thought I removed all viruses, but still have popups

Hi,
A few days ago my computer (a dell inspiron 700m, 1.6 GHz processor, 752 RAM, running Windows XP) got a lot of infections (sorry, I can't remember what they all were, I do know the hardest to get rid of was command service) but I think I've gotten rid of most (or maybe all) of them by following instructions on this and other forums. Spybot is not finding any problems now, but Ad-Aware is still finding 12 or 13 problems every time I run it; most of them are cookies, though. However, I'm still getting pop-ups. It's not a lot at all, so I'm not sure if that's a virus or if it's just normal sometimes, but I usually use Mozilla, and I never got pop-ups before I had this infection.

It's not a major problem, but I wanted to get some expert advice on whether it looks like I've managed to get rid of everything.

I haven't gotten rid of system restore yet because I wanted to confirm that I've destroyed all the infections first.

I've attached a Hijack This log (hope I did this right; sorry if not!).

Thanks so much for your help!

 

OK, you have a Qoologic infection.

Disable Spybot's TeaTimer function, it will interfer with any fixes I give you.

Do the following:

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis
​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
  • Bitdefender
  • Panda Scan
  • HijackThis

In addtion follow the directions for:
Qoologic/Winsync/Kavsvc
Using GetRunKey

That would be 7 logs:
- BitDefender Online
- Panda ActiveScan
- txt.log from FindQool
- Log.txt from RKFiles Tool
- WinPFind.txt
- hijackthis.log

It will take 2 posts to post all the logs.

 

Ok.

I ran CCleaner and cleaned up what it found.

I ran Microsoft Windows malicious software removal and cleaned what it found.

I ran Ad-Aware; it found 4 problems and removed them.

I ran Spybot; it found Smitfraud and removed it.

I ran Microsoft Windows Defender; it said it fixed 2 files.

Then I rebooted in Safe mode with networking and ran Bitdefender; the log for that is attached.

Then I tried to run Panda Activescan. It scanned through 14,465 files and then froze. I tried again and left it running over night; again, it froze after the same number of files. I rebooted into normal mode and tried again, and the same thing happened. So I was never able to run that scan.

So I went on and ran FindQool, RKTool, and WinPFind. The first two are attached to this post; WinPFind will be on the next post.

Then I rebooted into normal mode, and Windows Defender found Qoologic and asked if I wanted to remove it. I said yes. Then Windows Defender asked to reboot. I said yes. It rebooted into normal mode again, and then the same window (with Qoologic found) came up again, so that time I just ignored it.

Then I realized that I'd forgotten to run Hijack This, so I ran that scan. I'll attach that to the next post.

Then I ran GetrunKey. It's also on the next post.

Hope I didn't screw up the order of these scans too much. The instructions for all of them are a little confusing since they're on so many different pages.

Thank you! What next?

 

Here are the last three scans: WinPFind, Hijack This, and GetrunKey.

Thanks.

 

txt.log from FindQool, did not attach I need that log. Without it I won't be able to find the hiddden files from Qoologic.

 

It's report.txt on my first post.

 

Download
- Pocket Killbox

Empty your Housecall Quarantine folder

You have several infected Email attachments in Outlook. You are going to have to go through those one by one and deleted them; then empty your Outlook deleted items folder.

You have a couple of infected System Restore points. We'll remove those after we have removed all the infections.

You have an infected backup; C:\WINDOWS\backup\S\51128000.DAT. We will delete this as part of the fix.

Questions about a few programs:

Follow the directions for Running Hoster.

Save the contents of the below quote box to natepad and save as FixReg.reg to your Desktop:

Close Notepad. Double-click FixReg.reg and answer 'YES'.

Do the following:

Start -> Run
type regedit
click 'OK'

Registry Editor will open. Navigate to the following Registry Key.

Scan with HijackThis and fix the following:

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Post a fresh HijackThis log.

 

Ok.

Regarding the programs you questioned:
*I hadn't been able to get Kodak Software to stop starting every time it boots, but I removed it from the start menu now.
* Weather.exe was some stupid weather program, and I have no idea how it got on my computer; I think I must have accidentally clicked on a popup when I was trying to click on something else. Anyway, I deleted it.
* I have no idea what the deal is with hpdj.exe.

I followed all your instructions.

When I got to fixing those files with Hijack This, I did NOT fix
O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\guard.tmp (file missing)
because it wasn't there. The closest match was
020 - Winlogon Notify: Media Center - C:\Windows\

Not wanting to delete something I shouldn't, I did nothing with that file.

I ran Killbox as instructed. The interface wasn't exactly as you described; when I clicked the red X, I never got a box to confirm file deletion, just a box saying file would be deleted on reboot and did I want to reboot now. I said no until the end and then rebooted after the last file. Killbox had no problem rebooting. Then I went into Safe mode as instructed.

I deleted the following files with Windows Explorer:
* C:\Program Files\Windows
* C:\WINDOWS\SYSTEM32\prnbb.dat

The following files were not there:
* C:\WINDOWS\defender1.exe
* C:\WINDOWS\sys02206767261.exe
* C:\WINDOWS\backup\S\51128000.DAT
* C:\WINDOWS\system32\guard.tmp
* C:\WINDOWS\system32\prnbb.dat
* C:\WINDOWS\system32\ktyxpp.exe
* C:\WINDOWS\system32\bdpcp.exe
* C:\WINDOWS\system32\qbyxgxc.dll
* C:\WINDOWS\system32\lywgauq.exe

I followed the rest of your instructions. I am running Windows XP, so I deleted the contents of Prefatch.

When I rebooted into normal mode, I got a message from Windows Defender that I still have the Adware-Qoologic file. :-(

My Hijack This log is attached.

 

OK, you did fine.

Run FindQool and WinPFind again. I need the logs from both of those tools.

After you post the logs, I'll give you some instructions to manually remove Qoologic.

 

Thanks. Here are the new logs.

 

Download and Install:
- Registrar Lite

Make sure that you have enabled viewing of Hidden, System FIles & Folders as per the thread titled How to view hidden, system files & folders!.

Run Registrar Lite navigate to the following Registry Keys; and take the action note for each:

Scan with HijackThis and fix the following lines:

Now run Pocket kill box and delete these files:

Let Pocket Killbox reboot; making sure you boot to Safe Mode.

Open Windows Explorer; navigate to and delete the following:

REBOOT

Post a fresh HijackThis log.

 

Wow...I just can't do anything the easy way this week...!

I ran register lite, no problem. I couldn't find these keys:
gikqq = C:\WINDOWS\system32\ktyxpp.exe reg_run
jldppn = C:\WINDOWS\system32\ktyxpp.exe reg_run
gikqq = C:\WINDOWS\system32\ktyxpp.exe reg_run

I DID delete these keys:
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,lywgauq.exe
Shell = Explorer.exe, C:\WINDOWS\system32\bdpcp.exe

I am evidentally having a stupid week; I didn't realize I was only supposed to delete the value and not the entire key for those. Obviously that caused problems later, but in the meantime...

I ran Hijack This and fixed these lines:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bdpcp.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O20 - Winlogon Notify: Media Center - C:\WINDOWS\

This line was not there:
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lywgauq.exe

I then ran Pocket Killbox and deleted all the files as you instructed. However, when I tried to reboot, I couldn't, because obviously I had deleted the entire userinit key. AAAH...at that point my husband, who is a computer geek, took over...he reinstalled windows in a different folder (WINNT) and was able to recover my registry...I'm not entirely sure of all the methods he used. He deleted the bdpcp.exe and lywgauq.exe registry values and files but said they keep coming back to the registry.

I then rebooted in safe mode and deleted this file:
C:\WINDOWS\system32\prnbb.dat

These files were no longer there:
C:\WINDOWS\system32\ktyxpp.exe
C:\WINDOWS\system32\bdpcp.exe
C:\WINDOWS\system32\qbyxgxc.dll
C:\WINDOWS\system32\lywgauq.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dblyv.exe
C:\Program Files\Weather

I rebooted in normal mode, and windows defender told me I still have Adware-Qoologic...

Sorry! Tell me what to do now...please give me very detailed instructions so I don't do anything else stupid...

Here's my last Hijack This log.

 

Oh, I forgot to tell you that my husband also ran Ad-Aware. It found and fixed 13 problems. Although I think they're the same problems that it has repeatedly fixed that keep coming back.

 

Those keys are there, because your logs shown them. Rerun the fix I posted in post #11. The Key is what is before the = sign Those keys and files have to be deleted or the infection will just keep coming back.

 

Ok!

It took me a while to do this again because every time I tried, I couldn't find the files. However, I figured that since the virus is still there they would show up eventually, which they did--or some of them, anyway. Here are my results:

I was finally able to delete these in Registrar Lite:
gikqq = C:\WINDOWS\system32\ktyxpp.exe reg_run
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,lywgauq.exe (just the value)
Shell = Explorer.exe, C:\WINDOWS\system32\bdpcp.exe (just the value)

I still was not able to find these in Registrar Lite:
jldppn = C:\WINDOWS\system32\ktyxpp.exe reg_run
gikqq = C:\WINDOWS\system32\ktyxpp.exe reg_run

With Hijack This, I fixed these lines:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bdpcp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lywgauq.exe

Weather.exe, of course, was no longer there because I deleted it already. The 020 line wasn't there either.

I deleted all the files listed with Pocket Killbox and rebooted in safe mode.

In Windows Explorer, I couldn't find any of the files except for this one:
C:\WINDOWS\system32\lywgauq.exe
I deleted that one.

The others, as far as I can tell, weren't there.

I rebooted and ran Hijack This again and saw that the two F2 lines (with bdpcp.exe and lywgauq.exe) were still there. That annoyed me, so I fixed them again and rebooted again. I think that fix might have worked, because they don't seem to be there now. But it looks like ktyxpp.exe is still there...?

Bit by bit I'm getting rid of these things, but it's like pulling teeth...I'm thinking maybe I'll wait a few days and then look again in the registry for the ktyxpp.exe keys; I expect they'll reappear there. (?)

On the bright side, Windows Defender didn't give me a warning when I rebooted this time, so maybe I've gotten some of it off.

Here's my Hijack This log.

Thank you! Any advice on how to find these files that won't show up in the registry keys?

 

Make sure you have done the following:
How to view hidden, system files & folders!
Searching for Hidden Files on WinXP

Copy the contents of the below quote box to Notepad, Save As FixReg.reg to your desktop. Do not run it just yet, we will do that later in safe mode.

REBOOT to Safe Mode.

Now locate FixReg.reg on your Desktop, Double-click it and answer 'Yes', when asked if you want to merge with the Registry.

Next using the search function in the Start Menu; search for and delete all instances of ktyxpp.exe that are found. Use the instructions in Searching for Hidden Files on WinXP.

NOTE: Make sure you have enabled viewing of hidden system files and folders.

REBOOT

Post a fresh HijackThis log.

 

That was easy!

How do I look now?

 

It's gone. Your log is clean.

Lets flush all your restore points and create a new clean one for your system.

Disable And Enable System Restore
How to Protect yourself from malware!

Safe surfing.

 

Hooray! Thank you!!!!!!