Sqmdata.sqm - PopUps, Background changes, virus?




  #1  
Old 24th Dec 2007, 05:20
Member Group
 

Hi. So my computer is infected. It has pop-ups saying that somebody is trying to attack my system by sending in a virus, and then there are these recommended virus programs popping up for me to install. Then my wallpaper will change to red with a symbol.


I am currently using Spybot Search and Destroy and Ad-Aware to scan my computer every day. It goes away and comes back a few hours later. So I am wondering how to get rid of it so that it won't come back again.


Logfile of HijackThis v1.99.1
Scan saved at 4:20:15 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0180A7AF-7449-4632-A705-09CB76186F0D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D4B1AF0-833A-AFE9-4B66-888DBA2582CD} - (no file)
O2 - BHO: (no name) - {3f711da5-eed1-496b-9ac7-870af3236ef5} - (no file)
O2 - BHO: (no name) - {56125AE0-2785-4E21-A200-6646C4FFB7FC} - \
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7A8D213D-2998-4DC2-A09F-4B91903292EF} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {EAA38E9A-A84D-467A-9DFB-34CFEAC54F02} - \
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebaxxv - gebaxxv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: mssql - {24D6EB4C-3C8C-4355-9CD5-4948138645A3} - C:\WINDOWS\mssql.dll
O21 - SSODL: syscore - {372F9833-A2A9-4597-967D-9C4B6EC4121D} - C:\WINDOWS\syscore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Please help. Thanks.
  #2  
Old 26th Dec 2007, 09:18
Donor Group
 

Get a good antivirus like McAfee which covers spam, adware, viruses, hackers etc. all at once, disconnect from the internet, uninstall all your current protection programs, install your good antivirus of choice, update over the internet (it should be safe now McAfee is installed) then do a full system scan.
  #3  
Old 6th Jan 2008, 10:10
Donor Group
 

Hi there, ct122592, I'm the person you IM'd from d-addicts. I asked evilfantasy to help you out if he's not busy, so we'll see what he says, okay!!!
  #4  
Old 6th Jan 2008, 10:51
Donor Group
 

Whatever you do, don't download the recommended program.

I have had this virus before but not so severe. I didn't get round to fixing it as it timed it just right when I bought my new computer.

What antivirus have you got at the moment? Avast free home edition is good.
  #5  
Old 6th Jan 2008, 11:02
Member Group
 

O2 - BHO: (no name) - {0180A7AF-7449-4632-A705-09CB76186F0D} - (no file)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {1D4B1AF0-833A-AFE9-4B66-888DBA2582CD} - (no file)
O2 - BHO: (no name) - {3f711da5-eed1-496b-9ac7-870af3236ef5} - (no file)
O2 - BHO: (no name) - {56125AE0-2785-4E21-A200-6646C4FFB7FC} - \
O2 - BHO: (no name) - {7A8D213D-2998-4DC2-A09F-4B91903292EF} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {EAA38E9A-A84D-467A-9DFB-34CFEAC54F02} - \
O20 - Winlogon Notify: gebaxxv - gebaxxv.dll (file missing)

Those all look suspicious and should be removed (but confirm with evilfantasy or howardhopkinson first).

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll <<< Is your Windows genuine? As that is only displayed when a copy of Windows is not genuine.
  #6  
Old 6th Jan 2008, 12:21
Moderator Group
 

Hello ct122592.

If you are still seeking help then please follow these instructions.

Open HijackThis and select Do a system scan only then place a check mark next to:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: (no name) - {0180A7AF-7449-4632-A705-09CB76186F0D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1D4B1AF0-833A-AFE9-4B66-888DBA2582CD} - (no file)
O2 - BHO: (no name) - {3f711da5-eed1-496b-9ac7-870af3236ef5} - (no file)
O2 - BHO: (no name) - {56125AE0-2785-4E21-A200-6646C4FFB7FC} - \
O2 - BHO: (no name) - {7A8D213D-2998-4DC2-A09F-4B91903292EF} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {EAA38E9A-A84D-467A-9DFB-34CFEAC54F02} - \
O20 - Winlogon Notify: gebaxxv - gebaxxv.dll (file missing)
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)


Now close ALL windows except for HijackThis and click Fix Checked.

----------
Please download CCleaner
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings
  • Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: Only use the "Registry" feature if you are very familiar with the registry as it has been known to find legitimate items.
  • Always back up your registry before making any changes.
  • After CCleaner has completed its process, click Exit.
----------
Download SUPERAntispyware Free Edition (SAS)
  • Double-click the icon on your desktop to run the installer.
  • When asked to Update the program definitions, click Yes
  • Next click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure only the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen click Scan your computer
  • On the left check C:\Fixed Drive
  • On the right choose Perform Complete Scan
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK
  • Make sure everything in the white box has a check next to it, then click Next
  • It will quarantine what it found and if it asks if you want to reboot, click Yes
  • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
  • Save the log somewhere you can easily find it. (normally the desktop)
  • Click close and close again to exit the program.
  • Please copy and then paste the log in your post.
----------

Please uninstall/delete the copy of HijackThis you have and download the new version and run a scan with it and post the log.
Download and rename HijackThis (HJT)
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in sniper.exe and press Enter.
    • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • From the desktop open HijackThis.
  • If using Windows Vista, be sure to Run As Administrator
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the log in your post.
    • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Even though we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

----------

Next post please add
SUPERAntiSpyware log
New HijackThis log
__________________
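
Most of the fix list in the post above consists of entries whose backing file is gone: "(no file)", "(file missing)", or a bare "\" path. As an added example, not part of the original thread and not HijackThis code, this Python script pulls such entries out of a log for review; the function names are hypothetical and the sample lines are copied from the log posted in this thread.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: (no name) - {0180A7AF-7449-4632-A705-09CB76186F0D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {56125AE0-2785-4E21-A200-6646C4FFB7FC} - \
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: gebaxxv - gebaxxv.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# A result line starts with a section code (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Yield one dict per result line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        yield {
            "code": match.group("code"),
            "body": body,
            # Normalise case so the same CLSID compares equal across logs.
            "clsid": clsid.group(0).upper() if clsid else None,
        }


def orphan_reason(body):
    """Return why an entry looks orphaned, or None if it names a file."""
    if body.endswith("(no file)"):
        return "no file"
    if body.endswith("(file missing)"):
        return "file missing"
    # HijackThis prints a lone backslash when the registered path is empty.
    if body.rsplit(" - ", 1)[-1] == "\\":
        return "empty path"
    return None


def review_candidates(log_text):
    """Entries whose registered file is absent: candidates for review."""
    found = []
    for entry in parse_entries(log_text):
        reason = orphan_reason(entry["body"])
        if reason:
            found.append({**entry, "reason": reason})
    return found


def count_by_section(candidates):
    """Number of candidates per HijackThis section code."""
    return dict(Counter(c["code"] for c in candidates))


if __name__ == "__main__":
    for c in review_candidates(SAMPLE_LOG):
        print(f'{c["code"]:<4}{c["reason"]:<14}{c["clsid"] or "-":<40}{c["body"]}')
```

The O9 `xpnetdiag.exe` entry is reported here although it is not in the fix list above, so the output is a set of candidates to review, not a removal list.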

  #7  
Old 12th Jan 2008, 02:21
Member Group
 

Thanks EvilFantasy for helping.

SUPERAntispyware scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 00:51 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:37:53

Memory items scanned : 537
Memory threats detected : 0
Registry items scanned : 6842
Registry threats detected : 19
File items scanned : 6768
File threats detected : 67

Adware.Tracking Cookie

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
C:\UWA7P\Quar
C:\WINDOWS\..\UWA7P

Trojan.VideoCach/Gen
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version

Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer



I can't find hijackthis.exe, so I don't know how to do the last step. All I have is the new version of HJT installed.
  #8  
Old 12th Jan 2008, 10:38
Moderator Group
 

Uninstall/delete Hijackthis. It is an outdated version.

Then use the instructions I gave to install the new version.
__________________

  #9  
Old 13th Jan 2008, 03:16
Member Group
 

Okay thanks.
  #10  
Old 13th Jan 2008, 09:44
Moderator Group
 

And post a new log from the new hijackthis.
__________________
