Cursor takeover - HELP!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by seaside29, Nov 10, 2004.

  1. seaside29

    seaside29 Private E-2

    I have run McAfee virus scan, Ad-Aware SE, Spybot, and CW Shredder and cannot get rid of this cursor takeover.

    My cursor has been taken over - the pointer is now yellow and when I load a program or web-page it turns into a dinosaur (barney?). My computer is very slow as well.

    What can I do to fix this? Thanks!
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal


    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. seaside29

    seaside29 Private E-2

    Tried everything in the list. Has anyone come across this virus? How to get rid of it? Thanks.
     
  4. Kodo

    Kodo SNATCHSQUATCH

  5. seaside29

    seaside29 Private E-2

    The instructions say that "if you don't know how to use Hijack this or understand it, then you shouldn't use it."

    I fall into that category...

    The best description of the problem is that my computer is running slower and the only signs that there is a virus is the cursor. The cursor still works but it is a different color and instead of changing to an hour-glass when something is loading, it changes to a dinosaur walking.

    Many thanks.
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Run the program and post your log, I can't do squat until I see it. Just don't "fix" anything with it until we tell you to.

    Also, have you tried to run the alternative scans listed in the 1st tutorial?
     
  7. seaside29

    seaside29 Private E-2

    Log File Saved As Attachment -Kodo
     

  8. Kodo

    Kodo SNATCHSQUATCH

    a-squared (a²) Personal Edition 1.1

    download that program and run it in safe mode. (required FREE registration)

    When you're done, post another log file. Please upload the files as an attachment.

    also, if you haven't paid for spykiller, uninstall it.
     
  9. seaside29

    seaside29 Private E-2

    It found 1 malware:
    Filename: C:\Documents and Settings\Jonathan Lawrence\Local Settings\Temp\~7085928687.tmp
    Diagnosis: TrojanDownloader.Win32.Siboco


    Log attached
     
  10. seaside29

    seaside29 Private E-2

    It's not letting me add the log as an attachment - says there is an error.

  11. Kodo

    Kodo SNATCHSQUATCH

    OK. Load up HijackThis and put a check mark on each of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

    O2 - BHO: (no name) - {0766393F-7380-A5B1-3C75-E2A4E8B23A3C} - C:\WINNT\System32\rbacyxnc.dll (file missing)
    O2 - BHO: (no name) - {0B4AFA2F-4881-2027-6286-F727722B8904} - C:\WINNT\System32\jdmmrvuq.dll
    O2 - BHO: (no name) - {0DD75A28-FDC7-B253-ECA2-58D17BCCF45D} - C:\WINNT\System32\fbyhdzvx.dll (file missing)
    O2 - BHO: (no name) - {14EECD75-D483-DB8A-DB79-B243BA0F8DCE} - C:\WINNT\System32\uppiockq.dll
    O2 - BHO: (no name) - {1875E42E-4C08-4B36-D323-2F8E55C210A2} - C:\WINNT\System32\dtveajti.dll (file missing)
    O2 - BHO: (no name) - {1BC95377-0BBC-4D9B-2FD1-0E7C5E99BDA6} - C:\WINNT\System32\iomryalg.dll (file missing)
    O2 - BHO: (no name) - {2263848E-0BD2-DE0A-E9E9-8FE96E8C44E3} - C:\WINNT\System32\zhtzzppf.dll (file missing)
    O2 - BHO: (no name) - {277D771D-8E80-DB79-7970-F12BAB268682} - C:\WINNT\System32\riskuyjt.dll (file missing)
    O2 - BHO: (no name) - {28B2076B-A556-317E-48AC-7D092D7D7B7F} - C:\WINNT\System32\opfakfzn.dll (file missing)
    O2 - BHO: (no name) - {35DD29DE-7E7C-4E03-729B-14FE7AE70632} - C:\WINNT\System32\ezfwfmnj.dll (file missing)
    O2 - BHO: (no name) - {3B13D947-E8F9-996B-A373-4DFBBBE59955} - C:\WINNT\System32\jkpvkifd.dll
    O2 - BHO: (no name) - {3B2388F7-AD86-3562-CE78-057E4C3C9FDD} - C:\WINNT\System32\wkhyyltc.dll
    O2 - BHO: (no name) - {3BA1CC6D-35EE-256E-5BD8-730231EC81C3} - C:\WINNT\System32\umbqunbo.dll
    O2 - BHO: (no name) - {3C3336A9-F391-5159-F97D-BCFF5C112665} - C:\WINNT\System32\jsabnopt.dll
    O2 - BHO: (no name) - {40B59939-7BFA-728E-3397-89C645190D8C} - C:\WINNT\System32\fxdtvzju.dll (file missing)
    O2 - BHO: (no name) - {43A2A983-5B47-F2F3-C6F6-16D864795477} - C:\WINNT\System32\gksuhvyn.dll (file missing)
    O2 - BHO: (no name) - {46B5E013-407C-8A2A-89A7-6DEAC3CC8EAE} - C:\WINNT\System32\qrndnoyx.dll
    O2 - BHO: (no name) - {4A668F03-F61E-19A9-37C5-4BE5AE752803} - C:\WINNT\System32\gbszyucf.dll
    O2 - BHO: (no name) - {4B1C0797-F20D-8803-1A90-563273E11BC8} - C:\WINNT\System32\cysutnrq.dll (file missing)
    O2 - BHO: (no name) - {4BD5EBC8-C8DD-8B7B-39AD-8CAD0546F65F} - C:\WINNT\System32\yjkrnrfb.dll (file missing)
    O2 - BHO: (no name) - {4BE5FE11-C80A-2DDF-CA48-069FAB462412} - C:\WINNT\System32\gwkfqszr.dll
    O2 - BHO: (no name) - {515FBEFD-EB10-4DF2-20DF-29578127BC4C} - C:\WINNT\System32\kxdmlfis.dll (file missing)

    O2 - BHO: (no name) - {5503118B-C330-CB2B-A338-152F081B7E5B} - C:\WINNT\System32\mqalgshk.dll
    O2 - BHO: (no name) - {553B3932-A0E9-BEAF-CD36-B82EFF303B57} - C:\WINNT\System32\gvetdqwo.dll
    O2 - BHO: (no name) - {58700904-C894-7866-C1BB-803C39198337} - C:\WINNT\System32\fzfulhga.dll (file missing)
    O2 - BHO: (no name) - {5A770C2F-FD02-9F93-B6E8-F73D2551B9AA} - C:\WINNT\System32\fcwntoky.dll (file missing)
    O2 - BHO: (no name) - {6EB4D9C2-E45E-3BD0-A947-6238EF3E5437} - C:\WINNT\System32\umplspss.dll (file missing)
    O2 - BHO: (no name) - {7912FE15-F122-13FF-7C73-63FCF5F7BE85} - C:\WINNT\System32\uauqceyo.dll
    O2 - BHO: (no name) - {7970F12B-AB26-8682-C936-1040681AC221} - C:\WINNT\System32\turtwmql.dll
    O2 - BHO: (no name) - {7CA11045-0F73-544F-F68E-5861834FE06E} - C:\WINNT\System32\skeizbvv.dll (file missing)
    O2 - BHO: (no name) - {8010790B-EE2E-CFB0-4EB7-7D028BA12B43} - C:\WINNT\System32\hopmhjfz.dll
    O2 - BHO: (no name) - {810BC72B-798D-5A0F-3BC7-E5B13328A6FA} - C:\WINNT\System32\jgdeyhzr.dll (file missing)
    O2 - BHO: (no name) - {8129A51A-7806-8FA1-535D-250DFFA31AE3} - C:\WINNT\System32\mtotlqgn.dll (file missing)
    O2 - BHO: (no name) - {85C1C736-2A0E-6834-B3E1-87A86FC127A4} - C:\WINNT\System32\zzauoskw.dll
    O2 - BHO: (no name) - {86EADA5D-98B0-177B-DCC8-D298FF426FAA} - C:\WINNT\System32\dhowkfjp.dll
    O2 - BHO: (no name) - {87485751-E283-E38D-3577-41B2390302C8} - C:\WINNT\System32\gimsppwp.dll
    O2 - BHO: (no name) - {87E5BB62-C7C8-2F1E-271F-69DD92638019} - C:\WINNT\System32\jfbtiiyv.dll
    O2 - BHO: (no name) - {8CD89708-B0FF-4277-FD65-43A1C94F2864} - C:\WINNT\System32\teqyzvjc.dll (file missing)
    O2 - BHO: (no name) - {9108289C-69CE-1B54-DA43-9D8A775E7592} - C:\WINNT\System32\bepqhdne.dll
    O2 - BHO: (no name) - {974CD049-5129-3B3B-E0EE-B02752AE1661} - C:\WINNT\System32\yoamdrbv.dll (file missing)
    O2 - BHO: (no name) - {978086AA-8DEE-F240-9D05-2237524942D7} - C:\WINNT\System32\htougtkz.dll (file missing)
    O2 - BHO: (no name) - {97DC6799-9E48-41D3-50F6-3E40EC6288DE} - C:\WINNT\System32\osfonmhr.dll (file missing)
    O2 - BHO: (no name) - {9D2E3FDD-EE83-92DC-2757-3D046E29243A} - C:\WINNT\System32\oaxavxag.dll (file missing)
    O2 - BHO: (no name) - {9EA2B67A-D518-3001-D96F-88B5F40835B7} - C:\WINNT\System32\hjiojndl.dll (file missing)
    O2 - BHO: (no name) - {A0F7D7BE-8F0C-04EE-A677-55EC5BD0D017} - C:\WINNT\System32\jihchttj.dll (file missing)
    O2 - BHO: (no name) - {A4B6578E-04E8-E43B-3DC0-0E01A6455C31} - C:\WINNT\System32\hgtpdjjz.dll
    O2 - BHO: (no name) - {BA18B649-CEBC-1A6F-3A74-BA70D6F973F0} - C:\WINNT\System32\nvkszpsl.dll (file missing)
    O2 - BHO: (no name) - {BE259C3A-0E1F-4FB4-080A-48EAAFBD0ECD} - C:\WINNT\System32\apdonshn.dll (file missing)
    O2 - BHO: (no name) - {C0D75BAF-A57D-5BA1-B7DA-205E770FBF92} - C:\WINNT\System32\snhkyygr.dll
    O2 - BHO: (no name) - {C568FAD5-B59A-B057-AA99-9BCDD9AFED33} - C:\WINNT\System32\zubdncwz.dll
    O2 - BHO: (no name) - {C7C9278E-19AB-B59B-D160-179ED519E19A} - C:\WINNT\System32\mhvzajqg.dll
    O2 - BHO: (no name) - {C80DD4FA-9B1B-6A77-7392-D7D40B6BECBE} - C:\WINNT\System32\vmazkckc.dll (file missing)
    O2 - BHO: (no name) - {C89F364B-4CEC-B7CC-7A76-46CB692DCE96} - C:\WINNT\System32\wovpdgxb.dll (file missing)
    O2 - BHO: (no name) - {CBCD588B-328E-83CE-D47D-461CE0FCEF5F} - C:\WINNT\System32\tohtywjh.dll (file missing)
    O2 - BHO: (no name) - {D3195C03-7BDE-D1D8-3E15-D012204933E2} - C:\WINNT\System32\iotefvxq.dll (file missing)
    O2 - BHO: (no name) - {D96F88B5-F408-35B7-9197-E8B8FFBCE4D1} - C:\WINNT\System32\oqxssjnh.dll (file missing)
    O2 - BHO: (no name) - {EDA05DA3-4034-E70B-E54F-8E716F2637D3} - C:\WINNT\System32\lnujzppb.dll (file missing)
    O2 - BHO: (no name) - {F970B657-81E7-A410-CD20-C1B2B5D9A033} - C:\WINNT\System32\geydutlv.dll
    O2 - BHO: (no name) - {FB07F324-7FE8-3C60-7939-333E8F71015F} - C:\WINNT\System32\avclrlln.dll
    O2 - BHO: (no name) - {FB17A1D5-4574-D757-A43E-EAC0204686E7} - C:\WINNT\System32\ncupxghe.dll

    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [tY3Jpj] C:\documents and settings\jonathan lawrence\local settings\temp\tY3Jpj.exe
    O4 - HKLM\..\Run: [47T3AC927SSBYL] C:\WINNT\System32\GmtmBu.exe
    O4 - HKLM\..\Run: [wlfjvrdgbew] C:\WINNT\System32\igwoeq.exe

    O4 - HKLM\..\Run: [kqixexon] C:\WINNT\System32\kqixexon.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
    O9 - Extra ''Tools'' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: ComcastHSI - {186A258A-FC9B-438B-92D0-1835ED4D3044} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
    O9 - Extra button: Support - {BDF2EF64-3427-4071-8C8F-3D7C90E74C03} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {EF6994D3-153D-4629-9FA6-188933579F26} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


    CLOSE IE.. ALL instances of it, including this one you're reading in right now, and then click FIX.

    Now try to find the following on your system and delete them:

    c:\installer\id53.exe
    C:\documents and settings\jonathan lawrence\local settings\temp\tY3Jpj.exe

    I would recommend deleting all the files in the temp directory.

    Reboot to safe mode and run adaware and spybot again.

    Remove any items in your add/remove control panel that relate to search bars and any software you don't know about.

    Then post a new log file.

     
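As an added example (not from this thread, and not HijackThis's own logic), a small Python triage pass that applies the same heuristics Kodo used on the log above: unnamed BHOs loading random-named DLLs from System32, BHO entries whose DLL is already missing, Run keys launching from the temp or installer directories, the redirected SearchAssistant, and the local-file DPF entry. The sample lines are copied from the log above; the name-length and directory patterns are my assumptions.

```python
import re

# Constructed sample: a handful of the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
O2 - BHO: (no name) - {0B4AFA2F-4881-2027-6286-F727722B8904} - C:\WINNT\System32\jdmmrvuq.dll
O2 - BHO: (no name) - {0DD75A28-FDC7-B253-ECA2-58D17BCCF45D} - C:\WINNT\System32\fbyhdzvx.dll (file missing)
O4 - HKLM\..\Run: [tY3Jpj] C:\documents and settings\jonathan lawrence\local settings\temp\tY3Jpj.exe
O4 - HKLM\..\Run: [kqixexon] C:\WINNT\System32\kqixexon.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

# Heuristics (my assumptions, not HijackThis rules): the infection in this thread used
# eight-lowercase-letter System32 file names and launched from temp / c:\installer.
RANDOM_SYSTEM32 = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)$", re.I)
DROP_DIRS = re.compile(r"\\local settings\\temp\\|\\installer\\", re.I)
ENTRY = re.compile(r"(R\d|O\d+) - (.*)")

def triage_line(line):
    """Return (section, reason) for a suspicious HijackThis line, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec == "R1" and "SearchAssistant" in body and "microsoft.com" not in body.lower():
        return sec, "search assistant redirected to a non-Microsoft URL"
    if sec == "O2":
        if "(file missing)" in body:
            return sec, "BHO registered for a DLL that no longer exists (orphaned entry)"
        if "(no name)" in body and RANDOM_SYSTEM32.search(body):
            return sec, "unnamed BHO loading a random-named DLL from System32"
    if sec == "O4":
        target = body.split("] ", 1)[-1]  # the path after the [name] tag
        if DROP_DIRS.search(target):
            return sec, "autostart runs an executable from a temp/installer directory"
        if RANDOM_SYSTEM32.search(target):
            return sec, "autostart runs a random-named executable from System32"
    if sec == "O16" and "file://" in body.lower():
        return sec, "ActiveX (DPF) entry installs from a local CAB file"
    return None

def triage(log_text):
    """Run each log line through triage_line; return (section, reason, line) hits."""
    hits = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((*verdict, line.strip()))
    return hits
```

The random-name check is a heuristic, so a legitimate eight-letter binary would also be flagged; treat hits as candidates to review, not an automatic fix list.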
  12. seaside29

    seaside29 Private E-2

    Tried to do everything as requested. Succeeded in deleting the items in the HijackThis log.

    Couldn't find these anywhere (searched in the directories):
    c:\installer\id53.exe (blank folder, nothing in it, but deleted anyway)
    C:\documents and settings\jonathan lawrence\local settings\temp\tY3Jpj.exe

    I would recommend deleting all the files in the temp directory. Was nervous to delete some of these because I'm not sure what they are. Some are for Kodak EasyShare, AOL, etc., others I have no idea...
    Reboot to safe mode and run adaware and spybot again. Still found some things and deleted / fixed all of them.

    Remove any items in your add/remove control panel that relate to search bars and any software you don't know about. Didn't find anything I didn't know in here. Problem still here though... new log attached
     

  13. Kodo

    Kodo SNATCHSQUATCH

    Place HijackThis into c:\program files\hijackthis
    please.. you shouldn't be running it from the location you are running it from.

    Try to locate these files:
    C:\WINNT\System32\kqixexon.exe {DELETE}
    C:\WINNT\System32\rcamsp.exe {DELETE}


    Remove these in HJT:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKCU\..\Run: [rcamsp] C:\WINNT\System32\rcamsp.exe


    Reboot to safe mode and run adaware and spybot again
     
  14. seaside29

    seaside29 Private E-2

    Place HijackThis into c:\program files\hijackthis Done - thanks
    please.. you shouldn't be running it from the location you are running it from.

    Try to locate these files:
    C:\WINNT\System32\kqixexon.exe {DELETE} Found this one but it says "cannot delete - file may be in use" ??
    C:\WINNT\System32\rcamsp.exe {DELETE} Can't find this one


    Remove these in HJT: DONE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKCU\..\Run: [rcamsp] C:\WINNT\System32\rcamsp.exe

    Reboot to safe mode and run adaware and spybot again DONE - problem still there. Maybe it's not spyware? Could it be something else? Thanks again for your help
     

  15. Kodo

    Kodo SNATCHSQUATCH

    OK, that appears to be the last one left.

    Boot to safe mode. Find the file C:\WINNT\System32\kqixexon.exe and delete it. If it says you can't, then we'll have to try something a little more in-depth.

    otherwise, how is everything working so far?
     
  16. seaside29

    seaside29 Private E-2

    Deleted kqixexon.exe in safe mode. Everything went fine, except for the fact that the cursor problem is still there :)

    Don't know what to do.... At least the rest of my computer is a lot cleaner. Thanks
     
  17. PhilliePhan

    PhilliePhan Guest

    Hey Seaside,

    For your cursor issue did you check settings??

    Start > Control Panel > Printers & other Hardware > Mouse > Pointers Tab

    You might be able to reset it with the options given. (Default Scheme) Also note that, if you choose "Browse" you'll find a dinosaur theme or two ;)

    Just a thought,

    PP

    *** Assuming Windows XP
     
  18. seaside29

    seaside29 Private E-2

    Oh for the love of God! lol, This would be too funny if it weren't so tragic. How the heck did it change those settings by itself? Must have been some kind of virus in the system...

    Anyway - many thanks to you PhilliePhan
     
  19. PhilliePhan

    PhilliePhan Guest

    Look on the bright side - This simple little problem got you to post in this forum and you and Kodo were able to remove an awful lot of crap from your machine!! It HAS to be running much better after that - So maybe the dinosaur was a blessing in disguise!? ;)

    Best,
    PP
     
