exe
    C:\WINDOWS\system32\ypdhda.exe

    Now reboot in normal mode and post a new HJT log.
     
  7. firetrucker

    firetrucker Private E-2

    Ok.....here's the new hijack this log.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
