Q: MS Computer operating system process ( Answered,   0 Comments )
Question  
Subject: MS Computer operating system process
Category: Computers > Software
Asked by: petercnslt-ga
List Price: $22.50
Posted: 08 Oct 2004 13:31 PDT
Expires: 07 Nov 2004 12:31 PST
Question ID: 412215
I have a startup process on my WINXP Pro machine called bqzauw.exe.
It goes by the name Process <nnnn> where nnnn is some four-digit number
that changes from time to time. Neither AntiVirus nor Spyware programs
see it, but I am very suspicious. I cannot delete it. Do you know what
it is, where it came from, what it does, or how I can get rid of it?

Request for Question Clarification by hummer-ga on 08 Oct 2004 14:03 PDT
Hi petercnslt,

Have you tried HouseCall? It's an online virus scan that often catches
things that others miss - it wouldn't hurt to give it a try.

HouseCall:
http://housecall.trendmicro.com/

Regards,
hummer

Request for Question Clarification by sublime1-ga on 08 Oct 2004 17:03 PDT
peter...

It is certainly not a legitimate Windows file. While I cannot
locate anything about it on the internet, I can certainly tell
you how to delete it. Would that satisfy your interests enough
to qualify as an acceptable answer?

sublime1-ga

Clarification of Question by petercnslt-ga on 08 Oct 2004 17:41 PDT
I would like to get rid of it, but if you don't know what it is, how do
I get the whole thing (registry entries etc.)?
Answer  
Subject: Re: MS Computer operating system process
Answered By: livioflores-ga on 09 Oct 2004 08:43 PDT
 
Hi petercnslt!!


I am pretty sure that bqzauw.exe is associated with PESTware on
your computer and I think that you can get rid of it without "side
effects".
It is very common for spyware and viruses to use randomly generated
names to avoid easy recognition; just see the following
Google search result page for the "random names spyware" keywords:
://www.google.com/search?num=20&hl=en&lr=&newwindow=1&c2coff=1&q=random+names+spyware


What you must do is the following:

1- To get an idea of what this is:

A-. Use the HijackThis program.

HijackThis examines key areas of the registry and the operating
system's files and lists their contents. These areas are used by both
good and bad programs; you must decide what should be removed.
Please download and run HijackThis and post the log. Please don't fix
anything, just post the log (paste the text of the log in a request for
answer clarification box) and I will tell you which things you must
fix.
To download HijackThis:
http://www.majorgeeks.com/download3155.html

To know how to use it and how to generate the log visit the following pages:
"HijackThis Quick Start":
http://s89223352.onlinehome.us/mirror/hjt/

"HijackThis Tutorial": (more complete one)
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Please read the "How to use HijackThis" section:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse


B-. Perform two online scans:

For viruses:
At this point I agree with Hummer-ga and suggest the following one:
HouseCall:
Click on the "Scan Now. It's Free!" link and accept all the required
downloads and temporary installs.
http://housecall.trendmicro.com/


For spyware and other pestwares:
PestPatrol:
Click on the Pest Scan logo to scan your PC, and accept all the required
downloads and temporary installs.
This scanner did not remove anything, so please tell me what it finds:
www.pestscan.com

----------------------------------------------------------

2- How to get rid of it (at least temporarily):

A-. Kill the process:
Use Task Manager to stop any process that is running. Call it using
the shortcut Ctrl+Alt+Del. Choose the Processes tab to list all
programs. Find bqzauw.exe, highlight it, and end it.


B-. Make it visible:
Almost all spyware files are created as hidden and/or protected files,
so if you don't allow Windows to show this type of file you cannot
see them in the Explorer window and you will not be able to move,
delete, modify, or quarantine them:
Open an Explorer window --> On the Explorer window click on Tools menu
--> Folder Options --> Click on the View tab --> check "Display
contents of System Folders" and "Show hidden files and folders" -->
Uncheck "Hide extensions for known file types" and "Hide protected
operating system files" (ignore the warning message) --> click on
"Apply to all folders" --> Accept and close that window and then click
on View menu --> select Details.


C-. Now, find it!!:
Just use the Windows search tool to find the bqzauw.exe file.
Open an Explorer window --> Use the Ctrl+Q shortcut --> The search
assistant will be shown; type bqzauw.exe in the file name box and
click the Search button.


D-. Quarantine it:
At this point you may not be sure whether you want to delete it or
only want to keep it from running.
To delete it, right-click on it and select the delete option.
To keep it from running you must change its extension: right-click on
it, select rename and change its name to bqzauw.ex1. It will not be
able to run again until you change its name back to the original name.


----------------------------------------------------------

An additional thing that could be helpful is the Startup list
generated by HijackThis, please post the text of this log file
following these instructions:
"How to Generate a Startup Listing"
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HTStartupList

-----------------------------------------------------------

I hope that this helps you. Remember that this answer is not
considered complete until you feel satisfied with it. Please use the
clarification feature to request further assistance on this and to
post the logs from HijackThis or any additional relevant info
that could help. I will gladly respond to your requests.


Best regards.
livioflores-ga
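
The steps in section 2 of the answer above (kill, make visible, find, quarantine) can be collected into one script on a current Windows system with PowerShell. This is an added example, not part of the original answer: the `$SearchRoot` parameter and the `-Quarantine` switch are assumptions introduced here, and the registry check covers only the Run and RunOnce keys, which are not the only autostart locations.

```powershell
# Added example. Read-only unless -Quarantine is given; run from an elevated prompt.
param(
    [string]$Name = 'bqzauw.exe',           # file name from the question
    [string]$SearchRoot = $env:SystemRoot,  # assumption: folder tree to search
    [switch]$Quarantine                     # assumption: opt-in switch for step D
)

# Step A: running processes with this image name (process names carry no extension).
$base  = [IO.Path]::GetFileNameWithoutExtension($Name)
$procs = @(Get-Process -Name $base -ErrorAction SilentlyContinue)
$procs | Select-Object Id, Name, Path | Format-Table -AutoSize

# Registry autostart values that mention the file, per machine and per user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data.IndexOf($Name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ Key = $key; Value = $valueName; Data = $data }
        }
    }
}
$autoruns | Format-List

# Steps B and C: -Force lists hidden and system files too.
$files = @(Get-ChildItem -Path $SearchRoot -Filter $Name -Recurse -Force -File `
           -ErrorAction SilentlyContinue)
$files | Select-Object FullName, Attributes, LastWriteTime,
    @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
    Format-List

# Step D: stop the process, then rename so the file can no longer be launched.
if ($Quarantine) {
    $procs | Stop-Process -Force
    foreach ($f in $files) {
        Rename-Item -LiteralPath $f.FullName -NewName ($f.BaseName + '.ex1') -Force
    }
}
```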

Request for Answer Clarification by petercnslt-ga on 10 Oct 2004 09:40 PDT
I have more information gleaned from Zone Alarm Security Suite (ZASS):

bqzauw.exe (now on my machine as Process 2488) comes from
callinghome.biz with the original name of Caller.exe. I Googled the
callinghome website and found a program that keeps a channel open to a
firewalled computer.

I now stop the process whenever I boot up, and it is totally without
rights in ZASS.

Would still like to remove. Do I follow the given instructions or does
this information help?

Apparently someone put this on my machine for no good purpose!

Clarification of Answer by livioflores-ga on 10 Oct 2004 21:38 PDT
Hi!!

What I suggest is not to let it run.

callinghome.biz installs a trojan in your computer that must be
removed completely. The installed file is "randomname.exe" (normally
in c:\windows\system32 directory).


Give Adaware another chance: download it and update it before scanning.
Download it from:
http://downloads.planetmirror.com/pub/majorgeeks/spyware/aawsepersonal.exe
or
http://www.majorgeeks.com/download506.html


A helpful guide for Adaware:
"Ad-aware Tutorial":
http://www.fluteloop.com/Adaware6.htm

The suggested settings for a successful scan with Adaware are: (click
on the Configuration button)

-Under Scanning check the following items: 
Scan within archives 
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favourites for banned URL's
Scan my host's file 

-Tweaks:
·Under Scanning engine settings, please check:
"Unload recognised processes during scanning"
·Under Cleaning engine, please check:
"Always try to unload modules before deletion"
"Let Windows remove files in use at next reboot"


Remove what it finds by placing a check in the box to the left of the
object or use the select all feature. Reboot the PC.


If Adaware does not work, please download and run HijackThis and post
the log without fixing anything; I will indicate to you which things must
be fixed.


I hope that this helps you.


Regards.
livioflores-ga