
gettin frustrated

Discussion in 'Virus & Other Malware Removal' started by waitaslepers, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. waitaslepers

    waitaslepers Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    3
    OK, I have this stupid trojan called TrojanSpy.Win32.BiSpy.c and I can't delete it because it says it is in an archive. I've tried F-Secure and TDS-3. None can help. They got rid of what came with the trojan but not that one itself. How can I get rid of this? Please help. Thank you! ;)
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi. Do you mean that the infected file is in the System Restore area? If you did see System Restore or RESTOR mentioned, then you just have to flush the restore points to get rid of any infected files that are in RESTOR.
    After things are straightened out, you can enable restore and create a new restore point.

    Just exactly where and what is the filename you are seeing? If it is just the trojan itself, it can usually be deleted; granted, there are sometimes some steps you have to do, such as hunting for the file from Safe Mode, stopping the running process, or removing a Registry entry. If you post a HijackThis log, we may be able to easily spot something in the log, too.

    Directions and download for HJThis:

    http://s89223352.onlinehome.us/mirror/hjt/

    Use the download link just down under "Lurkhere" for "HJThis from here". Download it to a folder you make on the hard drive, like C:\HJT, and run the download from there after unzipping. DO NOT use HJT to fix anything yet! Just let it scan and follow the directions to save and copy/paste your log into a new reply to this thread.
     
  3. waitaslepers

    waitaslepers Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    3
    I did the scan and this is what I came up with:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:03:56 PM, on 4/7/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\GWMDMMSG.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FSMA32.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FSMB32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FCH32.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\BACKWEB\4476822\PROGRAM\FSBWSYS.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FAMEH32.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSGK32.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\FWES\PROGRAM\FSDFWD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSSM32.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSAV32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FSM32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\BACKWEB\4476822\PROGRAM\BACKWEB-4476822.EXE
    C:\PROGRAM FILES\JUNO6\ZCAST.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\JUNO6\CHKRAS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EPYEDWUF\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?c001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\SPOOL32.EXE
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME2.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [spool32] C:\WINDOWS\SYSTEM\SPOOL32.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [spool32] C:\WINDOWS\SYSTEM\SPOOL32.EXE
    O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSMA32.EXE
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 41MV7PWV.lnk = C:\WINDOWS\41mv7pwv.exe
    O4 - Startup: 1W498XLK.lnk = C:\WINDOWS\1w498xlk.exe
    O4 - Startup: KO1ZFAQF.lnk = C:\WINDOWS\ko1zfaqf.exe
    O4 - Startup: 70JJUZQ8.lnk = C:\WINDOWS\70jjuzq8.exe
    O4 - Startup: VBAGRQ03.lnk = C:\WINDOWS\vbagrq03.exe
    O4 - Startup: D6FG21TO.lnk = C:\WINDOWS\d6fg21to.exe
    O4 - Startup: XH426LJ2.lnk = C:\WINDOWS\xh426lj2.exe
    O4 - Startup: I7JR2YY7.lnk = C:\WINDOWS\i7jr2yy7.exe
    O4 - Startup: GCZZRHCG.lnk = C:\WINDOWS\gczzrhcg.exe
    O4 - Startup: N86RW4F7.lnk = C:\WINDOWS\n86rw4f7.exe
    O4 - Startup: 0WXLR0B9.lnk = C:\WINDOWS\0wxlr0b9.exe
    O4 - Startup: GI02B5EX.lnk = C:\WINDOWS\gi02b5ex.exe
    O4 - Startup: 1OP81W51.lnk = C:\WINDOWS\1op81w51.exe
    O4 - Startup: ELQYJHG5.lnk = C:\WINDOWS\elqyjhg5.exe
    O4 - Startup: X9H5WGYG.lnk = C:\WINDOWS\x9h5wgyg.exe
    O4 - Startup: QRWBCHJ5.lnk = C:\WINDOWS\qrwbchj5.exe
    O4 - Startup: 05FR7V20.lnk = C:\WINDOWS\05fr7v20.exe
    O4 - Startup: RCKVA3O4.lnk = C:\WINDOWS\rckva3o4.exe
    O4 - Startup: GVRLMNF3.lnk = C:\WINDOWS\gvrlmnf3.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: 3C5AW3MQ.lnk = C:\WINDOWS\3c5aw3mq.exe
    O4 - Global Startup: VCPK8A30.lnk = C:\WINDOWS\vcpk8a30.exe
    O4 - Global Startup: J42P4ZCH.lnk = C:\WINDOWS\j42p4zch.exe
    O4 - Global Startup: 6W8NN8CA.lnk = C:\WINDOWS\6w8nn8ca.exe
    O4 - Global Startup: 1304IMEB.lnk = C:\WINDOWS\1304imeb.exe
    O4 - Global Startup: U2V3C9D9.lnk = C:\WINDOWS\u2v3c9d9.exe
    O4 - Global Startup: CPP7YI4N.lnk = C:\WINDOWS\cpp7yi4n.exe
    O4 - Global Startup: OV6L0LR0.lnk = C:\WINDOWS\ov6l0lr0.exe
    O4 - Global Startup: KBV0WO9U.lnk = C:\WINDOWS\kbv0wo9u.exe
    O4 - Global Startup: DFUK9PM4.lnk = C:\WINDOWS\dfuk9pm4.exe
    O4 - Global Startup: TNYVIPF4.lnk = C:\WINDOWS\tnyvipf4.exe
    O4 - Global Startup: 6ZQRXEUZ.lnk = C:\WINDOWS\6zqrxeuz.exe
    O4 - Global Startup: EBCEGFG0.lnk = C:\WINDOWS\ebcegfg0.exe
    O4 - Global Startup: 4PWIDVV8.lnk = C:\WINDOWS\4pwidvv8.exe
    O4 - Global Startup: JR1KZXML.lnk = C:\WINDOWS\jr1kzxml.exe
    O4 - Global Startup: 37GR93J7.lnk = C:\WINDOWS\37gr93j7.exe
    O4 - Global Startup: IN06VMD2.lnk = C:\WINDOWS\in06vmd2.exe
    O4 - Global Startup: 8WIFMHZD.lnk = C:\WINDOWS\8wifmhzd.exe
    O4 - Global Startup: 7LZCQVD7.lnk = C:\WINDOWS\7lzcqvd7.exe
    O4 - Global Startup: 22THHHZ1.lnk = C:\WINDOWS\22thhhz1.exe
    O4 - Global Startup: 41H3EPAL.lnk = C:\WINDOWS\41h3epal.exe
    O4 - Global Startup: 20RJRI0J.lnk = C:\WINDOWS\20rjri0j.exe
    O4 - Global Startup: 9WYUGNRH.lnk = C:\WINDOWS\9wyugnrh.exe
    O4 - Global Startup: KQ9EA80J.lnk = C:\WINDOWS\kq9ea80j.exe
    O4 - Global Startup: 3OA0WXF8.lnk = C:\WINDOWS\3oa0wxf8.exe
    O4 - Global Startup: CP2D2BJK.lnk = C:\WINDOWS\cp2d2bjk.exe
    O4 - Global Startup: CN8AZ46R.lnk = C:\WINDOWS\cn8az46r.exe
    O4 - Global Startup: K8LJEG01.lnk = C:\WINDOWS\k8ljeg01.exe
    O4 - Global Startup: TFLTTZGX.lnk = C:\WINDOWS\tflttzgx.exe
    O4 - Global Startup: 60ATY9O6.lnk = C:\WINDOWS\60aty9o6.exe
    O4 - Global Startup: PEO8K6T2.lnk = C:\WINDOWS\peo8k6t2.exe
    O4 - Global Startup: 090U7JDN.lnk = C:\WINDOWS\090u7jdn.exe
    O4 - Global Startup: T2PE7HFP.lnk = C:\WINDOWS\t2pe7hfp.exe
    O4 - Global Startup: 92NU6ANO.lnk = C:\WINDOWS\92nu6ano.exe
    O4 - Global Startup: 03OMLJ7X.lnk = C:\WINDOWS\03omlj7x.exe
    O4 - Global Startup: 5XMYFGX8.lnk = C:\WINDOWS\5xmyfgx8.exe
    O4 - Global Startup: EY8Y3DUH.lnk = C:\WINDOWS\ey8y3duh.exe
    O4 - Global Startup: 8OU966G1.lnk = C:\WINDOWS\8ou966g1.exe
    O4 - Global Startup: QEIMGQ3M.lnk = C:\WINDOWS\qeimgq3m.exe
    O4 - Global Startup: WC6EL8FG.lnk = C:\WINDOWS\wc6el8fg.exe
    O4 - Global Startup: VH52LIVH.lnk = C:\WINDOWS\vh52livh.exe
    O4 - Global Startup: 8EWCM814.lnk = C:\WINDOWS\8ewcm814.exe
    O4 - Global Startup: CIZL29QZ.lnk = C:\WINDOWS\cizl29qz.exe
    O4 - Global Startup: AD7TBP9D.lnk = C:\WINDOWS\ad7tbp9d.exe
    O4 - Global Startup: JT6UXBO5.lnk = C:\WINDOWS\jt6uxbo5.exe
    O4 - Global Startup: 39L30A1Q.lnk = C:\WINDOWS\39l30a1q.exe
    O4 - Global Startup: BM9152RK.lnk = C:\WINDOWS\bm9152rk.exe
    O4 - Global Startup: FZO0EH21.lnk = C:\WINDOWS\fzo0eh21.exe
    O4 - Global Startup: TVKW4JFI.lnk = C:\WINDOWS\tvkw4jfi.exe
    O4 - Global Startup: F-Secure Internet Security 2004.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\backweb-4476822.exe
    O4 - Global Startup: 8L1OGXU9.lnk = C:\WINDOWS\8l1ogxu9.exe
    O4 - Global Startup: 1ZL95IIY.lnk = C:\WINDOWS\1zl95iiy.exe
    O4 - Global Startup: J0Q28MQD.lnk = C:\WINDOWS\j0q28mqd.exe
    O4 - Global Startup: OPQ67ABK.lnk = C:\WINDOWS\opq67abk.exe
    O4 - Global Startup: 06TCYDY1.lnk = C:\WINDOWS\06tcydy1.exe
    O4 - Global Startup: 4QTVK7IB.lnk = C:\WINDOWS\4qtvk7ib.exe
    O4 - Global Startup: J0NHDLF6.lnk = C:\WINDOWS\j0nhdlf6.exe
    O4 - Global Startup: 8HGVLNGV.lnk = C:\WINDOWS\8hgvlngv.exe
    O4 - Global Startup: YX6W72YL.lnk = C:\WINDOWS\yx6w72yl.exe
    O4 - Global Startup: T9KTHGY0.lnk = C:\WINDOWS\t9kthgy0.exe
    O4 - Global Startup: 4ENHY4AL.lnk = C:\WINDOWS\4enhy4al.exe
    O4 - Global Startup: LKW43LNF.lnk = C:\WINDOWS\lkw43lnf.exe
    O4 - Global Startup: EDMEEHVX.lnk = C:\WINDOWS\edmeehvx.exe
    O4 - Global Startup: 75MCNUB6.lnk = C:\WINDOWS\75mcnub6.exe
    O4 - Global Startup: RLCNZQQD.lnk = C:\WINDOWS\rlcnzqqd.exe
    O4 - Global Startup: PE0AW5H0.lnk = C:\WINDOWS\pe0aw5h0.exe
    O4 - Global Startup: L8UXHJ5K.lnk = C:\WINDOWS\l8uxhj5k.exe
    O4 - Global Startup: 5YGX6DLM.lnk = C:\WINDOWS\5ygx6dlm.exe
    O4 - Global Startup: RRJOFPDP.lnk = C:\WINDOWS\rrjofpdp.exe
    O4 - Global Startup: 0650BFWB.lnk = C:\WINDOWS\0650bfwb.exe
    O4 - Global Startup: Z2RY6E3L.lnk = C:\WINDOWS\z2ry6e3l.exe
    O4 - Global Startup: GJU6LGUI.lnk = C:\WINDOWS\gju6lgui.exe
    O4 - Global Startup: GV2TKVWJ.lnk = C:\WINDOWS\gv2tkvwj.exe
    O4 - Global Startup: DKZ0R5BZ.lnk = C:\WINDOWS\dkz0r5bz.exe
    O4 - Global Startup: CRU3198I.lnk = C:\WINDOWS\cru3198i.exe
    O4 - Global Startup: EKLJGD4E.lnk = C:\WINDOWS\ekljgd4e.exe
    O4 - Global Startup: TGXYWG0Y.lnk = C:\WINDOWS\tgxywg0y.exe
    O4 - Global Startup: HDWKHR1W.lnk = C:\WINDOWS\hdwkhr1w.exe
    O4 - Global Startup: PIUJ6MW9.lnk = C:\WINDOWS\piuj6mw9.exe
    O4 - Global Startup: JC5F9W4A.lnk = C:\WINDOWS\jc5f9w4a.exe
    O4 - Global Startup: YEA86R02.lnk = C:\WINDOWS\yea86r02.exe
    O4 - Global Startup: X0U3D0RI.lnk = C:\WINDOWS\x0u3d0ri.exe
    O4 - Global Startup: CR2Q08FG.lnk = C:\WINDOWS\cr2q08fg.exe
    O4 - Global Startup: 9XE0OJBK.lnk = C:\WINDOWS\9xe0ojbk.exe
    O4 - Global Startup: 59L68R1D.lnk = C:\WINDOWS\59l68r1d.exe
    O4 - Global Startup: 87N5L1B4.lnk = C:\WINDOWS\87n5l1b4.exe
    O4 - Global Startup: PV0XQMH4.lnk = C:\WINDOWS\pv0xqmh4.exe
    O4 - Global Startup: 191LHBQ6.lnk = C:\WINDOWS\191lhbq6.exe
    O4 - Global Startup: 16NW0M80.lnk = C:\WINDOWS\16nw0m80.exe
    O4 - Global Startup: 2M0R2YAP.lnk = C:\WINDOWS\2m0r2yap.exe
    O4 - Global Startup: WGPLPN3X.lnk = C:\WINDOWS\wgplpn3x.exe
    O4 - Global Startup: MW911ITE.lnk = C:\WINDOWS\mw911ite.exe
    O4 - Global Startup: 98UV25M8.lnk = C:\WINDOWS\98uv25m8.exe
    O4 - Global Startup: I06J0OY3.lnk = C:\WINDOWS\i06j0oy3.exe
    O4 - Global Startup: 41MV7PWV.lnk = C:\WINDOWS\41mv7pwv.exe
    O4 - Global Startup: 1W498XLK.lnk = C:\WINDOWS\1w498xlk.exe
    O4 - Global Startup: KO1ZFAQF.lnk = C:\WINDOWS\ko1zfaqf.exe
    O4 - Global Startup: 70JJUZQ8.lnk = C:\WINDOWS\70jjuzq8.exe
    O4 - Global Startup: VBAGRQ03.lnk = C:\WINDOWS\vbagrq03.exe
    O4 - Global Startup: OLF9U727.lnk = C:\WINDOWS\olf9u727.exe
    O4 - Global Startup: 8C0EC9LZ.lnk = C:\WINDOWS\8c0ec9lz.exe
    O4 - Global Startup: A7XH3MRO.lnk = C:\WINDOWS\a7xh3mro.exe
    O4 - Global Startup: KWRC0Y4A.lnk = C:\WINDOWS\kwrc0y4a.exe
    O4 - Global Startup: 0YLJH31U.lnk = C:\WINDOWS\0yljh31u.exe
    O4 - Global Startup: GYVICZNN.lnk = C:\WINDOWS\gyvicznn.exe
    O4 - Global Startup: IKB6JDRL.lnk = C:\WINDOWS\ikb6jdrl.exe
    O4 - Global Startup: HART6OCN.lnk = C:\WINDOWS\hart6ocn.exe
    O4 - Global Startup: XK7JWQ5I.lnk = C:\WINDOWS\xk7jwq5i.exe
    O4 - Global Startup: UGX4ILHC.lnk = C:\WINDOWS\ugx4ilhc.exe
    O4 - Global Startup: D6FG21TO.lnk = C:\WINDOWS\d6fg21to.exe
    O4 - Global Startup: XH426LJ2.lnk = C:\WINDOWS\xh426lj2.exe
    O4 - Global Startup: I7JR2YY7.lnk = C:\WINDOWS\i7jr2yy7.exe
    O4 - Global Startup: GCZZRHCG.lnk = C:\WINDOWS\gczzrhcg.exe
    O4 - Global Startup: N86RW4F7.lnk = C:\WINDOWS\n86rw4f7.exe
    O4 - Global Startup: 0WXLR0B9.lnk = C:\WINDOWS\0wxlr0b9.exe
    O4 - Global Startup: GI02B5EX.lnk = C:\WINDOWS\gi02b5ex.exe
    O4 - Global Startup: 1OP81W51.lnk = C:\WINDOWS\1op81w51.exe
    O4 - Global Startup: ELQYJHG5.lnk = C:\WINDOWS\elqyjhg5.exe
    O4 - Global Startup: X9H5WGYG.lnk = C:\WINDOWS\x9h5wgyg.exe
    O4 - Global Startup: QRWBCHJ5.lnk = C:\WINDOWS\qrwbchj5.exe
    O4 - Global Startup: 05FR7V20.lnk = C:\WINDOWS\05fr7v20.exe
    O4 - Global Startup: RCKVA3O4.lnk = C:\WINDOWS\rckva3o4.exe
    O4 - Global Startup: GVRLMNF3.lnk = C:\WINDOWS\gvrlmnf3.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    (y)
     
  4. waitaslepers

    waitaslepers Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    3
    Can anyone help me please!!! I did the HijackThis scan above there and that's what I came up with. Please help me out on this. The file that keeps coming up in my virus scan is TrojanSpy.Win32.BiSpy.c and it says it cannot be deleted because it is in an archive!

    thank you
     
  5. KMW

    KMW

    Joined:
    Apr 1, 2004
    Messages:
    877
    One newbie to another: the problem sounds like a nasty one.

    A user named Blank75 had a similar problem; entering his name in Search/Advanced will find it. Firman1 was his moderator.

    Cheers. Tried to post a link for ya but it didn't work.
     
  6. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    It is a nasty one... it's the Adtomi hijack and it's not easy to remove. You are going to have to follow these instructions to the letter.

    Download this file (Adtomi Cleanup.zip); make sure you download the 98/ME cleanup zip from
    http://www.thespykiller.co.uk/downloads.htm

    It was created by Mosaic1 and is available here with her kind permission. Follow the instructions carefully.

    First, if you have a script-blocking program enabled, disable it so the scripts will run.

    Unzip it to C:\Windows

    See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so, right-click and select Remove. You must be online for this part.
    A web page from Adtomi would appear: "uninstall was successful!"
    Then go offline.
    (Note: not all infections have this icon, so if it isn't there, don't worry; just continue to the next step.)

    Next, press Ctrl+Alt+Del once to bring up Task Manager. Look in Applications for the funny-named file with 8 assorted letters and numbers; it will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in Applications, then look in the Processes tab.

    In your case the file/process to stop is: C:\WINDOWS\morze1.exe
    Then press End Task or End Process and make sure that entry has disappeared from the list.
    If you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

    Now locate and double-click Cleanup.bat, which is in the folder you unzipped (C:\Windows\Adtomi Cleanup).

    ***Do not touch the VBS files. The bat file will run the scripts.

    Make sure all browser and folder windows are closed and it will do everything automatically for you.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
    ;)
     
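One way to automate the triage $teve describes above: parse the O4 (autostart) lines of a HijackThis log, flag targets with the "8 assorted letters and numbers" naming pattern, and cross-check them against the log's "Running processes" list so the user knows which file has to be ended before the cleanup can delete it. This is an added example, not part of the thread or of the Adtomi Cleanup tool; the sample lines are copied from the log posted above except for the constructed running-process line for C:\WINDOWS\morze1.exe, and `known_bad` is a hypothetical parameter for names a helper has already called out.

```python
"""Triage HijackThis O4 (autostart) lines for the pattern $teve describes:
oddly named 8-character executables in C:\WINDOWS, cross-checked against the
log's 'Running processes' so the user knows which one to end first."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted above, plus one constructed
# running-process line (C:\WINDOWS\morze1.exe) so the cross-check has a hit.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\morze1.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 41MV7PWV.lnk = C:\WINDOWS\41mv7pwv.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 3C5AW3MQ.lnk = C:\WINDOWS\3c5aw3mq.exe
O4 - Global Startup: 41MV7PWV.lnk = C:\WINDOWS\41mv7pwv.exe
"""

# "O4 - <where>: [<key>] <cmd>" (Run keys) or "O4 - <where>: <x>.lnk = <cmd>".
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<key>[^\]]*)\] |"
                   r"(?P<lnk>.+?\.lnk) = )(?P<cmd>.+)$", re.I)
# First drive-letter path with an executable extension in <cmd>; copes with
# quoted paths and the 'RunDLL32.EXE C:\...\X.DLL,Func' form.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|bat|scr|pif)', re.I)

def parse_o4(line):
    """Return (location, label, target_path) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("cmd"))
    target = p.group(0) if p else m.group("cmd").split()[0].strip('"')
    return m.group("where"), m.group("key") or m.group("lnk"), target

def looks_random(stem):
    """$teve's rule of thumb: exactly 8 mixed letters and digits (a heuristic)."""
    return (len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    _, sep, rest = log_text.partition("Running processes:")
    block = re.split(r"\r?\n\s*\r?\n", rest, maxsplit=1)[0] if sep else ""
    return [ln.strip() for ln in block.splitlines() if ln.strip()]

def triage(log_text, known_bad=()):
    """Map each suspect target (lower-cased path) to its autostart locations
    and whether it is running now. known_bad: extra file names to flag."""
    running = {p.lower() for p in running_processes(log_text)}
    known = {n.lower() for n in known_bad}
    report = defaultdict(lambda: {"locations": [], "running": False})
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        where, label, target = entry
        base = ntpath.basename(target)
        if looks_random(ntpath.splitext(base)[0]) or base.lower() in known:
            rec = report[target.lower()]
            rec["locations"].append(f"{where}: {label}")
            rec["running"] = target.lower() in running
    return dict(report)

def to_stop(report):
    """Suspects that are running now: end these before the cleanup runs."""
    return sorted(t for t, rec in report.items() if rec["running"])
```

Every hit is a lead for a human to check, not a verdict: the 8-character rule will miss shorter names like morze1.exe (hence `known_bad`) and can match a legitimately named file.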
Short URL to this thread: https://techguy.org/217792