zqduuukm.exe in startup. Help please!!
jimmybot
03-26-2005, 01:27 AM
I have this zqduuukm.exe in startup and can't get rid of it. I suspect it's spyware. Ran Ad-Aware and Spybot, de-selected startup items, tried to end this file in the processes menu but it won't delete. Anyone got any ideas on how I can get rid of this??? Thanks
sea69
03-26-2005, 03:40 AM
I can't identify it either. I would try a search for it in regedit and delete it; seems that's where it could be. What operating system are you using?
Dan Penny
03-26-2005, 04:46 AM
If you're running a FAT32 system (not NTFS) you can take note of its location and delete it in raw DOS.
jimmybot
03-26-2005, 08:17 AM
Tried a search for it in regedit but nothing. I'm using Win XP and I'm running NTFS. This is very strange. Any other ideas?
classicsoftware
03-26-2005, 08:59 AM
Download a copy of HijackThis (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41). Install it into a permanent folder.
Choose the option to scan and create a log.
Post the contents of the log here for review. Do not fix anything on your own as you can damage the OS and render the PC useless.
jimmybot
03-26-2005, 09:24 AM
Logfile of HijackThis v1.98.2
Scan saved at 9:53:49 AM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOWNLOADS\Software\hjt\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vocm.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zqduuukm] c:\windows\system32\zqduuukm.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
jimmybot
03-26-2005, 09:26 AM
zqduuukm.exe is also in processes but doesn't seem to show in the log file.
classicsoftware
03-26-2005, 09:43 AM
Open HijackThis and choose scan.
Close all other browser and program windows.
Place a check next to the following and click Fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O4 - HKLM\..\Run: [zqduuukm] c:\windows\system32\zqduuukm.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
Reboot and delete the following files:
c:\windows\system32\zqduuukm.exe
C:\WINDOWS\farmmext.exe
You have to show hidden files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).
Re-post your log.
sea69
03-26-2005, 10:20 AM
Sounds like what I was thinking too; was very late and tired, but I think Classics got ya.
Fruss Tray Ted
03-26-2005, 11:47 AM
Your version of HijackThis is out of date. It is up to 1.99 or more by now. Get the latest one, rerun it and post the log.
jimmybot
03-26-2005, 12:36 PM
Here's the new log. By the way, thanks people, appreciate it.
Logfile of HijackThis v1.99.1
Scan saved at 1:05:37 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOWNLOADS\Software\winrar\WinRAR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOWNLOADS\Software\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vocm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\DOWNLOADS\Software\internet erase\track eraser\Tracks Eraser Pro\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
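The review done by hand above (compare each O2/O4 line against what you recognise, fix the unknown ones, then re-post the log to confirm they are gone) can be scripted. What follows is an added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses a HijackThis-style log, flags entries that load a file not on a reviewer's allowlist, lists Run-key targets that do not appear in the log's process list, and diffs a before/after pair of logs. The two log excerpts are trimmed from the logs posted above; the KNOWN_GOOD allowlist is a constructed assumption (in practice you build it from a known-clean machine), and the script cannot tell a random-looking file name such as zqduuukm.exe from a legitimate one by itself, which is why the allowlist exists.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Trimmed excerpts of the two logs posted in this thread: before and after the fix.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vocm.com/
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zqduuukm] c:\windows\system32\zqduuukm.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vocm.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Constructed allowlist (assumption): lowercase file names the reviewer already
# recognises. Build it from a known-clean machine; it is not a malware signature.
KNOWN_GOOD = {"ccapp.exe", "ctfmon.exe", "navshext.dll", "adobelmsvc.exe"}

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+")                     # "O4 - ...", "R0 - ..."
FILE_RE = re.compile(r'[A-Za-z]:\\[^"\n\[\]]*?\.(?:exe|dll|ocx)(?=[\s"]|$)', re.IGNORECASE)


def parse_log(text: str) -> Dict[str, list]:
    """Split a log into the 'Running processes' paths and the coded entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # first coded entry ends the process list
            in_procs = False
            entries.append((m.group(1), line))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_of(entry_line: str) -> Optional[str]:
    """Lowercase file name an entry loads, or None for settings-only entries."""
    m = FILE_RE.search(entry_line)
    return basename(m.group(0)) if m else None


def flag_unknown(log: Dict[str, list], known_good: set) -> List[Tuple[str, str, str]]:
    """Entries whose file is not on the allowlist; settings-only entries are skipped."""
    return [(code, name, line) for code, line in log["entries"]
            if (name := target_of(line)) and name not in known_good]


def run_entries_not_running(log: Dict[str, list]) -> List[str]:
    """Run-key targets absent from the process list: registered autostarts that are
    not executing under that name at scan time (the poster saw exactly this)."""
    running = {basename(p) for p in log["processes"]}
    names = {target_of(line) for code, line in log["entries"] if code == "O4"}
    return sorted(n for n in names if n and n not in running)


def diff_logs(before: Dict[str, list], after: Dict[str, list]) -> Tuple[List[str], List[str]]:
    """(entries gone after the fix, entries new in the second log)."""
    b = {line for _, line in before["entries"]}
    a = {line for _, line in after["entries"]}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for code, name, line in flag_unknown(before, KNOWN_GOOD):
        print(f"UNKNOWN {code}: {name}  <- {line}")
    print("registered but not in process list:", run_entries_not_running(before))
    removed, added = diff_logs(before, after)
    print("gone after fix:", *removed, sep="\n  ")
    print("new in second log:", *added, sep="\n  ")
```

Run stand-alone it prints the three entries the helpers told the poster to fix (rtneg.dll, zqduuukm.exe, farmmext.exe), shows that both Run-key targets were absent from the first log's process list, and confirms from the second log that they are gone while the new O23 service line is the only addition. The O23 entry is on the allowlist here only because the thread treated it as fine; an "Unknown owner" service is normally worth a second look.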
david eaton
03-26-2005, 04:27 PM
That looks a lot better! How is it running now?
Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed.
Spywareguard (http://www.wilderssecurity.net/spywareguard.html) <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
jimmybot
03-27-2005, 09:21 AM
Running great. Thanks for the info.
Paleo Pete
03-27-2005, 10:17 AM
click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice
Be sure and note that doing this will delete any webpages that have been saved for offline viewing by the corresponding IE option. (I can't remember exactly how it's listed in Menu options.)
This was one of the malware applications that creates a random filename. I don't think we've gotten the master file yet that started it all, (unless it was in temp files) but here's hoping it won't come back...I fought a customer's machine a few weeks ago that was creating similar random filenames, couldn't find the "master" file causing it, and every reboot I had more odd files in System32. Try and shut one down via Task Manager and it recreated itself in less than 10 seconds, with a different filename. Finally did find it, but not without losing some of the little hair I have left. :eek:
Along with the suggestions david eaton made, I would advise using the Firefox (http://www.mozilla.org/) web browser. Mozilla's Thunderbird email client has a pretty good reputation, although I haven't checked it out too closely yet (I rarely use Windows any more), or try one of the other email clients like Eudora. Whichever you use, make sure it does NOT use ActiveX; that's how all this crud gets on your system, along with bundled downloaded software.
I would also be highly suspect of Incredimail. It's all HTML and web based, which is an open invitation, especially if you're still running IE. I saw a computer a couple of years ago with a virus problem; the AVG boot disk set found 192 infected files listed as incredimail.eml. That's 192 copies of a virus (5 of them actually), all carried by Incredimail email messages... 2 weeks later another 3 or 4 dropped in on the same computer. It didn't stop until Windows was reinstalled and Incredimail not. Anyone who has an Incredimail account can easily get your address unless you specifically set it up as unlisted, and I think a huge problem (no matter what email client/program) is people clicking that "Forward to All" button... USE BCC INSTEAD! Then nobody has any email addresses to spam or sell to spammers.
Run Ad-Aware regularly and keep it updated at least once every 2 weeks; same for Spybot. Watch email subject lines and return addresses closely, and delete suspected spam without opening it. 99% of the spam I've seen is HTML based, usually includes a web bug and now probably carries spyware along too. If you must use Outlook/Outlook Express, lose that preview pane! (View\Layout\ UNCHECK Show Preview Pane.) The preview pane opens any email it "previews", rather than just taking a peek inside before opening. Any virus/trojan/spyware embedded in the email is automatically installed by ActiveX with no user intervention. Your best bet is to lose IE and OE and use Firefox and Thunderbird. Don't uninstall IE, just stop using it. It will be required for M$ updates.
And check the Applications and Security (http://www.pcguide.com/vb/forumdisplay.php?f=34) forum section, the "sticky" threads at top have more good information concerning this kind of malware.