Hijackthis Log

Status
Not open for further replies.
Hello,
I think I have a virus...or many...any help is greatly appreciated.

As far as what is wrong,..
Popups left and right..or rather, they're being blocked but it's a war going on between my tools and whatever is doing it. Further, there is general slowness with the computer (despite the CPU not killing itself)...Internet specifically is extremely slow.

Maybe I should have done this log from normal mode rather than safe mode...
 
Well this one stands out a mile
http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
It's a BHO/TOOLBAR in Internet Explorer

Please remove it (tick and fix)

Also run Startup Control Panel and remove any reference to it
Actually I'd suggest running RIES to reset IE to defaults

Then running a scan with:

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
 
That's why I shouldn't check these logs

Thanks xxdanielxx, I saw the bum bum link, and thought it was strange
(I did google it too)

But anyway, they want to use these words in their software so be it.
 
Ok,..
kimsland
Please download Malwarebytes' Anti-Malware to your desktop.
I went the SAS route as per the option in the link from the poster below (xxdanielxx). If requested, I'll run with this tool too. Thanks!

xxdanielxx
Please go to the link below and follow all the steps then post back here with the 3 logs thanks.
Note: I have ad-aware 2007 but somehow, its installation is messed up and I can't uninstall it. I can't install 2008 with 2007 already installed. I can't run ad-aware 2007 either since it's broken. I substituted the PC Tool's program I have, during any step reference to specifically, ad-aware 2008. (I figured, you're just recommending free tools since they're free and that this substitution would be sufficient)

Once you`ve finished these instructions, you should have 3 log files. HJT, Combofix and MBAM/SAS logs. They are the only logs we need, unless otherwise requested.
Done, and attached. Thank you for the help!

I'm yet to see anything suspicious while using the computer in normal boot mode. I'll reply if I notice anything and I'll check back in this thread to read any further suggestions you tech people have =)

Thanks for your time thus far!
 
Look in your Lavasoft Ad-Aware folder for a file called UNWISE and run it to uninstall Ad-Aware.

For SAS make sure to delete everything it found, check the quarantine for anything and delete it.

Go to the link below and download CWShredder to your desktop, then run it in safe mode; it is better to run in safe mode. To boot in safe mode, keep tapping the F8 key while your computer boots up.

CWShredder:
http://us.trendmicro.com/us/products/personal/CWShredder/index.html

Also download SDFix from the link below to your desktop, then run it. SDFix will create a folder in your C drive. Boot into safe mode, go to C:\SDFix and run --->RunThis.bat. Post the log it creates here.

SDFix:
http://www.bleepingcomputer.com/files/sdfix.php

One more thing: do you have iTunes or QuickTime installed? When you finish the above, post a fresh HijackThis log.
 
Actually, I am just going to add this to the instructions above

OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
nope, according to Old Timer, it will move all the variations of purityscan/clickspring adware, and all you need is to type purity and it has the ability to read Unicode and ASCII characters, it should find the entry that it is meant to and remove the associated registry entries and folders. Either way, it is a good program to have in case there are other entries later that can't be removed.
 
xxdanielxx
look for a file called UNWISE
That file wasn't there. Ad-aware's support forums directed me to a few steps that worked though. Ad-aware 2008 installed-updated-scanned and everything found was fixed.
Go to the link below and download CWShredder
Done.
Also download SDFix
Done and log attached as requested.
One more thing: do you have iTunes or QuickTime installed? When you finish the above, post a fresh HijackThis log.
No Itunes, there is an "Ibook" external storage drive though. There might be some driver installed from that which I'm not aware of.
Quicktime was uninstalled but, for some reason, there are a few pieces of the program left over. Similar deal to the Ad-aware 2007.

Hijackthis log attached.
Note: I ran this Hijack log after Blind Dragon's OTMoveIt2 request.

Blind Dragon
Please download the OTMoveIt2 by OldTimer.
Attached.


Thanks for the help everyone, I don't know what the wife did but the computer is far more protected now =D. Let me know if you see anything else from the logs.
 
Boot into safe mode, run HijackThis and place a check mark next to the following items:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

O21 - SSODL: dchqhofw - {18c10ed5-b47f-4b85-9565-e02385cc72ae} - C:\Documents and Settings\All Users\Application Data\dchqhofw.dll (file missing)
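
The three entries listed in the post above, parsed and triaged as an added example; it is not part of the original thread and is not HijackThis's own code. The section descriptions follow HijackThis's log conventions, while the `triage` rules are illustrative assumptions and not a verdict on these files.

```python
import re

# Lines copied from the post above; everything else here is added for illustration.
SAMPLE = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab',
    r'O21 - SSODL: dchqhofw - {18c10ed5-b47f-4b85-9565-e02385cc72ae} - C:\Documents and Settings\All Users\Application Data\dchqhofw.dll (file missing)',
]
# HijackThis section codes that appear in those lines.
SECTIONS = {
    "O4": "autostart entry (Run key or Startup folder)",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O21": "ShellServiceObjectDelayLoad (loaded by Explorer at logon)",
}
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:exe|dll)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

def triage(e):
    """Illustrative review hints (assumed rules, not HijackThis output)."""
    notes = []
    if e["file_missing"]:
        notes.append("orphaned reference: registry entry remains, file is gone")
    if e["code"] == "O21" and e["path"] and "\\application data\\" in e["path"].lower():
        notes.append("shell-loaded DLL outside Program Files/Windows")
    if e["code"] == "O16" and (e["url"] or "").startswith("http://"):
        notes.append("ActiveX codebase fetched over plain HTTP")
    return notes

def parse_entry(line):
    """Split one log line into section code, CLSID, file path and URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header or process-list line, not an entry
    body = m["body"]
    clsid, path, url = (r.search(body) for r in (CLSID_RE, PATH_RE, URL_RE))
    entry = {
        "code": m["code"],
        "section": SECTIONS.get(m["code"], "unknown section"),
        "clsid": clsid.group(0).lower() if clsid else None,
        "path": path.group(0) if path else None,
        "url": url.group(0) if url else None,
        "file_missing": body.endswith("(file missing)"),
    }
    entry["notes"] = triage(entry)
    return entry

print(*(f"{e['code']}: {e['notes']}" for e in map(parse_entry, SAMPLE)), sep="\n")
```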
 