trojan

Run ExplorerXP (not windows explorer) and look for this: C:\WINDOWS\qohquuytcl.exe

It is in your Windows directory and you need to fix it and delete it. Do that now while still in safe mode.

 

Download and extract Pocket KillBox to its own folder some place you can find it.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filename into KILL BOX. Check mark the box that says "Delete on Reboot" Now click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES and it will reboot.

C:\WINDOWS\qohquuytcl.exe

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot into NORMAL MODE and post a new WinPfind log and tell me how the steps went.

 

Double check the below settings to make sure each one is correctly set.

- Right Click Start.
- Select Explore
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide extensions for known file types option.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Apply.
-Click OK.

 

Hmmm! That seems rather strange. If Search is showing the file and you have the Explorer settings correct, it should be showing there too.

In the search window, right click on the file and select delete. Does that work?

 

Well that is what we need to find out! But at least you know how to find it. So reboot into normal mode and let's see what happens.

The icon must be something related to BestOffers. This is part of what you had in the very beginning (nail.exe and the renaming trojan). That is why I kept working on trying to delete all these entries. They are all related.

I don't understand why killbox did not delete it.

 

But there was nothing to delete because you already deleted it. Just reboot the PC into normal mode and let's see what happens.

 

That's clean! No do you see what I kept on insisting that it was there and asking to delete it?

Is everything working okay now? If so, time to proceed to the below:

How to Protect yourself from malware!

 

I was referring to the WinPfind log being clean! You HJT log is basically clean althought I would not allow junk like below to run on my PCs. Some people consider it mild spyware. I just believe it is a waste of resources and I'll check for updates when I want to.


O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

 

Yes enable System Restore!

 

Looks okay! If later you change your mind about needing those three items for any reason, you can just restore them from the HijackThis backups.

 

You're welcome. Surf safely!