Full Version: Am I Infected?
Galeviolets
Here's my log, please help me get rid of the virus. I don't know how to get this application to the directory and out of a temp file like I'm supposed to, so could you explain that too?

Logfile of HijackThis v1.99.1
Scan saved at 8:48:38 AM, on 3/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\9e9qtyh6\9e9qtyh6.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\isitmgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\iiwu\iiwum.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\windows\system32\npipyyk.exe
C:\WINDOWS\explorer.exe
C:\windows\system32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {12CCDF05-6431-4102-BDC7-F5CE8DEC7442} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {140015A9-C49B-4860-9F20-9A5F435BF7C9} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {367BE849-ED99-4D5E-9592-CD28059290D4} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {385E7BB0-5B62-439F-8DDE-8944E244AF6D} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {693EB458-9880-4C8B-9DA1-786AA02E4372} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {80204023-FD3C-47CC-BF48-C4FAC220A3B5} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {80A47345-7DEC-4B70-BD67-0CF483ED20DF} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {ABFAB204-BB9D-46D9-B390-F749D010DC59} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {BB9521C4-EBFA-4A8F-ADB3-3DDE55327310} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {D866BFA8-391C-4871-8584-4F14E4DDB1FD} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O4 - HKLM\..\Run: [9e9qtyh6] C:\Program Files\9e9qtyh6\9e9qtyh6.exe
O4 - HKLM\..\Run: [npipyyk] c:\windows\system32\npipyyk.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitecoc32.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [fosqRUMFj] isitmgr.exe
O4 - HKCU\..\Run: [iiwu] C:\PROGRA~1\COMMON~1\iiwu\iiwum.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
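The log above is exactly the kind of thing a helper reads by eye: BHOs registered with no name, one DLL hooked under many CLSIDs, Run values with generated-looking names, and rundll32 loading a DLL by bare name. The following script is an added example (not part of this thread, not HijackThis code) that parses a few of the O2/O4 lines copied from the log above and applies those same triage heuristics. The thresholds in `looks_random` and the regexes are my own assumptions about the HijackThis line format, chosen to match the lines shown here.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {12CCDF05-6431-4102-BDC7-F5CE8DEC7442} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O2 - BHO: (no name) - {140015A9-C49B-4860-9F20-9A5F435BF7C9} - C:\Program Files\9e9qtyh6\9e9qtyh6.dll
O4 - HKLM\..\Run: [9e9qtyh6] C:\Program Files\9e9qtyh6\9e9qtyh6.exe
O4 - HKLM\..\Run: [npipyyk] c:\windows\system32\npipyyk.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [fosqRUMFj] isitmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Assumed line shapes for the two HijackThis sections handled here (O2 BHOs, O4 Run keys).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def looks_random(name):
    """Heuristic (assumption): a space-free name of 6+ characters that mixes letters and
    digits, or that is very vowel-poor, resembles a generated filename like '9e9qtyh6'."""
    if ' ' in name or len(name) < 6:
        return False
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if letters and digits:
        return True
    vowels = sum(1 for c in letters if c.lower() in 'aeiou')
    return bool(letters) and vowels / len(letters) < 0.25


def triage(log_text):
    """Return [(line, [reasons])] for O2/O4 entries that deserve a closer look."""
    entries = []
    bho_by_dll = defaultdict(list)          # DLL path -> CLSIDs registered for it
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bho_by_dll[m['path'].lower()].append(m['clsid'])
            entries.append(('O2', line, m))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            entries.append(('O4', line, m))

    findings = []
    for kind, line, m in entries:
        reasons = []
        if kind == 'O2':
            if m['name'] == '(no name)':
                reasons.append('BHO registered without a name')
            count = len(bho_by_dll[m['path'].lower()])
            if count > 1:
                reasons.append(f'same DLL registered under {count} CLSIDs')
            base = m['path'].rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            if looks_random(base):
                reasons.append('random-looking DLL name')
        else:
            cmd = m['cmd']
            if looks_random(m['name']):
                reasons.append('random-looking Run value name')
            first = cmd.split()[0].strip('"')
            if first.lower().startswith('rundll32'):
                args = cmd.split(None, 1)[1] if ' ' in cmd else ''
                if '\\' not in args:
                    reasons.append('rundll32 loading a DLL by bare name')
            elif '\\' not in first:
                reasons.append('executable given without a path')
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print('   ->', r)
```

On the sample above this flags the two nameless 9e9qtyh6 BHOs, the 9e9qtyh6 and npipyyk Run values, the GUID-named rundll32 entry and the pathless isitmgr.exe entry, while leaving dlmax.dll, Yahoo! Pager and the Global Startup shortcut alone. The output is a triage list rather than a verdict: vowel-poor legitimate names (MsnMsgr, for instance) would also trip the name heuristic, so each hit still needs to be confirmed against the file on disk.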
Bobbi Flekman
Hi Galeviolets,

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus Panda Anti Virus Trojan Scan Bit Defender

And, here's the link to McAfee AVERT Stinger and instructions for use.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

Post a new log after these steps.
Galeviolets
The internet won't stay up long enough to do the scans, and when I try to use the regular MSN search bar, I get directed to this 404 error. But my boss, Art, is just going to erase the whole computer. Will that erase the virus with it?
Bobbi Flekman
Hi Galeviolets,

If your boss is going to erase and reinstall, it will delete the infections.
Invision Power Board © 2001-2010 Invision Power Services, Inc.