Unable to get rid of Betterinternet & Rads01.quadrogram

Status
Not open for further replies.
Sep 30, 2003
29
US
Need HELP! I have one PC running XP Pro and have been unable to get rid of BetterInternet and Rads01.quadrogram, it just keeps repopulating itself every time I reboot.

I have run/done the following with no luck:
CWShredder - Adaware - Spybot - look2me - disabled system restore points - have manually removed files from directories that Adaware finds and edited the registry. I have run vx2finder which comes up with nothing!

I have read through and tried as much as possible what was in Thread760-666236 posted by "webdjoe" on 9/28/03 with no luck!

Here is a copy of the HijackThis log - any help at all would be greatly appreciated:
Logfile of HijackThis v1.97.7
Scan saved at 10:41:29 AM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\bxxulu.exe
C:\WINDOWS\cydylhf.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
J:\PROG\adaware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [FRYHIGHRES] rundll32 "C:\Program Files\ATI Technologies\Fire GL Control Panel\atipmogl.dll",DetectHighResMonitor
O4 - HKLM\..\Run: [huazljbqtrqmz] C:\WINDOWS\System32\bxxulu.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [hvnfwxcib] C:\WINDOWS\cydylhf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Airpax.net
O17 - HKLM\Software\..\Telephony: DomainName = Airpax.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Airpax.net

Thanks in advance
mitchellmj
 
You can also remove these entries, using Hijack this!, after you've disabled system restore:

O4 - HKLM\..\Run: [huazljbqtrqmz] C:\WINDOWS\System32\bxxulu.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [hvnfwxcib] C:\WINDOWS\cydylhf.exe

Then, reboot into Safe Mode and delete these two files from their locations:

C:\WINDOWS\System32\bxxulu.exe
C:\WINDOWS\cydylhf.exe

Any better?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
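
A way to answer "Any better?" after the reboot, as an added example that is not part of the original thread: parse the O4 autorun lines from a fresh HijackThis scan and report which of the fixed entries are back and which Run values are new. The `AFTER` excerpt and the value name `constructed_value` are constructed for illustration; `FIXED` and `BEFORE` are copied from the log above.

```python
import re

# HijackThis O4 line: O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$')

def exe_of(cmd):
    """Executable part of a Run command, lowercased (Windows paths ignore case)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r'(.+?\.exe)\b', cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()

def parse_autoruns(log_text):
    """Map (hive, key, value name) -> executable for every O4 Run line."""
    found = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            found[(hive, key, name)] = exe_of(cmd)
    return found

def recheck(before_log, fixed_lines, after_log):
    """Names of fixed entries that survived the reboot, and of entries that are new."""
    before, fixed, after = map(parse_autoruns, (before_log, fixed_lines, after_log))
    bad_exes = set(fixed.values())
    survived = sorted(k[2] for k, exe in after.items() if k in fixed or exe in bad_exes)
    new = sorted(k[2] for k in after if k not in before)
    return {"survived": survived, "new": new}

# The three entries the reply says to fix, copied from the thread.
FIXED = r"""
O4 - HKLM\..\Run: [huazljbqtrqmz] C:\WINDOWS\System32\bxxulu.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [hvnfwxcib] C:\WINDOWS\cydylhf.exe
"""
# Pre-cleanup excerpt: the fixed lines plus one untouched entry from the posted log.
BEFORE = FIXED + r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
# Constructed post-reboot excerpt (not from the thread): one entry is back
# unchanged and a made-up value name points at one of the deleted files.
AFTER = r"""
O4 - HKLM\..\Run: [hvnfwxcib] C:\WINDOWS\cydylhf.exe
O4 - HKLM\..\Run: [constructed_value] C:\WINDOWS\System32\bxxulu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    print(recheck(BEFORE, FIXED, AFTER))
```

Matching on the executable path as well as the value name catches a deleted file that has been registered again under a different Run value.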
 
hi, welcome to TSG.

the version of hijack this you have is outdated, download a newer version from below.


Download hijack this from the link below. Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.
 
Guys/gals...time stamps are your friend.
Please take a look at the date of last reply in this thread before lb63640 retrieved it from the dustbin.

The Symantec removal tool didn't exist at the time of the original post and the version of HJT! used was the current one at that time, as well.

This thread was dead and buried over a year ago...let's make sure there's a call for response before posting up a storm.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 