Startup Items

geekwannabe

My computer got infected really bad recently. I now have it almost back to
normal, but I am still having some spyware problems. It seems to be
reinfecting itself. I noticed there are a couple items in the startup programs
that I don't recognize. One is jdqotukg, command "rundll32.exe"
"C:/windows/system32/jdqotukg.dll",b and the other is xdbnafkq, command
rundll32.exe "c:/windows/system32/xdbnafkq.dll",s. Are these legitimate
startup items? I am afraid to turn them off, in case they are necessary,
because I only half-a** know what I am doing here. Thank you so much for
your help!
 
Lanwench [MVP - Exchange]

geekwannabe said:
My computer got infected really bad recently. I now have it almost
back to normal, but I am still having some spyware problems. It
seems to be reinfecting itself. I noticed there are a couple items in
the startup programs that I don't recognize. One is jdqotukg,
command "rundll32.exe" "C:/windows/system32/jdqotukg.dll",b and the
other is xdbnafkq, command rundll32.exe
"c:/windows/system32/xdbnafkq.dll",s. Are these legitimate startup
items? I am afraid to turn them off, in case they are necessary,
because I only half-a** know what I am doing here. Thank you so much
for your help!

Those definitely are not part of a normal Windows install. Rather than doing
stuff in Startup, tho, I'd advise you to use Spybot & AdAware to scan your
computer thoroughly (update & run in safe mode whenever possible with system
restore turned *off* first). Make sure you have a good backup of your data
files just in case something goes awry.....

Try posting in microsoft.public.security.homeusers for more expert help
dealing with malware.
 
Lem

geekwannabe said:
My computer got infected really bad recently. I now have it almost back to
normal, but I am still having some spyware problems. It seems to be
reinfecting itself. I noticed there are a couple items in the startup programs
that I don't recognize. One is jdqotukg, command "rundll32.exe"
"C:/windows/system32/jdqotukg.dll",b and the other is xdbnafkq, command
rundll32.exe "c:/windows/system32/xdbnafkq.dll",s. Are these legitimate
startup items? I am afraid to turn them off, in case they are necessary,
because I only half-a** know what I am doing here. Thank you so much for
your help!

You haven't cleaned things up yet. Randomly-named executables are
almost always malware.

There is one school of thought that holds that once a computer has been
compromised as yours has, one ought to do a clean install of the
operating system and reload all of the applications because it's
impossible to be 100% certain that you have rooted out all of the bad stuff.

On the other hand, you can try. *Read* the following excellent advice
from MVP Malke:
http://www.elephantboycomputers.com/page2.html#Removing_Malware



--
Lem -- MS-MVP - Networking

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
 
geekwannabe

Lem and Lanwench - thank you both for your replies. I didn't think these
were normal startup items. I did do a repair reinstall and it helped,
because before that the computer was barely functional. I was too chicken to
do a full reinstall! I have used Spybot, Ad-aware and Spy Sweeper, but it
just keeps coming back. This is my work computer, and we are ordering a new
one. So as soon as I get that, this evil one is going home with me so I can
do the full reinstall with no worries. Thanks again!
 
Elmo

geekwannabe said:
My computer got infected really bad recently. I now have it almost back to
normal, but I am still having some spyware problems. It seems to be
reinfecting itself. I noticed there are a couple items in the startup programs
that I don't recognize. One is jdqotukg, command "rundll32.exe"
"C:/windows/system32/jdqotukg.dll",b and the other is xdbnafkq, command
rundll32.exe "c:/windows/system32/xdbnafkq.dll",s. Are these legitimate
startup items? I am afraid to turn them off, in case they are necessary,
because I only half-a** know what I am doing here. Thank you so much for
your help!

The malware was removed, but the reference to the files was not removed
from the registry.

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when located, delete the reference to the file. Press F3 to continue
the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.
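
Added example, not part of any poster's reply: a read-only PowerShell audit of the two standard Run keys that parses rundll32 startup commands like the ones quoted in this thread and reports whether each referenced DLL is still on disk and how its signature checks out, then exports the key as a backup. It assumes a Windows system with PowerShell available; the function names and the backup file name are made up for illustration.

```powershell
# Added example: audit Run-key entries that launch a DLL through rundll32.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Matches: rundll32[.exe] "<path>.dll",<entry point>  (quotes are optional)
$pattern = '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\S+)'

function Get-RundllTarget {            # hypothetical helper name
    param([string]$Command)
    $m = [regex]::Match($Command, $pattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Dll        = $m.Groups[1].Value.Replace('/', '\')
        EntryPoint = $m.Groups[2].Value
    }
}

function Get-RunKeyAudit {             # hypothetical helper name
    foreach ($path in $runKeys) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $target = Get-RundllTarget -Command ([string]$key.GetValue($name))
            if ($null -eq $target) { continue }     # not a rundll32 entry
            $exists = Test-Path -LiteralPath $target.Dll -PathType Leaf
            $sig = if ($exists) {
                (Get-AuthenticodeSignature -FilePath $target.Dll).Status
            } else { 'n/a' }
            [pscustomobject]@{
                Key = $path; Name = $name; Dll = $target.Dll
                EntryPoint = $target.EntryPoint
                FileExists = $exists; Signature = $sig
            }
        }
    }
}

# Parser check against the two command lines quoted in the first post.
'"rundll32.exe" "C:/windows/system32/jdqotukg.dll",b',
'rundll32.exe "c:/windows/system32/xdbnafkq.dll",s' |
    ForEach-Object { Get-RundllTarget -Command $_ } | Format-Table -AutoSize

# Live audit of this machine, then a backup of the key before any edit.
Get-RunKeyAudit | Format-Table -AutoSize
reg export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' `
    "$env:USERPROFILE\Desktop\Run-HKLM-backup.reg" /y
```

A row with FileExists False is a leftover reference to a file that is gone; a row with FileExists True and a Signature other than Valid points at a DLL that is still on disk and should be scanned before the entry is touched.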
 
PA Bear [MS MVP]

You have a Vundo infection (which probably brought its friends Zlob and
SDBot along for the ride). You will need expert assistance to clean the
machine.

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
