
Solved: Trojans keep multiplying

Discussion in 'Virus & Other Malware Removal' started by IrishTexan, Apr 8, 2004.

  1. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    :eek: I have been reading through the posts, trying to resolve my problem, but haven't been very successful. Please help :(

    1st: My virus protection found a trojan horse at startup: C:\DO.EXE Trojan horse Downloader.Revop.a (this was what they listed). It could not be cleaned, so I had them delete it. Problem solved? Nope :mad:

    When I started up my computer the next time, strings of exe files kept trying to load, which had no apparent source (according to the pop-up window). I had to cancel all of them (about 20) and exit files from my startup (which I had not listed to start, and didn't even know what they were).

    I then ran the free on-line scan from Trend. It discovered: Troj TOMADI.A, which was supposedly deleted by them.

    The next time I started my computer, I got another long stream of exe files trying to load :eek:

    I ran AVG again, and it found: Trojan horse Dropper.Small.4.AG This also could not be cleaned, so I had it deleted.

    When I again started my computer, YEP ... another long stream of exe files trying to load. (Example: MORZE1, KPAJTZ64, POLFNE10, EXTOE0MK, YP8NY552, KXQB6755, VRMRONCU, K770BXCM, LCF4M0DO, as well as W5X3KWQD.exe (in my Startup) This file was also listed with an addition of /dk after it).

    This time I ran Trojan Hunter, which came up with the following results: C:\windows\crgdypwx.exe (SDBot), C:\windows\crgdypwx.exe (Spyware.NCase. l0l) C:\RECYCLED\DCMZ.exe (Leak Test. 102), and C:\Program Files\Incredibar\bin\IBHttp.dll (SD Bot)

    I sure hope this all means something to you, because it's gibberish to me :confused:

    I then downloaded Hijack This (which was what was advised to others here) and ran a scan. This was what it revealed:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:15:45 PM, on 4/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\DESK DRAWER\RECENT TECH DL\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchassistant.iwon.com/srchlft.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\UPDATES\XTSEARCH.DLL (file missing)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\4.BIN\IWONBAR.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
    O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
    O4 - Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
    O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
    O4 - Global Startup: POLFNEIO.lnk = C:\WINDOWS\polfneio.exe
    O4 - Global Startup: EXTOE0MK.lnk = C:\WINDOWS\extoe0mk.exe
    O4 - Global Startup: YP8NX552.lnk = C:\WINDOWS\yp8nx552.exe
    O4 - Global Startup: KXQB6755.lnk = C:\WINDOWS\kxqb6755.exe
    O4 - Global Startup: VRMRONCU.lnk = C:\WINDOWS\vrmroncu.exe
    O4 - Global Startup: K770BXCM.lnk = C:\WINDOWS\k770bxcm.exe
    O4 - Global Startup: LCF4M0DO.lnk = C:\WINDOWS\lcf4m0do.exe
    O4 - Global Startup: W5X3KWQD.lnk = C:\WINDOWS\w5x3kwqd.exe
    O4 - Global Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
    O4 - Global Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
    O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &2 Customize Menu - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComCustomIEMenu.html
    O8 - Extra context menu item: &3 Edit Identities - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditIdent.html
    O8 - Extra context menu item: &4 Edit Passcards - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditPass.html
    O8 - Extra context menu item: &5 Fill from Identity - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillIdent.html
    O8 - Extra context menu item: &6 Fill from Passcard - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillPass.html
    O8 - Extra context menu item: &7 Fill Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillForms.html
    O8 - Extra context menu item: &8 Save Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComSavePass.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: RF toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
    O9 - Extra button: Save Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Girafa (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
    O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {8869786C-8E72-45DC-911D-AB3416AC1DF1} - http://www6.buttonware.net/canary_eacceleration_webcelerator_4.cab
    O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
    O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.iamgame.com/java2/cabs/swing.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
    O16 - DPF: {730F2451-A3FE-4A72-938C-FC8A74F15978} - http://www.igetnet.com/downloads/nlmupgradev4.exe
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_5_1,0,2,5.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://downloads.iwon.com/images/nocache/bingo/i1initialsetup1.0.0.2.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37618.2320138889
    O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client/webbingo/controls/BingoBlowout.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4345/mcfscan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = address.com

    Can you, in your great wisdom, make sense of all of this? :eek:

    If you do, please explain and instruct in VERY simple, EASY to understand terms, because I'm not in ANY WAY as literate about this stuff as y'all are. :eek:

    P.S. I forgot to mention, that something is causing my browsing to slow to a crawl, my computer to freeze up, my mouse to quit working, and my sound to break up. I finally have to cold boot my computer.

    I will be eternally grateful for your help.
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
    2. Install the program, open it and check that you have the latest reference file by clicking on Webupdate. Make sure that your reference file reads 01R280 07.04.2004 (or a higher number/date). If it does not, then click here and install the file manually.
    3. Make sure the following settings are turned to ON
      -From the main window click on Start then Activate in-depth scan.
      -Click on Use custom scanning options>Customize and make sure the following options are turned on:
      Scan within archives
      Scan active processes
      Scan registry
      Scan my IE Favorites for banned URL
      Scan my host-files
    4. Click on Settings and make sure the following are enabled:
      Unload recognized processes during scanning
    5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
    6. Finally Click Proceed to save your settings.
    7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
    8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

    then
    1. Download Spybot S&D from this page
    2. Open and install the program, then click here and follow the instructions for updating the program. Download all available updates.
    3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
    4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

    Next, remove these items from HJT:

    O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
    O4 - Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
    O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
    O4 - Global Startup: POLFNEIO.lnk = C:\WINDOWS\polfneio.exe
    O4 - Global Startup: EXTOE0MK.lnk = C:\WINDOWS\extoe0mk.exe
    O4 - Global Startup: YP8NX552.lnk = C:\WINDOWS\yp8nx552.exe
    O4 - Global Startup: KXQB6755.lnk = C:\WINDOWS\kxqb6755.exe
    O4 - Global Startup: VRMRONCU.lnk = C:\WINDOWS\vrmroncu.exe
    O4 - Global Startup: K770BXCM.lnk = C:\WINDOWS\k770bxcm.exe
    O4 - Global Startup: LCF4M0DO.lnk = C:\WINDOWS\lcf4m0do.exe
    O4 - Global Startup: W5X3KWQD.lnk = C:\WINDOWS\w5x3kwqd.exe
    O4 - Global Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
    O4 - Global Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
    O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe


    After you have removed all of these files, reboot to safe mode and enable viewing of hidden/system files and delete these files:

    O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
    O4 - Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
    O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
    O4 - Global Startup: POLFNEIO.lnk = C:\WINDOWS\polfneio.exe
    O4 - Global Startup: EXTOE0MK.lnk = C:\WINDOWS\extoe0mk.exe
    O4 - Global Startup: YP8NX552.lnk = C:\WINDOWS\yp8nx552.exe
    O4 - Global Startup: KXQB6755.lnk = C:\WINDOWS\kxqb6755.exe
    O4 - Global Startup: VRMRONCU.lnk = C:\WINDOWS\vrmroncu.exe
    O4 - Global Startup: K770BXCM.lnk = C:\WINDOWS\k770bxcm.exe
    O4 - Global Startup: LCF4M0DO.lnk = C:\WINDOWS\lcf4m0do.exe
    O4 - Global Startup: W5X3KWQD.lnk = C:\WINDOWS\w5x3kwqd.exe
    O4 - Global Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
    O4 - Global Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
    O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe

    How to boot to safe mode - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    How to enable viewing of hidden/system files - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Please post a new HJT log once done with the above instructions.
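    The removal list above is built by reading the HijackThis log by eye. As an added example (not part of this thread and not HijackThis's own code), the Python script below applies the same reasoning to log lines: it flags the loopback proxy, dangling "(file missing)" entries, unnamed BHOs, ActiveX downloads that fetch a bare .exe, and O4 entries that launch a randomly named 8-character executable from the Windows folder or carry the /dk switch, and it groups every autostart point by the file it launches. The sample lines are constructed from the log posted above; the 8-character-name and /dk rules are specific to this infection and are used here as per-case markers, not as general signatures.

```python
"""Triage HijackThis 1.x log lines for the persistence pattern seen in this thread.

Added example, not from the thread or from HijackThis. Rules are per-case markers
taken from the posted log, not general malware signatures.
"""
import re
from collections import defaultdict

# Lines constructed from the first log posted in the thread (abridged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\UPDATES\XTSEARCH.DLL (file missing)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (\S+\.lnk) = (.*)$", re.I)
RANDOM_EXE_RE = re.compile(r"^[A-Z0-9]{8}\.EXE$", re.I)   # VGQWN0MK.EXE, KPAJTZG4.EXE, ...
WINDOWS_ROOT = "C:\\WINDOWS"


def split_command(cmd):
    """Split an O4 command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, may contain spaces
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"^(.+?\.(?:exe|com|scr|bat|pif))(?:\s+(.*))?$", cmd, re.I)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return cmd, ""


def check_executable(line, path, args, via_shortcut, findings):
    """Apply the thread's markers to one launched executable."""
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    in_windows_root = folder.upper() == WINDOWS_ROOT
    reasons = []
    if in_windows_root and RANDOM_EXE_RE.match(name):
        reasons.append("random 8-character .exe in the Windows folder")
    if in_windows_root and via_shortcut:
        reasons.append("Startup shortcut to an .exe sitting directly in C:\\WINDOWS")
    if args.lower() == "/dk":
        reasons.append("/dk switch (the marker dvk01 points to in this thread)")
    if reasons:
        findings.append((line, "; ".join(reasons)))


def triage(log_text):
    """Return (findings, loaders): flagged lines with reasons, and for every
    launched executable the list of autostart points that start it."""
    findings = []
    loaders = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append((line, "dangling entry: target already gone, just fix the entry"))
            continue
        if line.startswith("R1 -") and "ProxyServer" in line and "127.0.0.1" in line:
            findings.append((line, "browser traffic forced through a local port; find what listens there"))
            continue
        if line.startswith("O2 - BHO: (no name)"):
            findings.append((line, "unnamed Browser Helper Object; verify the DLL before trusting it"))
            continue
        if line.startswith("O16 - DPF:") and line.lower().endswith(".exe"):
            findings.append((line, "ActiveX download entry pointing at a bare executable"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            path, args = split_command(cmd)
            loaders[path.upper()].append(f"{hive}\\..\\{key} [{name}]")
            check_executable(line, path, args, False, findings)
            continue
        m = STARTUP_RE.match(line)
        if m:
            folder, lnk, path = m.groups()
            path = path.strip()
            loaders[path.upper()].append(f"{folder}\\{lnk}")
            check_executable(line, path, "", True, findings)
    return findings, dict(loaders)


def shared_loaders(loaders):
    """Executables wired into more than one autostart point: fixing one entry
    (or deleting one shortcut) leaves the others to relaunch the file at next boot."""
    return {path: points for path, points in loaders.items() if len(points) > 1}


if __name__ == "__main__":
    found, launchers = triage(SAMPLE_LOG)
    for text, reason in found:
        print(f"FLAG  {reason}\n      {text}")
    for exe, points in shared_loaders(launchers).items():
        print(f"\n{exe} is started from {len(points)} places:")
        for point in points:
            print(f"  - {point}")
```

    Running it on the sample shows why deleting the startup shortcuts alone did not help: C:\WINDOWS\VGQWN0MK.EXE is started from four separate places (two Run keys and two Startup folders), so any one surviving entry brings it back. Note also that morze1.exe is caught only by the weaker "shortcut to an .exe in C:\WINDOWS" rule, not by the 8-character rule, which is why these heuristics are a filter for a human to review rather than a verdict.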
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download this file (Adtomi Cleanup.zip). Make sure you download the 98/ME clean-up zip
    from
    http://www.thespykiller.co.uk/downloads.htm

    It was created by Mosaic1 and is available here with her kind permission
    And follow the instructions carefully.

    First If you have a Script Blocking Program enabled, disable it so the scripts will run.

    Unzip it to C:\Windows

    See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ??. If so, right-click and select Remove. You must be online for this part.
    -- A web page from Adtomi would appear: "uninstall was successful!"
    then go off line
    (note not all infections have this icon, so if it isn't there then don't worry, just continue to the next step)

    Next, press Ctrl+Alt+Del once to bring up Task Manager. Look in Applications for the funny-named file with 8 assorted letters & numbers; that will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in Applications, then look in the Processes tab.

    In your case the file/ process to stop is : C:\WINDOWS\VGQWN0MK.EXE
    Then press End Task or End Process and make sure that entry has disappeared from the list.
    If you can't stop it running, then DO NOT CONTINUE; please ask for more help first. There might also be morze1 running; if so, end that process as well.

    Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

    ***Do not Touch the VBS files. The bat file will run the scripts.

    Make sure all Browser and folder windows are closed and it will do everything automatically for you.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
     
  4. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    Nok 1: I have completed all of your instructions, including "view hidden files". However, I don't know where those files can be found so that I can delete them. Where do I find them?

    If I download and use Adtomi Cleanup, would I still need to do the "hidden file" thing?

    I REALLY appreciate how quickly you responded to my crisis. Y'all are the greatest!!
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    You won't be able to find them. You have an Adtomi hijacking and it's quite an involved process to remove. Please follow dvk's advice above and nothing else!
    ;)
     
  6. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    Ok, I'll do what DVK advised ... but have I done any harm by deleting all those files? I deleted all but the hidden files.
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    No, you haven't done any harm at all; it's just that it unfortunately won't fix the problem.

    This pest has hidden files that reinstall the others and Nok's fix doesn't remove the hidden files

    Because you have deleted some files, it is very possible that the file to stop running has changed.

    If the file I highlighted in red isn't the one showing at the bottom of the running processes, or with a /DK entry after its name in HJT, then post a new HJT log first so we can advise which file to stop running.
     
  8. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    OK. The VGQWN0MK.EXE (in red) was no longer listed (actually there wasn't anything listed that wasn't supposed to be). So here's the new HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:08:23 AM, on 4/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\DESK DRAWER\RECENT TECH DL\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
    O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &2 Customize Menu - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComCustomIEMenu.html
    O8 - Extra context menu item: &3 Edit Identities - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditIdent.html
    O8 - Extra context menu item: &4 Edit Passcards - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditPass.html
    O8 - Extra context menu item: &5 Fill from Identity - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillIdent.html
    O8 - Extra context menu item: &6 Fill from Passcard - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillPass.html
    O8 - Extra context menu item: &7 Fill Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillForms.html
    O8 - Extra context menu item: &8 Save Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComSavePass.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: RF toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
    O9 - Extra button: Save Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Girafa (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
    O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
    O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.iamgame.com/java2/cabs/swing.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37618.2320138889
    O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client/webbingo/controls/BingoBlowout.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4345/mcfscan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = address.com

    I'm so glad you understand all this, cause I haven't got a clue! I'm just putting all my trust in your expertise. Again, Thanks, so very much for your help.

    I'll await your reply before doing anything else.
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Don't worry, you're in good hands :)

    Well, the rogue file is still there.
    Download "MoveOnBoot" from here:
    http://www.gibinsoft.net/gipoutils/fileutil/index.htm (bottom of the page, where it says "old version")
    Install it and reboot. You should now be able to right-click C:\WINDOWS\VGQWN0MK.EXE and choose "Delete file on next reboot", OK?

    Run HijackThis again and put a checkmark against these entries (double-check in case you miss anything), then close all browser and Outlook windows and "fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
    O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client...ingoBlowout.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab


    Reboot and let's see if it's gone.
    ;)
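    For readers who want to know what "Delete file on next reboot" does under the hood on Windows 98: the operating system's own hook for removing a file that is in use is the [rename] section of C:\WINDOWS\WININIT.INI, which WININIT.EXE processes at the next boot before the shell and the offending program are loaded. Each line is destination=source; a destination of NUL deletes the source, only 8.3 short names are accepted (long-filename support is not up yet at that point), and the file is renamed WININIT.BAK once processed. Windows NT/2000/XP do not use this file. Whether MoveOnBoot itself uses this mechanism is an assumption on my part; the script below is an added example, not the tool's code and not from the thread. It merges new entries into an existing WININIT.INI rather than overwriting it, because an installer may already have queued renames of its own there.

```python
"""Queue in-use files for deletion at the next Windows 9x boot via WININIT.INI.

Added example; not from the thread and not MoveOnBoot's code (that MoveOnBoot uses
WININIT.INI is an assumption). The [rename] / NUL= mechanism is Windows 9x behaviour.
"""
import os
import re

# One 8.3 path component: 1-8 name characters, optional 1-3 character extension,
# no spaces and no extra dots. WININIT.EXE cannot handle long file names.
_COMPONENT = r"[^\\ .]{1,8}(?:\.[^\\ .]{1,3})?"
SHORT_PATH_RE = re.compile(r"^[A-Za-z]:\\(?:" + _COMPONENT + r"\\)*" + _COMPONENT + r"$")


def queue_delete(ini_text, paths):
    """Return ini_text with 'NUL=<path>' lines added to its [rename] section.

    Creates the section if it is missing, leaves every other section untouched,
    and does not queue a path twice. Raises ValueError for a path that is not an
    8.3 short name, since WININIT.EXE would silently skip it.
    """
    lines = ini_text.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None and end is None:
                end = i                      # first header after [rename] closes it
            elif s.lower() == "[rename]":
                start = i
    if start is None:
        lines.append("[rename]")
        start = len(lines) - 1
    if end is None:
        end = len(lines)
    queued = {l.split("=", 1)[1].strip().upper()
              for l in lines[start + 1:end] if l.strip().upper().startswith("NUL=")}
    additions = []
    for path in paths:
        if not SHORT_PATH_RE.match(path):
            raise ValueError("not an 8.3 short path: %s" % path)
        if path.upper() not in queued:
            additions.append("NUL=" + path)
            queued.add(path.upper())
    lines[end:end] = additions
    return "\n".join(lines) + "\n"


def write_wininit(windows_dir, paths):
    """Merge the deletions into <windows_dir>\\WININIT.INI and return the new text."""
    ini_path = os.path.join(windows_dir, "WININIT.INI")
    current = ""
    if os.path.exists(ini_path):
        with open(ini_path, "r", encoding="ascii", errors="replace") as fh:
            current = fh.read()
    text = queue_delete(current, paths)
    with open(ini_path, "w", encoding="ascii", newline="\r\n") as fh:  # INI files are CRLF
        fh.write(text)
    return text


if __name__ == "__main__":
    import tempfile
    demo_dir = tempfile.mkdtemp()            # stands in for C:\WINDOWS on a real machine
    print(write_wininit(demo_dir, [r"C:\WINDOWS\VGQWN0MK.EXE", r"C:\WINDOWS\MORZE1.EXE"]))
```

    Two practical notes: the path must be the 8.3 name (C:\PROGRA~1\... rather than C:\PROGRAM FILES\...), which is why the validator rejects anything with a space, and this is a one-shot mechanism, so if the malware's remaining autostart entries recreate the file after the boot in which it was deleted, the entries themselves still have to go, as the HJT fix list above does.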
     
  10. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    OK .... Does this mean that I don't continue using Adtomi?

    I'm now going to follow Steve's instructions with the "MoveOnBoot" and HJT again.

    I'm not very clear on the MoveOnBoot instructions (right-clicking on VGQWN0MK.EXE). I'm hoping that when I install the program, it will be apparent.

    Thanks sooooooo much y'all!
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    It's very easy to use once it's installed, and very handy for removing any stubborn file.
    ;)
     
  12. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    I'm really confused now! I downloaded MoveOnBoot and then rebooted my computer. When I came back up, there was NO VGQWN0MK.EXE anywhere on my computer. When I entered that file in MoveOnBoot, it was an "incorrect file name". What do I do next? Should I continue deleting the files listed in HJT?
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    OK, let's start from scratch and see.
    Reboot and post a new HJT log; let's see which files are still there.
     
  14. IrishTexan

    IrishTexan Thread Starter

    Joined:
    Aug 1, 2001
    Messages:
    91
    Here's my new HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:26:13 PM, on 4/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\DESK DRAWER\RECENT TECH DL\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
    O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &2 Customize Menu - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComCustomIEMenu.html
    O8 - Extra context menu item: &3 Edit Identities - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditIdent.html
    O8 - Extra context menu item: &4 Edit Passcards - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditPass.html
    O8 - Extra context menu item: &5 Fill from Identity - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillIdent.html
    O8 - Extra context menu item: &6 Fill from Passcard - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillPass.html
    O8 - Extra context menu item: &7 Fill Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillForms.html
    O8 - Extra context menu item: &8 Save Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComSavePass.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: RF toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
    O9 - Extra button: Save Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Girafa (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
    O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
    O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.iamgame.com/java2/cabs/swing.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37618.2320138889
    O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client/webbingo/controls/BingoBlowout.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4345/mcfscan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = address.com

See? It's not there either! Remember NOK1's earlier instructions -- to remove it from HJT? Well I did; but wasn't able at that time to remove them from the "Hidden Files". That's when we went to Adtomi ... but it wasn't there either .... so we went with Steve's instructions regarding "MoveOnBoot". File still not there! I did not continue with the instructions to remove the files in HJT, per the second half of his instructions.

    Help! What now?
     
  15. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Do you have hidden files showing?
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    C:\WINDOWS\VGQWN0MK.EXE is the file to find.......have a look for it and let us know if you find it.
    ;)
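
    Added example (not code from any poster in this thread, from HijackThis or from MoveOnBoot): the steps above boil down to "don't trust what Explorer shows you; check the autostart entry's target on disk directly". The script below parses the O4 (Run / RunServices) lines from the log posted above, splits each value into its executable path and arguments (so `C:\WINDOWS\VGQWN0MK.EXE /dk` gives path plus `/dk`), and then asks the filesystem whether the file exists and whether it carries the HIDDEN or SYSTEM attribute that makes Explorer omit it by default. `os.stat()` sees hidden files regardless of Explorer's view settings; `st_file_attributes` is only populated on Windows, so on other platforms everything that exists reports as "visible". The `fake_stat_for` helper and the attribute bits it assigns are constructed purely so the demo runs offline; on a real machine pass the default `os.stat`. Modern Python will not run on the Windows 98 box in the thread itself; there, the equivalent check is `dir /a C:\WINDOWS\VGQWN0MK.EXE` or `attrib C:\WINDOWS\VGQWN0MK.EXE` at a DOS prompt, both of which list hidden and system files.

```python
"""Audit HijackThis O4 autostart entries against the filesystem.

Explorer hides files with the HIDDEN/SYSTEM attributes unless the folder
view is changed; os.stat() does not, so this check answers "is the file
really gone?" without relying on the GUI.
"""
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Windows file-attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN/_SYSTEM).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample: the O4 lines from the HijackThis 1.97.7 log posted above.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP",
    r'O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"',
    r"O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk",
    r"O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe",
]

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    image: str  # executable path exactly as written in the registry value
    args: str   # trailing arguments, e.g. "/dk"


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (image, args); a quoted image may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the image
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4_lines(lines: List[str]) -> List[AutostartEntry]:
    """Keep only well-formed O4 lines; anything else in the log is skipped."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            image, args = split_command(m.group("cmd"))
            entries.append(AutostartEntry(m.group("hive"), m.group("key"), m.group("name"), image, args))
    return entries


def describe_on_disk(path: str, stat_fn: Callable[[str], object] = os.stat) -> str:
    """Return 'missing', 'visible', 'hidden', 'system' or 'hidden+system'."""
    try:
        st = stat_fn(path)
    except OSError:
        return "missing"
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only; 0 elsewhere
    flags = []
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        flags.append("hidden")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        flags.append("system")
    return "+".join(flags) or "visible"


def audit(lines: List[str], stat_fn: Callable[[str], object] = os.stat) -> Dict[str, Tuple[str, str, str]]:
    """Map each O4 value name to (image, args, on-disk status)."""
    report = {}
    for e in parse_o4_lines(lines):
        if not ntpath.dirname(e.image):
            # Bare name such as SysTray.Exe: Windows resolves it via the search
            # path at logon, so there is no single file to check here.
            status = "unqualified"
        else:
            status = describe_on_disk(e.image, stat_fn)
        report[e.name] = (e.image, e.args, status)
    return report


class _FakeStat:
    """Minimal stand-in for os.stat_result used only by the offline demo."""
    def __init__(self, attrs: int):
        self.st_file_attributes = attrs


def fake_stat_for(present: Dict[str, int]) -> Callable[[str], _FakeStat]:
    """Constructed stat function: `present` maps path -> attribute bits; others are missing."""
    lookup = {p.upper(): a for p, a in present.items()}
    def _stat(path: str) -> _FakeStat:
        if path.upper() in lookup:
            return _FakeStat(lookup[path.upper()])
        raise FileNotFoundError(path)
    return _stat


if __name__ == "__main__":
    # Demo scenario (constructed): only the suspect file exists, and it is hidden+system.
    demo = fake_stat_for({r"C:\WINDOWS\VGQWN0MK.EXE": FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM})
    for name, (image, args, status) in audit(SAMPLE_O4_LINES, demo).items():
        print(f"{status:14} {name:14} {image} {args}".rstrip())
```

    On a live Windows machine, run `audit(open("hijackthis.log").read().splitlines())` with the default `os.stat`; an entry reporting "hidden" or "hidden+system" is exactly the case where Explorer says the file is gone but the Run key still launches it at every boot, and "missing" means the registry value is orphaned and can be removed without anything left to delete on disk.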
     
Short URL to this thread: https://techguy.org/218606