spyware pop-ups and wierd .exe files

rsd0562 · Jan 23, 2005

To Whom It may Concern,
Please bare with me as this is my first post to any forum.
Please help me rid my computer of spyware.
I have Windows 2000 running w/ 3 separate Users.
I am getting a lot of pop-ups and wierd .exe files running on my PC.
I'm sure I am infected w/ spyware but don't know how to remove it.
I am now trying to run FIREFOX browser but this doesn't allow us to go to some sites.
But this helps w/ the pop-ups.
I have run through your "Read me first before asking".
I have tried to delete programs through Add/Remove programs and they keep coming back. "Internet Offers", "TSA", "Websavings from Ebates", just to name a few.
I have run Ad-Aware and SpyBot plus a list of other Spyware removal tools recommened by you ( "CCleaner", "McAfee Avert Stinger", "CWShredder", "Kill2me") but the .exe files and pop-ups keep coming back?
The 3 different User each seem to have different wierd .exe files running.
Do I have to run each Spyware removal tool signed on as each User or just as Admin?

Spybot keeps identifying "VX2/?"but can not get rid of it?

I thought this was "VX2", but when I run the VX2 cleaner in Ad-Aware it says system is clean?

Each of the 3 Users have some different .exe files?

Also I used to be ale to go to www.liutilities.com and search their Processlibrary for .exe files but now I can't get there from w/ either Firefox or IE browser? Something must have been removed by mistake.

Thank you in advance for your help,

Rick

chaslang · Jan 23, 2005

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

After that do the following and only run what I ask you to run:

Download the below tools:

Pocket KillBox

VX2.BetterInternet Finder XP/2k - Version Msg126

Generic Find It Tool - NT/2000/XP

Extract all the files from the Generic Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment.

rsd0562 · Jan 24, 2005

Thank you for getting back to me so soon.

I ran Hijackthis and Generic Find It Tool as you requested.

And have attached both log files. ( hopefully I did this corectly, I didn't see "Go Advanced", I just saved log file and went to Manage Attahments )

Do I have to run these tools under the other User names?

We are getting pop ups even when we don't have IE open?
You can hear clicking noises like pop-ups are opening but we don't see them?
Then all of a sudden a few of them will pop up?
It's driving us nuts!

Again, Thank you so much for your help.

chaslang · Jan 25, 2005

I don't know where you have been surfing but you have a ton of issues. And yes you need to fix all user accounts. Why didn't you run the online scanners in the READ ME FIRST? They may have fixed some of your many trojans. This going to be a bunch of work. You are going to have a ton of files and folders to delete.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINNT\system32\rmorjx\shentnr.exe
C:\WINNT\system32\bfdewk\kcqllx.exe
C:\WINNT\system32\nrueegjj\lfpkiigc.exe
C:\WINNT\system32\peopleonpage.exe
C:\WINNT\system32\secure.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\d?dplay.exe
C:\Documents and Settings\Administrator\Application Data\sswb.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINNT\mscore.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll
O2 - BHO: (no name) - {030CE26F-8EA9-254C-F0A0-389F87C43277} - C:\WINNT\system32\oobhvibv\kqptcuvy.dll
O2 - BHO: (no name) - {059F874F-C3AF-8C33-6E4C-2AA35B6C9B17} - C:\WINNT\system32\illyehjr\rpmysnff.dll
O2 - BHO: (no name) - {0DC9099D-C35D-96FC-7B68-9BDC3A4ABBE9} - C:\WINNT\system32\qtwkoon.dll
O2 - BHO: SDWin32 Class - {1B018E27-DB69-46AA-A82C-6C5F8094CBB9} - C:\WINNT\system32\ntnoq.dll (file missing)
O2 - BHO: (no name) - {2FBD3721-FBAA-3EFF-4DD3-8125A7AA84E7} - C:\WINNT\system32\dyleesjg\iwueiwnl.dll
O2 - BHO: (no name) - {436EE2D3-06F7-08AB-F622-6EF4B3DBDC9F} - C:\WINNT\system32\aojjntut\jrmetrmp.dll
O2 - BHO: (no name) - {508EE01E-7FAA-3B8E-2189-87AFC8BA333C} - C:\WINNT\system32\nkinjeub\lirllxsh.dll
O2 - BHO: SDWin32 Class - {7614288F-4675-4BAF-A997-96D31FDB7353} - C:\WINNT\system32\sgbbl.dll (file missing)
O2 - BHO: (no name) - {805CB634-78A2-7250-869B-71A2AD8366E4} - C:\WINNT\system32\nfew.dll
O2 - BHO: SDWin32 Class - {847787EC-6DC0-4382-8954-F814A5A0F0F8} - C:\WINNT\system32\wveje.dll (file missing)
O2 - BHO: (no name) - {9186982E-D5E8-1023-5E45-D4ADB9414365} - C:\WINNT\system32\flexnaqh\mblqwxvk.dll
O2 - BHO: (no name) - {9840B9D3-3C24-D6EB-FE02-E6C1BA2BBAAF} - C:\WINNT\system32\ylvylman\oqvyjdex.dll
O2 - BHO: (no name) - {98C04253-8D5C-57FB-E605-CE400F6D5208} - C:\WINNT\system32\xqyajusf\rvalqdus.dll
O2 - BHO: SDWin32 Class - {9F3BF5A8-826A-47E0-8DBF-9F1944EEB5E4} - C:\WINNT\system32\bfezi.dll (file missing)
O2 - BHO: (no name) - {A375463E-518E-75EB-E7FA-764E52FE056D} - C:\WINNT\system32\qwwujebs\fbdfvruq.dll
O2 - BHO: (no name) - {A4EED2FD-66CE-7B42-650B-EC2B314C4811} - C:\WINNT\system32\kqclrneh\tcqqlbdd.dll
O2 - BHO: SDWin32 Class - {A6698FB7-EBC4-4B55-B24F-C28C601546FD} - C:\WINNT\system32\wzuei.dll (file missing)
O2 - BHO: (no name) - {AB504804-CE52-BCE4-79A5-FD95DD1F9D09} - C:\WINNT\system32\qaypwwgk\gumktwfj.dll
O2 - BHO: (no name) - {AF0142BF-D00A-3926-B9BD-66BC5A5FD050} - C:\WINNT\system32\fsjmkmxm\fbgkwawj.dll
O2 - BHO: (no name) - {BCF57C36-A3B6-F26A-CBA6-844F160270FE} - C:\WINNT\system32\smwjxagq\whdcuhiu.dll
O2 - BHO: (no name) - {D2A40864-9B79-27BF-2913-063FA924A8D1} - C:\WINNT\system32\dpygpsmb\elghjoeh.dll
O2 - BHO: (no name) - {D60AB930-7CFA-2607-869B-71A2AD8367E4} - C:\WINNT\system32\kziqdg.dll
O4 - HKLM\..\Run: [yljscy] C:\WINNT\system32\qlhidv\yljscy.exe
O4 - HKLM\..\Run: [rbfe] C:\WINNT\system32\ntoxopvm\rbfe.exe
O4 - HKLM\..\Run: [svilyup] C:\WINNT\system32\okmlg\svilyup.exe
O4 - HKLM\..\Run: [amegehe] C:\WINNT\system32\omjgldyi\amegehe.exe
O4 - HKLM\..\Run: [ydknrgjh] C:\WINNT\system32\ihnlml\ydknrgjh.exe
O4 - HKLM\..\Run: [ixjkgv] C:\WINNT\system32\cnsvi\ixjkgv.exe
O4 - HKLM\..\Run: [yrnbeke] C:\WINNT\system32\dqqttvnc\yrnbeke.exe
O4 - HKLM\..\Run: [wwhdh] C:\WINNT\system32\grsbadn\wwhdh.exe
O4 - HKLM\..\Run: [vurn] C:\WINNT\system32\gtkk\vurn.exe
O4 - HKLM\..\Run: [hijq] C:\WINNT\system32\lvvutw\hijq.exe
O4 - HKLM\..\Run: [qscnif] C:\WINNT\system32\birlefjj\qscnif.exe
O4 - HKLM\..\Run: [ifvem] C:\WINNT\system32\vxifdqbl\ifvem.exe
O4 - HKLM\..\Run: [gmijatk] C:\WINNT\system32\vodtso\gmijatk.exe
O4 - HKLM\..\Run: [krprplw] C:\WINNT\system32\aayxl\krprplw.exe
O4 - HKLM\..\Run: [gsffkjk] C:\WINNT\system32\dbgv\gsffkjk.exe
O4 - HKLM\..\Run: [ldupdh] C:\WINNT\system32\yvroowr\ldupdh.exe
O4 - HKLM\..\Run: [wpcljx] C:\WINNT\system32\jygfixej\wpcljx.exe
O4 - HKLM\..\Run: [qtrinhyj] C:\WINNT\system32\wubncr\qtrinhyj.exe
O4 - HKLM\..\Run: [tscqxie] C:\WINNT\system32\ypgrj\tscqxie.exe
O4 - HKLM\..\Run: [lmxjviy] C:\WINNT\system32\hmkcu\lmxjviy.exe
O4 - HKLM\..\Run: [pgnvwo] C:\WINNT\system32\tbghbu\pgnvwo.exe
O4 - HKLM\..\Run: [qwacwwjg] C:\WINNT\system32\bbhv\qwacwwjg.exe
O4 - HKLM\..\Run: [fncmb] C:\WINNT\system32\ouct\fncmb.exe
O4 - HKLM\..\Run: [kdqqw] C:\WINNT\system32\iqdnng\kdqqw.exe
O4 - HKLM\..\Run: [neykumn] C:\WINNT\system32\mkxhox\neykumn.exe
O4 - HKLM\..\Run: [eqio] C:\WINNT\system32\sjmpmfsw\eqio.exe
O4 - HKLM\..\Run: [eaedo] C:\WINNT\system32\kowgbkx\eaedo.exe
O4 - HKLM\..\Run: [freyycx] C:\WINNT\system32\bpnt\freyycx.exe
O4 - HKLM\..\Run: [aovgnoe] C:\WINNT\system32\yxmjmct\aovgnoe.exe
O4 - HKLM\..\Run: [kvbflo] C:\WINNT\system32\ngewf\kvbflo.exe
O4 - HKLM\..\Run: [stwvdwky] C:\WINNT\system32\xgre\stwvdwky.exe
O4 - HKLM\..\Run: [dbadarb] C:\WINNT\system32\qmqvh\dbadarb.exe
O4 - HKLM\..\Run: [dgyawy] C:\WINNT\system32\tdhf\dgyawy.exe
O4 - HKLM\..\Run: [fmbwesum] C:\WINNT\system32\mjpxnytj\fmbwesum.exe
O4 - HKLM\..\Run: [byrj] C:\WINNT\system32\ocnton\byrj.exe
O4 - HKLM\..\Run: [vjvi] C:\WINNT\system32\bbmiqo\vjvi.exe
O4 - HKLM\..\Run: [lexnk] C:\WINNT\system32\ujexf\lexnk.exe
O4 - HKLM\..\Run: [sghynwlv] C:\WINNT\system32\ytesn\sghynwlv.exe
O4 - HKLM\..\Run: [oxpaj] C:\WINNT\system32\xuhahp\oxpaj.exe
O4 - HKLM\..\Run: [vbup] C:\WINNT\system32\gficvmc\vbup.exe
O4 - HKLM\..\Run: [pagcgy] C:\WINNT\system32\qwwdbd\pagcgy.exe
O4 - HKLM\..\Run: [lxqpd] C:\WINNT\system32\tugi\lxqpd.exe
O4 - HKLM\..\Run: [qtivrah] C:\WINNT\system32\fvofm\qtivrah.exe
O4 - HKLM\..\Run: [rxhpk] C:\WINNT\system32\sbdgpaqs\rxhpk.exe
O4 - HKLM\..\Run: [abfajfw] C:\WINNT\system32\ealyovl\abfajfw.exe
O4 - HKLM\..\Run: [rhvnk] C:\WINNT\system32\huhkyoil\rhvnk.exe
O4 - HKLM\..\Run: [nxhqwa] C:\WINNT\system32\faloo\nxhqwa.exe
O4 - HKLM\..\Run: [tkbspw] C:\WINNT\system32\lrgbea\tkbspw.exe
O4 - HKLM\..\Run: [kysnckmw] C:\WINNT\system32\tuiib\kysnckmw.exe
O4 - HKLM\..\Run: [wbaxpu] C:\WINNT\system32\uohujfn\wbaxpu.exe
O4 - HKLM\..\Run: [dflmfiei] C:\WINNT\system32\udosblit\dflmfiei.exe
O4 - HKLM\..\Run: [yfvac] C:\WINNT\system32\nnfooi\yfvac.exe
O4 - HKLM\..\Run: [tmmjhl] C:\WINNT\system32\kkjcu\tmmjhl.exe
O4 - HKLM\..\Run: [oojjofeb] C:\WINNT\system32\jindla\oojjofeb.exe
O4 - HKLM\..\Run: [rbaqll] C:\WINNT\system32\mvhvkb\rbaqll.exe
O4 - HKLM\..\Run: [ukbgrji] C:\WINNT\system32\crbrl\ukbgrji.exe
O4 - HKLM\..\Run: [hcksgxvx] C:\WINNT\system32\eesf\hcksgxvx.exe
O4 - HKLM\..\Run: [fstomn] C:\WINNT\system32\dtxrcrh\fstomn.exe
O4 - HKLM\..\Run: [hyil] C:\WINNT\system32\ofdlryey\hyil.exe
O4 - HKLM\..\Run: [xxfxjskv] C:\WINNT\system32\bwccjqtb\xxfxjskv.exe
O4 - HKLM\..\Run: [vcitkake] C:\WINNT\system32\jefqcfg\vcitkake.exe
O4 - HKLM\..\Run: [oisfhf] C:\WINNT\system32\pjhs\oisfhf.exe
O4 - HKLM\..\Run: [vuencb] C:\WINNT\system32\dfgmiag\vuencb.exe
O4 - HKLM\..\Run: [xmix] C:\WINNT\system32\ltbvhys\xmix.exe
O4 - HKLM\..\Run: [hoihpwlb] C:\WINNT\system32\dbxn\hoihpwlb.exe
O4 - HKLM\..\Run: [oupjcmau] C:\WINNT\system32\djdqj\oupjcmau.exe
O4 - HKLM\..\Run: [upqa] C:\WINNT\system32\pavsbtom\upqa.exe
O4 - HKLM\..\Run: [abmsyr] C:\WINNT\system32\hwvx\abmsyr.exe
O4 - HKLM\..\Run: [essheso] C:\WINNT\system32\ydslvy\essheso.exe
O4 - HKLM\..\Run: [eafnccxu] C:\WINNT\system32\bwky\eafnccxu.exe
O4 - HKLM\..\Run: [iwbdie] C:\WINNT\system32\gtvit\iwbdie.exe
O4 - HKLM\..\Run: [sltv] C:\WINNT\system32\hpsrb\sltv.exe
O4 - HKLM\..\Run: [lnsxafvc] C:\WINNT\system32\gtsfabc\lnsxafvc.exe
O4 - HKLM\..\Run: [gjxqai] C:\WINNT\system32\lrujvs\gjxqai.exe
O4 - HKLM\..\Run: [hmfs] C:\WINNT\system32\xgydtwo\hmfs.exe
O4 - HKLM\..\Run: [icnqvth] C:\WINNT\system32\dwdbcfp\icnqvth.exe
O4 - HKLM\..\Run: [ykhdc] C:\WINNT\system32\osblmry\ykhdc.exe
O4 - HKLM\..\Run: [oknayuf] C:\WINNT\system32\ehkrdnv\oknayuf.exe
O4 - HKLM\..\Run: [nxproa] C:\WINNT\system32\godvtg\nxproa.exe
O4 - HKLM\..\Run: [chqtlmhl] C:\WINNT\system32\acqo\chqtlmhl.exe
O4 - HKLM\..\Run: [kbgmuaj] C:\WINNT\system32\jihnn\kbgmuaj.exe
O4 - HKLM\..\Run: [kjct] C:\WINNT\system32\fqob\kjct.exe
O4 - HKLM\..\Run: [nuitots] C:\WINNT\system32\jtujwpy\nuitots.exe
O4 - HKLM\..\Run: [kockksg] C:\WINNT\system32\sbkt\kockksg.exe
O4 - HKLM\..\Run: [ecpgyi] C:\WINNT\system32\xehumo\ecpgyi.exe
O4 - HKLM\..\Run: [xuiw] C:\WINNT\system32\mqnch\xuiw.exe
O4 - HKLM\..\Run: [suwgkwrs] C:\WINNT\system32\unaf\suwgkwrs.exe
O4 - HKLM\..\Run: [baxvvur] C:\WINNT\system32\kybih\baxvvur.exe
O4 - HKLM\..\Run: [oqvs] C:\WINNT\system32\imkn\oqvs.exe
O4 - HKLM\..\Run: [hyoyt] C:\WINNT\system32\jrnl\hyoyt.exe
O4 - HKLM\..\Run: [niag] C:\WINNT\system32\uqrquab\niag.exe
O4 - HKLM\..\Run: [hqdxgxrh] C:\WINNT\system32\wsijc\hqdxgxrh.exe
O4 - HKLM\..\Run: [epdj] C:\WINNT\system32\wwtvehf\epdj.exe
O4 - HKLM\..\Run: [tjhvpgx] C:\WINNT\system32\beavupqc\tjhvpgx.exe
O4 - HKLM\..\Run: [knkyqins] C:\WINNT\system32\igjg\knkyqins.exe
O4 - HKLM\..\Run: [xmwfqlv] C:\WINNT\system32\fuowoovs\xmwfqlv.exe
O4 - HKLM\..\Run: [hskfuv] C:\WINNT\system32\rvcof\hskfuv.exe
O4 - HKLM\..\Run: [lrsmpsp] C:\WINNT\system32\xhrxxso\lrsmpsp.exe
O4 - HKLM\..\Run: [qrxtqxt] C:\WINNT\system32\gxnqwg\qrxtqxt.exe
O4 - HKLM\..\Run: [sdilk] C:\WINNT\system32\qwdfrfed\sdilk.exe
O4 - HKLM\..\Run: [vypjxt] C:\WINNT\system32\fwpytmgj\vypjxt.exe
O4 - HKLM\..\Run: [xvwxh] C:\WINNT\system32\xfnkxck\xvwxh.exe
O4 - HKLM\..\Run: [mukblt] C:\WINNT\system32\tuoo\mukblt.exe
O4 - HKLM\..\Run: [kaeklk] C:\WINNT\system32\rypp\kaeklk.exe
O4 - HKLM\..\Run: [ertw] C:\WINNT\system32\ihwpxl\ertw.exe
O4 - HKLM\..\Run: [kavjoako] C:\WINNT\system32\cgeqg\kavjoako.exe
O4 - HKLM\..\Run: [knpdcyfd] C:\WINNT\system32\kpwrf\knpdcyfd.exe
O4 - HKLM\..\Run: [uyngfusr] C:\WINNT\system32\puhp\uyngfusr.exe
O4 - HKLM\..\Run: [fajd] C:\WINNT\system32\lnqcmpno\fajd.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
O4 - HKLM\..\Run: [tdidmv] C:\WINNT\system32\vjge\tdidmv.exe
O4 - HKLM\..\Run: [xjrmntr] C:\WINNT\system32\bdyhhm\xjrmntr.exe
O4 - HKLM\..\Run: [osyqubmt] C:\WINNT\system32\uefpu\osyqubmt.exe
O4 - HKLM\..\Run: [xajnlto] C:\WINNT\system32\xwtd\xajnlto.exe
O4 - HKLM\..\Run: [xmfwykl] C:\WINNT\system32\dgsqnck\xmfwykl.exe
O4 - HKLM\..\Run: [kurue] C:\WINNT\system32\nslgjwyw\kurue.exe
O4 - HKLM\..\Run: [jheyjbab] C:\WINNT\system32\xiiau\jheyjbab.exe
O4 - HKLM\..\Run: [477Q34U] pluodbc.exe
O4 - HKLM\..\Run: [ihumbv] C:\WINNT\system32\rgbhplq\ihumbv.exe
O4 - HKLM\..\Run: [goft] C:\WINNT\system32\ggffkg\goft.exe
O4 - HKLM\..\Run: [hwega] C:\WINNT\system32\exxwcan\hwega.exe
O4 - HKLM\..\Run: [pspvymuw] C:\WINNT\system32\eibeab\pspvymuw.exe
O4 - HKLM\..\Run: [kvnba] C:\WINNT\system32\yvris\kvnba.exe
O4 - HKLM\..\Run: [tcsv] C:\WINNT\system32\ygbqd\tcsv.exe
O4 - HKLM\..\Run: [vsljxgb] C:\WINNT\system32\lxxhqj\vsljxgb.exe
O4 - HKLM\..\Run: [bgagcbum] C:\WINNT\system32\pqtfcsa\bgagcbum.exe
O4 - HKLM\..\Run: [yhxhhto] C:\WINNT\system32\ucgmat\yhxhhto.exe
O4 - HKLM\..\Run: [bqqksxh] C:\WINNT\system32\muqhcqu\bqqksxh.exe
O4 - HKLM\..\Run: [dqygqeb] C:\WINNT\system32\nhxosi\dqygqeb.exe
O4 - HKLM\..\Run: [limbbkld] C:\WINNT\system32\cnitku\limbbkld.exe
O4 - HKLM\..\Run: [gbkuhv] C:\WINNT\system32\iqyh\gbkuhv.exe
O4 - HKLM\..\Run: [edpuygwu] C:\WINNT\system32\phtojbm\edpuygwu.exe
O4 - HKLM\..\Run: [fbjmeavd] C:\WINNT\system32\sttg\fbjmeavd.exe
O4 - HKLM\..\Run: [iqtphw] C:\WINNT\system32\gncxe\iqtphw.exe
O4 - HKLM\..\Run: [xttsy] C:\WINNT\system32\vybe\xttsy.exe
O4 - HKLM\..\Run: [navt] C:\WINNT\system32\aloh\navt.exe
O4 - HKLM\..\Run: [yagy] C:\WINNT\system32\sceulty\yagy.exe
O4 - HKLM\..\Run: [igyqed] C:\WINNT\system32\ymgrofk\igyqed.exe
O4 - HKLM\..\Run: [dhusk] C:\WINNT\system32\mbuw\dhusk.exe
O4 - HKLM\..\Run: [qvkly] C:\WINNT\system32\svqkqcjd\qvkly.exe
O4 - HKLM\..\Run: [dlgsrjmj] C:\WINNT\system32\casp\dlgsrjmj.exe
O4 - HKLM\..\Run: [mylngibp] C:\WINNT\system32\lhawad\mylngibp.exe
O4 - HKLM\..\Run: [wwfla] C:\WINNT\system32\lykgq\wwfla.exe
O4 - HKLM\..\Run: [waptbhrr] C:\WINNT\system32\tuhwhlc\waptbhrr.exe
O4 - HKLM\..\Run: [uvuwjiym] C:\WINNT\system32\gvqboua\uvuwjiym.exe
O4 - HKLM\..\Run: [rgae] C:\WINNT\system32\dcdwm\rgae.exe
O4 - HKLM\..\Run: [aextq] C:\WINNT\system32\mbgsx\aextq.exe
O4 - HKLM\..\Run: [xahf] C:\WINNT\system32\bbav\xahf.exe
O4 - HKLM\..\Run: [exwcbxq] C:\WINNT\system32\lshxm\exwcbxq.exe
O4 - HKLM\..\Run: [publsi] C:\WINNT\system32\xsvifyk\publsi.exe
O4 - HKLM\..\Run: [eslwdppf] C:\WINNT\system32\jklye\eslwdppf.exe
O4 - HKLM\..\Run: [ddhpeo] C:\WINNT\system32\wedxg\ddhpeo.exe
O4 - HKLM\..\Run: [javfnu] C:\WINNT\system32\qdiyc\javfnu.exe
O4 - HKLM\..\Run: [paenn] C:\WINNT\system32\lvhg\paenn.exe
O4 - HKLM\..\Run: [vgujohd] C:\WINNT\system32\anjn\vgujohd.exe
O4 - HKLM\..\Run: [rketlsq] C:\WINNT\system32\hsgq\rketlsq.exe
O4 - HKLM\..\Run: [llhhv] C:\WINNT\system32\qknvwtx\llhhv.exe
O4 - HKLM\..\Run: [hcjevdh] C:\WINNT\system32\boajlkys\hcjevdh.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ifrt] C:\WINNT\system32\bdohaxp\ifrt.exe
O4 - HKLM\..\Run: [pruqtxr] C:\WINNT\system32\crhybdva\pruqtxr.exe
O4 - HKLM\..\Run: [fjoprw] C:\WINNT\system32\nkvpcftd\fjoprw.exe
O4 - HKLM\..\Run: [mgtg] C:\WINNT\system32\qjslod\mgtg.exe
O4 - HKLM\..\Run: [tkhbs] C:\WINNT\system32\hpnp\tkhbs.exe
O4 - HKLM\..\Run: [yvucfqk] C:\WINNT\system32\wtpk\yvucfqk.exe
O4 - HKLM\..\Run: [vlmu] C:\WINNT\system32\doywa\vlmu.exe
O4 - HKLM\..\Run: [aetw] C:\WINNT\system32\mweqc\aetw.exe
O4 - HKLM\..\Run: [acxvbvek] C:\WINNT\system32\ydqocpv\acxvbvek.exe
O4 - HKLM\..\Run: [iwmurd] C:\WINNT\system32\kicmxv\iwmurd.exe
O4 - HKLM\..\Run: [axsfsd] C:\WINNT\system32\pvnto\axsfsd.exe
O4 - HKLM\..\Run: [iwdnmtny] C:\WINNT\system32\yddmay\iwdnmtny.exe
O4 - HKLM\..\Run: [wssy] C:\WINNT\system32\alyloti\wssy.exe
O4 - HKLM\..\Run: [nvggntr] C:\WINNT\system32\jubymr\nvggntr.exe
O4 - HKLM\..\Run: [rkihxwr] C:\WINNT\system32\raikyr\rkihxwr.exe
O4 - HKLM\..\Run: [dfouf] C:\WINNT\system32\vpil\dfouf.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINNT\enhupdt.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINNT\nyei.exe
O4 - HKLM\..\Run: [haiptqwf] C:\WINNT\system32\sommhmpj\haiptqwf.exe
O4 - HKLM\..\Run: [kvdo] C:\WINNT\system32\ssvmcd\kvdo.exe
O4 - HKLM\..\Run: [wbybjqqh] C:\WINNT\system32\wqwhbyy\wbybjqqh.exe
O4 - HKLM\..\Run: [jkuji] C:\WINNT\system32\cngvhy\jkuji.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [shentnr] C:\WINNT\system32\rmorjx\shentnr.exe
O4 - HKLM\..\Run: [kcqllx] C:\WINNT\system32\bfdewk\kcqllx.exe
O4 - HKLM\..\Run: [lfpkiigc] C:\WINNT\system32\nrueegjj\lfpkiigc.exe
O4 - HKLM\..\Run: [qtibo] C:\WINNT\system32\jqftjf\qtibo.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKCU\..\Run: [Lwo4RQY2P] penwid.exe
O4 - HKCU\..\Run: [Hjx] C:\WINNT\system32\d?dplay.exe
O4 - HKCU\..\Run: [Orha] C:\Documents and Settings\Administrator\Application Data\sswb.exe
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\PROGRA~1\Toolbar\toolbar.dll
C:\WINNT\system32\rmorjx\shentnr.exe
C:\WINNT\system32\bfdewk\kcqllx.exe
C:\WINNT\system32\nrueegjj\lfpkiigc.exe
C:\WINNT\system32\peopleonpage.exe
C:\WINNT\system32\secure.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\d?dplay.exe
C:\Documents and Settings\Administrator\Application Data\sswb.exe
C:\WINNT\mscore.dll
C:\WINNT\BTGrab.dll
C:\WINNT\enhtb.dll
C:\WINNT\system32\qtwkoon.dll
C:\WINNT\system32\nfew.dll
C:\WINNT\system32\nfew.dll
C:\WINNT\system32\kziqdg.dll

There are a ton of these things to delete. I going to leave it to you to finish editing the lines below. All of the files being mention show either a DLL or and EXE file at the end of the line. You need to delete the folders being referenced and any files in the folder. For example the, the first one I list is C:\WINNT\system32\oobhvibv\kqptcuvy.dll You need to find and delete the folder named: C:\WINNT\system32\oobhvibv
What ever you do, DO NOT delete the system32 folder.

C:\WINNT\system32\oobhvibv\kqptcuvy.dll
C:\WINNT\system32\illyehjr\rpmysnff.dll
C:\WINNT\system32\dyleesjg\iwueiwnl.dll
C:\WINNT\system32\aojjntut\jrmetrmp.dll
C:\WINNT\system32\nkinjeub\lirllxsh.dll
C:\WINNT\system32\flexnaqh\mblqwxvk.dll
C:\WINNT\system32\ylvylman\oqvyjdex.dll
C:\WINNT\system32\xqyajusf\rvalqdus.dll
C:\WINNT\system32\qwwujebs\fbdfvruq.dll
C:\WINNT\system32\kqclrneh\tcqqlbdd.dll
C:\WINNT\system32\qaypwwgk\gumktwfj.dll
C:\WINNT\system32\fsjmkmxm\fbgkwawj.dll
C:\WINNT\system32\smwjxagq\whdcuhiu.dll
C:\WINNT\system32\dpygpsmb\elghjoeh.dll

I'm tired of editing! The remainder of these below also need deleting of the folders:

O4 - HKLM\..\Run: [yljscy] C:\WINNT\system32\qlhidv\yljscy.exe
O4 - HKLM\..\Run: [rbfe] C:\WINNT\system32\ntoxopvm\rbfe.exe
O4 - HKLM\..\Run: [svilyup] C:\WINNT\system32\okmlg\svilyup.exe
O4 - HKLM\..\Run: [amegehe] C:\WINNT\system32\omjgldyi\amegehe.exe
O4 - HKLM\..\Run: [ydknrgjh] C:\WINNT\system32\ihnlml\ydknrgjh.exe
O4 - HKLM\..\Run: [ixjkgv] C:\WINNT\system32\cnsvi\ixjkgv.exe
O4 - HKLM\..\Run: [yrnbeke] C:\WINNT\system32\dqqttvnc\yrnbeke.exe
O4 - HKLM\..\Run: [wwhdh] C:\WINNT\system32\grsbadn\wwhdh.exe
O4 - HKLM\..\Run: [vurn] C:\WINNT\system32\gtkk\vurn.exe
O4 - HKLM\..\Run: [hijq] C:\WINNT\system32\lvvutw\hijq.exe
O4 - HKLM\..\Run: [qscnif] C:\WINNT\system32\birlefjj\qscnif.exe
O4 - HKLM\..\Run: [ifvem] C:\WINNT\system32\vxifdqbl\ifvem.exe
O4 - HKLM\..\Run: [gmijatk] C:\WINNT\system32\vodtso\gmijatk.exe
O4 - HKLM\..\Run: [krprplw] C:\WINNT\system32\aayxl\krprplw.exe
O4 - HKLM\..\Run: [gsffkjk] C:\WINNT\system32\dbgv\gsffkjk.exe
O4 - HKLM\..\Run: [ldupdh] C:\WINNT\system32\yvroowr\ldupdh.exe
O4 - HKLM\..\Run: [wpcljx] C:\WINNT\system32\jygfixej\wpcljx.exe
O4 - HKLM\..\Run: [qtrinhyj] C:\WINNT\system32\wubncr\qtrinhyj.exe
O4 - HKLM\..\Run: [tscqxie] C:\WINNT\system32\ypgrj\tscqxie.exe
O4 - HKLM\..\Run: [lmxjviy] C:\WINNT\system32\hmkcu\lmxjviy.exe
O4 - HKLM\..\Run: [pgnvwo] C:\WINNT\system32\tbghbu\pgnvwo.exe
O4 - HKLM\..\Run: [qwacwwjg] C:\WINNT\system32\bbhv\qwacwwjg.exe
O4 - HKLM\..\Run: [fncmb] C:\WINNT\system32\ouct\fncmb.exe
O4 - HKLM\..\Run: [kdqqw] C:\WINNT\system32\iqdnng\kdqqw.exe
O4 - HKLM\..\Run: [neykumn] C:\WINNT\system32\mkxhox\neykumn.exe
O4 - HKLM\..\Run: [eqio] C:\WINNT\system32\sjmpmfsw\eqio.exe
O4 - HKLM\..\Run: [eaedo] C:\WINNT\system32\kowgbkx\eaedo.exe
O4 - HKLM\..\Run: [freyycx] C:\WINNT\system32\bpnt\freyycx.exe
O4 - HKLM\..\Run: [aovgnoe] C:\WINNT\system32\yxmjmct\aovgnoe.exe
O4 - HKLM\..\Run: [kvbflo] C:\WINNT\system32\ngewf\kvbflo.exe
O4 - HKLM\..\Run: [stwvdwky] C:\WINNT\system32\xgre\stwvdwky.exe
O4 - HKLM\..\Run: [dbadarb] C:\WINNT\system32\qmqvh\dbadarb.exe
O4 - HKLM\..\Run: [dgyawy] C:\WINNT\system32\tdhf\dgyawy.exe
O4 - HKLM\..\Run: [fmbwesum] C:\WINNT\system32\mjpxnytj\fmbwesum.exe
O4 - HKLM\..\Run: [byrj] C:\WINNT\system32\ocnton\byrj.exe
O4 - HKLM\..\Run: [vjvi] C:\WINNT\system32\bbmiqo\vjvi.exe
O4 - HKLM\..\Run: [lexnk] C:\WINNT\system32\ujexf\lexnk.exe
O4 - HKLM\..\Run: [sghynwlv] C:\WINNT\system32\ytesn\sghynwlv.exe
O4 - HKLM\..\Run: [oxpaj] C:\WINNT\system32\xuhahp\oxpaj.exe
O4 - HKLM\..\Run: [vbup] C:\WINNT\system32\gficvmc\vbup.exe
O4 - HKLM\..\Run: [pagcgy] C:\WINNT\system32\qwwdbd\pagcgy.exe
O4 - HKLM\..\Run: [lxqpd] C:\WINNT\system32\tugi\lxqpd.exe
O4 - HKLM\..\Run: [qtivrah] C:\WINNT\system32\fvofm\qtivrah.exe
O4 - HKLM\..\Run: [rxhpk] C:\WINNT\system32\sbdgpaqs\rxhpk.exe
O4 - HKLM\..\Run: [abfajfw] C:\WINNT\system32\ealyovl\abfajfw.exe
O4 - HKLM\..\Run: [rhvnk] C:\WINNT\system32\huhkyoil\rhvnk.exe
O4 - HKLM\..\Run: [nxhqwa] C:\WINNT\system32\faloo\nxhqwa.exe
O4 - HKLM\..\Run: [tkbspw] C:\WINNT\system32\lrgbea\tkbspw.exe
O4 - HKLM\..\Run: [kysnckmw] C:\WINNT\system32\tuiib\kysnckmw.exe
O4 - HKLM\..\Run: [wbaxpu] C:\WINNT\system32\uohujfn\wbaxpu.exe
O4 - HKLM\..\Run: [dflmfiei] C:\WINNT\system32\udosblit\dflmfiei.exe
O4 - HKLM\..\Run: [yfvac] C:\WINNT\system32\nnfooi\yfvac.exe
O4 - HKLM\..\Run: [tmmjhl] C:\WINNT\system32\kkjcu\tmmjhl.exe
O4 - HKLM\..\Run: [oojjofeb] C:\WINNT\system32\jindla\oojjofeb.exe
O4 - HKLM\..\Run: [rbaqll] C:\WINNT\system32\mvhvkb\rbaqll.exe
O4 - HKLM\..\Run: [ukbgrji] C:\WINNT\system32\crbrl\ukbgrji.exe
O4 - HKLM\..\Run: [hcksgxvx] C:\WINNT\system32\eesf\hcksgxvx.exe
O4 - HKLM\..\Run: [fstomn] C:\WINNT\system32\dtxrcrh\fstomn.exe
O4 - HKLM\..\Run: [hyil] C:\WINNT\system32\ofdlryey\hyil.exe
O4 - HKLM\..\Run: [xxfxjskv] C:\WINNT\system32\bwccjqtb\xxfxjskv.exe
O4 - HKLM\..\Run: [vcitkake] C:\WINNT\system32\jefqcfg\vcitkake.exe
O4 - HKLM\..\Run: [oisfhf] C:\WINNT\system32\pjhs\oisfhf.exe
O4 - HKLM\..\Run: [vuencb] C:\WINNT\system32\dfgmiag\vuencb.exe
O4 - HKLM\..\Run: [xmix] C:\WINNT\system32\ltbvhys\xmix.exe
O4 - HKLM\..\Run: [hoihpwlb] C:\WINNT\system32\dbxn\hoihpwlb.exe
O4 - HKLM\..\Run: [oupjcmau] C:\WINNT\system32\djdqj\oupjcmau.exe
O4 - HKLM\..\Run: [upqa] C:\WINNT\system32\pavsbtom\upqa.exe
O4 - HKLM\..\Run: [abmsyr] C:\WINNT\system32\hwvx\abmsyr.exe
O4 - HKLM\..\Run: [essheso] C:\WINNT\system32\ydslvy\essheso.exe
O4 - HKLM\..\Run: [eafnccxu] C:\WINNT\system32\bwky\eafnccxu.exe
O4 - HKLM\..\Run: [iwbdie] C:\WINNT\system32\gtvit\iwbdie.exe
O4 - HKLM\..\Run: [sltv] C:\WINNT\system32\hpsrb\sltv.exe
O4 - HKLM\..\Run: [lnsxafvc] C:\WINNT\system32\gtsfabc\lnsxafvc.exe
O4 - HKLM\..\Run: [gjxqai] C:\WINNT\system32\lrujvs\gjxqai.exe
O4 - HKLM\..\Run: [hmfs] C:\WINNT\system32\xgydtwo\hmfs.exe
O4 - HKLM\..\Run: [icnqvth] C:\WINNT\system32\dwdbcfp\icnqvth.exe
O4 - HKLM\..\Run: [ykhdc] C:\WINNT\system32\osblmry\ykhdc.exe
O4 - HKLM\..\Run: [oknayuf] C:\WINNT\system32\ehkrdnv\oknayuf.exe
O4 - HKLM\..\Run: [nxproa] C:\WINNT\system32\godvtg\nxproa.exe
O4 - HKLM\..\Run: [chqtlmhl] C:\WINNT\system32\acqo\chqtlmhl.exe
O4 - HKLM\..\Run: [kbgmuaj] C:\WINNT\system32\jihnn\kbgmuaj.exe
O4 - HKLM\..\Run: [kjct] C:\WINNT\system32\fqob\kjct.exe
O4 - HKLM\..\Run: [nuitots] C:\WINNT\system32\jtujwpy\nuitots.exe
O4 - HKLM\..\Run: [kockksg] C:\WINNT\system32\sbkt\kockksg.exe
O4 - HKLM\..\Run: [ecpgyi] C:\WINNT\system32\xehumo\ecpgyi.exe
O4 - HKLM\..\Run: [xuiw] C:\WINNT\system32\mqnch\xuiw.exe
O4 - HKLM\..\Run: [suwgkwrs] C:\WINNT\system32\unaf\suwgkwrs.exe
O4 - HKLM\..\Run: [baxvvur] C:\WINNT\system32\kybih\baxvvur.exe
O4 - HKLM\..\Run: [oqvs] C:\WINNT\system32\imkn\oqvs.exe
O4 - HKLM\..\Run: [hyoyt] C:\WINNT\system32\jrnl\hyoyt.exe
O4 - HKLM\..\Run: [niag] C:\WINNT\system32\uqrquab\niag.exe
O4 - HKLM\..\Run: [hqdxgxrh] C:\WINNT\system32\wsijc\hqdxgxrh.exe
O4 - HKLM\..\Run: [epdj] C:\WINNT\system32\wwtvehf\epdj.exe
O4 - HKLM\..\Run: [tjhvpgx] C:\WINNT\system32\beavupqc\tjhvpgx.exe
O4 - HKLM\..\Run: [knkyqins] C:\WINNT\system32\igjg\knkyqins.exe
O4 - HKLM\..\Run: [xmwfqlv] C:\WINNT\system32\fuowoovs\xmwfqlv.exe
O4 - HKLM\..\Run: [hskfuv] C:\WINNT\system32\rvcof\hskfuv.exe
O4 - HKLM\..\Run: [lrsmpsp] C:\WINNT\system32\xhrxxso\lrsmpsp.exe
O4 - HKLM\..\Run: [qrxtqxt] C:\WINNT\system32\gxnqwg\qrxtqxt.exe
O4 - HKLM\..\Run: [sdilk] C:\WINNT\system32\qwdfrfed\sdilk.exe
O4 - HKLM\..\Run: [vypjxt] C:\WINNT\system32\fwpytmgj\vypjxt.exe
O4 - HKLM\..\Run: [xvwxh] C:\WINNT\system32\xfnkxck\xvwxh.exe
O4 - HKLM\..\Run: [mukblt] C:\WINNT\system32\tuoo\mukblt.exe
O4 - HKLM\..\Run: [kaeklk] C:\WINNT\system32\rypp\kaeklk.exe
O4 - HKLM\..\Run: [ertw] C:\WINNT\system32\ihwpxl\ertw.exe
O4 - HKLM\..\Run: [kavjoako] C:\WINNT\system32\cgeqg\kavjoako.exe
O4 - HKLM\..\Run: [knpdcyfd] C:\WINNT\system32\kpwrf\knpdcyfd.exe
O4 - HKLM\..\Run: [uyngfusr] C:\WINNT\system32\puhp\uyngfusr.exe
O4 - HKLM\..\Run: [fajd] C:\WINNT\system32\lnqcmpno\fajd.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
O4 - HKLM\..\Run: [tdidmv] C:\WINNT\system32\vjge\tdidmv.exe
O4 - HKLM\..\Run: [xjrmntr] C:\WINNT\system32\bdyhhm\xjrmntr.exe
O4 - HKLM\..\Run: [osyqubmt] C:\WINNT\system32\uefpu\osyqubmt.exe
O4 - HKLM\..\Run: [xajnlto] C:\WINNT\system32\xwtd\xajnlto.exe
O4 - HKLM\..\Run: [xmfwykl] C:\WINNT\system32\dgsqnck\xmfwykl.exe
O4 - HKLM\..\Run: [kurue] C:\WINNT\system32\nslgjwyw\kurue.exe
O4 - HKLM\..\Run: [jheyjbab] C:\WINNT\system32\xiiau\jheyjbab.exe
O4 - HKLM\..\Run: [477Q34U] pluodbc.exe <--- just the file probably in c:\winnt\system32
O4 - HKLM\..\Run: [ihumbv] C:\WINNT\system32\rgbhplq\ihumbv.exe
O4 - HKLM\..\Run: [goft] C:\WINNT\system32\ggffkg\goft.exe
O4 - HKLM\..\Run: [hwega] C:\WINNT\system32\exxwcan\hwega.exe
O4 - HKLM\..\Run: [pspvymuw] C:\WINNT\system32\eibeab\pspvymuw.exe
O4 - HKLM\..\Run: [kvnba] C:\WINNT\system32\yvris\kvnba.exe
O4 - HKLM\..\Run: [tcsv] C:\WINNT\system32\ygbqd\tcsv.exe
O4 - HKLM\..\Run: [vsljxgb] C:\WINNT\system32\lxxhqj\vsljxgb.exe
O4 - HKLM\..\Run: [bgagcbum] C:\WINNT\system32\pqtfcsa\bgagcbum.exe
O4 - HKLM\..\Run: [yhxhhto] C:\WINNT\system32\ucgmat\yhxhhto.exe
O4 - HKLM\..\Run: [bqqksxh] C:\WINNT\system32\muqhcqu\bqqksxh.exe
O4 - HKLM\..\Run: [dqygqeb] C:\WINNT\system32\nhxosi\dqygqeb.exe
O4 - HKLM\..\Run: [limbbkld] C:\WINNT\system32\cnitku\limbbkld.exe
O4 - HKLM\..\Run: [gbkuhv] C:\WINNT\system32\iqyh\gbkuhv.exe
O4 - HKLM\..\Run: [edpuygwu] C:\WINNT\system32\phtojbm\edpuygwu.exe
O4 - HKLM\..\Run: [fbjmeavd] C:\WINNT\system32\sttg\fbjmeavd.exe
O4 - HKLM\..\Run: [iqtphw] C:\WINNT\system32\gncxe\iqtphw.exe
O4 - HKLM\..\Run: [xttsy] C:\WINNT\system32\vybe\xttsy.exe
O4 - HKLM\..\Run: [navt] C:\WINNT\system32\aloh\navt.exe
O4 - HKLM\..\Run: [yagy] C:\WINNT\system32\sceulty\yagy.exe
O4 - HKLM\..\Run: [igyqed] C:\WINNT\system32\ymgrofk\igyqed.exe
O4 - HKLM\..\Run: [dhusk] C:\WINNT\system32\mbuw\dhusk.exe
O4 - HKLM\..\Run: [qvkly] C:\WINNT\system32\svqkqcjd\qvkly.exe
O4 - HKLM\..\Run: [dlgsrjmj] C:\WINNT\system32\casp\dlgsrjmj.exe
O4 - HKLM\..\Run: [mylngibp] C:\WINNT\system32\lhawad\mylngibp.exe
O4 - HKLM\..\Run: [wwfla] C:\WINNT\system32\lykgq\wwfla.exe
O4 - HKLM\..\Run: [waptbhrr] C:\WINNT\system32\tuhwhlc\waptbhrr.exe
O4 - HKLM\..\Run: [uvuwjiym] C:\WINNT\system32\gvqboua\uvuwjiym.exe
O4 - HKLM\..\Run: [rgae] C:\WINNT\system32\dcdwm\rgae.exe
O4 - HKLM\..\Run: [aextq] C:\WINNT\system32\mbgsx\aextq.exe
O4 - HKLM\..\Run: [xahf] C:\WINNT\system32\bbav\xahf.exe
O4 - HKLM\..\Run: [exwcbxq] C:\WINNT\system32\lshxm\exwcbxq.exe
O4 - HKLM\..\Run: [publsi] C:\WINNT\system32\xsvifyk\publsi.exe
O4 - HKLM\..\Run: [eslwdppf] C:\WINNT\system32\jklye\eslwdppf.exe
O4 - HKLM\..\Run: [ddhpeo] C:\WINNT\system32\wedxg\ddhpeo.exe
O4 - HKLM\..\Run: [javfnu] C:\WINNT\system32\qdiyc\javfnu.exe
O4 - HKLM\..\Run: [paenn] C:\WINNT\system32\lvhg\paenn.exe
O4 - HKLM\..\Run: [vgujohd] C:\WINNT\system32\anjn\vgujohd.exe
O4 - HKLM\..\Run: [rketlsq] C:\WINNT\system32\hsgq\rketlsq.exe
O4 - HKLM\..\Run: [llhhv] C:\WINNT\system32\qknvwtx\llhhv.exe
O4 - HKLM\..\Run: [hcjevdh] C:\WINNT\system32\boajlkys\hcjevdh.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ifrt] C:\WINNT\system32\bdohaxp\ifrt.exe
O4 - HKLM\..\Run: [pruqtxr] C:\WINNT\system32\crhybdva\pruqtxr.exe
O4 - HKLM\..\Run: [fjoprw] C:\WINNT\system32\nkvpcftd\fjoprw.exe
O4 - HKLM\..\Run: [mgtg] C:\WINNT\system32\qjslod\mgtg.exe
O4 - HKLM\..\Run: [tkhbs] C:\WINNT\system32\hpnp\tkhbs.exe
O4 - HKLM\..\Run: [yvucfqk] C:\WINNT\system32\wtpk\yvucfqk.exe
O4 - HKLM\..\Run: [vlmu] C:\WINNT\system32\doywa\vlmu.exe
O4 - HKLM\..\Run: [aetw] C:\WINNT\system32\mweqc\aetw.exe
O4 - HKLM\..\Run: [acxvbvek] C:\WINNT\system32\ydqocpv\acxvbvek.exe
O4 - HKLM\..\Run: [iwmurd] C:\WINNT\system32\kicmxv\iwmurd.exe
O4 - HKLM\..\Run: [axsfsd] C:\WINNT\system32\pvnto\axsfsd.exe
O4 - HKLM\..\Run: [iwdnmtny] C:\WINNT\system32\yddmay\iwdnmtny.exe
O4 - HKLM\..\Run: [wssy] C:\WINNT\system32\alyloti\wssy.exe
O4 - HKLM\..\Run: [nvggntr] C:\WINNT\system32\jubymr\nvggntr.exe
O4 - HKLM\..\Run: [rkihxwr] C:\WINNT\system32\raikyr\rkihxwr.exe
O4 - HKLM\..\Run: [dfouf] C:\WINNT\system32\vpil\dfouf.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINNT\enhupdt.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINNT\nyei.exe <--- just the file probably in c:\winnt\system32
O4 - HKLM\..\Run: [haiptqwf] C:\WINNT\system32\sommhmpj\haiptqwf.exe
O4 - HKLM\..\Run: [kvdo] C:\WINNT\system32\ssvmcd\kvdo.exe
O4 - HKLM\..\Run: [wbybjqqh] C:\WINNT\system32\wqwhbyy\wbybjqqh.exe
O4 - HKLM\..\Run: [jkuji] C:\WINNT\system32\cngvhy\jkuji.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [shentnr] C:\WINNT\system32\rmorjx\shentnr.exe
O4 - HKLM\..\Run: [kcqllx] C:\WINNT\system32\bfdewk\kcqllx.exe
O4 - HKLM\..\Run: [lfpkiigc] C:\WINNT\system32\nrueegjj\lfpkiigc.exe
O4 - HKLM\..\Run: [qtibo] C:\WINNT\system32\jqftjf\qtibo.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe <--- just the file probably in c:\winnt\system32
O4 - HKCU\..\Run: [Lwo4RQY2P] penwid.exe <--- just the file probably in c:\winnt\system32

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

rsd0562 · Jan 26, 2005

I don't know what happened. I just got kicked out of my reply.
Thank you again for your quick reply.

We are still getting pop-ups as soon as windows comes up.
I have attached a new hjt log and a new findit log.
Also some new .exe files have appeared.
I think someone went on the computer.

When you say I must fix the other user accounts, do I have to run hjt and findit under their ids? This should be done after admin is fixed?

Here are the results of what you asked me to do.
Some files were not found.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

C:\WINNT\system32\rmorjx\shentnr.exe - Not Found
C:\WINNT\system32\bfdewk\kcqllx.exe - Not Found
C:\WINNT\system32\nrueegjj\lfpkiigc.exe - Not Found

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html - Not Found
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html - Not Found
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html - Not Found
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.popupsearches.com/sidesearch.html - Not Found
But looks like there is a "websearch" in its place

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\PROGRA~1\Toolbar\toolbar.dll - Not Found

C:\WINNT\system32\d?dplay.exe - Not Found but found 'dvdplay.exe' - did NOT delete
C:\Documents and Settings\Administrator\Application Data\sswb.exe - Not Found Here
C:\WINNT\enhtb.dll - Not Found but found 'enhtb.exe' here, did NOT delete
C:\WINNT\system32\qtwkoon.dll - Not Found
C:\WINNT\system32\nfew.dll - Not Found
C:\WINNT\system32\nfew.dll - Not Found
C:\WINNT\system32\kziqdg.dll - Not Found

There are a ton of these things to delete. I going to leave it to you to finish editing the lines below. All of the files being mention show either a DLL or and EXE file at the end of the line. You need to delete the folders being referenced and any files in the folder. For example the, the first one I list is C:\WINNT\system32\oobhvibv\kqptcuvy.dll You need to find and delete the folder named: C:\WINNT\system32\oobhvibv
What ever you do, DO NOT delete the system32 folder.

O4 - HKLM\..\Run: [477Q34U] pluodbc.exe <--- just the file probably in c:\winnt\system32 - Not Found

O4 - HKLM\..\Run: [Enh Win Updt] C:\WINNT\enhupdt.exe - Not Found
O4 - HKLM\..\Run: [Makarzy] C:\WINNT\nyei.exe <--- just the file probably in c:\winnt\system32 - Not Found
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe" - Found but wasn't sure what to Delete
O4 - HKCU\..\Run: [Lwo4RQY2P] penwid.exe <--- just the file probably in c:\winnt\system32 - Not Found

Thanks again.

chaslang · Jan 26, 2005

You must remember that ALL BROWSERS must ALWAYS be shut down before running HijackThis. You still had: C:\Program Files\Internet Explorer\iexplore.exe running.

Leaving it running can interfere with the ability of HJT to properly fix problems.

OK we made a bunch of progress but have more trojans to fix:

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINNT\system32\ofnvtcx\hbjyowy.exe
C:\WINNT\system32\wiel\myghnxry.exe
C:\WINNT\system32\vyga\dtvn.exe
C:\WINNT\system32\ipcyxia\qsrmx.exe
C:\WINNT\ufwvvzlc.exe
C:\WINNT\system32\xzjnyxji.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=136225757&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=136225757&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=136225757&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=136225757&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=136225757&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=136225757&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O4 - HKLM\..\Run: [hbjyowy] C:\WINNT\system32\ofnvtcx\hbjyowy.exe
O4 - HKLM\..\Run: [myghnxry] C:\WINNT\system32\wiel\myghnxry.exe
O4 - HKLM\..\Run: [dtvn] C:\WINNT\system32\vyga\dtvn.exe
O4 - HKLM\..\Run: [qsrmx] C:\WINNT\system32\ipcyxia\qsrmx.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [pdmuia] C:\WINNT\system32\uwfxrw\pdmuia.exe
O4 - HKLM\..\Run: [ieipyk] C:\WINNT\system32\oifpuu\ieipyk.exe
O4 - HKLM\..\Run: [iffvjfc] C:\WINNT\system32\bqcatd\iffvjfc.exe
O4 - HKLM\..\Run: [nuko] C:\WINNT\system32\dteltm\nuko.exe
O4 - HKLM\..\Run: [C:\WINNT\ufwvvzlc.exe] C:\WINNT\ufwvvzlc.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKLM\..\Run: [ttqpnoxzjgnt] C:\WINNT\system32\xzjnyxji.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINNT\nyei.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINNT\BTGrab.dll
C:\WINNT\ufwvvzlc.exe
C:\WINNT\system32\xzjnyxji.exe
C:\WINNT\ssqb.exe or C:\WINNT\system32\ssqb.exe
C:\WINNT\nyei.exe
C:\WINNT\system32\ofnvtcx <-- delete the folder
C:\WINNT\system32\wiel <-- delete the folder
C:\WINNT\system32\vyga <-- delete the folder
C:\WINNT\system32\ipcyxia <-- delete the folder
C:\Program Files\Common Files\Java <-- delete the folder
C:\WINNT\system32\uwfxrw <-- delete the folder
C:\WINNT\system32\oifpuu <-- delete the folder
C:\WINNT\system32\bqcatd <-- delete the folder
C:\WINNT\system32\dteltm <-- delete the folder
C:\Program Files\ezula <--- delete the folder
C:\Program Files\Web Offer <-- delete the folder

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

rsd0562 · Jan 26, 2005

Thank you again.

I have attached the new HJT log and Findit log.

On last reboot did not get any pop-ups but noticed about 10 wird .exe files in the C:\WINNT folder All with the same Creation date and time of 11/30/04 5:31AM? I'm afraid this will happen again.
atosu.exe
auklpru.exe
ewayyau.exe
nnwncriu.exe
pncutu.exe
rpskqu.exe
snhynnu.exe
ufwvvzlcu.exe ( You had me delete ufwvvzlc.exe )
xwzwgznpbru.exe
yuizbbbzsu.exe

C:\WINNT\nyei.exe - Not Found
C:\Program Files\ezula Folder - Not Found
C:\Program Files\Web Offer Folder - Not Found

Running Windows 2000 Pro.
Do I have to do anything with the other two User Ids I have on the system?

How do I prevent this from happening again?

Can you recommend a good Pop-Up Blocker.

What should I run Daily besides Ad-Aware and SpyBot?

Thank you again for your help.

Rsd0562

chaslang · Jan 26, 2005

You're welcome. Your log is now clean.

You already show a popup blocker being used. You don't need one anyway. Follow the steps in the below link (all of them) and switch to FireFox with built-in popup blocking.

How to Protect yourself from malware!

You should also boot in safe mode and run Windows Explorer to see if you can locate and delete (you must not delete anything but those exact file names with the ? in them)

C:\WINNT\System32\w?crtupd.exe
C:\WINNT\System32\d?dplay.exe <-- do not delete dvdplay.exe
C:\WINNT\System32\??ool32.exe <-- do not delete spoolsv32.exe

How are things running? I would expect a whole lot better and faster than before.

Those files you mentioned are all more than likely left overs from all these problems. I would start by moving them to a folder named C:\junk or you can leave them where the are at and just rename all of them. Change all the .EXE to .XXX so that cannot run. Then reboot and wait a few days to make sure none of them are required. Then you could delete them.

rsd0562 · Jan 28, 2005

I can not thank you enough.

System seems to be much better. Spybot still can not get rid of "VX2/?".

Also, when run Adaware it picked up 200 items? If I'm clean how/why do I still get these things?

Results of your last post:

C:\WINNT\System32\w?crtupd.exe - Not Found
C:\WINNT\System32\d?dplay.exe <-- do not delete dvdplay.exe - Not Found
C:\WINNT\System32\??ool32.exe <-- do not delete spoolsv32.exe - Not Found

I renamed those questionable .exe files to .xxx and have not had a problem, that I know of anyway.

Just starting to follow your "How to protect yourself from malware".
Have to run Windows update from IE.
For some reason I can not run Windows Update. I get the following error message. "Software Update Incomplete". I had my security setting to High, I set it to "medium", even tried "low", both did Not work?
Active scripting and download and initialization of ActiveX Controls were set to enabled. I was never prompted for a "Trust Certificate".
I went to the help and they suggested deleting the C:\ProgramFiles\Windows Update\V4 folder. But then at the end of the instructions said it applies to W2000 Standard. I have W2000 Pro. Should I rename the V4 folder and try update again?
Do you have any ideas on this one?

When I start up computer I get a Windows File Protection Error. I thought that spyware had somehow currupted a sytem file.
I had this error before you and I spoke. So I know nothing we did caused it.
The error states "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability windows must restore the original versions of these files. Insert your W2000 professional cd now." I insert the CD and hit "retry" and the error goes away, no message or anything. But on next reboot the error is back. I also put CD in and did a reboot and did "Not hit any key" to boot from cd, just let it come up normally and it came up w/ out any error. But as soon as I reboot w/ out cd in the error is back? The Logs do not show any type of error.
Do you have any suggestions on this?

Thank you for all of your help,

RSD0562

chaslang · Jan 28, 2005

Give me the log from Spybot and Ad-Aware. I would bet the many of the Ad-Aware items are just MRU's (most recently used) or cookies. Neither are really problems.

A few people have been having problems with Windows Updates. I'm not sure what the problem is yet. Yes, try renaming the V4 folder and I believe they mention a few files that they want your to delete. Follow their instructions and let me know what happens.

When you get the error at startup, does it ever mention any file names? If so, what are they?

rsd0562 · Jan 29, 2005

Attached please find the Ad-Aware log. I can not find the spybot logs. What are they called and where are they located? Spybot says that Ad-aware complains about these logs or recovery files. Maybe got rid of them by mistake. Where should they be?

Just ran spybot and it still does not delete "VX2/?"

Windows error at start up does not give a file.

The System log says "Windows File Protection could not be initialized. The specific error code is 0xc000000f.".

I still must try deleting the V4 folder. I will let you know results.

Thanks again.

rsd0562

chaslang · Jan 29, 2005

For the "Windows File Protection" message, check this out: http://support.microsoft.com/default.aspx?scid=kb;EN-US;296241

Run Ad-Aware and click the Scan Now button then uncheck the "Search for negligible risk entries" option at the bottom. It should become a red X. That will remove the checks for things like MRUs which are not really problems.

When you run Ad-Aware, are you running it in safe mode or normal mode?
Also are you telling it to fix those items it finds? Are you selecting all the items and then telling it to fix them. When it is done scanning, click the Next button, then Right Click in the window showing all the malware. Click the item that says Select All Abjects. Then click the Next button and a window should come up saying ### objects will be removed. Select OK. (the ### is what ever number of problems it has found on your system).

Does it give ant messages saying items cannot be fixed.

Spybot saves logs in its own folder in the the logs subfolder! You can copy and paste from those files using notepad to view them. Or you can view them from Spybot in its Tools, View Report menu (available from Advance Mode).

rsd0562 · Feb 1, 2005

I've been away from my computer for awhile. back now.

I've attached the spybot log as requested. Still can not get rid of "VX2/?".
Found in c:\documents and settings\all users\application data\spybot search and destroy\logs.

Pop_Ups seem to be gone!!!! Hurray!! Also using Firefox when I can. Can't get to some sites w/ Firefox, so have to use IE. Also can't seem to find FireFox Parental Controls?

The site for "Windows File Protection" looks good. I'm in the process of locating another w2000 user and retrieving the file to eliminate this error. Thanks.

I am running ad-aware in the normal mode and already doing everything you stated. I do "Select All" and let it fix. In the past I did get messages that it could not remove some files but after running it on reboot as ad-aware suggests, got no errors. I do not recall the names of these files. If it happens again I will include.

The Windows Update is still failing? I followed MS steps (http://support.microsoft.com/default.aspx?scid=kb;EN;Q319585&LN=EN)and deleted files in the V4 folder and even tried deleting the V4 folder but still did not work???

Once again, thank you for all of your help. You've been a lifesaver.

chaslang · Feb 1, 2005

Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixalt.reg. Doubleclick it and grant it permission to merge in the registry entries.

REGEDIT4
[-HKEY_USERS\.DEFAULT\Software\Destiny]
Click to expand...

Now run a new Spybot scan. How does it look now?

rsd0562 · Feb 7, 2005

Thanks again.

Pop-ups are gone! Wierd .exe files are gone! VX2/? error is gone!

I copied and pasted the below statement into the registry as you requested. This worked beautifully. Spybot was clean. It did not find "VX2/?". Hooray!

There are a few programs that I can not uninstall. "DMVLITE" and "Web Savings from Ebates". "DMVLITE" gives me the error "Cannot find 'file:///C:/WINNT/system32/wsxsvc/uninstall.html'. Then when I hit OK to error message it opens IE?
"Ebates" gives me a WJVIEW error " ERROR: Could not execute MAIN : The system cannot find the file speciifed."??
How can I get rid of these programs?

The site for "Windows File Protection" looked good but...it did not work??
http://support.microsoft.com/default.aspx?scid=kb;EN-US;296241
The description fit my problem. I tried the resolution and got the certificate from another w2000 user and appied as instructed but still got the error? During the reboot after I imported the certificate we had a power hit. Got the error. Thought it was because of the power hit, so I removed the certificate as per instruction and re-imported it but still got the error?

Adaware just recently said it could not get rid of 1 file and listed it 3 times?
"C:\progra~1\ezula\CHCON.dll", "C:\program files\ezula\chcon.dll"?
It got rid of it on re-boot? Ad-aware comes back w/ this message once in a while?

The Windows Update is still failing? I followed MS steps (http://support.microsoft.com/defaul...N;Q319585&LN=EN)and deleted files in the V4 folder and even tried deleting the V4 folder but still did not work???

Thank you for all of your help.

Rsd0562

chaslang · Feb 8, 2005

You're welcome.

Okay now we have some more knowledge about how it appears in add/remove programs. The DMVLITE is Delfin Media Viewer Adware (that's what the wsxsvc folder was).

Search your registry for DMVLITE and also Ebates. Tell me exactly what you find (the full registry key path up to an including the items being search for).

Check the Software Forum for help on the Windows File Protection error. Make sure you mention the link you already tried and your results. I'm sure Adrynalyne can provide some insight to this problem. Also mention your Windows Update problem.

That's strange! I asked you to delete that C:\program files\ezula awhile back and you said you could not find it. Check again.

Log in or Sign up

spyware pop-ups and wierd .exe files

rsd0562 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

Attached Files:

hijackthis.log

output.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

Attached Files:

hijackthis.log

output.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

Attached Files:

hijackthis.log

output.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

Attached Files:

AdAware-log-20050127.TXT

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

Attached Files:

Fixes.050201-2213.txt

Checks.050201-2212.txt-Checks.050201-2208.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rsd0562 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member