gettin frustrated

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

waitaslepers

Thread Starter
Joined
Apr 6, 2004
Messages
3
OK, I have this stupid trojan called TrojanSpy.Win32.BiSpy.c and I can't delete it because it says it is in an archive. I've tried F-Secure and TDS-3. Neither can help. They got rid of what came with the trojan but not that one itself. How can I get rid of this? Please help. Thank you! ;)
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Do you mean that the infected file is in the System Restore area? If you did see System Restore or RESTOR mentioned, then you just have to flush the restore points to get rid of any infected files that are in RESTOR.
After things are straightened out, you can enable restore and create a new restore point.

Just exactly where and what is the filename you are seeing? If it is just the trojan itself, it can usually be deleted; granted there are sometimes some steps you have to do, such as hunting for the file from Safe Mode or stopping the running process...or removing a Registry entry. If you post a HijackThis log, we may be able to easily spot something in the log, too.

Directions and download for HJThis:

http://s89223352.onlinehome.us/mirror/hjt/

Use the download link just down under "Lurkhere" for "HJThis from here". Download it to a folder you make on the hard drive, like C:\HJT, and run the download from there after unzipping. DO NOT use HJT to fix anything yet! Just let it scan and follow the directions to save and copy/paste your log into a new reply to this thread.
 

waitaslepers

Thread Starter
Joined
Apr 6, 2004
Messages
3
I did the scan and this is what I came up with:

Logfile of HijackThis v1.97.7
Scan saved at 3:03:56 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\GWMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FSMA32.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FSMB32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FCH32.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\BACKWEB\4476822\PROGRAM\FSBWSYS.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FAMEH32.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSGK32.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\FWES\PROGRAM\FSDFWD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSSM32.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSAV32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\COMMON\FSM32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\BACKWEB\4476822\PROGRAM\BACKWEB-4476822.EXE
C:\PROGRAM FILES\JUNO6\ZCAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO6\CHKRAS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EPYEDWUF\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?c001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\SPOOL32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SPOOL32.EXE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME2.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [spool32] C:\WINDOWS\SYSTEM\SPOOL32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [spool32] C:\WINDOWS\SYSTEM\SPOOL32.EXE
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSMA32.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 41MV7PWV.lnk = C:\WINDOWS\41mv7pwv.exe
O4 - Startup: 1W498XLK.lnk = C:\WINDOWS\1w498xlk.exe
O4 - Startup: KO1ZFAQF.lnk = C:\WINDOWS\ko1zfaqf.exe
O4 - Startup: 70JJUZQ8.lnk = C:\WINDOWS\70jjuzq8.exe
O4 - Startup: VBAGRQ03.lnk = C:\WINDOWS\vbagrq03.exe
O4 - Startup: D6FG21TO.lnk = C:\WINDOWS\d6fg21to.exe
O4 - Startup: XH426LJ2.lnk = C:\WINDOWS\xh426lj2.exe
O4 - Startup: I7JR2YY7.lnk = C:\WINDOWS\i7jr2yy7.exe
O4 - Startup: GCZZRHCG.lnk = C:\WINDOWS\gczzrhcg.exe
O4 - Startup: N86RW4F7.lnk = C:\WINDOWS\n86rw4f7.exe
O4 - Startup: 0WXLR0B9.lnk = C:\WINDOWS\0wxlr0b9.exe
O4 - Startup: GI02B5EX.lnk = C:\WINDOWS\gi02b5ex.exe
O4 - Startup: 1OP81W51.lnk = C:\WINDOWS\1op81w51.exe
O4 - Startup: ELQYJHG5.lnk = C:\WINDOWS\elqyjhg5.exe
O4 - Startup: X9H5WGYG.lnk = C:\WINDOWS\x9h5wgyg.exe
O4 - Startup: QRWBCHJ5.lnk = C:\WINDOWS\qrwbchj5.exe
O4 - Startup: 05FR7V20.lnk = C:\WINDOWS\05fr7v20.exe
O4 - Startup: RCKVA3O4.lnk = C:\WINDOWS\rckva3o4.exe
O4 - Startup: GVRLMNF3.lnk = C:\WINDOWS\gvrlmnf3.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: 3C5AW3MQ.lnk = C:\WINDOWS\3c5aw3mq.exe
O4 - Global Startup: VCPK8A30.lnk = C:\WINDOWS\vcpk8a30.exe
O4 - Global Startup: J42P4ZCH.lnk = C:\WINDOWS\j42p4zch.exe
O4 - Global Startup: 6W8NN8CA.lnk = C:\WINDOWS\6w8nn8ca.exe
O4 - Global Startup: 1304IMEB.lnk = C:\WINDOWS\1304imeb.exe
O4 - Global Startup: U2V3C9D9.lnk = C:\WINDOWS\u2v3c9d9.exe
O4 - Global Startup: CPP7YI4N.lnk = C:\WINDOWS\cpp7yi4n.exe
O4 - Global Startup: OV6L0LR0.lnk = C:\WINDOWS\ov6l0lr0.exe
O4 - Global Startup: KBV0WO9U.lnk = C:\WINDOWS\kbv0wo9u.exe
O4 - Global Startup: DFUK9PM4.lnk = C:\WINDOWS\dfuk9pm4.exe
O4 - Global Startup: TNYVIPF4.lnk = C:\WINDOWS\tnyvipf4.exe
O4 - Global Startup: 6ZQRXEUZ.lnk = C:\WINDOWS\6zqrxeuz.exe
O4 - Global Startup: EBCEGFG0.lnk = C:\WINDOWS\ebcegfg0.exe
O4 - Global Startup: 4PWIDVV8.lnk = C:\WINDOWS\4pwidvv8.exe
O4 - Global Startup: JR1KZXML.lnk = C:\WINDOWS\jr1kzxml.exe
O4 - Global Startup: 37GR93J7.lnk = C:\WINDOWS\37gr93j7.exe
O4 - Global Startup: IN06VMD2.lnk = C:\WINDOWS\in06vmd2.exe
O4 - Global Startup: 8WIFMHZD.lnk = C:\WINDOWS\8wifmhzd.exe
O4 - Global Startup: 7LZCQVD7.lnk = C:\WINDOWS\7lzcqvd7.exe
O4 - Global Startup: 22THHHZ1.lnk = C:\WINDOWS\22thhhz1.exe
O4 - Global Startup: 41H3EPAL.lnk = C:\WINDOWS\41h3epal.exe
O4 - Global Startup: 20RJRI0J.lnk = C:\WINDOWS\20rjri0j.exe
O4 - Global Startup: 9WYUGNRH.lnk = C:\WINDOWS\9wyugnrh.exe
O4 - Global Startup: KQ9EA80J.lnk = C:\WINDOWS\kq9ea80j.exe
O4 - Global Startup: 3OA0WXF8.lnk = C:\WINDOWS\3oa0wxf8.exe
O4 - Global Startup: CP2D2BJK.lnk = C:\WINDOWS\cp2d2bjk.exe
O4 - Global Startup: CN8AZ46R.lnk = C:\WINDOWS\cn8az46r.exe
O4 - Global Startup: K8LJEG01.lnk = C:\WINDOWS\k8ljeg01.exe
O4 - Global Startup: TFLTTZGX.lnk = C:\WINDOWS\tflttzgx.exe
O4 - Global Startup: 60ATY9O6.lnk = C:\WINDOWS\60aty9o6.exe
O4 - Global Startup: PEO8K6T2.lnk = C:\WINDOWS\peo8k6t2.exe
O4 - Global Startup: 090U7JDN.lnk = C:\WINDOWS\090u7jdn.exe
O4 - Global Startup: T2PE7HFP.lnk = C:\WINDOWS\t2pe7hfp.exe
O4 - Global Startup: 92NU6ANO.lnk = C:\WINDOWS\92nu6ano.exe
O4 - Global Startup: 03OMLJ7X.lnk = C:\WINDOWS\03omlj7x.exe
O4 - Global Startup: 5XMYFGX8.lnk = C:\WINDOWS\5xmyfgx8.exe
O4 - Global Startup: EY8Y3DUH.lnk = C:\WINDOWS\ey8y3duh.exe
O4 - Global Startup: 8OU966G1.lnk = C:\WINDOWS\8ou966g1.exe
O4 - Global Startup: QEIMGQ3M.lnk = C:\WINDOWS\qeimgq3m.exe
O4 - Global Startup: WC6EL8FG.lnk = C:\WINDOWS\wc6el8fg.exe
O4 - Global Startup: VH52LIVH.lnk = C:\WINDOWS\vh52livh.exe
O4 - Global Startup: 8EWCM814.lnk = C:\WINDOWS\8ewcm814.exe
O4 - Global Startup: CIZL29QZ.lnk = C:\WINDOWS\cizl29qz.exe
O4 - Global Startup: AD7TBP9D.lnk = C:\WINDOWS\ad7tbp9d.exe
O4 - Global Startup: JT6UXBO5.lnk = C:\WINDOWS\jt6uxbo5.exe
O4 - Global Startup: 39L30A1Q.lnk = C:\WINDOWS\39l30a1q.exe
O4 - Global Startup: BM9152RK.lnk = C:\WINDOWS\bm9152rk.exe
O4 - Global Startup: FZO0EH21.lnk = C:\WINDOWS\fzo0eh21.exe
O4 - Global Startup: TVKW4JFI.lnk = C:\WINDOWS\tvkw4jfi.exe
O4 - Global Startup: F-Secure Internet Security 2004.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\backweb-4476822.exe
O4 - Global Startup: 8L1OGXU9.lnk = C:\WINDOWS\8l1ogxu9.exe
O4 - Global Startup: 1ZL95IIY.lnk = C:\WINDOWS\1zl95iiy.exe
O4 - Global Startup: J0Q28MQD.lnk = C:\WINDOWS\j0q28mqd.exe
O4 - Global Startup: OPQ67ABK.lnk = C:\WINDOWS\opq67abk.exe
O4 - Global Startup: 06TCYDY1.lnk = C:\WINDOWS\06tcydy1.exe
O4 - Global Startup: 4QTVK7IB.lnk = C:\WINDOWS\4qtvk7ib.exe
O4 - Global Startup: J0NHDLF6.lnk = C:\WINDOWS\j0nhdlf6.exe
O4 - Global Startup: 8HGVLNGV.lnk = C:\WINDOWS\8hgvlngv.exe
O4 - Global Startup: YX6W72YL.lnk = C:\WINDOWS\yx6w72yl.exe
O4 - Global Startup: T9KTHGY0.lnk = C:\WINDOWS\t9kthgy0.exe
O4 - Global Startup: 4ENHY4AL.lnk = C:\WINDOWS\4enhy4al.exe
O4 - Global Startup: LKW43LNF.lnk = C:\WINDOWS\lkw43lnf.exe
O4 - Global Startup: EDMEEHVX.lnk = C:\WINDOWS\edmeehvx.exe
O4 - Global Startup: 75MCNUB6.lnk = C:\WINDOWS\75mcnub6.exe
O4 - Global Startup: RLCNZQQD.lnk = C:\WINDOWS\rlcnzqqd.exe
O4 - Global Startup: PE0AW5H0.lnk = C:\WINDOWS\pe0aw5h0.exe
O4 - Global Startup: L8UXHJ5K.lnk = C:\WINDOWS\l8uxhj5k.exe
O4 - Global Startup: 5YGX6DLM.lnk = C:\WINDOWS\5ygx6dlm.exe
O4 - Global Startup: RRJOFPDP.lnk = C:\WINDOWS\rrjofpdp.exe
O4 - Global Startup: 0650BFWB.lnk = C:\WINDOWS\0650bfwb.exe
O4 - Global Startup: Z2RY6E3L.lnk = C:\WINDOWS\z2ry6e3l.exe
O4 - Global Startup: GJU6LGUI.lnk = C:\WINDOWS\gju6lgui.exe
O4 - Global Startup: GV2TKVWJ.lnk = C:\WINDOWS\gv2tkvwj.exe
O4 - Global Startup: DKZ0R5BZ.lnk = C:\WINDOWS\dkz0r5bz.exe
O4 - Global Startup: CRU3198I.lnk = C:\WINDOWS\cru3198i.exe
O4 - Global Startup: EKLJGD4E.lnk = C:\WINDOWS\ekljgd4e.exe
O4 - Global Startup: TGXYWG0Y.lnk = C:\WINDOWS\tgxywg0y.exe
O4 - Global Startup: HDWKHR1W.lnk = C:\WINDOWS\hdwkhr1w.exe
O4 - Global Startup: PIUJ6MW9.lnk = C:\WINDOWS\piuj6mw9.exe
O4 - Global Startup: JC5F9W4A.lnk = C:\WINDOWS\jc5f9w4a.exe
O4 - Global Startup: YEA86R02.lnk = C:\WINDOWS\yea86r02.exe
O4 - Global Startup: X0U3D0RI.lnk = C:\WINDOWS\x0u3d0ri.exe
O4 - Global Startup: CR2Q08FG.lnk = C:\WINDOWS\cr2q08fg.exe
O4 - Global Startup: 9XE0OJBK.lnk = C:\WINDOWS\9xe0ojbk.exe
O4 - Global Startup: 59L68R1D.lnk = C:\WINDOWS\59l68r1d.exe
O4 - Global Startup: 87N5L1B4.lnk = C:\WINDOWS\87n5l1b4.exe
O4 - Global Startup: PV0XQMH4.lnk = C:\WINDOWS\pv0xqmh4.exe
O4 - Global Startup: 191LHBQ6.lnk = C:\WINDOWS\191lhbq6.exe
O4 - Global Startup: 16NW0M80.lnk = C:\WINDOWS\16nw0m80.exe
O4 - Global Startup: 2M0R2YAP.lnk = C:\WINDOWS\2m0r2yap.exe
O4 - Global Startup: WGPLPN3X.lnk = C:\WINDOWS\wgplpn3x.exe
O4 - Global Startup: MW911ITE.lnk = C:\WINDOWS\mw911ite.exe
O4 - Global Startup: 98UV25M8.lnk = C:\WINDOWS\98uv25m8.exe
O4 - Global Startup: I06J0OY3.lnk = C:\WINDOWS\i06j0oy3.exe
O4 - Global Startup: 41MV7PWV.lnk = C:\WINDOWS\41mv7pwv.exe
O4 - Global Startup: 1W498XLK.lnk = C:\WINDOWS\1w498xlk.exe
O4 - Global Startup: KO1ZFAQF.lnk = C:\WINDOWS\ko1zfaqf.exe
O4 - Global Startup: 70JJUZQ8.lnk = C:\WINDOWS\70jjuzq8.exe
O4 - Global Startup: VBAGRQ03.lnk = C:\WINDOWS\vbagrq03.exe
O4 - Global Startup: OLF9U727.lnk = C:\WINDOWS\olf9u727.exe
O4 - Global Startup: 8C0EC9LZ.lnk = C:\WINDOWS\8c0ec9lz.exe
O4 - Global Startup: A7XH3MRO.lnk = C:\WINDOWS\a7xh3mro.exe
O4 - Global Startup: KWRC0Y4A.lnk = C:\WINDOWS\kwrc0y4a.exe
O4 - Global Startup: 0YLJH31U.lnk = C:\WINDOWS\0yljh31u.exe
O4 - Global Startup: GYVICZNN.lnk = C:\WINDOWS\gyvicznn.exe
O4 - Global Startup: IKB6JDRL.lnk = C:\WINDOWS\ikb6jdrl.exe
O4 - Global Startup: HART6OCN.lnk = C:\WINDOWS\hart6ocn.exe
O4 - Global Startup: XK7JWQ5I.lnk = C:\WINDOWS\xk7jwq5i.exe
O4 - Global Startup: UGX4ILHC.lnk = C:\WINDOWS\ugx4ilhc.exe
O4 - Global Startup: D6FG21TO.lnk = C:\WINDOWS\d6fg21to.exe
O4 - Global Startup: XH426LJ2.lnk = C:\WINDOWS\xh426lj2.exe
O4 - Global Startup: I7JR2YY7.lnk = C:\WINDOWS\i7jr2yy7.exe
O4 - Global Startup: GCZZRHCG.lnk = C:\WINDOWS\gczzrhcg.exe
O4 - Global Startup: N86RW4F7.lnk = C:\WINDOWS\n86rw4f7.exe
O4 - Global Startup: 0WXLR0B9.lnk = C:\WINDOWS\0wxlr0b9.exe
O4 - Global Startup: GI02B5EX.lnk = C:\WINDOWS\gi02b5ex.exe
O4 - Global Startup: 1OP81W51.lnk = C:\WINDOWS\1op81w51.exe
O4 - Global Startup: ELQYJHG5.lnk = C:\WINDOWS\elqyjhg5.exe
O4 - Global Startup: X9H5WGYG.lnk = C:\WINDOWS\x9h5wgyg.exe
O4 - Global Startup: QRWBCHJ5.lnk = C:\WINDOWS\qrwbchj5.exe
O4 - Global Startup: 05FR7V20.lnk = C:\WINDOWS\05fr7v20.exe
O4 - Global Startup: RCKVA3O4.lnk = C:\WINDOWS\rckva3o4.exe
O4 - Global Startup: GVRLMNF3.lnk = C:\WINDOWS\gvrlmnf3.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

(y)
 

waitaslepers

Thread Starter
Joined
Apr 6, 2004
Messages
3
Can anyone help me please!!! I did the HijackThis scan above there and that's what I came up with. Please help me out on this. The file that keeps coming up in my virus scan is TrojanSpy.Win32.BiSpy.c and it says it cannot be deleted because it is in an archive!

thank you
 

KMW

Joined
Apr 1, 2004
Messages
877
One newbie to another: the problem sounds like a nasty one.

A user named Blank75 had a similar problem; entering his name in search/advanced will find it. Firman1 was his moderator.

cheers
Tried to post the link for ya but it didn't work.
 
Joined
Oct 9, 2001
Messages
9,396
It is a nasty one... it's the Adtomi hijack and it's not easy to remove. You are going to have to follow these instructions to the letter.

Download this file (Adtomi Cleanup.zip). Make sure you download the 98/ME cleanup zip from
http://www.thespykiller.co.uk/downloads.htm

It was created by Mosaic1 and is available here with her kind permission.
Follow the instructions carefully.

First, if you have a Script Blocking Program enabled, disable it so the scripts will run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so, right-click and select Remove. You must be online for this part.
--A web page from Adtomi would appear: "-uninstall was successful!"
Then go offline.
(Note: not all infections have this icon, so if it isn't there then don't worry, just continue to the next step.)

Next, press Ctrl+Alt+Del once to bring up Task Manager and look in Applications for the funny-named file with 8 assorted letters & numbers, which will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in Applications, then look in the Processes tab.

In your case the file/process to stop is: C:\WINDOWS\morze1.exe
Then press End Task or End Process and make sure that entry has disappeared from the list.
If you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

Now locate and double-click Cleanup.bat, which is in the folder you unzipped (C:\Windows\Adtomi Cleanup).

***Do not Touch the VBS files. The bat file will run the scripts.

Make sure all Browser and folder windows are closed and it will do everything automatically for you.

It will:
remove the Adtomi spyware files from the Windows folder,
clean the Startup folders,
create backups of the Adtomi exe files it deletes and save them in this folder,
create a list of all oddly named files deleted from the Windows folder,
uninstall the BHO, and
start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
;)
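The pattern the helpers are working from in this thread (startup .lnk files pointing at 8-character random-named executables dropped straight into the Windows folder, one of which is still running and has to be ended before the files can be removed, plus dead BHO references and a Hosts override) can be picked out of a HijackThis log mechanically. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of Mosaic1's Adtomi cleanup. It reads HJT v1.97-style lines, flags the random-named startup targets, notes which of them appear in the running-process list, and rehearses the backup-then-remove step on a scratch folder with a manifest, the way the cleanup batch is described as doing. `WINDOWS_DIR`, the `SAMPLE_LOG` (a constructed subset modelled on the log posted above), the "Adtomi Backup" folder name and the `removed.txt` manifest name are all assumptions of this example.

```python
import ntpath
import os
import re
import shutil
import tempfile

# Windows 9x/ME system root as it appears in the log (an assumption of this example).
WINDOWS_DIR = "C:\\WINDOWS"
# Eight alphanumerics with at least one letter and one digit, e.g. 41mv7pwv.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{8}$", re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
STARTUP = re.compile(r"^(?:Global )?Startup: (.+?) = (.+)$")

# Constructed sample in HijackThis v1.97 format, modelled on the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\41mv7pwv.exe
C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\\WINDOWS\\BXXS5.DLL (file missing)
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - Startup: MORZE1.lnk = C:\\WINDOWS\\morze1.exe
O4 - Startup: 41MV7PWV.lnk = C:\\WINDOWS\\41mv7pwv.exe
O4 - Global Startup: 41MV7PWV.lnk = C:\\WINDOWS\\41mv7pwv.exe
O4 - Global Startup: 3C5AW3MQ.lnk = C:\\WINDOWS\\3c5aw3mq.exe
O4 - Global Startup: F-Secure Internet Security 2004.lnk = C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\backweb-4476822.exe
"""


def parse_log(text):
    """Split a log into (running processes, [(entry code, remainder)])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def is_random_stem(stem):
    return bool(RANDOM_STEM.match(stem))


def triage(text):
    """Return the findings a helper would act on, keyed by category."""
    processes, entries = parse_log(text)
    windows_dir, random_named, missing_bho, hosts = set(), set(), [], []
    for code, rest in entries:
        if code == "O4":
            m = STARTUP.match(rest)
            if not m:
                continue              # Run/RunServices keys are not handled here
            target = m.group(2).strip()
            folder, fname = ntpath.split(target)
            if folder.upper() == WINDOWS_DIR:   # legitimate software rarely lives here
                windows_dir.add(target)
                if is_random_stem(ntpath.splitext(fname)[0]):
                    random_named.add(target)
        elif code == "O2" and rest.endswith("(file missing)"):
            missing_bho.append(rest)  # dead BHO registration left behind
        elif code == "O1":
            hosts.append(rest)        # Hosts file override
    running = {p.lower() for p in processes}
    return {
        "windows_dir_startup": sorted(windows_dir),
        "random_named_startup": sorted(random_named),
        "running_suspects": sorted(t for t in windows_dir if t.lower() in running),
        "missing_file_bho": missing_bho,
        "hosts_overrides": hosts,
    }


def quarantine(targets, windows_root, backup_dir):
    """Move flagged files out of windows_root into backup_dir and write a manifest.

    windows_root is the real folder standing in for C:\\WINDOWS; files not present
    there are reported as absent rather than treated as an error.
    """
    os.makedirs(backup_dir, exist_ok=True)
    moved, absent = [], []
    for target in targets:
        fname = ntpath.basename(target)
        src = os.path.join(windows_root, fname)
        if os.path.isfile(src):
            shutil.move(src, os.path.join(backup_dir, fname))
            moved.append(fname)
        else:
            absent.append(fname)
    with open(os.path.join(backup_dir, "removed.txt"), "w") as fh:
        fh.write("".join(name + "\n" for name in moved))
    return moved, absent


def demo_quarantine(findings):
    """Rehearse the backup step on a scratch stand-in for the Windows folder."""
    with tempfile.TemporaryDirectory() as scratch:
        win = os.path.join(scratch, "WINDOWS")
        os.makedirs(win)
        for name in ("41mv7pwv.exe", "3c5aw3mq.exe"):   # constructed stand-ins
            open(os.path.join(win, name), "wb").close()
        backup = os.path.join(scratch, "Adtomi Backup")
        moved, absent = quarantine(findings["windows_dir_startup"], win, backup)
        with open(os.path.join(backup, "removed.txt")) as fh:
            manifest = fh.read().split()
    return moved, absent, manifest


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

Run against the full log in the thread, `random_named_startup` collects the several dozen .lnk targets the cleanup batch is described as deleting, while `running_suspects` is the short list to end in Task Manager first; nothing is moved until `quarantine` is pointed at a real folder, and the manifest plays the role of the Adtomi.txt the helper asks to see in the next reply.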
 
