Virtumonde/ssqrp.dll Removal Help Please!


5 replies to this topic

#1 SanguinaryBoy

  • Members
  • 4 posts

Posted 18 February 2008 - 05:12 PM

I've got an infection that I cannot get rid of. I have run Ad-Aware, Spybot S&D, Autoruns (and unchecked the ssqrp files, but they come back), Housecall Anti-virus, McAfee Stinger, and I originally was using a Symantec antivirus when I first got the problem, but it was a free trial which has since expired. I believe the files causing the problem have something to do with the ssqrp.dll file in my system32 folder. They cannot be deleted most of the time, and the one time I deleted it after renaming and running in safe mode it came back. It recreates itself every time I restart my computer. I have been having an advertisement that takes over other ad spaces on webpages (including this one), and sometimes also every video screen when I go to youtube.com, that looks like the image linked here: http://82.98.235.72/banners/newbanner1/300x250.gif. The actual site it links to is this one: //85.17.166.173/go/?cmp=nm_bm3c_300x250&uid=D2BE4F8C673D49879657B725C7D051C4&guid=D2BE4F8C673D49879657B725C7D051C4&aid= which I have not been to, as I'm sure it's no good. Also, a symptom I notice is that my fan is running on my laptop all the time now, and it gets very hot when I run it for very long. I'll include a current HijackThis log below. Thank you so much for your help, I want my computer back!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:35 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.yahoo.com/help/us/music/yme/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\hadlvonp.dll",s
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\gpuihque.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 6959 bytes

Edited by KoanYorel, 18 February 2008 - 05:31 PM: to disable hot link URL above.


#2 SanguinaryBoy
  • Topic Starter

  • Members
  • 4 posts

Posted 20 February 2008 - 01:23 PM

OK, sorry to add more info, but things have changed a bit.

I did some more reading on other threads here and on a Spybot forum and learned about VundoFix. I felt pretty confident giving it a shot, and it seems to have worked. Also, I realized that because I had unchecked the ssqrp entry in my msconfig, it meant it wouldn't be showing up in my HJT log. Either way, VundoFix seems to have taken care of the ssqrp and all the 8-letter files it creates that I read about. The only thing I wasn't sure about was that it wanted to remove MSConfig from my folder, but it did not give me the option of leaving that file. I had created a system restore point and decided to go for it. So far everything seems great. The "takeover" ads I was getting are gone, everything is running faster, and my fan isn't blowing all the time. The only negative thing I've noticed is that when I type msconfig into my Run box it doesn't come up; however, I can still access it by going to the pchealth folder. I still wouldn't mind a little input to make sure everything else looks good, so I'll post my most recent HJT log and the VundoFix log as well. Thanks again in advance for checking these out for me!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:54 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.yahoo.com/help/us/music/yme/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 6414 bytes

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 8:22:15 AM 2/20/2008

Listing files found while scanning....

C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
C:\WINDOWS\system32\aloukkho.dll
C:\WINDOWS\system32\apddqmfu.dll
C:\WINDOWS\system32\cffvfkok.dll
C:\WINDOWS\system32\dlpwoyxy.dll
C:\WINDOWS\system32\dmcbgohg.dll
C:\WINDOWS\system32\dnfvtcct.dll
C:\WINDOWS\system32\ebgfrbse.dll
C:\WINDOWS\system32\endgxtba.dll
C:\WINDOWS\system32\euqhiupg.ini
C:\WINDOWS\system32\fcrlwrli.dll
C:\WINDOWS\system32\fgsotgld.dll
C:\WINDOWS\system32\fobboolg.dll
C:\WINDOWS\system32\furxifxu.dll
C:\WINDOWS\system32\gcotcxcr.dll
C:\WINDOWS\system32\ghogbcmd.ini
C:\WINDOWS\system32\gpuihque.dll
C:\WINDOWS\system32\gtbtbstq.dll
C:\WINDOWS\system32\hadlvonp.dll
C:\WINDOWS\system32\hhvrgasb.dll
C:\WINDOWS\system32\hiotdxmf.dll
C:\WINDOWS\system32\hqtdssvl.dll
C:\WINDOWS\system32\htxrveto.dll
C:\WINDOWS\system32\inqqiugt.dll
C:\WINDOWS\system32\jeqyeuxy.dll
C:\WINDOWS\system32\jxrbmenr.dll
C:\WINDOWS\system32\mhteuhud.dll
C:\WINDOWS\system32\mnetmnka.dll
C:\WINDOWS\system32\nbxnrdho.dll
C:\WINDOWS\system32\nebuvuhx.dll
C:\WINDOWS\system32\oiofhxts.dll
C:\WINDOWS\system32\ojjvnaxc.dll
C:\WINDOWS\system32\omkxmhml.dll
C:\WINDOWS\system32\orwiowmy.dll
C:\WINDOWS\system32\pdjmpnwo.dll
C:\WINDOWS\system32\pmppcrtw.dll
C:\WINDOWS\system32\qptuamww.dll
C:\WINDOWS\system32\qymcqgbb.dll
C:\WINDOWS\system32\rycmyrtx.dll
C:\WINDOWS\system32\scwkwacv.dll
C:\WINDOWS\system32\spboskyx.dll
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.exe
C:\WINDOWS\system32\tjsboeft.dll
C:\WINDOWS\system32\tlanxxaj.dll
C:\WINDOWS\system32\toghfawf.dll
C:\WINDOWS\system32\ttgcsaum.dll
C:\WINDOWS\system32\ueumackb.dll
C:\WINDOWS\system32\uoanhuje.dll
C:\WINDOWS\system32\usgsdxco.dll
C:\WINDOWS\system32\vbppcwog.dll
C:\WINDOWS\system32\vkjvbsln.dll
C:\WINDOWS\system32\vxqcwwpm.dll
C:\WINDOWS\system32\welehaoh.dll
C:\WINDOWS\system32\wwlmehbc.dll
C:\WINDOWS\system32\xjmhethj.dll
C:\WINDOWS\system32\xufmqlnf.dll
C:\WINDOWS\system32\xwevjtaf.dll
C:\WINDOWS\system32\xydbhljf.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\aloukkho.dll
C:\WINDOWS\system32\aloukkho.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\apddqmfu.dll
C:\WINDOWS\system32\apddqmfu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cffvfkok.dll
C:\WINDOWS\system32\cffvfkok.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dlpwoyxy.dll
C:\WINDOWS\system32\dlpwoyxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dmcbgohg.dll
C:\WINDOWS\system32\dmcbgohg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dnfvtcct.dll
C:\WINDOWS\system32\dnfvtcct.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ebgfrbse.dll
C:\WINDOWS\system32\ebgfrbse.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\endgxtba.dll
C:\WINDOWS\system32\endgxtba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\euqhiupg.ini
C:\WINDOWS\system32\euqhiupg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fcrlwrli.dll
C:\WINDOWS\system32\fcrlwrli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgsotgld.dll
C:\WINDOWS\system32\fgsotgld.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fobboolg.dll
C:\WINDOWS\system32\fobboolg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\furxifxu.dll
C:\WINDOWS\system32\furxifxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gcotcxcr.dll
C:\WINDOWS\system32\gcotcxcr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghogbcmd.ini
C:\WINDOWS\system32\ghogbcmd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gpuihque.dll
C:\WINDOWS\system32\gpuihque.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gtbtbstq.dll
C:\WINDOWS\system32\gtbtbstq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hadlvonp.dll
C:\WINDOWS\system32\hadlvonp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhvrgasb.dll
C:\WINDOWS\system32\hhvrgasb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hiotdxmf.dll
C:\WINDOWS\system32\hiotdxmf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hqtdssvl.dll
C:\WINDOWS\system32\hqtdssvl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\htxrveto.dll
C:\WINDOWS\system32\htxrveto.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\inqqiugt.dll
C:\WINDOWS\system32\inqqiugt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jeqyeuxy.dll
C:\WINDOWS\system32\jeqyeuxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jxrbmenr.dll
C:\WINDOWS\system32\jxrbmenr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mhteuhud.dll
C:\WINDOWS\system32\mhteuhud.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnetmnka.dll
C:\WINDOWS\system32\mnetmnka.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nbxnrdho.dll
C:\WINDOWS\system32\nbxnrdho.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nebuvuhx.dll
C:\WINDOWS\system32\nebuvuhx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oiofhxts.dll
C:\WINDOWS\system32\oiofhxts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ojjvnaxc.dll
C:\WINDOWS\system32\ojjvnaxc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\omkxmhml.dll
C:\WINDOWS\system32\omkxmhml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\orwiowmy.dll
C:\WINDOWS\system32\orwiowmy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pdjmpnwo.dll
C:\WINDOWS\system32\pdjmpnwo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmppcrtw.dll
C:\WINDOWS\system32\pmppcrtw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qptuamww.dll
C:\WINDOWS\system32\qptuamww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qymcqgbb.dll
C:\WINDOWS\system32\qymcqgbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rycmyrtx.dll
C:\WINDOWS\system32\rycmyrtx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\scwkwacv.dll
C:\WINDOWS\system32\scwkwacv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\spboskyx.dll
C:\WINDOWS\system32\spboskyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.exe
C:\WINDOWS\system32\ssqrp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tjsboeft.dll
C:\WINDOWS\system32\tjsboeft.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tlanxxaj.dll
C:\WINDOWS\system32\tlanxxaj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\toghfawf.dll
C:\WINDOWS\system32\toghfawf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttgcsaum.dll
C:\WINDOWS\system32\ttgcsaum.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ueumackb.dll
C:\WINDOWS\system32\ueumackb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uoanhuje.dll
C:\WINDOWS\system32\uoanhuje.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\usgsdxco.dll
C:\WINDOWS\system32\usgsdxco.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vbppcwog.dll
C:\WINDOWS\system32\vbppcwog.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vkjvbsln.dll
C:\WINDOWS\system32\vkjvbsln.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vxqcwwpm.dll
C:\WINDOWS\system32\vxqcwwpm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\welehaoh.dll
C:\WINDOWS\system32\welehaoh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wwlmehbc.dll
C:\WINDOWS\system32\wwlmehbc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xjmhethj.dll
C:\WINDOWS\system32\xjmhethj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xufmqlnf.dll
C:\WINDOWS\system32\xufmqlnf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xwevjtaf.dll
C:\WINDOWS\system32\xwevjtaf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xydbhljf.dll
C:\WINDOWS\system32\xydbhljf.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 9:00:36 AM 2/20/2008

Listing files found while scanning....

C:\WINDOWS\system32\vkjvbsln.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vkjvbsln.dll
C:\WINDOWS\system32\vkjvbsln.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vkjvbsln.dll
C:\WINDOWS\system32\vkjvbsln.dll Has been deleted!

Performing Repairs to the registry.
Done!
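As an added example (not part of this thread, HijackThis, VundoFix or MBAM), here is a small Python checker that scans HijackThis log lines for the Vundo-style persistence indicators visible in the logs above: an O4 Run entry that starts rundll32 on an eight-letter DLL straight out of system32 with a single-letter export, an F3 win.ini load= entry, and an O10 broken-LSP line. The sample log is constructed from lines in the posted logs, and the "eight-letter name" and "hex-looking value name" heuristics are my own assumptions about the pattern, not a signature from any tool.

```python
"""Flag Vundo-style persistence entries in a HijackThis v2 log (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, plus benign neighbours so the filter has something to pass over.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\hadlvonp.dll",s
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\gpuihque.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# O4 Run/RunOnce entry that launches rundll32 on a DLL; captures the value
# name, the DLL path and the export name that follows the comma (if any).
RUNDLL_RE = re.compile(
    r'^O4 - HK(?:LM|CU|US\\[^\\]+)\\\.\.\\Run(?:Once)?: '
    r'\[(?P<name>[^\]]*)\] rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?'
    r'(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)
# F3 line: a win.ini "load=" program (HKCU\...\Windows\Load in the registry).
WININI_LOAD_RE = re.compile(r'^F3 - REG:win\.ini: load=(?P<path>.+)$', re.IGNORECASE)
# Heuristic (assumption): a DLL directly in system32 with an 8-letter name.
EIGHT_LETTER_SYS32_RE = re.compile(r'\\system32\\[a-z]{8}\.dll$', re.IGNORECASE)
# Heuristic (assumption): Run value names that are mostly hex digits.
HEXISH_NAME_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{6,}$', re.IGNORECASE)


def classify_rundll_entry(m) -> List[str]:
    """Return the reasons an O4 rundll32 entry looks like Vundo-style
    persistence; an empty list means nothing suspicious was seen."""
    reasons: List[str] = []
    dll, export, name = m.group("dll"), m.group("export"), m.group("name")
    if EIGHT_LETTER_SYS32_RE.search(dll):
        reasons.append("rundll32 loads an 8-letter DLL straight from system32")
    if export is not None and len(export) == 1:
        reasons.append(f"single-letter export '{export}'")
    if HEXISH_NAME_RE.match(name):
        reasons.append(f"hex-looking Run value name '{name}'")
    return reasons


def scan_hjt_log(text: str) -> List[Finding]:
    """Scan HijackThis log text and return the suspicious entries in order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUNDLL_RE.match(line)
        if m:
            reasons = classify_rundll_entry(m)
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
            continue
        m = WININI_LOAD_RE.match(line)
        if m:
            # Almost nothing legitimate uses win.ini load= on XP; Vundo did.
            findings.append(Finding("F3", f"win.ini load= runs {m.group('path')}", line))
            continue
        if line.startswith("O10 - Broken Internet access"):
            # Not malware by itself, but a broken LSP chain can cut network
            # access after a cleanup tool removes a provider DLL.
            findings.append(Finding("O10", "LSP chain references a missing DLL", line))
    return findings


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

One caveat the poster ran into: entries unchecked in msconfig are moved out of the Run keys, so they no longer appear as O4 lines; scan the log before disabling anything.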

#3 rookie147

  • Members
  • 5,321 posts

Posted 20 February 2008 - 05:45 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

Please download Malwarebytes' Anti-Malware from here.
Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click "Finish".
  • If an update is found, it will download and install the latest version.
  • Once the programme has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click "OK", then "Show Results" to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab in MBAM.
Please include the MBAM log with a fresh HijackThis log in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 SanguinaryBoy
  • Topic Starter

  • Members
  • 4 posts

Posted 20 February 2008 - 08:14 PM

Hi Charles.

I followed your instructions. I ended up running MBAM a couple of times, as it said it was going to delete files at reboot, but all I got was an error message every time with the heading "Hotkey.exe" saying that ssqrp.dll was not a valid image file and could not be opened. Here are the logs from that, and the "fluffybunny" log.

Thanks!!

N.

P.S. After trying all of these options I am suddenly getting a popup from adnetserver. I also failed to mention that, shortly after getting infected a month ago, my IE was rendered nearly inoperable because of popups or being routed to other sites, so I am running only Firefox now and get way less of that. Thanks again!

Malwarebytes' Anti-Malware 1.04
Database version: 385

Scan type: Quick Scan
Objects scanned: 24364
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lbcbjoqe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ssqrp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d706187-908c-4499-ac16-fa8adc3c0974} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d706187-908c-4499-ac16-fa8adc3c0974} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Vundo) -> Data: c:\windows\system32\ssqrp.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lbcbjoqe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eqojbcbl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqrp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.04
Database version: 385

Scan type: Quick Scan
Objects scanned: 24219
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ssqrp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52a7e7fb-5117-4d93-92eb-650c3ea65d5e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{52a7e7fb-5117-4d93-92eb-650c3ea65d5e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Vundo) -> Data: c:\windows\system32\ssqrp.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ssqrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqrp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.04
Database version: 385

Scan type: Quick Scan
Objects scanned: 24153
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ssqrp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d125680d-9959-41a8-94af-81a020107bad} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d125680d-9959-41a8-94af-81a020107bad} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Vundo) -> Data: c:\windows\system32\ssqrp.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ssqrp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqrp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:33 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.yahoo.com/help/us/music/yme/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {DFC60B75-82B7-430E-A761-686114666573} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: {65a87d82-21fc-edcb-e864-edff63d549af} - {fa945d36-ffde-468e-bcde-cf1228d78a56} - C:\WINDOWS\system32\cmxrtasa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\wuuhdvgn.dll",s
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\uuhkylpw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 7670 bytes

Edited by SanguinaryBoy, 20 February 2008 - 09:52 PM.


#5 SanguinaryBoy (Topic Starter)

Posted 21 February 2008 - 02:30 AM

Sorry to keep adding things, but I encountered some new problems this evening.

I went to watch a DVD and got no response when I hit play. I opened Device Manager and discovered that my IDE ATA/ATAPI Controllers had an error in the Secondary IDE Channel (something I wasn't necessarily surprised at, since I had issues with my DVD-ROM before and Toshiba techs had me uninstall and reinstall that driver). However, this time, after uninstalling and reinstalling the driver, it keeps on getting an error on the CD/DVD drive saying "A driver (service) for this device has been disabled. An alternate driver may be providing this functionality. (Code 32)", and when I try to update the driver, it says the current driver is up to date.
Another item on my device driver list that has a bright yellow exclamation point on it is under Network Adapters, WAN miniport (ATW). I don't even know what this does, so I have yet to try to repair it. When I discovered all this, I decided to return to a system restore point I created this morning, but when I did, it was gone. There was only one listed from this evening that was probably automatically created when I downloaded MBAM. Does MBAM, HJT, or Spybot remove old restore points, or is this part of my virus? Sorry to keep posting more info; I'm not sure whether this is all coincidence, but it seems like maybe not?

Thanks again for your time!

N.

P.S. just in case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:01 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.yahoo.com/help/us/music/yme/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {484BBEEB-74FF-47BE-BFA0-223BED8A705B} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {b2d383b8-cb42-6428-a5c4-ab0c550a54bb} - {bb45a055-c0ba-4c5a-8246-24bc8b383d2b} - C:\WINDOWS\system32\slovwyxx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\xjxlnrhb.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\daxbpcwq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 7641 bytes

#6 rookie147


Posted 22 February 2008 - 05:10 PM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, where there will be no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {484BBEEB-74FF-47BE-BFA0-223BED8A705B} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: {b2d383b8-cb42-6428-a5c4-ab0c550a54bb} - {bb45a055-c0ba-4c5a-8246-24bc8b383d2b} - C:\WINDOWS\system32\slovwyxx.dll
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\xjxlnrhb.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\daxbpcwq.dll",s


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Find and delete the following files (if present):

C:\WINDOWS\system32\xjxlnrhb.dll
C:\WINDOWS\system32\daxbpcwq.dll

Reboot into Normal Mode again.

Then I'd like to see a new HijackThis log, please.

If you are pleased with the service I have offered, you may like to consider making a donation.
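The entries rookie147 singles out above follow a pattern that repeats across every HijackThis and MBAM log in this thread: a win.ini `load=` pointing at a system32 executable, BHOs with no name (or a GUID where the name should be) loading a randomly named DLL from system32, `Run` keys that call `rundll32` on a system32 DLL with a one-letter export, and a companion `.ini`/`.ini2` whose name is the DLL's base name spelled backwards (ssqrp.dll alongside prqss.ini, lbcbjoqe.dll alongside eqojbcbl.ini). The script below is an added example, not code from this thread or from HijackThis: it applies those heuristics to log lines copied from the 2/20/2008 log posted above (plus a few benign entries so something is left alone) and lists the reversed-name companions to look for while in Safe Mode. The regular expressions and the "one-letter export" rule are my generalization from this thread's logs, not a documented Vundo specification, and a hit means "inspect this", not "delete this".

```python
import re

# Constructed sample input: HijackThis entries copied from the 2/20/2008 log
# in this thread, plus benign entries (Acrobat, DriveLetterAccess, Synaptics)
# that the triage should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {484BBEEB-74FF-47BE-BFA0-223BED8A705B} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: {b2d383b8-cb42-6428-a5c4-ab0c550a54bb} - {bb45a055-c0ba-4c5a-8246-24bc8b383d2b} - C:\WINDOWS\system32\slovwyxx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\xjxlnrhb.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\daxbpcwq.dll",s
"""

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
# O4 line whose command is rundll32 loading a DLL directly from system32 and
# calling a one-letter export, e.g. rundll32.exe "C:\WINDOWS\system32\xjxlnrhb.dll",b
RUN_RE = re.compile(
    r'^O4 - .*: \[(?P<key>[^\]]+)\] rundll32(?:\.exe)? "?'
    r'(?P<path>[^"]*\\system32\\[a-z0-9]+\.dll)"?,(?P<export>[a-z])\s*$', re.I)
# F3 line: win.ini load= autorun (heuristic: nothing on this XP box should use it)
LOAD_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>\S.*)$")


def companion_names(dll_path):
    """Return the .ini/.ini2 paths that, by the pattern in this thread's MBAM
    logs, sit next to a Vundo DLL: the DLL's base name reversed
    (ssqrp.dll -> prqss.ini, lbcbjoqe.dll -> eqojbcbl.ini)."""
    folder, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    reversed_stem = stem[::-1]
    return [f"{folder}\\{reversed_stem}.ini", f"{folder}\\{reversed_stem}.ini2"]


def triage(log_text):
    """Return the HijackThis entries worth checking, each with its reason."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOAD_RE.match(line)
        if m:
            hits.append({"kind": "F3", "path": m["path"], "line": line,
                         "reason": "win.ini load= autorun entry"})
            continue
        m = BHO_RE.match(line)
        if m:
            # Only an unnamed or GUID-named BHO that lives in system32 is flagged;
            # a properly named system32 BHO (DriveLetterAccess) passes.
            if "\\system32\\" in m["path"].lower() and (
                    m["name"] == "(no name)" or GUID_RE.match(m["name"])):
                hits.append({"kind": "O2", "path": m["path"], "line": line,
                             "reason": "unnamed/GUID-named BHO loaded from system32",
                             "companions": companion_names(m["path"])})
            continue
        m = RUN_RE.match(line)
        if m:
            hits.append({"kind": "O4", "path": m["path"], "line": line,
                         "reason": f"rundll32 of a system32 DLL with one-letter "
                                   f"export '{m['export']}' under Run key [{m['key']}]",
                         "companions": companion_names(m["path"])})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["kind"], h["path"], "-", h["reason"])
        for c in h.get("companions", []):
            print("    also check:", c)
```

Run against the sample, it flags the five entries rookie147 listed (the F3 load line, the two system32 BHOs, the two rundll32 Run keys) and leaves the Acrobat, DriveLetterAccess and Synaptics entries alone; for each flagged DLL it prints the reversed-name `.ini` and `.ini2` to check for, which is why the MBAM logs above keep finding `prqss.ini` next to `ssqrp.dll`. Because the DLL names change on every reboot, the rules key on structure (location, missing name, one-letter export) rather than on any particular file name.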