Solved

Need Help with HijackThis results log

Posted on 2004-03-23
Last Modified: 2011-09-20
Hi,
I'm having problems with stuff that has been put on my computer by malicious websites and used HijackThis software to scan my registry.  As I have been told, I have copied the log of its results to show to those of you far smarter than me to help recognize the doo-doo that can be eliminated.
What's currently happening is when windows comes up after startup, I get a long line of files where it says it is missing shortcuts to (with the searching flashlight). Some of those files: morse5.exe, mk4n7orb.exe, kj0nn008.ee, w9ad4x1p.exe, be8k663j.exe, ba990uf3.exe, t0uy3zf9.exe, whzw0cjn.exe, morze1.exe.  I noticed that a lot of these are in the results of the HijackThis scan.
After cancelling all of them, messages come up saying "an error has occurred in your program. To keep working anyway, click ignore. Otherwise Close."  I click close and get the red X message "This program has performed an illegal operation and will be shut down. General protection fault in module DDEML.DLL".
After being on the computer for a short time, everything will give me the error message that the computer is out of memory.  
Here is the HijackThis Log file:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=15841&
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;<local>
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\CLEARS~1\CSIE.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [IVZMTDMK] C:\WINDOWS\IVZMTDMK.exe
O4 - HKLM\..\Run: [indoww] C:\WINDOWS\SYSTEM\indoww.exe
O4 - HKLM\..\Run: [L0DUFJU5.EXE] C:\WINDOWS\L0DUFJU5.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MemoryZipperPlus] C:\PROGRAM FILES\MEMZIP\MEMZIP.EXE
O4 - HKCU\..\Run: [L0DUFJU5.EXE] C:\WINDOWS\L0DUFJU5.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: MHTD0QQC.lnk = C:\WINDOWS\mhtd0qqc.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: DU0UNQAH.lnk = C:\WINDOWS\du0unqah.exe
O4 - Startup: FZ4XA4G4.lnk = C:\WINDOWS\fz4xa4g4.exe
O4 - Startup: NOVYKVCP.lnk = C:\WINDOWS\novykvcp.exe
O4 - Startup: MK4N7ORB.lnk = C:\WINDOWS\mk4n7orb.exe
O4 - Startup: KJ0NN008.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: W9AD4X1P.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: BE8K663J.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: GJ0QDO1E.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: RCCGY1AM.lnk = C:\WINDOWS\rccgy1am.exe
O4 - Startup: 24N9C9AJ.lnk = C:\WINDOWS\24n9c9aj.exe
O4 - Startup: L8R79XUC.lnk = C:\WINDOWS\l8r79xuc.exe
O4 - Startup: PZBXTENM.lnk = C:\WINDOWS\pzbxtenm.exe
O4 - Startup: VLT9ZNK2.lnk = C:\WINDOWS\vlt9znk2.exe
O4 - Startup: 0PYJHQBR.lnk = C:\WINDOWS\0pyjhqbr.exe
O4 - Startup: BA9Q0UF3.lnk = C:\WINDOWS\ba9q0uf3.exe
O4 - Startup: UFZIY351.lnk = C:\WINDOWS\ufziy351.exe
O4 - Startup: D3EUHQJX.lnk = C:\WINDOWS\d3euhqjx.exe
O4 - Startup: FDUWFG08.lnk = C:\WINDOWS\fduwfg08.exe
O4 - Startup: T0UY3ZF9.lnk = C:\WINDOWS\t0uy3zf9.exe
O4 - Startup: ODHFNIIA.lnk = C:\WINDOWS\odhfniia.exe
O4 - Startup: WHZW0CJN.lnk = C:\WINDOWS\whzw0cjn.exe
O4 - Startup: 8BEN0JXE.lnk = C:\WINDOWS\8ben0jxe.exe
O4 - Startup: C9CBJYUB.lnk = C:\WINDOWS\c9cbjyub.exe
O4 - Startup: 7PLHWPAC.lnk = C:\WINDOWS\7plhwpac.exe
O4 - Startup: 52E0HLXL.lnk = C:\WINDOWS\52e0hlxl.exe
O4 - Startup: V5XTLGE6.lnk = C:\WINDOWS\v5xtlge6.exe
O4 - Startup: L0DUFJU5.lnk = C:\WINDOWS\l0dufju5.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: MHTD0QQC.lnk = C:\WINDOWS\mhtd0qqc.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: DU0UNQAH.lnk = C:\WINDOWS\du0unqah.exe
O4 - Global Startup: FZ4XA4G4.lnk = C:\WINDOWS\fz4xa4g4.exe
O4 - Global Startup: NOVYKVCP.lnk = C:\WINDOWS\novykvcp.exe
O4 - Global Startup: MK4N7ORB.lnk = C:\WINDOWS\mk4n7orb.exe
O4 - Global Startup: KJ0NN008.lnk = C:\WINDOWS\kj0nn008.exe
O4 - Global Startup: W9AD4X1P.lnk = C:\WINDOWS\w9ad4x1p.exe
O4 - Global Startup: BE8K663J.lnk = C:\WINDOWS\be8k663j.exe
O4 - Global Startup: GJ0QDO1E.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Global Startup: RCCGY1AM.lnk = C:\WINDOWS\rccgy1am.exe
O4 - Global Startup: 24N9C9AJ.lnk = C:\WINDOWS\24n9c9aj.exe
O4 - Global Startup: L8R79XUC.lnk = C:\WINDOWS\l8r79xuc.exe
O4 - Global Startup: PZBXTENM.lnk = C:\WINDOWS\pzbxtenm.exe
O4 - Global Startup: VLT9ZNK2.lnk = C:\WINDOWS\vlt9znk2.exe
O4 - Global Startup: 0PYJHQBR.lnk = C:\WINDOWS\0pyjhqbr.exe
O4 - Global Startup: BA9Q0UF3.lnk = C:\WINDOWS\ba9q0uf3.exe
O4 - Global Startup: UFZIY351.lnk = C:\WINDOWS\ufziy351.exe
O4 - Global Startup: D3EUHQJX.lnk = C:\WINDOWS\d3euhqjx.exe
O4 - Global Startup: FDUWFG08.lnk = C:\WINDOWS\fduwfg08.exe
O4 - Global Startup: T0UY3ZF9.lnk = C:\WINDOWS\t0uy3zf9.exe
O4 - Global Startup: ODHFNIIA.lnk = C:\WINDOWS\odhfniia.exe
O4 - Global Startup: WHZW0CJN.lnk = C:\WINDOWS\whzw0cjn.exe
O4 - Global Startup: 8BEN0JXE.lnk = C:\WINDOWS\8ben0jxe.exe
O4 - Global Startup: C9CBJYUB.lnk = C:\WINDOWS\c9cbjyub.exe
O4 - Global Startup: 7PLHWPAC.lnk = C:\WINDOWS\7plhwpac.exe
O4 - Global Startup: 52E0HLXL.lnk = C:\WINDOWS\52e0hlxl.exe
O4 - Global Startup: V5XTLGE6.lnk = C:\WINDOWS\v5xtlge6.exe
O4 - Global Startup: L0DUFJU5.lnk = C:\WINDOWS\l0dufju5.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.5657638889
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/249201d1d680d69c4423/netzip/RdxIE601.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://D:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://bannerfarm.ace.advertising.com/bannerfarm/42634/VBouncerOuter1301.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/download/cabs/BANN8002/stoppop.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/hitthepros03/foxsports/wtinst.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O19 - User stylesheet: C:\WINDOWS\hh.htt
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Oh please, any help would be so, so, soooooo appreciated!!

Dave
Question by:ascoredhat
13 Comments
 
LVL 21

Assisted Solution

by:jvuz
jvuz earned 50 total points
ID: 10665120
Do a search with adaware:

www.lavasoftusa.com

Make sure you have the latest update.
0
 

Author Comment

by:ascoredhat
ID: 10669694
Thanks, jvuz.  But actually I already ran Spybot Search and Destroy and it came up with nothing.  I'm sure the problems lie within the above illegal crap inside the registry above as most of the stuff within it under the "startup" heading are the exact same exe files that pop up over and over as windows comes up searching for missing shortcuts.  So I know that lots of the things above HAVE to be deleted using the Hijack This program, but I just needed help with what should be dumped from the above list and what I should leave alone, as I don't want to accidentally zap something from the windows registry that screws things up.

Any help on what I can put check marks next to on the above list in Hijack This would be greatly appreciated.

Thanks!

Dave
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10670748
Check out this web site.

http://www.thatcomputerguy.us/

Go to their forums, to security - nice people, very knowledgeable, quick response.
I've used their help with Hijack This lists for many friends, co-workers, acquaintances, etc.
Also, I've found that Ad-aware (Lavasoft.com - free version) catches things that Spybot misses, and vice versa - I run both.
Another thing to look into is Spyware Blaster - one can never have enough security tools!

Good luck!
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 100 total points
ID: 10670912
Just remembered another website - they have a forum devoted to Hijack This list interpretation - Die Hard is an expert!

http://help.lockergnome.com

Good luck!

Also, as jvuz responded to your question first, I would appreciate it if you would give points to him/her, rather than myself.
Thanks! (It's finally Spring in the Midwest, USA - Yayyyy!)
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10671549
Hello again!

I'm currently working on a friend's computer to remove spyware/parasites/malware, etc.
Came across a few things you have on your computer.

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file) - transponder, basically spyware.

O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file) - search enhancement Hijacker.

O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\CLEARS~1\CSIE.DLL - spyware.

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL - spyware.

O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file) - spyware/parasite.

http://bannerfarm.ace.advertising.com/bannerfarm/42634/VBouncerOuter1301.exe - spyware/malware.

Some of these things you should probably NOT automatically try to remove.
Go to the site listed below, where you'll find fairly comprehensive lists of CLSID's and programs with links on info. and
how to remove them. They try to keep these lists very complete, but I've found that they are not 100 percent complete.

http://www.sysinfo.org/

Note: anytime you have to edit the Registry - careful! - backup!

As always: your fellow user/abuser in computer chaos! :))  (I love experts-exchange!) Time for a libation!
Later!
0
 
LVL 2

Expert Comment

by:jetnet
ID: 10677215
Just to let you know, these:

O4 - Startup: DU0UNQAH.lnk = C:\WINDOWS\du0unqah.exe
O4 - Startup: FZ4XA4G4.lnk = C:\WINDOWS\fz4xa4g4.exe
O4 - Startup: NOVYKVCP.lnk = C:\WINDOWS\novykvcp.exe
O4 - Startup: MK4N7ORB.lnk = C:\WINDOWS\mk4n7orb.exe
O4 - Startup: KJ0NN008.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: W9AD4X1P.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: BE8K663J.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: GJ0QDO1E.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: RCCGY1AM.lnk = C:\WINDOWS\rccgy1am.exe
O4 - Startup: 24N9C9AJ.lnk = C:\WINDOWS\24n9c9aj.exe
O4 - Startup: L8R79XUC.lnk = C:\WINDOWS\l8r79xuc.exe
O4 - Startup: PZBXTENM.lnk = C:\WINDOWS\pzbxtenm.exe
O4 - Startup: VLT9ZNK2.lnk = C:\WINDOWS\vlt9znk2.exe
O4 - Startup: 0PYJHQBR.lnk = C:\WINDOWS\0pyjhqbr.exe
O4 - Startup: BA9Q0UF3.lnk = C:\WINDOWS\ba9q0uf3.exe
O4 - Startup: UFZIY351.lnk = C:\WINDOWS\ufziy351.exe
O4 - Startup: D3EUHQJX.lnk = C:\WINDOWS\d3euhqjx.exe
O4 - Startup: FDUWFG08.lnk = C:\WINDOWS\fduwfg08.exe
O4 - Startup: T0UY3ZF9.lnk = C:\WINDOWS\t0uy3zf9.exe
O4 - Startup: ODHFNIIA.lnk = C:\WINDOWS\odhfniia.exe
O4 - Startup: WHZW0CJN.lnk = C:\WINDOWS\whzw0cjn.exe
O4 - Startup: 8BEN0JXE.lnk = C:\WINDOWS\8ben0jxe.exe
O4 - Startup: C9CBJYUB.lnk = C:\WINDOWS\c9cbjyub.exe
O4 - Startup: 7PLHWPAC.lnk = C:\WINDOWS\7plhwpac.exe
O4 - Startup: 52E0HLXL.lnk = C:\WINDOWS\52e0hlxl.exe
O4 - Startup: V5XTLGE6.lnk = C:\WINDOWS\v5xtlge6.exe
O4 - Startup: L0DUFJU5.lnk = C:\WINDOWS\l0dufju5.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: MHTD0QQC.lnk = C:\WINDOWS\mhtd0qqc.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: DU0UNQAH.lnk = C:\WINDOWS\du0unqah.exe
O4 - Global Startup: FZ4XA4G4.lnk = C:\WINDOWS\fz4xa4g4.exe
O4 - Global Startup: NOVYKVCP.lnk = C:\WINDOWS\novykvcp.exe
O4 - Global Startup: MK4N7ORB.lnk = C:\WINDOWS\mk4n7orb.exe
O4 - Global Startup: KJ0NN008.lnk = C:\WINDOWS\kj0nn008.exe
O4 - Global Startup: W9AD4X1P.lnk = C:\WINDOWS\w9ad4x1p.exe
O4 - Global Startup: BE8K663J.lnk = C:\WINDOWS\be8k663j.exe
O4 - Global Startup: GJ0QDO1E.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Global Startup: RCCGY1AM.lnk = C:\WINDOWS\rccgy1am.exe
O4 - Global Startup: 24N9C9AJ.lnk = C:\WINDOWS\24n9c9aj.exe
O4 - Global Startup: L8R79XUC.lnk = C:\WINDOWS\l8r79xuc.exe
O4 - Global Startup: PZBXTENM.lnk = C:\WINDOWS\pzbxtenm.exe
O4 - Global Startup: VLT9ZNK2.lnk = C:\WINDOWS\vlt9znk2.exe
O4 - Global Startup: 0PYJHQBR.lnk = C:\WINDOWS\0pyjhqbr.exe
O4 - Global Startup: BA9Q0UF3.lnk = C:\WINDOWS\ba9q0uf3.exe
O4 - Global Startup: UFZIY351.lnk = C:\WINDOWS\ufziy351.exe
O4 - Global Startup: D3EUHQJX.lnk = C:\WINDOWS\d3euhqjx.exe
O4 - Global Startup: FDUWFG08.lnk = C:\WINDOWS\fduwfg08.exe
O4 - Global Startup: T0UY3ZF9.lnk = C:\WINDOWS\t0uy3zf9.exe
O4 - Global Startup: ODHFNIIA.lnk = C:\WINDOWS\odhfniia.exe
O4 - Global Startup: WHZW0CJN.lnk = C:\WINDOWS\whzw0cjn.exe
O4 - Global Startup: 8BEN0JXE.lnk = C:\WINDOWS\8ben0jxe.exe
O4 - Global Startup: C9CBJYUB.lnk = C:\WINDOWS\c9cbjyub.exe
O4 - Global Startup: 7PLHWPAC.lnk = C:\WINDOWS\7plhwpac.exe
O4 - Global Startup: 52E0HLXL.lnk = C:\WINDOWS\52e0hlxl.exe
O4 - Global Startup: V5XTLGE6.lnk = C:\WINDOWS\v5xtlge6.exe
O4 - Global Startup: L0DUFJU5.lnk = C:\WINDOWS\l0dufju5.exe

Are viruses.  It looks like Bagle.Q to me, right off the bat, but maybe it's a Klez strain.  Try downloading this program: http://vil.nai.com/vil/stinger/ and scanning your computer for viruses.  I know you may have a virus scanner on your computer, but you may have a very recent virus on there as well.  Give that a shot, because those Global Startups with random names in your Windows folder are viruses.
0
 

Expert Comment

by:carbonman
ID: 10682583
Ascoredhat (Dave)

I have this exact same virus which appeared on my computer on the 23rd of March and is creating the same havoc.   Did you ever find a solution as of yet because I have not.

Thanks,
Don
0
 
LVL 1

Assisted Solution

by:Phazon
Phazon earned 50 total points
ID: 10684634
I had this problem today and used the following to remove it.  Nothing would work: Stinger, NAV, Adaware, Hijackthis.

o cleaned out the start up group
o deselected all entries from System Start Up
o hit CTRL-ALT-Del and removed all non-essential items from the task list
o ran HiJackThis and removed all /dk entries
o rebooted into safe mode - command prompt only
o changed to \windows
o did a dir *.exe /od.  All the last entries were 614,912 bytes, eight characters long and nonsensical - I manually deleted them
o there was another file called bargain2.exe.  I renamed and moved this.  It looked suspicious as it was dated within the past week or two
o changed to \windows\system and ran dir *.exe /od.  There were a couple of exe's in there that were dated within the past week.  I renamed them and moved them to another directory

Rebooted into Windows and everything was fine.  I ran the computer for about an hour and nothing inappropriate happened.  

I hope this helps.

Jim
0
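The triage clues mentioned in this thread (BHO/Toolbar entries with "(no file)", Run entries launched with /dk, Startup shortcuts pointing at eight-character .exe names in C:\WINDOWS) can be checked mechanically against a HijackThis log. The following is an added example, not code from any poster or from HijackThis itself; the rule names and the regular expressions are assumptions made for illustration, and the sample lines are copied from the log in the question.

```python
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Sample input: a few lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [L0DUFJU5.EXE] C:\WINDOWS\L0DUFJU5.EXE /dk
O4 - Startup: KJ0NN008.lnk = C:\WINDOWS\gj0qdo1e.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: WHZW0CJN.lnk = C:\WINDOWS\whzw0cjn.exe
"""

# Hypothetical rule set; each pattern mirrors one observation from the thread.
ORPHAN = re.compile(r"^O[23] - (?:BHO|Toolbar): .* - \(no file\)$")
RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>.+?)\] (?P<cmd>.+)$")
STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+)\.lnk = (?P<target>.+)$")
EIGHT_CHAR_STEM = re.compile(r"^[a-z0-9]{8}$")


def triage(log_text):
    """Return a list of Finding(rule, line) for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN.match(line):
            # CLSID still registered with the browser but its DLL is gone.
            findings.append(Finding("orphan-clsid", line))
            continue
        m = RUN.match(line)
        if m:
            # Only the /dk switch is flagged here; scanregw.exe is also an
            # eight-character name in C:\WINDOWS and must not be reported.
            if m["cmd"].split()[-1].lower() == "/dk":
                findings.append(Finding("dk-switch", line))
            continue
        m = STARTUP.match(line)
        if m:
            target = m["target"].strip('"')
            stem = ntpath.splitext(ntpath.basename(target))[0].lower()
            if m["lnk"].lower() != stem:
                # Shortcut named after one file but launching another.
                findings.append(Finding("lnk-target-mismatch", line))
            in_windows = ntpath.dirname(target).lower() == r"c:\windows"
            if in_windows and EIGHT_CHAR_STEM.match(stem):
                findings.append(Finding("8char-exe-in-windows", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.line}")
```

The MORZE1.lnk line produces no finding, so name-based rules like these only shortlist entries for review; a line without a hit is not thereby shown to be clean.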
 

Expert Comment

by:carbonman
ID: 10686072
Jim, thank you for this idea; looks logical and I will try.  I can manage the other steps but I am not familiar with the HiJack This software.

Thanks,
Don
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 50 total points
ID: 10686774
0
 

Author Comment

by:ascoredhat
ID: 10708812
Thank you for everyone's help.  The biggest help was the tip for the lockergnome site where Die Hard was extremely helpful in reading the HiJack Log.   The Avast and Adaware software also helped find bits and pieces of nasty stuff, so thanks there, too.

Thank you for all your kind assistance in this.  Why does it seem that viruses and hijacking sites are on the rise and are getting ever more nasty?  It seems every time I turn around and go to a site, it's trying to get me to download stuff and won't let me click the page off without another one popping up trying to get me to "accept" a download or plug-in, and I'm not even talking porn sites.  These are just game/card sites here, which for the most part, I'm trying to stay away from.  Does anybody know of any good online article that helps shed light on how to avoid being hijacked?

Again, thanks to you all!

Dave
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10713220
Check this site out for a fairly complete explanation of what and why all the problems with spyware, adware, browser hijacking, etc.

http://www.spywareinfo.com/

Also, while you're there, you should look into SpywareGuard and SpywareBlaster, these help to prevent spyware, adware,
hijackers from infecting your computer.

Glad someone could help!!
Good luck!
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10713399
Keep your AV software up to date, get a popup blocker and Just Say No!
If you do a lot of recreational surfing, a software firewall isn't a bad idea either.
0
