
Infected With Virtumonde Trojans


  • This topic is locked
9 replies to this topic

#1 jack12357

  • Members
  • 5 posts

Posted 26 August 2007 - 10:48 PM

I've tried Spybot S&D, Housecall antivirus, and Stinger, and none of them can get rid of the two infected .dll files in my system32 directory (rqrqoll.dll and jkhih.dll). Spybot says that it can't remove them because they are still in memory, and suggests that I reboot. Tried that three times, once in safe mode. Apparently they were still in memory while I was in safe mode. The following is my HijackThis log. Can anybody suggest something that will get rid of it (short of downloading Knoppix, borrowing a CD from one of my roommates and deleting it from there, or nuking the system from orbit)? Any help would be GREATLY appreciated. Also, is there anything I can do to prevent future infection? I have Windows Firewall enabled, I use Firefox, and Windows is totally updated.

==================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:10 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\SCardSvr.exe
D:\Program Files\Apoint\Apoint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Apoint\Apntex.exe
D:\Program Files\Apoint\HidFind.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045621111
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045614432
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4021 bytes


#2 teacup61, Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 August 2007 - 11:13 PM

Hello jack12357,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 jack12357 (Topic Starter)

  • Members
  • 5 posts

Posted 27 August 2007 - 12:20 AM

Here is Combofix's logfile:

ComboFix 07-08-26.3 - "Jack Darcy" 2007-08-26 22:45:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.92 [GMT -6:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\hihkj.bak1
D:\WINDOWS\system32\hihkj.ini
D:\WINDOWS\system32\jkhih.dll
D:\WINDOWS\system32\qqyoulmw.ini
D:\WINDOWS\system32\rqrqoll.dll
D:\WINDOWS\system32\rrvjrxvo.dll
D:\WINDOWS\system32\wmluoyqq.dll


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-26 22:43 51,200 --a------ D:\WINDOWS\nircmd.exe
2007-08-26 21:34 <DIR> d-------- D:\Program Files\Trend Micro
2007-08-26 20:27 <DIR> d-------- D:\DOCUME~1\JACKDA~1\.housecall6.6
2007-08-24 18:16 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-19 21:19 <DIR> d-------- D:\jacks temp folder
2007-08-19 19:29 12,928 --a--c--- D:\WINDOWS\system32\dllcache\dot4prt.sys
2007-08-19 19:29 12,928 --a------ D:\WINDOWS\system32\drivers\Dot4Prt.sys
2007-08-19 19:28 23,808 --a--c--- D:\WINDOWS\system32\dllcache\dot4usb.sys
2007-08-19 19:28 23,808 --a------ D:\WINDOWS\system32\drivers\Dot4usb.sys
2007-08-19 19:28 207,360 --a--c--- D:\WINDOWS\system32\dllcache\dot4.sys
2007-08-19 19:28 207,360 --a------ D:\WINDOWS\system32\drivers\Dot4.sys
2007-08-16 00:12 <DIR> d-------- D:\WINDOWS\pss
2007-08-16 00:10 204,800 --a------ D:\WINDOWS\system32\IVIresizeW7.dll
2007-08-16 00:10 200,704 --a------ D:\WINDOWS\system32\IVIresizeA6.dll
2007-08-16 00:10 20,480 --a------ D:\WINDOWS\system32\IVIresize.dll
2007-08-16 00:10 192,512 --a------ D:\WINDOWS\system32\IVIresizeP6.dll
2007-08-16 00:10 192,512 --a------ D:\WINDOWS\system32\IVIresizeM6.dll
2007-08-16 00:10 188,416 --a------ D:\WINDOWS\system32\IVIresizePX.dll
2007-08-16 00:10 <DIR> d-------- D:\Program Files\Common Files\InterVideo
2007-08-16 00:09 831,600 --a------ D:\WINDOWS\system32\Ctaa1.dat
2007-08-16 00:09 77,824 --a------ D:\WINDOWS\system32\ctdvda32.dll
2007-08-16 00:09 333,600 --a------ D:\WINDOWS\system32\drivers\ctdvda2k.sys
2007-08-16 00:09 122,880 --a------ D:\WINDOWS\system32\cddvdint.dll
2007-08-16 00:09 <DIR> d-------- D:\Program Files\InterVideo
2007-08-16 00:09 <DIR> d-------- D:\Program Files\Creative
2007-08-15 23:59 <DIR> d-------- D:\Program Files\uTorrent
2007-08-15 23:59 <DIR> d-------- D:\DOCUME~1\JACKDA~1\APPLIC~1\uTorrent
2007-08-15 14:25 <DIR> d-------- D:\DOCUME~1\JACKDA~1\Incomplete
2007-08-15 14:17 <DIR> d-------- D:\DOCUME~1\JACKDA~1\APPLIC~1\LimeWire
2007-08-15 14:16 <DIR> d-------- D:\Program Files\LimeWire
2007-08-15 12:36 1,891 --a------ D:\WINDOWS\mozver.dat
2007-08-15 10:00 <DIR> d-------- D:\DOCUME~1\JACKDA~1\APPLIC~1\WinRAR
2007-08-15 09:31 982 --a------ D:\WINDOWS\eReg.dat
2007-08-15 09:22 <DIR> d-------- D:\Program Files\EA Games
2007-08-14 18:55 12,160 --a--c--- D:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-14 18:55 12,160 --a------ D:\WINDOWS\system32\drivers\mouhid.sys
2007-08-14 18:54 9,600 --a--c--- D:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-14 18:54 9,600 --a------ D:\WINDOWS\system32\drivers\hidusb.sys
2007-08-14 18:45 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-14 16:49 <DIR> d-------- D:\Program Files\Bonjour
2007-08-14 16:41 <DIR> d-------- D:\Program Files\Common Files\Macrovision Shared
2007-08-14 16:05 24,816 --a------ D:\WINDOWS\system32\mdimon.dll
2007-08-14 16:04 <DIR> d-------- D:\WINDOWS\SHELLNEW
2007-08-14 16:04 <DIR> d-------- D:\Program Files\Microsoft ActiveSync
2007-08-14 15:49 <DIR> dr-h----- D:\MSOCache
2007-08-14 14:25 <DIR> d-------- D:\Program Files\iTunes
2007-08-14 14:25 <DIR> d-------- D:\Program Files\iPod
2007-08-14 14:25 <DIR> d-------- D:\DOCUME~1\JACKDA~1\APPLIC~1\Apple Computer
2007-08-14 14:24 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2007-08-14 14:24 <DIR> d-------- D:\Program Files\QuickTime
2007-08-14 14:24 <DIR> d-------- D:\Program Files\Common Files\Apple
2007-08-14 14:24 <DIR> d-------- D:\Program Files\Apple Software Update
2007-08-14 14:24 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-14 14:24 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-14 14:05 <DIR> d-------- D:\Program Files\Windows Media Connect 2
2007-08-14 14:04 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2007-08-14 14:04 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
2007-08-14 13:18 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-14 13:03 33,792 --a--c--- D:\WINDOWS\system32\dllcache\custsat.dll
2007-08-14 12:58 23,040 -----c--- D:\WINDOWS\system32\dllcache\fltmc.exe
2007-08-14 12:58 16,896 -----c--- D:\WINDOWS\system32\dllcache\fltlib.dll
2007-08-14 12:58 128,896 -----c--- D:\WINDOWS\system32\dllcache\fltmgr.sys
2007-08-14 12:05 <DIR> d-------- D:\Program Files\Apoint
2007-08-14 12:04 <DIR> d-------- D:\Program Files\SigmaTel
2007-08-14 12:04 <DIR> d-------- D:\Program Files\CONEXANT
2007-08-14 12:03 705,408 --a------ D:\WINDOWS\system32\drivers\HSF_CNXT.sys
2007-08-14 12:03 42,858 --a------ D:\WINDOWS\system32\hsfci014.dll
2007-08-14 12:03 208,384 --a------ D:\WINDOWS\system32\drivers\HSFHWICH.sys
2007-08-14 12:03 1,033,728 --a------ D:\WINDOWS\system32\drivers\HSF_DPV.SYS
2007-08-14 11:53 <DIR> d--h----- D:\Program Files\InstallShield Installation Information
2007-08-14 11:53 <DIR> d-------- D:\Program Files\ATI Technologies
2007-08-14 11:45 0 --a------ D:\WINDOWS\nsreg.dat
2007-08-14 11:03 <DIR> d-------- D:\WINDOWS\provisioning
2007-08-14 11:03 <DIR> d-------- D:\WINDOWS\peernet
2007-08-14 11:00 <DIR> d-------- D:\WINDOWS\ServicePackFiles
2007-08-14 10:54 <DIR> d-------- D:\WINDOWS\EHome
2007-08-14 10:50 4,569 --a------ D:\WINDOWS\system32\secupd.dat
2007-08-14 10:50 11,776 --a------ D:\WINDOWS\system32\spnpinst.exe
2007-08-14 10:32 614,912 --a------ D:\WINDOWS\system32\h323msp.dll
2007-08-14 10:32 331,264 --a------ D:\WINDOWS\system32\ipnathlp.dll
2007-08-14 10:09 1,082,368 --a------ D:\WINDOWS\system32\esent.dll
2007-08-13 17:02 23,856 --a------ D:\WINDOWS\system32\spupdsvc.exe
2007-08-13 17:01 <DIR> d--h----- D:\WINDOWS\$hf_mig$
2007-08-13 17:01 <DIR> d-------- D:\WINDOWS\system32\bits
2007-08-13 17:00 8,192 --a------ D:\WINDOWS\system32\bitsprx2.dll
2007-08-13 17:00 7,168 --a------ D:\WINDOWS\system32\bitsprx3.dll
2007-08-13 17:00 351,232 --a------ D:\WINDOWS\system32\winhttp.dll
2007-08-13 17:00 18,944 --a------ D:\WINDOWS\system32\qmgrprxy.dll
2007-08-13 16:55 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
2007-08-13 16:54 43,352 --a------ D:\WINDOWS\system32\wups2.dll
2007-08-13 16:53 549,720 --a--c--- D:\WINDOWS\system32\dllcache\wuapi.dll
2007-08-13 16:53 549,720 --a------ D:\WINDOWS\system32\wuapi.dll
2007-08-13 16:53 33,624 --a--c--- D:\WINDOWS\system32\dllcache\wups.dll
2007-08-13 16:53 33,624 --a------ D:\WINDOWS\system32\wups.dll
2007-08-13 16:53 325,976 --a--c--- D:\WINDOWS\system32\dllcache\wucltui.dll
2007-08-13 16:53 325,976 --a------ D:\WINDOWS\system32\wucltui.dll
2007-08-13 16:53 186,136 --a------ D:\WINDOWS\system32\wuaueng1.dll
2007-08-13 16:53 167,704 --a------ D:\WINDOWS\system32\wuauclt1.exe
2007-08-13 16:53 <DIR> d--hs---- D:\DOCUME~1\JACKDA~1\UserData
2007-08-13 16:43 <DIR> d--h----- D:\WUTemp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 09:42 12400 --a------ D:\WINDOWS\system32\drivers\secdrv.sys
2007-07-30 19:19 92504 --a------ D:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ D:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 207736 --a------ D:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ D:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ D:\WINDOWS\system32\wuaueng.dll
2007-06-26 00:08 1104896 --a------ D:\WINDOWS\system32\msxml3.dll
2007-06-19 07:31 282112 --a------ D:\WINDOWS\system32\gdi32.dll
2007-06-13 04:23 1033216 --a------ D:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34688B0B-6710-4982-B6E9-6AA48CDBF63d}]
D:\WINDOWS\system32\fqpxqesn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="D:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "D:\WINDOWS\system32\wmluoyqq.dll",forkonce

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;D:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 jswimd;jswimd Service;D:\WINDOWS\system32\DRIVERS\jswimd.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 22:51:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 22:53:06 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-08-26 22:52

--- E O F ---


...and here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:18 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Apoint\Apoint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Apoint\Apntex.exe
D:\Program Files\Apoint\HidFind.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34688B0B-6710-4982-B6E9-6AA48CDBF63d} - D:\WINDOWS\system32\fqpxqesn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045621111
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045614432
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4344 bytes



#4 teacup61, Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 August 2007 - 12:23 AM

Hello,

I notice that you do not seem to be running Antivirus software or a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them!!

AVG, Avira OR Avast are good FREE antivirus programs. Some good free firewalls are Outpost or Kerio http://www.sunbelt-software.com/Kerio-Download.cfm
A tutorial on understanding and using firewalls may be found here.
Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

When you've done this, run a full system scan. Let it clean what it finds.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {34688B0B-6710-4982-B6E9-6AA48CDBF63d} - D:\WINDOWS\system32\fqpxqesn.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

In your reply, please let me know how it's running now and post a (hopefully) last HijackThis log. :thumbsup:

Thanks,
tea

Edited by teacup61, 28 August 2007 - 12:24 AM.

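To make the triage in this post reproducible on the log format the thread uses, here is an added example (not code from the thread, from HijackThis or from BleepingComputer) that parses HijackThis "O" lines into records and flags the kinds of entries a helper looks for: orphaned entries marked "(file missing)", unnamed BHOs, and random-looking lowercase DLL names under system32. The sample input is constructed from lines posted in this thread; the random-name rule is an assumed heuristic of this example, not a HijackThis feature, and the Spybot SDHelper line shows why an unnamed BHO on its own only rates "review".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the O2 block from the second log in this thread plus
# one O4 (Run key) and one O23 (service) entry, so every branch below is hit.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34688B0B-6710-4982-B6E9-6AA48CDBF63d} - D:\WINDOWS\system32\fqpxqesn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint\Apoint.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
"""

# "O2 - BHO: ..." / "O4 - HKLM\..\Run: ..." / "O23 - Service: ...":
# section code, then the kind up to the first ": ", then the payload.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s+(?P<path>.*)$")
# Heuristic (assumed, not from HijackThis): 5 to 8 lowercase letters + .dll,
# the naming pattern of the droppers listed in the ComboFix log above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Entry:
    section: str            # "O2", "O4", "O23", ...
    kind: str               # "BHO", "HKLM\..\Run", "Service", ...
    name: str               # display name, or "(no name)"
    clsid: Optional[str]    # {GUID} if the line carries one
    path: str               # file the entry points at
    file_missing: bool      # HijackThis appended "(file missing)"
    raw: str                # original line, used as the report key


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    file_missing = rest.endswith("(file missing)")
    if file_missing:
        rest = rest[: -len("(file missing)")].rstrip()
    cm = CLSID_RE.search(rest)
    clsid = cm.group(0) if cm else None
    if section == "O4":
        om = O4_RE.match(rest)
        name, path = (om.group("name"), om.group("path")) if om else ("(no name)", rest)
    else:
        # "name - {CLSID} - path" or "name - vendor - path": path is the last field.
        parts = [p.strip() for p in rest.split(" - ")]
        name = parts[0] if len(parts) > 1 else "(no name)"
        path = parts[-1]
    return Entry(section, kind, name, clsid, path.strip('"'), file_missing, line.strip())


def triage(entry: Entry) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs; "fix" = remove the entry, "review" = identify first."""
    findings: List[Tuple[str, str]] = []
    base = entry.path.replace("/", "\\").rsplit("\\", 1)[-1]
    in_system32 = "\\system32\\" in entry.path.lower()
    if entry.file_missing:
        findings.append(("fix", "orphaned entry: the file it points at no longer exists"))
    if in_system32 and RANDOM_NAME_RE.match(base):
        findings.append(("fix", "random-looking lowercase DLL name in system32 (Virtumonde-style)"))
    if entry.section == "O2" and entry.name == "(no name)":
        findings.append(("review", "unnamed BHO: identify the vendor by path before fixing"))
    return findings


def scan(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each flagged raw log line to its findings; clean lines are omitted."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = triage(entry)
        if findings:
            report[entry.raw] = findings
    return report


if __name__ == "__main__":
    for raw, findings in scan(SAMPLE_LOG).items():
        print(raw)
        for severity, reason in findings:
            print(f"    [{severity}] {reason}")
```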

#5 jack12357 (Topic Starter)

  • Members
  • 5 posts

Posted 28 August 2007 - 03:54 PM

I fixed the entry you said to, downloaded, installed and updated AntiVir, then ran AntiVir and scanned my D:\. Found 4 things in ...\my music, deleted all of them.

Did a scan with HijackThis; here's my most recent logfile:


Logfile of Trend Micro HijackThis v2.0.2 (BETA)
Scan saved at 2:43:06 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Apoint\Apoint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Apoint\Apntex.exe
D:\Program Files\Apoint\HidFind.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Jack Darcy\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045621111
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045614432
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4981 bytes

Everything seems to work correctly, but IE is all screwy: when AntiVir tried to open up an IE window, it said it was "offline" and I got the "connect or try again" screen. I'm not worried about it, since I use FF, but I thought I'd give it a mention. Also, IE says it's running with "no add-ons". Again, I couldn't care less.


Oh, and P.S.:
The forum here wouldn't let me post my logfile because I was using the 2.0.0 version of HijackThis, so I upgraded to 2.0.2, but my logfiles STILL say 2.0.0, so I just changed the version number in my logfile so it would let me post. I hope this isn't a problem.

#6 jack12357 (Topic Starter)

  • Members
  • 5 posts

Posted 28 August 2007 - 03:56 PM

Finally got it to display the right version #; here's a more recent logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:51 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Apoint\Apoint.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Apoint\Apntex.exe
D:\Program Files\Apoint\HidFind.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045621111
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187045614432
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4682 bytes
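A log like the one above is reviewed by eye, entry by entry. As an added example (not part of this thread or of HijackThis itself), the Python below parses constructed HijackThis-style O2/O4/O23 lines and flags the patterns a reviewer checks first: nameless BHOs, modules sitting directly in system32, Run keys that load a DLL through rundll32, services with no vendor, and one module wired into more than one autostart type. The sample lines and the file names under system32 are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in HijackThis log format (not copied from any real log);
# the module names under system32 are invented for this example.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - D:\\WINDOWS\\system32\\qwxzkpd.dll
O4 - HKLM\\..\\Run: [avgnt] "D:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [qwxzkpd] rundll32.exe D:\\WINDOWS\\system32\\qwxzkpd.dll,start
O23 - Service: iPod Service - Apple Inc. - D:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: Example Svc (ExampleSvc) - Unknown owner - D:\\WINDOWS\\system32\\xkqpwzd.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# A DLL/EXE placed directly in system32 (no subdirectory), a common drop location at the time.
SYS32_MODULE = re.compile(r"\\system32\\(?P<file>[^\\\s,]+\.(?:dll|exe))", re.IGNORECASE)

def review_log(text):
    """Return {log line: [reasons]} for entries worth a closer manual look.
    These are triage heuristics, not verdicts; a legitimate entry can trip them."""
    findings = defaultdict(list)
    seen_in = defaultdict(set)  # module file name -> entry types that reference it
    for line in text.splitlines():
        for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                break
        else:
            continue  # other entry types are ignored by this example
        target = m["path"] if "path" in m.groupdict() else m["cmd"]
        s = SYS32_MODULE.search(target)
        if s:
            seen_in[s["file"].lower()].add(kind)
        if kind == "O2" and m["name"] == "(no name)":
            findings[line].append("BHO registered without a display name")
        if kind == "O2" and s:
            findings[line].append("BHO module lives directly in system32")
        if kind == "O4" and s and "rundll32" in m["cmd"].lower():
            findings[line].append("Run entry loads a system32 DLL through rundll32")
        if kind == "O23" and m["vendor"].lower() == "unknown owner":
            findings[line].append("service has no identifiable vendor")
    # The same module behind both a BHO and a Run key is a persistence pattern worth noting.
    for line in text.splitlines():
        s = SYS32_MODULE.search(line)
        if s and len(seen_in[s["file"].lower()]) > 1:
            findings[line].append("module is referenced by more than one autostart type")
    return dict(findings)
```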

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 August 2007 - 04:41 PM

Hello,

Perhaps Bonjour or FlexNet has something to do with screwy IE? Other than that, everything looks great. :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle Bin and reboot your computer.

Now you get........."The Speech"!! :flowers:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

PLEASE install a Firewall. I gave you some suggestions earlier. :huh:

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#8 jack12357

jack12357
  • Topic Starter

  • Members
  • 5 posts

Posted 28 August 2007 - 10:24 PM

Seems to be in the clear now. Thanks a million!

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 August 2007 - 02:29 PM

You're welcome a million. :thumbsup:

tea

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 September 2007 - 10:30 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.