TechSpot

coolwwwsearch locked regedit & taskmgr, creating popups

By Holly K
Jun 11, 2006
  1. I have run Adaware, Spybot, McAfee VirusScan, cswShredder, AboutBuster, and several other recommended things. Running XP. I am getting regular popups in lower left saying I need to clean up my machine, they take me to antispywarebox.com. Regedit and task manager open but everything is greyed out and nothing can be clicked. Same if I open msconfig and try to access the start programs. It has put about:blank as internet home page. HijackThis attached. I hope someone can help, this is way over my head.
    Thank you, Holly
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected by quite a collection of nasties.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:
     
  3. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Here is what I see:

    The running process:
    C:\WINDOWS\system32\qjrkvy.exe

    Looks to be a culprit.

    When cleaning, make sure all your tools are up to date. Then enter SAFE MODE. Then run and clean with each program. You might also add Crap Cleaner to the list (http://www.ccleaner.com) and perhaps Ewido since the others can't do it alone (http://www.ewido.net/en/download).

    Once in safe mode, remove these entries from HJT:

    F2 - REG:system.ini: UserInit=userinit.exe <- this can be good OR bad. Should be fine without though, most systems don't show this in HJT, so it's likely bad.
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    There are others that "could" be removed, but not bad ones, if I caught everything.

    Once in Safe Mode, with those entries deleted and AA, SB, and Ewido run, check HJT again to see if any of those returned, or post your HJT log here again. Also note that if you aren't 100% clean and you go back to Normal Mode, it could just infect you again. It is important to be clean before going back to Normal Mode. So try to be sure all those programs turn up clean.

    Also, visit the Security forum and look at the stickies, they handle a LOT of this stuff, you are infected with various kinds of adware and spyware still.

    Lastly, if you go in Safe Mode With Networking, you can still post your log here, but also you can run a virus scan from www.bitdefender.com (link on left), and/or housecall.trendmicro.com.

    Good luck.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hi Vig. For future reference.

    These are the nasties in that log.

    users32.exe
    qjrkvy.exe
    adobepnl.dll
    runsrv32.exe
    susp.exe

    Simply having HJT fix these won't cut it.

    It is very important that Holly K follows the instructions I have given.

    Regards Howard :)
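    A small triage script, added here as an example and not part of the thread or of HijackThis itself, that turns the rules in Vigilante's and Howard's posts into checks over HJT log lines: O2 BHO entries that show "(no file)" or load one of the DLLs Howard named, O4 Run entries that launch one of the named executables, the O16 DPF entry with no download URL, and the F2 UserInit line (flagged for review, not automatic removal, since Vigilante notes it can be good or bad). The sample lines are the entries quoted above plus two constructed benign lines (the "Example Helper" CLSID and path are made up; ctfmon.exe is a standard XP component); nothing in it touches the registry, it only decides which lines to tick in HJT.

```python
import re

# Constructed sample input: the HijackThis entries quoted in Vigilante's post,
# plus two benign lines (marked) so the triage has something to pass.
SAMPLE_HJT_LINES = [
    "F2 - REG:system.ini: UserInit=userinit.exe",
    "O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)",
    "O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\\WINDOWS\\system32\\adobepnl.dll",
    # constructed benign BHO with a made-up CLSID and path
    "O2 - BHO: Example Helper - {12345678-ABCD-1234-ABCD-123456789ABC} - C:\\Program Files\\Example\\helper.dll",
    "O4 - HKLM\\..\\Run: [Adware.Srv32] C:\\WINDOWS\\system32\\runsrv32.exe",
    "O4 - HKLM\\..\\Run: [Transponder] C:\\WINDOWS\\system32\\susp.exe",
    # ctfmon.exe is a standard Windows XP component; constructed benign line
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -",
]

# File names Howard identified as the nasties in this log.
KNOWN_BAD_FILES = {"users32.exe", "qjrkvy.exe", "adobepnl.dll", "runsrv32.exe", "susp.exe"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<url>.*)$")


def exe_from_command(cmd):
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Classify one HJT line as 'remove', 'review' or 'ok' with a reason."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {"line": line, "section": None, "verdict": "ok", "reason": "not an HJT entry"}
    section, body = m.group("section"), m.group("body")
    verdict, reason = "ok", "no rule matched"
    if section == "O2":
        b = BHO_RE.match(body)
        if b and b.group("path") == "(no file)":
            verdict, reason = "remove", "orphaned BHO: CLSID registered but its DLL is missing"
        elif b and basename(b.group("path")) in KNOWN_BAD_FILES:
            verdict, reason = "remove", "BHO loads a known-bad DLL"
    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            exe = basename(exe_from_command(r.group("cmd")))
            if exe in KNOWN_BAD_FILES or r.group("name").lower().startswith("adware"):
                verdict, reason = "remove", "autorun entry for a known-bad executable"
    elif section == "O16":
        d = DPF_RE.match(body)
        if d and not d.group("url"):
            verdict, reason = "remove", "downloaded ActiveX control with no source URL"
    elif section == "F2":
        # Vigilante's note: can be good or bad, so a human decides this one
        verdict, reason = "review", "UserInit override: keep only if it is the Windows userinit.exe"
    return {"line": line, "section": section, "verdict": verdict, "reason": reason}


def triage(lines):
    """Triage every line of a log."""
    return [triage_line(ln) for ln in lines]


def removal_list(lines):
    """The subset of lines to tick in HijackThis 'Fix checked'."""
    return [r["line"] for r in triage(lines) if r["verdict"] == "remove"]


if __name__ == "__main__":
    for r in triage(SAMPLE_HJT_LINES):
        print(f"{r['verdict']:6} {r['reason']:55} {r['line']}")
```

    Run against the sample it marks five lines for removal and the F2 line for review; an orphaned "(no file)" BHO is safe to remove regardless of name, while the O4 rule only fires on the file names from this thread, so a log from another machine needs its own list.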
     
  5. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    You got your post in before I submitted :)

    Yes, those are baddies. And following instructions is important :) That's why I said to read all the stickies.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sorry mate, I didn't realise our posts had crossed lol.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
