coolwwwsearch locked regedit & taskmgr, creating popups

Status
Not open for further replies.
I have run Adaware, Spybot, McAfee VirusScan, cswShredder, AboutBuster, and several other recommended things. Running XP. I am getting regular popups in lower left saying I need to clean up my machine, they take me to antispywarebox.com. Regedit and task manager open but everything is greyed out and nothing can be clicked. Same if I open msconfig and try to access the start programs. It has put about:blank as internet home page. HijackThis attached. I hope someone can help, this is way over my head.
Thank you, Holly
 
Hello and welcome to Techspot.

Your system is infected by quite a collection of nasties.

Go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :wave: :wave:
 
Here is what I see:

The running process:
C:\WINDOWS\system32\qjrkvy.exe

Looks to be a culprit.

When cleaning, make sure all your tools are up to date. Then enter SAFE MODE. Then run and clean with each program. You might also add Crap Cleaner to the list (http://www.ccleaner.com) and perhaps Ewido since the others can't do it alone (http://www.ewido.net/en/download).

Once in safe mode, remove these entries from HJT:

F2 - REG:system.ini: UserInit=userinit.exe <- this can be good OR bad. Should be fine without though, most systems don't show this in HJT, so it's likely bad.
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

There are others that "could" be removed, but not bad ones, if I caught everything.

Once in Safe Mode, with those entries deleted and AA, SB, and Ewido run, check HJT again to see if any of those returned. Or post your HJT log here again. Also note that if you aren't 100% clean and you go back to Normal Mode, it could just infect you again. It is important to be clean before going back to Normal Mode. So try to be sure all those programs turn up clean.

Also, visit the Security forum and look at the stickies, they handle a LOT of this stuff, you are infected with various kinds of adware and spyware still.

Lastly, if you go in Safe Mode With Networking, you can still post your log here, but also you can run a virus scan from www.bitdefender.com (link on left), and/or housecall.trendmicro.com.

Good luck.
 
Hi Vig. For future reference.

These are the nasties in that log.

users32.exe
qjrkvy.exe
adobepnl.dll
runsrv32.exe
susp.exe

Simply having HJT fix these won't cut it.

It is very important that Holly K follows the instructions I have given.

Regards Howard :)
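Detection logic for the indicators named in this thread, as an added example that is not a tool from the thread, from TechSpot, or from HijackThis itself: a small Python checker that reads HijackThis-style log lines and flags (a) O2 BHO entries reported as "(no file)", (b) any path whose filename is on the list Howard gives above, and (c) a start page reset to about:blank as Holly described. The watchlist, the three rules and the sample log are constructed from this thread for illustration and are not a general signature set; the script only triages a log, it changes nothing on the machine.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Filenames Howard named as malicious in this thread; used here as a
# constructed watchlist for illustration, not an authoritative signature set.
WATCHLIST = {"users32.exe", "qjrkvy.exe", "adobepnl.dll", "runsrv32.exe", "susp.exe"}

# Matches a Windows drive path up to the next whitespace or quote.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


class Finding(NamedTuple):
    line_no: int     # 1-based line number within the log (0 until analyze_log fills it)
    category: str    # "watchlist", "orphaned_bho" or "homepage"
    detail: str      # human-readable explanation
    text: str        # the offending log line


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(line: str) -> Optional[Finding]:
    """Apply the three rules to one HJT-style line; None means no hit."""
    s = line.strip()
    if not s:
        return None
    # Rule 1: a BHO CLSID that is still registered but has no DLL behind it.
    # HJT prints these as "(no file)"; Vig's reply lists nine of them.
    if s.startswith("O2 - BHO:") and "(no file)" in s:
        return Finding(0, "orphaned_bho", "BHO registered with no file on disk", s)
    # Rule 2: any path (running process, O2 DLL, O4 autostart) whose
    # filename is on the watchlist.
    for path in _PATH_RE.findall(s):
        name = _basename(path)
        if name in WATCHLIST:
            return Finding(0, "watchlist", f"references watchlisted file {name}", s)
    # Rule 3: Holly reported the home page forced to about:blank; HJT shows
    # that as an R0/R1 "Start Page" entry.
    if re.match(r"R[01] - .*Start Page = about:blank", s):
        return Finding(0, "homepage", "start page reset to about:blank", s)
    return None


def analyze_log(text: str) -> List[Finding]:
    """Run classify over every line and stamp each hit with its line number."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hit = classify(line)
        if hit is not None:
            findings.append(hit._replace(line_no=n))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per category, e.g. {"watchlist": 4, ...}."""
    return dict(Counter(f.category for f in findings))


# Constructed sample log: entries quoted from this thread mixed with benign
# lines (winlogon.exe, ctfmon.exe) so the checker has something to pass over.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\qjrkvy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no:2d} [{f.category}] {f.detail}: {f.text}")
    print(summarize(hits))
```

Run on the sample it reports six hits: four watchlisted files (the running qjrkvy.exe, the adobepnl.dll BHO, and the two O4 autostarts), one orphaned BHO and the about:blank start page, while the benign winlogon.exe and ctfmon.exe lines pass. A watchlist hit on a path means the file is still on disk, which is exactly why Howard says having HJT fix the entries alone won't cut it: the registry line can be removed and the file will simply re-register it on the next boot.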
 
You got your post in before I submitted :)

Yes, those are baddies. And following instructions is important :) That's why I said to read all the stickies.
 