Help with removing Outerinfo

Hello everyone,

I need some assistance removing Outerinfo pop-ups (aka PurityScan, Oinadserver or OIN). If you could help me out and walk me through the process, I’d appreciate it very much. It’s been popping up like crazy and it’s taken over my desktop screen. Rather annoying…

But thanks in advance if you could help me :).

Hi

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


purity

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where “********_******” is the date_time)

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

I hope I did it right. It didn’t look like much happened, but here are the results of OTMoveIt2:

[Custom Input]
< purity >

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03302008_090325

ETA: The dss txt pages were too long to post, so I’m going to attach them. Btw, thanks so much for your help once again :).

You’re welcome. When you said purity, I thought we could knock some out ahead of time. Give me a few minutes to look at the logs. BRB

Lol Good deal. I was just scared I didn’t do it right. You’re truly awesome for helping so many people out :D.

Lots of things here. You are using Service Pack 1. Do not attempt to install Service Pack 2 until the machine is clean.

We’ll start with this

  • Download and run this removal tool for 180 Search

http://securityresponse.symantec.com/avcenter/Fix180Sh.exe

Please download ComboFix from Here or Here to your Desktop.

Do Not Run It Yet, we will run it a little differently.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

  • Go to add remove programs and uninstall the following if present

Rabio
180Search assistant
Yazzle
QdrDrive
QdrModule

  • Open HJT, run a system scan only, check mark these lines if present

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {3712b7f2-1dd2-11b2-a814-d414ee082346} - C:\WINDOWS\nkvchwjs.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - C:\Program Files\QdrDrive\QdrDrive10.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [pgdqjady] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pgdqjady.dll"

Close all other browsers/windows, click fix, close HJT.

** Now for combofix

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\nkvchwjs.dll
C:\WINDOWS\bolgxafm.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrModule\QdrModule12.exe

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\QdrDrive
C:\Program Files\QdrModule

This will start ComboFix. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Attaching the logs is fine. DSS should have installed HijackThis for you.

Thanks

Okay, I’ve hit a major snag. I’m currently on my desktop instead. I did everything as directed so far. I made the CFscript.txt and dragged it onto the ComboFix icon, turned off my antivirus and all that other good stuff. Then ComboFix started to run, but it’s stopped. It says (somewhat paraphrased here):

Scanning for infected files…
Scan time should take no more than 10 minutes
However, for badly infected systems it could easily double

ComboFix has changed your clock settings
Do not change it back, it will be restored later

Delete Files/Folders:
blinking cursor

It’s stayed like this for some time now. And my desktop is gone; the taskbar, all of the icons. The wallpaper has restored itself though, and the nasty green screen from the malware is gone. Should I wait it out or are there other courses of action that I should take?

If there is any type of hard drive activity (blinking light, sound from the hard drive), ComboFix is still running. Do not stop it; give it about 40-50 minutes. If CF has stalled completely, reboot; all desktop items will come back.

It’s definitely been an hour now, and it doesn’t sound like anything is going on. No fan running, no crackles of it doing any work. I guess I’ll reboot then. What should I do after that?

ETA: I tried running ComboFix again with the CFscript.txt and it still isn’t doing anything. No blinking lights, nothing. Is there anything else I need to turn off or anything else I should do before running it?

No don’t re-run CF. Run DSS and post that log. There will only be a main log this time.

Thanks

Here it is. Thanks again for your help. I’d be completely lost right now.

We’ll just use a different tool for now. Delete combofix.exe from your desktop; we may get another copy later.

  • Open HJT, run a system scan only, check mark these lines if present

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {3712b7f2-1dd2-11b2-a814-d414ee082346} - C:\WINDOWS\nkvchwjs.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - C:\Program Files\QdrDrive\QdrDrive10.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [pgdqjady] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pgdqjady.dll"
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} (xpreload.xpreloader) - ms-its:mhtml:file://c:\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.oc

Close all other browsers/windows, click fix, close HJT.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\180solutions
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\nkvchwjs.dll
C:\WINDOWS\bolgxafm.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrModule\QdrModule12.exe
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\QdrDrive
C:\Program Files\QdrModule
C:\Program Files\180search
C:\WINDOWS\voiceip.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\bokja.exe
2C:\WINDOWS\System32\WER8274.DLL
C:\WINDOWS\System32\MSIXU.DLL
C:\WINDOWS\bjam.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search.dll
C:\Program Files\seekmo
C:\WINDOWS\180ax.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\saiemod.dll
:\WINDOWS\System32\shdocpe.dll
C:\WINDOWS\System32\ntnut32.exe
C:\WINDOWS\shdocpl.dll
2C:\WINDOWS\shdocpe.dll
C:\WINDOWS\ntnut.exe
C:\Program Files\Sysmnt
C:\WINDOWS\winsb.dll
C:\WINDOWS\browserad.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\changeurl_30.dll

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where “********_******” is the date_time)

Do this and post back the OTMOVEIT2 results while I look for more.

edit: a new DSS log too, please.

Okay, HJT stuff went just fine, but when I did the OTMoveIt2, it stalled when it was trying to move C:\WINDOWS\nkvchwjs.dll. Now it’s frozen and the window for OTMoveIt2 is completely white/blank. I’m waiting to see if it can jump over this hurdle, but just fyi in case I need to do something about that.

ETA: 10+ minutes later and it still hasn’t done anything since. Le sigh.

ok, that may also be the file that stalled CF. Send me another DSS log so I can see what has been removed so far.

Thanks

That’s what I thought too. Here’s the new dss file.

We’ll see if we can get some of this with this tool.

Please download The Avenger by Swandog46 to your Desktop.

1. Click on Avenger.zip to open the file, then extract avenger.exe to your desktop.


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Copy and paste all the text in the above quote box into the main window.
  • Click Execute.
  • Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log.

Avenger log and DSS log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file “C:\WINDOWS\system32\sbwltbxa.exe” not found!
Deletion of file “C:\WINDOWS\system32\sbwltbxa.exe” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

File “C:\WINDOWS\nkvchwjs.dll” deleted successfully.
File “C:\WINDOWS\bolgxafm.exe” deleted successfully.

Error: file “C:\Program Files\Common Files\Yazzle1552OinAdmin.exe” not found!
Deletion of file “C:\Program Files\Common Files\Yazzle1552OinAdmin.exe” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Error: could not open file “C:\Program Files\QdrDrive\QdrDrive10.dll”
Deletion of file “C:\Program Files\QdrDrive\QdrDrive10.dll” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
→ bad path / the parent directory does not exist

Error: could not open file “C:\Program Files\QdrModule\QdrModule12.exe”
Deletion of file “C:\Program Files\QdrModule\QdrModule12.exe” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
→ bad path / the parent directory does not exist

File “C:\WINDOWS\stcloader.exe” deleted successfully.
File “C:\WINDOWS\swin32.dll” deleted successfully.
File “C:\WINDOWS\cdsm32.dll” deleted successfully.
File “C:\WINDOWS\mssvr.exe” deleted successfully.
File “C:\WINDOWS\mspphe.dll” deleted successfully.
File “C:\WINDOWS\bokja.exe” deleted successfully.
File “C:\WINDOWS\System32\WER8274.DLL” deleted successfully.
File “C:\WINDOWS\System32\MSIXU.DLL” deleted successfully.
File “C:\WINDOWS\bjam.dll” deleted successfully.
File “C:\WINDOWS\2020search2.dll” deleted successfully.

Completed script processing.


Finished! Terminate.

Ok, we’ll go back to OTMOVEIT2 and remove some more.

In OTMOVEIT2 use this, the same way you did before


C:\Program Files\180solutions
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrModule\QdrModule12.exe
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\QdrDrive
C:\Program Files\QdrModule
C:\Program Files\180search
C:\WINDOWS\voiceip.dll
C:\WINDOWS\2020search.dll
C:\Program Files\seekmo
C:\WINDOWS\180ax.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\saiemod.dll
:\WINDOWS\System32\shdocpe.dll
C:\WINDOWS\System32\ntnut32.exe
C:\WINDOWS\shdocpl.dll
2C:\WINDOWS\shdocpe.dll
C:\WINDOWS\ntnut.exe
C:\Program Files\Sysmnt
C:\WINDOWS\winsb.dll
C:\WINDOWS\browserad.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\changeurl_30.dll

Then download ComboFix again, and follow the instructions for the security programs.

This time double click it to run it.

Post the combofix log, OTMOVEIT2 results and a Hijackthis log

thanks

Okay, here they are: OTMoveIt2 and then ComboFix and HJT as attachments…

[Custom Input]
< C:\Program Files\180solutions >
C:\Program Files\180solutions moved successfully.
< C:\Program Files\Common Files\Yazzle1552OinAdmin.exe >
File/Folder C:\Program Files\Common Files\Yazzle1552OinAdmin.exe not found.
< C:\Program Files\QdrDrive\QdrDrive10.dll >
File/Folder C:\Program Files\QdrDrive\QdrDrive10.dll not found.
< C:\Program Files\QdrModule\QdrModule12.exe >
File/Folder C:\Program Files\QdrModule\QdrModule12.exe not found.
< C:\Documents and Settings\All Users\Application Data\Rabio >
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer moved successfully.
C:\Documents and Settings\All Users\Application Data\Rabio moved successfully.
< C:\Program Files\QdrDrive >
File/Folder C:\Program Files\QdrDrive not found.
< C:\Program Files\QdrModule >
File/Folder C:\Program Files\QdrModule not found.
< C:\Program Files\180search >
File/Folder C:\Program Files\180search not found.
< C:\WINDOWS\voiceip.dll >
LoadLibrary failed for C:\WINDOWS\voiceip.dll
C:\WINDOWS\voiceip.dll NOT unregistered.
C:\WINDOWS\voiceip.dll moved successfully.
< C:\WINDOWS\2020search.dll >
LoadLibrary failed for C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search.dll NOT unregistered.
C:\WINDOWS\2020search.dll moved successfully.
< C:\Program Files\seekmo >
C:\Program Files\seekmo moved successfully.
< C:\WINDOWS\180ax.exe >
C:\WINDOWS\180ax.exe moved successfully.
< C:\WINDOWS\updatetc.exe >
C:\WINDOWS\updatetc.exe moved successfully.
< C:\WINDOWS\salm.exe >
C:\WINDOWS\salm.exe moved successfully.
< C:\WINDOWS\saiemod.dll >
LoadLibrary failed for C:\WINDOWS\saiemod.dll
C:\WINDOWS\saiemod.dll NOT unregistered.
C:\WINDOWS\saiemod.dll moved successfully.
< :\WINDOWS\System32\shdocpe.dll >
File/Folder :\WINDOWS\System32\shdocpe.dll not found.
< C:\WINDOWS\System32\ntnut32.exe >
C:\WINDOWS\System32\ntnut32.exe moved successfully.
< C:\WINDOWS\shdocpl.dll >
LoadLibrary failed for C:\WINDOWS\shdocpl.dll
C:\WINDOWS\shdocpl.dll NOT unregistered.
C:\WINDOWS\shdocpl.dll moved successfully.
< 2C:\WINDOWS\shdocpe.dll >
File/Folder 2C:\WINDOWS\shdocpe.dll not found.
< C:\WINDOWS\ntnut.exe >
C:\WINDOWS\ntnut.exe moved successfully.
< C:\Program Files\Sysmnt >
C:\Program Files\Sysmnt moved successfully.
< C:\WINDOWS\winsb.dll >
LoadLibrary failed for C:\WINDOWS\winsb.dll
C:\WINDOWS\winsb.dll NOT unregistered.
C:\WINDOWS\winsb.dll moved successfully.
< C:\WINDOWS\browserad.dll >
LoadLibrary failed for C:\WINDOWS\browserad.dll
C:\WINDOWS\browserad.dll NOT unregistered.
C:\WINDOWS\browserad.dll moved successfully.
< C:\WINDOWS\aviwrap32.dll >
LoadLibrary failed for C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\aviwrap32.dll NOT unregistered.
C:\WINDOWS\aviwrap32.dll moved successfully.
< C:\WINDOWS\avisynthex32.dll >
LoadLibrary failed for C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avisynthex32.dll NOT unregistered.
C:\WINDOWS\avisynthex32.dll moved successfully.
< C:\WINDOWS\avifile32.dll >
LoadLibrary failed for C:\WINDOWS\avifile32.dll
C:\WINDOWS\avifile32.dll NOT unregistered.
C:\WINDOWS\avifile32.dll moved successfully.
< C:\WINDOWS\autodisc32.dll >
LoadLibrary failed for C:\WINDOWS\autodisc32.dll
C:\WINDOWS\autodisc32.dll NOT unregistered.
C:\WINDOWS\autodisc32.dll moved successfully.
< C:\WINDOWS\audiosrv32.dll >
LoadLibrary failed for C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\audiosrv32.dll NOT unregistered.
C:\WINDOWS\audiosrv32.dll moved successfully.
< C:\WINDOWS\ati2dvag32.dll >
LoadLibrary failed for C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\ati2dvag32.dll NOT unregistered.
C:\WINDOWS\ati2dvag32.dll moved successfully.
< C:\WINDOWS\ati2dvaa32.dll >
LoadLibrary failed for C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvaa32.dll NOT unregistered.
C:\WINDOWS\ati2dvaa32.dll moved successfully.
< C:\WINDOWS\athprxy32.dll >
LoadLibrary failed for C:\WINDOWS\athprxy32.dll
C:\WINDOWS\athprxy32.dll NOT unregistered.
C:\WINDOWS\athprxy32.dll moved successfully.
< C:\WINDOWS\asycfilt32.dll >
LoadLibrary failed for C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asycfilt32.dll NOT unregistered.
C:\WINDOWS\asycfilt32.dll moved successfully.
< C:\WINDOWS\asferror32.dll >
LoadLibrary failed for C:\WINDOWS\asferror32.dll
C:\WINDOWS\asferror32.dll NOT unregistered.
C:\WINDOWS\asferror32.dll moved successfully.
< C:\WINDOWS\apphelp32.dll >
LoadLibrary failed for C:\WINDOWS\apphelp32.dll
C:\WINDOWS\apphelp32.dll NOT unregistered.
C:\WINDOWS\apphelp32.dll moved successfully.
< C:\WINDOWS\changeurl_30.dll >
LoadLibrary failed for C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\changeurl_30.dll NOT unregistered.
C:\WINDOWS\changeurl_30.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03302008_164959
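The results above follow a fixed pattern that is easy to misread by eye: each `< target >` header is followed by the outcome lines for that target, and a DLL can be reported as “NOT unregistered” yet “moved successfully”, which leaves its CLSID registration in the registry. The parser below is added here as an example; it is not part of the thread and not code from OTMoveIt2. It tallies the outcomes and flags two things worth following up: moved DLLs whose unregistration failed, and targets that fail a drive-letter check (like the `2C:\` and `:\WINDOWS` entries in the list above), which the tool reports only as “not found” even though nothing was attempted. The sample log text is constructed for the example in the tool’s output format.

```python
import re
from collections import Counter

# Constructed sample in the OTMoveIt2 results format; the paths mirror the
# thread, but the text is assembled here and is not a log posted in it.
SAMPLE_RESULTS = r"""[Custom Input]
< C:\Program Files\180solutions >
C:\Program Files\180solutions moved successfully.
< C:\Program Files\QdrDrive >
File/Folder C:\Program Files\QdrDrive not found.
< C:\Documents and Settings\All Users\Application Data\Rabio >
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer moved successfully.
C:\Documents and Settings\All Users\Application Data\Rabio moved successfully.
< C:\WINDOWS\voiceip.dll >
LoadLibrary failed for C:\WINDOWS\voiceip.dll
C:\WINDOWS\voiceip.dll NOT unregistered.
C:\WINDOWS\voiceip.dll moved successfully.
< 2C:\WINDOWS\shdocpe.dll >
File/Folder 2C:\WINDOWS\shdocpe.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03302008_164959
"""

TARGET_RE = re.compile(r"^<\s*(.*?)\s*>$")      # "< C:\path >" header line
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")     # well-formed absolute path


def parse_otmoveit_results(text):
    """Return one dict per '< target >' block in an OTMoveIt2 results log."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = TARGET_RE.match(line)
        if header:
            target = header.group(1)
            current = {
                "target": target,
                "status": "unknown",            # no outcome line seen yet
                "unregister_failed": False,     # DLL moved but regsvr32 /u failed
                "malformed_path": not DRIVE_PATH_RE.match(target),
            }
            entries.append(current)
            continue
        if current is None or not line:
            continue                            # "[Custom Input]" banner, blank lines
        if line.endswith(" NOT unregistered."):
            current["unregister_failed"] = True
        elif line.startswith("File/Folder ") and line.endswith(" not found."):
            current["status"] = "not_found"
        elif line == current["target"] + " moved successfully.":
            # sub-items of a folder print their own "moved" lines first;
            # only the line naming the target itself closes the entry
            current["status"] = "moved"
    return entries


def summarize(entries):
    """Tally outcomes and list the targets that need follow-up."""
    counts = Counter(e["status"] for e in entries)
    return {
        "moved": counts["moved"],
        "not_found": counts["not_found"],
        "unknown": counts["unknown"],
        # moved DLLs whose COM registration was not removed: their CLSIDs
        # stay in the registry until a registry fix deletes them
        "needs_registry_cleanup": [e["target"] for e in entries if e["unregister_failed"]],
        # typo'd targets (missing or doubled drive letter) that the tool
        # reports as "not found", hiding that nothing was attempted
        "malformed_targets": [e["target"] for e in entries if e["malformed_path"]],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_otmoveit_results(SAMPLE_RESULTS)).items():
        print(f"{key}: {value}")
```

Run against a pasted results block, the `needs_registry_cleanup` list is the set of DLLs whose CLSIDs still need a registry fix, and `malformed_targets` is the list to re-issue with the drive letter corrected.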

Now we’re getting somewhere.

I missed one to uninstall, please do so now if it’s present in add/remove

zango

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\Documents and Settings\All Users\Application Data\pgdqjady.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\didduid.ini
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\default.htm

DirLook::
C:\Program Files\PianoFX
C:\WINDOWS\Vbox

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"n5w93LxQu4"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule12"=-

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

We’ll use OTMOVEIT2 for some folders.

C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\FLEOK

Please post the combofix log, OTMOVEIT2 results and a new HJT log.

Thanks, and let me know how it’s going on your end.
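The O2 lines HijackThis listed earlier in the thread and the Registry:: section of the CFScript above describe the same thing from two sides: every BHO is a CLSID registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and “(no file)” or “(file missing)” means the registration has outlived its DLL, so deleting the file alone leaves the entry behind. The script below is added here as an example and is not code from the thread, from HijackThis or from ComboFix. It parses O2 lines, separates registrations that still have a DLL on disk from orphaned ones, and emits a CFScript fragment in the same shape as the one above. Assumptions: the sample lines are constructed in HijackThis’s line format, and the `\~\` abbreviation is reproduced as written in the thread’s script rather than expanded; which entries actually belong in a given user’s script remains the analyst’s decision.

```python
import re

# Constructed sample of HijackThis lines in the thread's format (assembled
# here for the example, not copied from a log posted in the thread)
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O4 - HKLM\..\Run: [pgdqjady] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pgdqjady.dll"
O2 - BHO: (no name) - {3712b7f2-1dd2-11b2-a814-d414ee082346} - C:\WINDOWS\nkvchwjs.dll
O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - C:\Program Files\QdrDrive\QdrDrive10.dll (file missing)
""".strip().splitlines()

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path | (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)

# Parent key of BHO registrations, written with ComboFix's "\~\" abbreviation
# exactly as in the thread's script (assumption: not expanded here).
BHO_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


def parse_hjt_o2(lines):
    """Extract CLSID, display name and backing DLL from O2 (BHO) lines."""
    bhos = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if not m:
            continue                      # O4, O16, ... belong to other sections
        target = m.group("target")
        if target == "(no file)":
            dll, present = None, False    # registration with no file path at all
        elif target.endswith(" (file missing)"):
            dll, present = target[: -len(" (file missing)")], False
        else:
            dll, present = target, True   # DLL still on disk
        bhos.append({"name": m.group("name"), "clsid": m.group("clsid"),
                     "dll": dll, "dll_present": present})
    return bhos


def build_cfscript(bhos):
    """Emit a CFScript fragment: File:: for DLLs still on disk, Registry:: for every CLSID."""
    files = [b["dll"] for b in bhos if b["dll_present"]]
    out = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    out.append("Registry::")
    for b in bhos:
        # "[-key]" is CFScript's syntax for deleting the whole key
        out.append("[-" + BHO_KEY_PREFIX + "\\" + b["clsid"] + "]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_hjt_o2(SAMPLE_HJT_LINES)), end="")
```

The File:: list only receives DLLs HijackThis still found on disk; orphaned CLSIDs (no file, or file missing) get a Registry:: deletion only, which is the part a file-moving tool such as OTMoveIt2 cannot do when it reports “NOT unregistered”.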