Solved: Trojans keep multiplying


IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
:eek: I have been reading through the posts, trying to resolve my problem, but haven't been very successful. Please help :(

1st: My virus protection found a trojan horse at startup: C:\DO.EXE Trojan horse Downloader.Revop.a (this was what they listed). It could not be cleaned, so I had them delete it. Problem solved? Nope :mad:

When I started up my computer the next time, strings of exe files kept trying to load, which had no apparent source (according to the pop-up window). I had to cancel all of them (about 20) and exit files from my startup (which I had not listed to start, and didn't even know what they were).

I then ran the free on-line scan from Trend. It discovered: Troj TOMADI.A, which was supposedly deleted by them.

The next time I started my computer, I got another long stream of exe files trying to load :eek:

I ran AVG again, and it found: Trojan horse Dropper.Small.4.AG This also could not be cleaned, so I had it deleted.

When I again started my computer, YEP ... another long stream of exe files trying to load. (Example: MORZE1, KPAJTZ64, POLFNE10, EXTOE0MK, YP8NY552, KXQB6755, VRMRONCU, K770BXCM, LCF4M0DO, as well as W5X3KWQD.exe (in my Startup) This file was also listed with an addition of /dk after it).

This time I ran Trojan Hunter, which came up with the following results: C:\windows\crgdypwx.exe (SDBot), C:\windows\crgdypwx.exe (Spyware.NCase. l0l) C:\RECYCLED\DCMZ.exe (Leak Test. 102), and C:\Program Files\Incredibar\bin\IBHttp.dll (SD Bot)

I sure hope this all means something to you, because it's gibberish to me :confused:

I then downloaded HijackThis (which was what was advised to others here) and ran a scan. This was what it revealed:

Logfile of HijackThis v1.97.7
Scan saved at 10:15:45 PM, on 4/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\DESK DRAWER\RECENT TECH DL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchassistant.iwon.com/srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\UPDATES\XTSEARCH.DLL (file missing)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\4.BIN\IWONBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
O4 - Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
O4 - Global Startup: POLFNEIO.lnk = C:\WINDOWS\polfneio.exe
O4 - Global Startup: EXTOE0MK.lnk = C:\WINDOWS\extoe0mk.exe
O4 - Global Startup: YP8NX552.lnk = C:\WINDOWS\yp8nx552.exe
O4 - Global Startup: KXQB6755.lnk = C:\WINDOWS\kxqb6755.exe
O4 - Global Startup: VRMRONCU.lnk = C:\WINDOWS\vrmroncu.exe
O4 - Global Startup: K770BXCM.lnk = C:\WINDOWS\k770bxcm.exe
O4 - Global Startup: LCF4M0DO.lnk = C:\WINDOWS\lcf4m0do.exe
O4 - Global Startup: W5X3KWQD.lnk = C:\WINDOWS\w5x3kwqd.exe
O4 - Global Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
O4 - Global Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &2 Customize Menu - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComCustomIEMenu.html
O8 - Extra context menu item: &3 Edit Identities - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditIdent.html
O8 - Extra context menu item: &4 Edit Passcards - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditPass.html
O8 - Extra context menu item: &5 Fill from Identity - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillIdent.html
O8 - Extra context menu item: &6 Fill from Passcard - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillPass.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComSavePass.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RF toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
O9 - Extra button: Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Girafa (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8869786C-8E72-45DC-911D-AB3416AC1DF1} - http://www6.buttonware.net/canary_eacceleration_webcelerator_4.cab
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.iamgame.com/java2/cabs/swing.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
O16 - DPF: {730F2451-A3FE-4A72-938C-FC8A74F15978} - http://www.igetnet.com/downloads/nlmupgradev4.exe
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_5_1,0,2,5.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://downloads.iwon.com/images/nocache/bingo/i1initialsetup1.0.0.2.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37618.2320138889
O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client/webbingo/controls/BingoBlowout.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4345/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = address.com

Can you, in your great wisdom, make sense of all of this? :eek:

If you do, please explain and instruct in VERY simple, EASY to understand terms, because I'm not in ANY WAY as literate about this stuff as y'all are. :eek:

P.S. I forgot to mention that something is causing my browsing to slow to a crawl, my computer to freeze up, my mouse to quit working, and my sound to break up. I finally have to cold boot my computer.

I will be eternally grateful for your help.
 
Reply (poster joined Feb 15, 2004; 826 messages)
  1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
  2. Install the program, open it, and check to make sure you have the latest reference file by clicking on Webupdate. Make sure that your reference file reads 01R280 07.04.2004 (or a higher number/date). If it does not, then click here and install the file manually.
  3. Make sure the following settings are turned to ON
    -From the main window click on Start then Activate in-depth scan.
    -Click on Use custom scanning options>Customize and make sure the following options are turned on:
    Scan within archives
    Scan active processes
    Scan registry
    Scan my IE Favorites for banned URL
    Scan my host-files
  4. Click on Settings and make sure the following are enabled:
    Unload recognized processes during scanning
  5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
  6. Finally Click Proceed to save your settings.
  7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
  8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

then
  1. Download Spybot S&D from this page
  2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
  3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
  4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

Next, remove these items from HJT:

O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
O4 - Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
O4 - Global Startup: POLFNEIO.lnk = C:\WINDOWS\polfneio.exe
O4 - Global Startup: EXTOE0MK.lnk = C:\WINDOWS\extoe0mk.exe
O4 - Global Startup: YP8NX552.lnk = C:\WINDOWS\yp8nx552.exe
O4 - Global Startup: KXQB6755.lnk = C:\WINDOWS\kxqb6755.exe
O4 - Global Startup: VRMRONCU.lnk = C:\WINDOWS\vrmroncu.exe
O4 - Global Startup: K770BXCM.lnk = C:\WINDOWS\k770bxcm.exe
O4 - Global Startup: LCF4M0DO.lnk = C:\WINDOWS\lcf4m0do.exe
O4 - Global Startup: W5X3KWQD.lnk = C:\WINDOWS\w5x3kwqd.exe
O4 - Global Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
O4 - Global Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe


After you have removed all of these files, reboot to safe mode and enable viewing of hidden/system files and delete these files:

O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
O4 - Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
O4 - Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
O4 - Global Startup: POLFNEIO.lnk = C:\WINDOWS\polfneio.exe
O4 - Global Startup: EXTOE0MK.lnk = C:\WINDOWS\extoe0mk.exe
O4 - Global Startup: YP8NX552.lnk = C:\WINDOWS\yp8nx552.exe
O4 - Global Startup: KXQB6755.lnk = C:\WINDOWS\kxqb6755.exe
O4 - Global Startup: VRMRONCU.lnk = C:\WINDOWS\vrmroncu.exe
O4 - Global Startup: K770BXCM.lnk = C:\WINDOWS\k770bxcm.exe
O4 - Global Startup: LCF4M0DO.lnk = C:\WINDOWS\lcf4m0do.exe
O4 - Global Startup: W5X3KWQD.lnk = C:\WINDOWS\w5x3kwqd.exe
O4 - Global Startup: 020UFPDV.lnk = C:\WINDOWS\020ufpdv.exe
O4 - Global Startup: QN8HI0RG.lnk = C:\WINDOWS\qn8hi0rg.exe
O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe

How to boot to safe mode - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
How to enable viewing of hidden/system files - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Please post a new HJT log once done with the above instructions.
 

dvk01 (Derek; Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)
Download this file (Adtomi Cleanup.zip). Make sure you download the 98/ME clean up zip
from
http://www.thespykiller.co.uk/downloads.htm

It was created by Mosaic1 and is available here with her kind permission
And follow the instructions carefully.

First, if you have a Script Blocking Program enabled, disable it so the scripts will run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so right-click and select Remove. You must be online for this part.
--A web page from Adtomi would appear: "-uninstall was successful!"
then go off line
(note not all infections have this icon, so if it isn't there then don't worry, just continue to the next step)

Next, press Ctrl+Alt+Del once to bring up Task Manager and look in Applications for the funny named file with 8 assorted letters & numbers; that will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in Applications, then look in the Processes tab.

In your case the file/ process to stop is : C:\WINDOWS\VGQWN0MK.EXE
Then press End Task or End Process and make sure that entry has disappeared from the list.
If you can't stop it running, then DO NOT CONTINUE; please ask for more help first. There might also be morze1 running; if so, end that process as well.

Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

***Do not Touch the VBS files. The bat file will run the scripts.

Make sure all Browser and folder windows are closed and it will do everything automatically for you.

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
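The heuristic in the post above (an 8-character random file name dropped in C:\WINDOWS, launched with /dk from the HKLM and HKCU Run keys and again from Startup-folder shortcuts, next to an IE ProxyServer entry pointing at 127.0.0.1) can be checked mechanically against a HijackThis log. The following Python triage script is an added example written for this page; it is not part of the thread, of HijackThis, or of the Adtomi Cleanup tool. It parses the O4 and R1 lines of the v1.97 log format and flags those patterns. The embedded log excerpt is constructed from lines of the same shape as the posted log, and the flagging rules, reason strings and function names are this example's own assumptions, not anything the thread states.

```python
"""Triage a HijackThis-style log for the Adtomi pattern discussed in the thread.

Heuristic only: it finds persistence points that look like the infection
described above. It does not identify the malware family, and it cannot see
the hidden files that re-create the launchers after each reboot.
"""
import re
from collections import defaultdict

# Constructed excerpt (not a full log) in the shape of the posted HJT v1.97 log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - HKCU\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: KPAJTZG4.lnk = C:\WINDOWS\kpajtzg4.exe
O4 - Global Startup: VGQWN0MK.lnk = C:\WINDOWS\vgqwn0mk.exe
"""

LINE_RE = re.compile(r'^(R[0-3]|O\d{1,2}) - (.*)$')
# A drive-letter path ending in an executable extension, optionally quoted,
# followed by whatever arguments the launcher passes (e.g. "/dk").
PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.(?:exe|com|scr|dll))"?\s*(.*)$', re.I)
# A file sitting directly in the Windows root (C:\WINDOWS\x.exe, not \SYSTEM\).
WINROOT_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\([^\\]+)$', re.I)
# The "funny named file with 8 assorted letters & numbers" from the thread.
RANDOM_NAME_RE = re.compile(r'^[A-Z0-9]{8}\.EXE$', re.I)
LOOPBACK_RE = re.compile(r'127\.0\.0\.1:(\d+)')


def parse_launch_points(log_text):
    """Yield (location, path, args) for every O4 entry that names a full path."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) != 'O4':
            continue
        # "HKLM\..\Run: [Name] cmd"  or  "Global Startup: X.lnk = cmd"
        location, _, command = m.group(2).partition(': ')
        command = re.sub(r'^(\[[^\]]*\]|\S+\.lnk =)\s*', '', command)
        pm = PATH_RE.match(command)
        if pm:  # bare names such as SysTray.Exe carry no path and are skipped
            yield location, pm.group(1), pm.group(2).strip()


def loopback_proxy_port(log_text):
    """Port of an IE ProxyServer entry that points at 127.0.0.1, or None."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(1) == 'R1' and 'ProxyServer' in m.group(2):
            lm = LOOPBACK_RE.search(m.group(2))
            if lm:
                return int(lm.group(1))
    return None


def triage(log_text):
    """Return (findings, launch_points).

    findings: list of dicts {location, target, reason}.
    launch_points: lower-cased target path -> list of locations launching it,
    so a file persisted in several places (HKLM Run, HKCU Run, Startup
    folders) shows up as one target with several launchers.
    """
    findings = []
    launch_points = defaultdict(list)
    for location, path, args in parse_launch_points(log_text):
        launch_points[path.lower()].append(location)
        root = WINROOT_RE.match(path)
        reasons = []
        if root and RANDOM_NAME_RE.match(root.group(1)):
            reasons.append('8-character random name dropped in the Windows root')
        if args.lower() == '/dk':
            reasons.append('launched with the /dk switch seen on the dropper')
        if root and location.endswith('Startup'):
            reasons.append('Startup-folder shortcut to a file in the Windows root')
        for reason in reasons:
            findings.append({'location': location, 'target': path, 'reason': reason})
    port = loopback_proxy_port(log_text)
    if port is not None:
        findings.append({'location': 'R1 ProxyServer', 'target': f'127.0.0.1:{port}',
                         'reason': 'IE proxied through a loopback port: a local '
                                   'process sees and can rewrite all browser traffic'})
    return findings, dict(launch_points)


def suspicious_files(log_text):
    """Sorted, de-duplicated file names flagged by triage()."""
    findings, _ = triage(log_text)
    return sorted({f['target'].rsplit('\\', 1)[-1].lower()
                   for f in findings if '\\' in f['target']})


if __name__ == '__main__':
    found, points = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['location']:16} {f['target']}: {f['reason']}")
    for target, locs in points.items():
        if len(locs) > 1:
            print(f"{target} persists in {len(locs)} places: {', '.join(locs)}")
```

On the constructed excerpt this flags vgqwn0mk.exe (three launch points), kpajtzg4.exe and morze1.exe, and the loopback proxy on port 24491, while leaving the AVG and TrojanHunter entries alone. Two caveats match what dvk01 says later in the thread: the random name changes once files are deleted, so re-run the triage on a fresh log rather than trusting an old one, and a clean O4 list proves only that the launchers are gone, not the hidden component that re-creates them.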
 

IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
Nok 1: I have completed all of your instructions, including "view hidden files". However, I don't know where those files can be found so that I can delete them. Where do I find them?

If I download and use Adtomi Cleanup, would I still need to do the "hidden file" thing?

I REALLY appreciate how quickly you responded to my crisis. Y'all are the greatest!!
 
Reply (poster joined Oct 9, 2001; 9,396 messages)
You won't be able to find them. You have an Adtomi hijacking and it's a quite involved process to remove. Please follow dvk's advice above and nothing else!
;)
 

IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
Ok, I'll do what DVK advised ... but have I done any harm by deleting all those files? I deleted all but the hidden files.
 

dvk01 (Derek; Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)
No, you haven't done any harm at all; it's just that it unfortunately won't fix the problem.

This pest has hidden files that reinstall the others and Nok's fix doesn't remove the hidden files

Because you have deleted some files, it is very possible that the file to stop running has changed.

If the file I highlighted in red isn't the one showing at the bottom of the running processes, or with a /DK entry after its name in HJT, then post a new HJT log first so we can advise which file to stop running.
 

IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
OK. The VGQWN0MK.EXE (in red) was no longer listed (actually there wasn't anything listed that wasn't supposed to be). So here's the new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 4:08:23 AM, on 4/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\DESK DRAWER\RECENT TECH DL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &2 Customize Menu - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComCustomIEMenu.html
O8 - Extra context menu item: &3 Edit Identities - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditIdent.html
O8 - Extra context menu item: &4 Edit Passcards - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditPass.html
O8 - Extra context menu item: &5 Fill from Identity - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillIdent.html
O8 - Extra context menu item: &6 Fill from Passcard - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillPass.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComSavePass.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: RF toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
O9 - Extra button: Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Girafa (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.iamgame.com/java2/cabs/swing.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37618.2320138889
O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client/webbingo/controls/BingoBlowout.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4345/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = address.com

I'm so glad you understand all this, cause I haven't got a clue! I'm just putting all my trust in your expertise. Again, Thanks, so very much for your help.

I'll await your reply before doing anything else.
 
Reply (poster joined Oct 9, 2001; 9,396 messages)
Don't worry, you're in good hands :)

Well... the rogue file is still there.
Download "MoveOnBoot" from here:
http://www.gibinsoft.net/gipoutils/fileutil/index.htm (bottom of the page, where it says "old version")
Install it and reboot. You should now be able to right-click C:\WINDOWS\VGQWN0MK.EXE and choose "Delete file on next reboot"... ok?

Run HijackThis again and put a checkmark against these entries. Double check in case you miss anything, then close all browser and Outlook windows and "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client...ingoBlowout.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab


Reboot and let's see if it's gone.
;)
 

IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
OK .... Does this mean that I don't continue using Adtomi?

I'm now going to follow Steve's instructions with the "MoveOnBoot" and HJT again.

I'm not very clear on the MoveOnBoot instructions (right-clicking on VGQWN0MK.EXE). I'm hoping that when I install the program, it will be apparent.

Thanks sooooooo much y'all!
 
Reply (poster joined Oct 9, 2001; 9,396 messages)
It's very easy to use once it's installed, and very handy for removing any stubborn file.
;)
 

IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
I'm really confused now! I downloaded MoveOnBoot and then rebooted my computer. When I came back up, there was NO VGQWN0MK.EXE anywhere on my computer. When I entered that file in MoveOnBoot, it was an "incorrect file name". What do I do next? Should I continue deleting the files listed in HJT?
 

dvk01 (Derek; Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)
OK, let's start from scratch and see.
Reboot and post a new HJT log; let's see which files are still there.
 

IrishTexan (Thread Starter; joined Aug 1, 2001; 91 messages)
Here's my new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 2:26:13 PM, on 4/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\DESK DRAWER\RECENT TECH DL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\Run: [VGQWN0MK.EXE] C:\WINDOWS\VGQWN0MK.EXE /dk
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &2 Customize Menu - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComCustomIEMenu.html
O8 - Extra context menu item: &3 Edit Identities - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditIdent.html
O8 - Extra context menu item: &4 Edit Passcards - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComEditPass.html
O8 - Extra context menu item: &5 Fill from Identity - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillIdent.html
O8 - Extra context menu item: &6 Fill from Passcard - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillPass.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL/ComSavePass.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: RF toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
O9 - Extra button: Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Girafa (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.iamgame.com/java2/cabs/swing.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.neteller.com/CFIDE/classes/CFJava.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {1ABA2A58-7407-4A50-BDB6-9059B375D012} - http://www.foxwareinc.com/unimax/tmc/install.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37618.2320138889
O16 - DPF: {20F6D002-518C-4FA3-8636-B2604E65E1B5} (URLDownload Class) - http://www2.bingoblowout.com/client/webbingo/controls/BingoBlowout.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4345/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = address.com

See? It's not there either! Remember NOK1's earlier instructions -- to remove it from HJT? Well I did; but wasn't able at that time to remove them from the "Hidden Files". That's when we went to Adtomi ... but it wasn't there either .... so we went with Steve's instructions regarding "MoveOnboot". File still not there! I did not continue with the instructions to remove the files in HJT, per the second half of his instructions.

Help! What now?
 
Joined
Oct 9, 2001
Messages
9,396
Do you have hidden files showing?
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

C:\WINDOWS\VGQWN0MK.EXE is the file to find.......have a look for it and let us know if you find it.
;)
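As an added example (not from the thread or from the HijackThis project), a small Python triage script that parses HijackThis O4/O16/O17 lines of the shape shown in the log above and flags the patterns the helpers have been chasing: an autostart entry under C:\WINDOWS with a random-looking 8-character name, a DPF entry pulling a bare .exe, and an O17 DNS SearchList change. The sample lines are copied from the log above; the heuristics are my own assumptions, not HijackThis's logic.

```python
import re

# Constructed sample: four entries copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VGQWN0MK.EXE] C:\\WINDOWS\\VGQWN0MK.EXE /dk
O4 - HKLM\\..\\RunServices: [Avgserv9.exe] C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe
O16 - DPF: BBSetup - http://bonzi.www.conxion.com/freebuddy/bbsetup.exe
O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: SearchList = address.com
"""

# Line shapes as they appear in HijackThis v1.97 output (assumed from the log, not a spec).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.*?) - (?P<url>\S*)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<setting>\w+) = (?P<value>.*)$")

# Heuristic (assumption): the dropper in this thread kept re-creating 8-character
# alphanumeric .EXE names such as VGQWN0MK, MORZE1, W5X3KWQD directly in C:\WINDOWS.
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{8}\.EXE$", re.IGNORECASE)
WINDOWS_DIR = "C:\\WINDOWS\\"


def triage(log_text):
    """Return a list of (line_number, reason) for entries worth a closer look."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            exe = cmd.split()[0].rsplit("\\", 1)[-1]  # filename only, switches dropped
            # Avgserv9.exe is also 8 alphanumerics, so the directory check matters:
            # only names sitting straight in C:\WINDOWS are flagged.
            if RANDOM_NAME_RE.match(exe) and cmd.upper().startswith(WINDOWS_DIR):
                findings.append((lineno, f"O4 autostart with random-looking name: {exe}"))
            continue
        m = O16_RE.match(line)
        if m and m.group("url").lower().endswith(".exe"):
            findings.append((lineno, f"O16 DPF fetches a bare executable: {m.group('url')}"))
            continue
        m = O17_RE.match(line)
        if m and m.group("setting").lower() in ("searchlist", "domain", "nameserver"):
            findings.append((lineno, f"O17 DNS {m.group('setting')} set to {m.group('value')}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in triage(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```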