Author Topic: 5 Trojans keep taking me to partypoker.com Need help cleaning out  (Read 26689 times)


brenda31

  • Guest
Please help.  
My Avast cleaner (avast 4.7) keeps telling me I have infected files and to move them to the chest.  I move them to the chest; however, IE pops up randomly taking me to www.partypoker.com and some other singles site.  I have run Ad-Aware and have deleted what came up.  I've also run Spybot twice and I continue to get the following.  
           Smitfraud-C.Toolbar888                          1 entries
           Winsoftware.WinAntiVirusPro2006            1 entries
           Winsoftware                  1 entries
           ZenoSearch                    3 entries

Avast 4.7 tells me I have
Name of file
C:\Documents and Settings\...\dqgubvpq.exe           Infection Win32:Agent-HZS [Trj]
C:\Documents and Settings\...\[PECompact]            Infection Win32:Agent-HDR [Trj]
C:\System Volume Information\...\A0040516.exe   Infection Win32: Trojan-gen {other}
C:\System Volume Information\...\A0041388.dll   Infection Win32:VBStat-C[Trj]
C:\WINDOWS\system32\fojtipub.exe          Infection:  Win32:Agent-HZS [Trj]

I had been able to get online and check email but now I cannot even sign in.  
How can I correct this problem?
Thanks.

sasin44

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #1 on: June 20, 2007, 02:13:32 AM »
Classic example of browser hijacking. If you want quick and good advice, please post your HijackThis log so the people at avast can tell you what to do next.
http://www.softpedia.com/progDownload/HijackThis-Download-5034.html

Since you have already run Ad-Aware and Spybot Search & Destroy, try
AVG Anti-Spyware   http://www.filehippo.com/download_ewido/
I have found it more effective in cases of IE hijacking.

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #2 on: June 20, 2007, 02:16:21 AM »
Hi brenda31.  Welcome to the forum.

Please post a ComboFix log first, then a HijackThis log.

Download ComboFix from Here or Here to your Desktop.
 
Double click combofix.exe and follow the prompts.
 
When finished, it will produce a log for you. Post that log and a HijackThis log (instructions below) in your next reply.
 
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Both of these logs will be long and will require more than a single post to fit all the information.  Use as many posts as required.

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #3 on: June 20, 2007, 03:39:12 AM »

C:\WINDOWS\system32\cayjqija.dll
C:\WINDOWS\system32\ewscknwt.dll
C:\WINDOWS\system32\gjidsoiv.dll
C:\WINDOWS\system32\kimmrbbf.dll
C:\WINDOWS\system32\ajiqjyac.ini
C:\WINDOWS\system32\twnkcswe.ini
C:\WINDOWS\system32\viosdijg.ini
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\opnmmml.dll
C:\WINDOWS\system32\pmnlk.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\svhost.exe


(((((((((((((((((((((((((   Files Created from 2007-05-20 to 2007-06-20  )))))))))))))))))))))))))))))))


2007-06-19 19:58   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-19 04:05   192,602   --a------   C:\WINDOWS\system32\kwinlodt.exe
2007-06-18 13:35   932   --a------   C:\WINDOWS\system32\winpfz32.sys
2007-06-18 13:31   191,006   --a------   C:\WINDOWS\system32\nkdsregs.exe
2007-06-17 00:21   <DIR>   d--------   C:\Program Files\svhost
2007-06-17 00:20   <DIR>   d--------   C:\Program Files\poolsv
2007-06-17 00:16   36,352   --a------   C:\WINDOWS\poolsv.exe
2007-06-17 00:14   0   -rahs----   C:\MSDOS.SYS
2007-06-17 00:14   0   -rahs----   C:\IO.SYS
2007-06-15 23:45   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-15 23:29   <DIR>   d--------   C:\Program Files\Yahoo!
2007-06-14 13:01   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\Snapfish
2007-06-13 16:24   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\IMVU


brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #4 on: June 20, 2007, 03:39:54 AM »
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 07:09:46   --------   d-----w   C:\Program Files\Messenger
2007-06-09 05:52:17   --------   d-----w   C:\DOCUME~1\BRENDA~1\APPLIC~1\AdobeUM
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-14 22:17:57   --------   d-----w   C:\DOCUME~1\BRENDA~1\APPLIC~1\Viewpoint
2007-05-09 12:14:32   --------   d-----w   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 03:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{7FE07CC5-E966-49EB-9D62-EB3B69656283}=C:\Program Files\Messenger\meqot43855.dll [2007-06-14 06:54]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 05:36]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 18:04]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-29 08:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #5 on: June 20, 2007, 03:41:13 AM »
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


Contents of the 'Scheduled Tasks' folder
2007-05-14 12:29:00  C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 01:22:41  C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 20:21:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?p???? ???B?????????????hLC? ??????

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-19 20:26:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 20:25

   --- E O F ---
((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cayjqija.dll
C:\WINDOWS\system32\ewscknwt.dll
C:\WINDOWS\system32\gjidsoiv.dll
C:\WINDOWS\system32\kimmrbbf.dll
C:\WINDOWS\system32\ajiqjyac.ini
C:\WINDOWS\system32\twnkcswe.ini
C:\WINDOWS\system32\viosdijg.ini
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\opnmmml.dll
C:\WINDOWS\system32\pmnlk.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\svhost.exe


(((((((((((((((((((((((((   Files Created from 2007-05-20 to 2007-06-20  )))))))))))))))))))))))))))))))



brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #6 on: June 20, 2007, 03:53:31 AM »
Logfile of HijackThis v1.99.1
Scan saved at 20:52, on 2007-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\ComboFix\catchme.cfexe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #7 on: June 20, 2007, 03:54:25 AM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7FE07CC5-E966-49EB-9D62-EB3B69656283} - C:\Program Files\Messenger\meqot43855.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe


brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #8 on: June 20, 2007, 03:58:37 AM »
I've posted both the ComboFix log and the Hijack this log.  Will this have fixed the problem or what else should I do?  I have noticed that I have yet to be redirected to the partypoker site.  Thank you!

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #9 on: June 20, 2007, 04:58:37 AM »
There's quite a lot going on in your logs.  It's getting a little late for me and I would rather delve deeper after a night's sleep.

For now, open HijackThis again and click to Run a System Scan Only.  When it finishes place a check mark next to these lines:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.drivecleaner.com

O15 - Trusted Zone: *.errorprotector.com

O15 - Trusted Zone: *.errorsafe.com

O15 - Trusted Zone: *.systemdoctor.com

O15 - Trusted Zone: *.winantispyware.com

O15 - Trusted Zone: *.winantivirus.com

O15 - Trusted Zone: *.winfixer.com

Then close all other windows, including your browser, and click Fix Checked.

Next, install the free version of SUPERAntiSpyware and run a complete scan.  Quarantine anything found and save the log.  Then post the log in your next response.

http://www.superantispyware.com/


Also, you have an old-ish version of Java that should be updated.  The current version can be downloaded here

http://www.java.com/en/download/manual.jsp

After updating Java, open Add/Remove Programs in the Control Panel and uninstall any versions of Java older than 6.1 (don't skip this step - some older versions are exploitable and the update process will not remove them).
« Last Edit: June 20, 2007, 05:03:42 AM by mauserme »
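The entries mauserme ticks above fall into two mechanical classes: O3/O9 lines whose target reads "(no file)" or "(file missing)" (orphaned registrations, harmless to remove), and O15 lines, which place a domain in IE's Trusted sites zone, where pages run with a lower security level than in the Internet zone, so a site that put itself there should come out. The script below is an added example, not part of the original thread and not HijackThis's or avast's own code; it pulls those two classes out of HijackThis 1.99.1 log text and separately flags unnamed BHOs/toolbars that still have a file on disk (such as the meqot43855.dll entry in this log) for a closer look rather than automatic removal. The sample log is a constructed subset of the lines posted above, and the fix/review rules are the editor's own heuristics, not a HijackThis feature.

```python
import re

# Constructed sample input: a handful of HijackThis 1.99.1 lines modelled on the
# log posted in this thread (not the complete log, and not output from this script).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FE07CC5-E966-49EB-9D62-EB3B69656283} - C:\Program Files\Messenger\meqot43855.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.errorsafe.com
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis finding starts with a section tag (R0, O2, O15, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Split HijackThis log text into (section, body) tuples.

    Header lines and the 'Running processes' list do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def classify(section, body, trusted_allowlist=frozenset()):
    """Return (verdict, reason) for one entry.

    verdict is 'fix'    -> tick it in HijackThis and click Fix Checked,
               'review' -> identify the file before deciding,
               'ok'     -> nothing to do.
    These are the editor's heuristics (an assumption), not HijackThis logic.
    """
    if section == "O15":
        # "Trusted Zone: *.winfixer.com" -> "winfixer.com"
        domain = body.split(":", 1)[1].strip().lstrip("*.").lower()
        if domain in trusted_allowlist:
            return "ok", "Trusted Zone domain you added deliberately"
        return "fix", (f"IE Trusted sites zone entry for {domain}: that zone runs with "
                       "a lower security level; remove unless you added it yourself")
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "fix", "orphaned entry: the registered file no longer exists on disk"
    if section in ("O2", "O3") and "(no name)" in body:
        return "review", "unnamed BHO/toolbar with a file on disk: identify the DLL before removing"
    return "ok", ""


def triage(text, trusted_allowlist=frozenset()):
    """Run classify() over a whole log; returns (verdict, original line, reason) for non-'ok' entries."""
    findings = []
    for section, body in parse_hjt(text):
        verdict, reason = classify(section, body, trusted_allowlist)
        if verdict != "ok":
            findings.append((verdict, f"{section} - {body}", reason))
    return findings


def fix_list(text, trusted_allowlist=frozenset()):
    """The lines to put a check mark next to in HijackThis, in log order."""
    return [line for verdict, line, _ in triage(text, trusted_allowlist) if verdict == "fix"]


def review_list(text, trusted_allowlist=frozenset()):
    """Lines that need a human look (file present, but no name registered)."""
    return [line for verdict, line, _ in triage(text, trusted_allowlist) if verdict == "review"]


if __name__ == "__main__":
    for verdict, line, reason in triage(SAMPLE_HJT_LOG):
        print(f"[{verdict.upper():6}] {line}")
        print(f"         {reason}")
```

Run against the full pasted log, `fix_list()` returns exactly the twelve lines in the reply above (the orphaned O3/O9 entries followed by the eight O15 domains), and `review_list()` returns the unnamed O2 BHO in C:\Program Files\Messenger, which the script deliberately does not put on the fix list because the file exists and an unnamed BHO is not proof of anything on its own. Pass `trusted_allowlist={"example.com"}` for a domain you added to the Trusted sites zone on purpose.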

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #10 on: June 20, 2007, 05:22:55 AM »
I see a worm or two in your ComboFix log that may still be present. 

Download OTMoveIt by OldTimer and save it to your desktop, but don't run it just yet.  Depending on the results of SUPERAntiSpyware we may use this to manually remove some files.

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #11 on: June 20, 2007, 07:12:49 AM »
I downloaded and ran SuperAntiSpyware and it did not find anything.  I hope that's good news.  Thanks again for your help. 

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #12 on: June 20, 2007, 08:13:16 AM »
Oh man.  I reran SUPERAntiSpyware because I had a popup asking about updates, and I now have a bunch of things popping up.  I'll post them as soon as the spyware scanner finishes scanning my files.

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #13 on: June 20, 2007, 11:46:08 PM »
This is the most recent SUPERAntiSpyware Scan Log.  I ran one last night and had a whole lot more pop up.  I will post that log in a few.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2007 at 04:37 PM

Application Version : 3.8.1002

Core Rules Database Version : 3258
Trace Rules Database Version: 1269

Scan type       : Complete Scan
Total Scan Time : 00:45:18

Memory items scanned      : 516
Memory threats detected   : 0
Registry items scanned    : 5710
Registry threats detected : 0
File items scanned        : 27004
File threats detected     : 43

Adware.Tracking Cookie
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2o7[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atdmt[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adopt.specificclick[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@112.2o7[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@bs.serving-sys[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tacoda[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adinterax[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@serving-sys[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tribalfusion[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@fastclick[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@advertising[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@edge.ru4[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@burstnet[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ad.xplusone[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@doubleclick[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@specificclick[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@mediaplex[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.pointroll[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@www.burstnet[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adopt.euroclick[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adserving.cpxinteractive[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.cluster01.oasis.zmh.zope[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@zedo[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@questionmarket[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@toplist[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ad[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@realmedia[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@cgi-bin[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@revenue[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@N763.networksite.www.msn[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@trafficmp[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@perf.overture[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@anad.tacoda[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@revsci[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@anat.tacoda[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atwola[1].txt
   C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@2o7[2].txt
   C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@advertising[2].txt
   C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@atdmt[1].txt
   C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@doubleclick[1].txt

Trojan.ZQuest
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP211\A0041689.DLL

Trojan.ZenoSearch
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP211\A0041691.EXE


brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #14 on: June 20, 2007, 11:57:43 PM »
My earlier scan log at 6-20-2007 - 01:15:13 showed

Adware.Clickspring/Outer Info Network
Adware.Clickspring/Yazzle
Adware.Tracking Cookie
Adware.Unknown Origin
Trojan.Downloader-Gen
Trojan.Downloader-Gen/Blah
Trojan.Downloader-Gen/SVHost
Trojan.ZenoSearch
Unclassified.Unknown Origin

What should I do now with both scan logs?