Can someone decipher this Hijack thread?

Discussion in 'adware, spyware & hijack cleaning' started by ZorakWilliams, Jun 29, 2004.

Thread Status:
Not open for further replies.
  1. ZorakWilliams

    ZorakWilliams Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    4
    Hello,

    I have downloaded adaware and hijack and will paste the results below. I had detected a virus in my pc the other day, using symantec I quaranteened it and deleted the effected files.

    However since then my IE has ran havoc, the homepage reverts to either casinopalazzo or coolsearch and a X icon(named xxx) has appeared on my desktop. Also web pages will randomly change to porn sites at any given time :eek: .

    Anyway I'm not that technically savy but have checked other posts and ran the adaware and hijack scans but have read only to delete specific files from hijack. I would appreciate any help anyone could provide.

    Here is the hijack code:
    Logfile of HijackThis v1.97.7
    Scan saved at 22:03:52, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\services\exploit.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\blpqnfni.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\NDrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Henry\Desktop\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Callme] C:\WINDOWS\System32\run32dll.exe
    O4 - HKLM\..\Run: [tmdcnaz] C:\WINDOWS\tmdcnaz.exe
    O4 - HKLM\..\Run: [dphmbauiidtlc] C:\WINDOWS\System32\blpqnfni.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.1550347222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab


    Yours Desperately,

    Zorak Williams
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI ZorakWilliams

    First update or download CWShredder to version 1.59.1
    CWShredder (http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe)
    Use the Fix button and follow the instructions you will receive.

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.


    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. ZorakWilliams

    ZorakWilliams Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    4
    Followed all the instructions, ran all the scans, here's the log

    Logfile of HijackThis v1.97.7
    Scan saved at 01:41:55, on 30/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\blpqnfni.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\NDrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Callme] C:\WINDOWS\System32\run32dll.exe
    O4 - HKLM\..\Run: [tmdcnaz] C:\WINDOWS\tmdcnaz.exe
    O4 - HKLM\..\Run: [dphmbauiidtlc] C:\WINDOWS\System32\blpqnfni.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.1550347222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI ZorakWilliams

    Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.

    Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":

    C:\WINDOWS\System32\blpqnfni.exe
    C:\WINDOWS\System32\NDrv.exe

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

    O4 - HKLM\..\Run: [Callme] C:\WINDOWS\System32\run32dll.exe <----did YOU install this?
    ---Process File: run32dll or run32dll.exe
    Process Name: PAL PC Spy
    Description: A key recorder and screen capture utility that controls and monitors everything that happens on your computer and online.---------

    O4 - HKLM\..\Run: [tmdcnaz] C:\WINDOWS\tmdcnaz.exe
    O4 - HKLM\..\Run: [dphmbauiidtlc] C:\WINDOWS\System32\blpqnfni.exe

    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <---- optional

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here


    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINDOWS\System32\blpqnfni.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\WINDOWS\System32\services\exploit.exe
    C:\WINDOWS\System32\NDrv.dll
    C:\WINDOWS\Downloaded Program Files\bridge.dll
    C:\WINDOWS\System32\run32dll.exe <------ see above !
    C:\WINDOWS\tmdcnaz.exe

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Now, empty your TEMP Folder / Temporary Internet Files Folder and then empty your "Recycle Bin" and reboot.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log to see if everything "bad" is gone. Thanks.
     
  5. ZorakWilliams

    ZorakWilliams Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    4
    Marianna,

    Phew that took me a while but I followed the instructions, the only part I was unsure on was when you stated to delete the file

    c:\WINDOWS\System32\run32dll.exe but I only saw a file named rundll32. Is this the same? if so then should I go back and delete it?

    Here is the hijack log I took:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:38:42, on 30/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [axfjzimfifm] C:\WINDOWS\System32\blpqnfni.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.1550347222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    My IE seems to be working better now and the homepage has reverted to msn.com.
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI ZorakWilliams

    c:\WINDOWS\System32\run32dll.exe but I only saw a file named rundll32. Is this the same? if so then should I go back and delete it?

    NOPE ! rundll32 is a VALID file ! the run32dll.exe is gone :)

    Still one item left to check in HJT:

    O4 - HKLM\..\Run: [axfjzimfifm] C:\WINDOWS\System32\blpqnfni.exe and click "fix checked".

    Maybe you have to go via ctrl-alt-del to end the task blpqnfni.exe

    Then in SAFEMODE delete the file: blpqnfni.exe

    Reboot

    Clean your temp. and temp. internet files - recycle bin.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    You can delete all the backups if your computer is running OK. They are only there in case a mistake is made and you need to restore something that was fixed by mistake.

    PLs. let me know IF all problems are gone :)
     
  7. ZorakWilliams

    ZorakWilliams Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    4
    Hi Marianna,

    Lucky I didn't delete that rundll32 file then ;) I could not find the blpqnfni.exe file in safe mode but I just ran HJT and the line O4 - HKLM\..\Run: [axfjzimfifm] C:\WINDOWS\System32\blpqnfni.exe is no longer there.

    PC seems to be working ok and IE isn't jumping to other random web pages so it all looks ok, I'll keep those backup files for now incase something does happen again.

    I can't thank you enough for your help and I don't know how to repay you, I can only say that I will postpone the invasion of your planet Earth. :D

    Many Thanks,

    Zorak Williams(Interstellar Gibbon)
     
  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Zorak :)

    You're Welcome - glad we could help !

    Wow - you are from the same planet :ninja:
     

    Attached Files:

Thread Status:
Not open for further replies.