I have been trying to remove a virus inside my C:/ drive. The boot scan found 3 seperate trojans that I have deleted but the 2 remaining infections can’t be disinfected with BitDefender, Trend Micro or avast. The other places don’t even pick them up. I have tried removing them in the folder & in the uninstall area of my control menu. So after we try everything, is there anything left to try?
Oh I try did try my run → cmd SFC/scannow and the windows popup hangs with no activity for long periods.
Any advice once this road is where I am?
Thanks for any help.

The items I’m trying to remove are:
C:\Program Files\Web_Rebates\WebRebates1.exe: infected with Adware.Rebates
C:\Program Files\Web_Rebates\WebRebates1.exe: disinfection failed

and one named ‘Web_Rebates0.exe’ also but for some reason it isn’t reported on this exam with the scanner.
yaz :-X

running WinXP home ed. with I.E 6.0 on CPQ

The rebate won’t show here, does anything here look evil?
yaz

Logfile of HijackThis v1.98.2
Scan saved at 8:58:18 PM, on 10/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\wrapper.exe
C:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\cczip.exe
C:\WINDOWS\system32\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/s

earch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumer

fav&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/s

earch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.ya

hoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Microsoft Internet Explorer provided by Compaq
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} -

C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO -

{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: ADP UrlCatcher Class -

{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -

C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no

file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button

Support\StartEAK.exe
O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft

Works\WksSb.exe /AllUsers
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM..\Run: [AttuneClientEngine]

C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM..\Run: [OneTouch Monitor] C:\Program Files\Visioneer

OneTouch\OneTouchMon.exe
O4 - HKLM..\Run: [CMPDPSRV]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM..\Run: [WebRebates0] "C:\Program

Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq

Advisor\bin\compaq-rba.exe -z
O4 - HKCU..\Run: [MoneyAgent] "c:\Program Files\Microsoft

Money\System\Money Express.exe"
O4 - HKCU..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe

[I apologise for doing this here, I can’t get into my hp tonite]

-quiet
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program

Files\MGI\MGI PhotoSuite III SE\Temp\MGI00000.html
O8 - Extra context menu item: Web Rebates - file://C:\Program

Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -

C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd}

• C:\PROGRA~1\ICQ\ICQ.exe
  O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -

C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite -

{B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program

Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {5622B188-2505-40F8-BF3C-54F4E9311C4E} -

C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storer

edir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Chat - http://cs7.chat.yahoo.com/c381/chat.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} -

http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) -

http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_file.php?bt=ie&p=48c347740e8f5c90be3817

5e52b8a764f9088180cf867b07efef0da67587cbcfe07d5eda93b070b3e1f5f4b

23f7ec81a88639e10093bff8917f19d0c3b2daa1576:9088c9d39de8432b43b6ed

f749c9050f
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetu

p1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory

Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} -

http://store.yahoo.net/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI

Utility Class) -

http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/hous

ecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline

Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam

Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -

http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI

Registry Information Class) -

http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo

Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class)

• https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
  O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) -

http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5)

• http://chat.msn.com/bin/msnchat45.cab
  O17 -

HKLM\System\CCS\Services\Tcpip..{78D1B744-C926-4F79-9E4A-9DE18F066C

F2}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} -

C:\WINDOWS\myCIO\Agent\myRmProt2.8.0.201.dll

There are a lot of things that need to be fixed, and things not required.

Visit this site for an on-line analysis of your Hijackthis file [b]http://hijackthis.de/index.php[/b]

Or, visit Eddy’s HiJackThis Info and Analysis page, HiJackThis log file analyzer and follow the directions there and get back to us if you need more help…