
Infected By Qcwpung.exe With Autorun.ini


12 replies to this topic

#1 div_dib


Posted 01 September 2008 - 11:57 AM

Hey, I am infected by qcwpung.exe.

I can't open HijackThis.

I also can't boot into safe mode.

Even I can't end the explorer.exe process; when I end the process tree of explorer.exe, it starts again the next moment.

And I can't run msconfig either, but I did manage to show hidden files with some registry tricks.

So finally I ran combofix.exe, but I couldn't disinfect my PC. :thumbsup:

ComboFix removed all the autorun.inf files, but after the scan finished I found autorun.ini and qcwpung.exe on every local drive.

May I send you the ComboFix log file, since I can't open HijackThis?

Waiting for a positive reply.

regards
Divyesh Bardoliwala

Edited by Orange Blossom, 01 September 2008 - 08:19 PM.
Move to more appropriate forum. ~ OB



#2 div_dib


Posted 02 September 2008 - 01:07 PM

Please......... help!

#3 DaChew


Posted 02 September 2008 - 01:25 PM

We will need a healthy computer and a USB drive to work on your broken computer.

http://www.bleepingcomputer.com/forums/ind...st&p=913677

You will need to disinfect and immunize your USB drive to prevent spreading the infection further.
Chewy

No. Try not. Do... or do not. There is no try.

#4 div_dib


Posted 03 September 2008 - 07:58 AM

I already cleaned my USB drive from the laptop.

Now what to do?

#5 DaChew


Posted 03 September 2008 - 08:24 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry932243

Would you use the USB drive to download MBAM and the manual definition update file, then install and run it on the infected computer?

You did immunize the USB drive?

#6 div_dib


Posted 03 September 2008 - 11:07 AM

Yes, I did it, but it doesn't solve my problem.

#7 DaChew


Posted 03 September 2008 - 11:43 AM

The directions I linked to specified that you post a log in a reply.

Removing malware can be a very intricate process.

It requires your full cooperation.

I am volunteering my time in an effort to repay some of the help I got here; please don't waste my time.

#8 div_dib


Posted 03 September 2008 - 11:46 AM

OK.

My log file is below.

ComboFix 08-08-30.03 - user 2008-09-01 21:36:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.95 [GMT 5.5:30]
Running from: D:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\meex.exe
D:\Autorun.inf
E:\autorun.inf
F:\Autorun.inf
H:\autorun.inf
.
---- Previous Run -------
.
C:\DOCUME~1\user\LOCALS~1\Temp\tmp2.tmp
C:\Documents and Settings\user\My Documents\My Music\My Music.url
C:\Documents and Settings\user\My Documents\My Pictures\My Pictures.url
C:\Program Files\Applications\iebr.dll
C:\Program Files\Applications\iebu.exe
C:\Program Files\Applications\myd.ico
C:\Program Files\Applications\mym.ico
C:\Program Files\Applications\myp.ico
C:\Program Files\Applications\myv.ico
C:\Program Files\Applications\ot.ico
C:\Program Files\Applications\ts.ico
C:\Program Files\meex.exe
C:\Program Files\UAV
C:\Program Files\UAV\uav.ooo
C:\Program Files\UAV\uav1.dat
C:\WINDOWS\svchost.ini
C:\WINDOWS\system32\377186
C:\WINDOWS\system32\377186\377186.dll
C:\WINDOWS\system32\drivers\msliksurserv.sys
C:\WINDOWS\system32\sexit.dat
C:\WINDOWS\system32\wav.cpl
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
H:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-09-01 21:15 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-01 21:15 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-01 21:15 . 2008-08-31 00:53 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-01 21:15 . 2008-08-27 15:17 87,040 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-01 21:15 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-09-01 21:15 . 2008-08-28 22:36 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-09-01 21:15 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-01 21:15 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-09-01 21:04 . 2008-08-31 02:18 2,840,693 -ra--c--- C:\ComboFix.exe
2008-08-27 23:10 . 2008-08-27 23:10 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-08-27 04:24 . 2008-09-01 21:07 <DIR> d-------- C:\Program Files\AntToolbar
2008-08-24 22:02 . 2008-09-01 21:01 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 21:59 . 2008-08-31 22:15 <DIR> d-------- C:\Program Files\Malware Removal Tool
2008-08-24 20:55 . 2008-08-22 15:29 165,376 --a------ C:\WINDOWS\system32\uav.cpl
2008-08-22 23:18 . 2008-08-15 19:30 167,424 --a------ C:\WINDOWS\system32\aav.cpl
2008-08-22 22:54 . 2008-08-22 22:54 <DIR> d-------- C:\Documents and Settings\user\Application Data\setup_1096_MTUxOHwzNXww_
2008-08-22 22:47 . 2008-08-31 22:26 <DIR> d-------- C:\Program Files\WAV
2008-08-22 22:15 . 2008-08-22 22:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\setup_1096_MTUxOHwzNXww_[1]
2008-08-22 22:02 . 2008-08-28 23:02 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-08-22 22:02 . 2008-08-22 22:02 <DIR> d-------- C:\Documents and Settings\user\Application Data\Sammsoft
2008-08-22 21:45 . 2008-09-01 21:02 <DIR> d-------- C:\Program Files\Cat Computer
2008-08-22 21:45 . 2008-08-22 22:07 12,424 --a------ C:\WINDOWS\system32\drivers\EMLTDI.SYS
2008-08-22 02:42 . 2008-08-22 02:41 30,208 --a------ C:\WINDOWS\system32\ubpr01.exe.ren
2008-08-21 22:47 . 2008-08-21 22:47 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-08-17 12:02 . 2008-06-13 18:40 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-17 12:02 . 2008-06-13 18:40 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-15 19:25 . 2008-08-18 03:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-09 20:44 . 2008-08-09 20:44 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 16:05 1,732 ----a-w C:\WINDOWS\system32\tmp.reg
2008-09-01 15:37 --------- d-----w C:\Program Files\Google
2008-08-31 16:36 --------- d-----w C:\Program Files\VideoConverter
2008-08-09 15:14 --------- d-----w C:\Program Files\Common Files\Real
2008-08-09 15:13 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-08-09 15:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-28 16:29 38 ----a-w C:\Documents and Settings\user\Application Data\svighost.dll
2008-07-28 16:28 --------- d-----w C:\Program Files\USBScan
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 07:37 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-07-01 06:32 --------- d-----w C:\Program Files\PopCap Games
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-12-04 06:09 57 ----a-w C:\Program Files\InstErr.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\ARO.exe" [2008-04-09 14:22 2135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-13 12:35 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-13 12:35 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-13 12:35 94208]
"qcwpung"="C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe" [2007-09-20 11:47 26483]
"xvxpfgk"="C:\Program Files\Common Files\System\wshmrye.exe" [2007-09-20 11:47 26483]
"Email Protection"="C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE" [2008-08-22 21:45 267640]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 12:32 16116224 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AgentSvr.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AppSvc32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AST.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSvcHst.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileDsty.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FTCleanerShell.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FYFireWall.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ghost.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\irsetup.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\isPwdSvc.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KaScrScn.SCR]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSetup.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KISLnchr.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMailMon.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMFilter.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRepair.com]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KsLoader.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvfwMcl.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP_1.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvReport.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVScan.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVStub.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP_1.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch9x.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchX.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapw32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NPFMntor.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QHSET.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQKav.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQLiveUpdate.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQSC.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQUpdateCenter.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegClean.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SysSafe.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Timwp.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAgent.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAttachment.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxCfg.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxFwHlp.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxPol.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\upiea.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\USBCleaner.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsstat.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\webscanx.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zjb.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S4 VFILT;Quick Heal Kernel Driver;C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\FILTNT.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Movie1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41f4c44-6f78-11dd-9653-0019d17b10a6}]
\Shell\AutoRun\command - H:\qcwpung.exe
\Shell\explore\Command - H:\qcwpung.exe
\Shell\open\Command - H:\qcwpung.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\94wgc33u.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 21:39:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-09-01 21:44:00 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-09-01 16:13:54

Pre-Run: 12,879,433,728 bytes free
Post-Run: 12,820,275,200 bytes free

411 --- E O F --- 2008-09-01 16:13:01

#9 DaChew (Visiting Alien, BC Advisor)

Posted 03 September 2008 - 12:02 PM

My directions were to run Malwarebytes' Anti-Malware, not ComboFix.

That was the log I was asking for.
Chewy

No. Try not. Do... or do not. There is no try.

#10 div_dib (Topic Starter)

Posted 04 September 2008 - 07:05 AM

I'm not able to run any kind of software.

As soon as I run it, it closes automatically.
I also tried HijackThis, but it also closed automatically,
so I sent you this log.

#11 DaChew (Visiting Alien, BC Advisor)

Posted 04 September 2008 - 07:30 AM

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.

This is posted in blue at the top of the page for good reason.

I can appreciate the dilemma you face.

Try renaming HijackThis.

Even change the extension from .exe to .com,

like divdib.com.
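The ComboFix log posted above shows three patterns worth recognising: a long run of Image File Execution Options keys whose "Debugger" value points every listed security tool at the same binary (hnkpcwn.exe), MountPoints2 autorun/open/explore commands for every drive letter and for one volume GUID, and Security Center values set to 1 so that disabled antivirus and updates raise no notification. IFEO "Debugger" redirection is matched on the executable's file name, which is exactly why the advice to rename HijackThis (and even change its extension) can sidestep it. The following triage script is an added example, not ComboFix's own code or anything from this thread: it parses a dump in the same format as the posted log and reports those three findings. SAMPLE_LOG is constructed to mirror the posted format (the notepad.exe/ntsd.exe entry is invented to show a legitimate IFEO debugger passing the check), and KNOWN_DEBUGGERS is an assumed allow-list you would adjust for your own environment.

```python
"""Triage a ComboFix-style registry dump for IFEO "Debugger" hijacks,
MountPoints2 autorun commands and Security Center overrides.
Added example; SAMPLE_LOG is constructed in the posted log's format and
KNOWN_DEBUGGERS is an assumed allow-list, not a ComboFix feature."""
import re
from collections import defaultdict

# Debuggers that legitimately appear as an IFEO "Debugger" value (assumption).
# Any other target, or one binary set as debugger for many programs, is a hijack.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
MAX_PROGRAMS_PER_DEBUGGER = 3

SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "AntiVirusOverride",
                         "UpdatesDisableNotify", "FirewallDisableNotify",
                         "FirewallOverride"}

KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                      # "Name"=data
MOUNT_RE = re.compile(r"^\\Shell\\(\w+)\\[Cc]ommand - (.+)$")   # \Shell\verb\command - exe


def parse_blocks(text):
    """Yield (key_path, [value lines]) for each [key] section of the dump."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, lines
            key, lines = m.group(1), []
        elif key is not None and line:
            lines.append(line)
    if key is not None:
        yield key, lines


def dword(data):
    """Integer value of a 'dword:0000000x' literal, or None for other data."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else None


def triage(text):
    """Return findings: suspicious IFEO debuggers, autorun commands, SC overrides."""
    by_debugger = defaultdict(list)   # debugger path -> programs redirected to it
    autorun = []                      # (drive letter or volume GUID, verb, command)
    overrides = []                    # Security Center values set to 1
    for key, lines in parse_blocks(text):
        lower, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "\\image file execution options\\" in lower:
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1).lower() == "debugger":
                    by_debugger[m.group(2).strip().strip('"')].append(leaf)
        elif "\\mountpoints2\\" in lower:
            for line in lines:
                m = MOUNT_RE.match(line)
                if m:
                    autorun.append((leaf, m.group(1), m.group(2).strip()))
        elif lower.endswith("\\security center"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1) in SECURITY_CENTER_FLAGS and dword(m.group(2)) == 1:
                    overrides.append(m.group(1))
    hijacks = {dbg: sorted(progs) for dbg, progs in by_debugger.items()
               if dbg.rsplit("\\", 1)[-1].lower() not in KNOWN_DEBUGGERS
               or len(progs) > MAX_PROGRAMS_PER_DEBUGGER}
    return {"ifeo_hijacks": hijacks,
            "mountpoints2_autorun": autorun,
            "security_center_overrides": sorted(overrides)}


# Constructed sample in the posted log's format; not a dump from a real machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\USBCleaner.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsstat.exe]
"Debugger"=C:\Program Files\Common Files\Microsoft Shared\hnkpcwn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"=C:\WINDOWS\system32\ntsd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41f4c44-6f78-11dd-9653-0019d17b10a6}]
\Shell\AutoRun\command - H:\qcwpung.exe
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

Run it against a saved log with `triage(open("log.txt").read())`. The allow-list is deliberately small: the stronger signal in the posted log is not the debugger's name but that one binary is registered for dozens of unrelated programs, which the MAX_PROGRAMS_PER_DEBUGGER threshold catches even if the attacker reuses a legitimate-looking file name.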

#12 div_dib (Topic Starter)

Posted 08 September 2008 - 10:49 AM

Sorry for not replying; the internet was not working.

And thanks for the support.

I solved this problem by removing the HDD, attaching it to another PC and removing all those bugs; now it works OK.

Thanks
Divyesh

#13 DaChew (Visiting Alien, BC Advisor)

Posted 08 September 2008 - 10:55 AM

I am glad that worked. I haven't done that in years. I would still run some scans from within Windows after getting the hard drive back as the system one.
