Virus recovery

[multinetting]

After recovering from a recent virus...

Does anybody know what the following startup entry is?

otohacaf Runndll32.exe "C\WINDOWS\otohacaf.dll",startup
In registry it is called Wjoxafawi

It sounds iffy to me, but the dll file is very old and hasn't been changed.

I can't delete the registry entry or disable the startup.....and XP will not boot up in safe mode...pf8.

I would welcome any suggestions on the startup entry or the safe mode issue....Thanks.

[RealBlackStuff]

That's definitely virus/adware/spyware/trojan junk.
Click on Start/Run, then type in:
REGSVR32 /u C:\Windows\System32\otohacaf.dll
and hit Enter.

Go into your registry (Click on Start/Run, then type in: regedit and hit Enter).
Once in there, click on Edit/Find and type runonce in the searchbox.
Hit enter to find the first occurence.
When found, see if there is an entry Run immediately above the Runonce entry.
If not, press F3 to continue the search, until you find the Run/Runonce combination directly above each other.
If you see this Run, click on it. On the right hand side you see various entries.
Look for anything with otohacaf or Wjoxafawi in it.
If found, click on the first part of that line (which should now become highlighted), verify you have the correct line, then press the Del or Delete button, and confirm.
Continue your search by pressing F3. (Note: after you were in Run, of course the next entry is again Runonce, so hit F3 once more).
Delete all of them wonky entries.
When no more entries found, close Regedit.
Now click on Start/Run/Programs/Startup and check if there is an entry with otohacaf or Wjoxafawi in it.
If found, right-click it and select Delete. Confirm.
When done, reboot.
Hopefully everything is OK now, and you can delete: C\WINDOWS\otohacaf.dll
Also do a search for this Wjoxafawi or Wjoxafawi.exe etc. and delete it/them.
Let us know what gives.

[multinetting]

Thanks for this, unfortunately every time I deleted the entry, it replicated itself. The key was fixing the safe mode ...found this...http://blog.didierstevens.com/2007/02/1 ... -reg-file/ It fixed my safe mode, and then I was able to blast this thing off my computer.