Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Just Cleared VCMnett11, check log for any other bad news


  • This topic is locked This topic is locked
6 replies to this topic

#1 Smittyktm

Smittyktm

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 23 May 2005 - 04:12 PM

Here's my log, any thing here I need to fix?

Logfile of HijackThis v1.99.1
Scan saved at 3:57:57 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\psoft1.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\System32\crerag.exe
C:\WINDOWS\System32\dsound.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dipu.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\windows\system32\chwixra.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteved32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rpmlrr.exe reg_run
O4 - HKLM\..\Run: [AutoLoader0wut1OTLOWLK] "C:\WINDOWS\System32\ctlrops.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [035R34O] ctlrops.exe
O4 - HKLM\..\Run: [rddqvca] c:\windows\system32\chwixra.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H0u5RQiFV] crerag.exe
O4 - HKCU\..\Run: [dsound] C:\WINDOWS\System32\dsound.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:59 PM

Posted 24 May 2005 - 04:16 PM

Hello Smittyktm and welcome to BleepingComputer.

Download and install the trial version of Ewido Security Suite.
  • Launch Ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update; click the OK button.
  • The program will now go to the main screen.
  • On the left hand side of the main screen click update.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido.


Reboot into Safe Mode.


Run Ewido:
  • Click on scanner.
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan.
  • Let the program scan the machine.
While the scan is in progress you will be prompted to clean files, click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report.
  • Save the report to your desktop.
Reboot normally.


Run a fresh HJT scan and save the log.

Still within Hijackthis 1.99.1
  • Click the Config... button, then go to the Misc Tools section.
  • Click on Open Uninstall Manager. You'll see a list of programs.
  • Click on Save List...
The file uninstall_list.txt will be created.
Copy and paste the contents of this file to your next reply along with the Ewido report and the fresh HJT log.
Derfram
~~~~~~

#3 Smittyktm

Smittyktm
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 01 June 2005 - 12:00 PM

OK, here's the new stuff.

EWIDO Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:47:29 AM, 6/1/2005
+ Report-Checksum: 1E09412F

+ Date of database: 6/1/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 62442
+ Speed: 26.37 Files/Second
+ Infected files: 20
+ Removed files: 20
+ Files put in quarantine: 20
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/System32/nvms.dll -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.ExactSearchBar -> Cleaned with backup
C:\WINDOWS\system32\Ljiaks.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\WINDOWS\system32\main.exe -> TrojanDownloader.Agent.hw -> Cleaned with backup
C:\WINDOWS\system32\modgxyz.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\system32\nsy53.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack.b -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack.d -> Cleaned with backup
C:\WINDOWS\system32\psoft1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\system32\qenxrf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\system32\qkbgq.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\Qool.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\system32\rpmlrr.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\unpack.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\Temp\ClrSch\FNuninstaller.EXE -> Spyware.ClearSearch.n -> Cleaned with backup
C:\WINDOWS\tywcqoxi.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End

HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 11:49:06 AM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.maxifiles.com/toolbar/sidebar.p...id=%AffiliateID
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: MaxiFiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\MaxiFiles\maxifiles.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hfinegb.dll (file missing)
O2 - BHO: SDWin32 Class - {5FAAEEC7-58B7-45FE-BAB5-5771C31873A5} - C:\WINDOWS\System32\qenxr.dll
O2 - BHO: SDWin32 Class - {A689FCA9-FC91-4A8A-A94F-DFC429A74D67} - C:\WINDOWS\System32\qenxr.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: MaxiFiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\MaxiFiles\maxifiles.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoLoader0wut1OTLOWLK] "C:\WINDOWS\System32\ctlrops.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [035R34O] ctlrops.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7670.exe" /PC=WB.RL /HideUninstall /HideDir
O4 - HKLM\..\Run: [qenxrc] C:\WINDOWS\System32\qenxrc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H0u5RQiFV] crerag.exe
O4 - HKCU\..\Run: [dsound] C:\WINDOWS\System32\dsound.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: hgiueaj - Unknown owner - C:\WINDOWS\system32\hgiueaj.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Uninstall List
Ad-Aware SE Personal
Adobe Acrobat 5.0
Ahead InCD EasyWrite Reader
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Classroom Performance System
Content Delivery Module
CPS Tutorial
Desktop Weather by The Weather Channel
ewido security suite
Google Toolbar for Internet Explorer
GyroTools PC Edition
HijackThis 1.99.1
Hoyle Board Games 3
Hoyle Casino 4
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Java 2 Runtime Environment, SE v1.4.2_04
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand MX
MaxiFiles
Media Access
Microsoft Office 2000 Premium
Nero - Burning Rom
PowerDVD
QuickTime
RealPlayer
The ABI Network- A Division of Direct Revenue
The Weather Channel
Windows XP Hotfix - KB823980
Windows XP Service Pack 1a

Thank you for all the help.

Mion

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:59 PM

Posted 02 June 2005 - 03:51 PM

You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer then double click on Local Disk (C:). In a clear area right click and select New then Folder and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder.


Open the Control Panel then double click on Add/Remove Programs. Look for the following and uninstall them if found:

- Media Access
- The ABI Network- A Division of Direct Revenue



Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.maxifiles.com/toolbar/sidebar.p...id=%AffiliateID
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: MaxiFiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\MaxiFiles\maxifiles.dll

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hfinegb.dll (file missing)
O2 - BHO: SDWin32 Class - {5FAAEEC7-58B7-45FE-BAB5-5771C31873A5} - C:\WINDOWS\System32\qenxr.dll
O2 - BHO: SDWin32 Class - {A689FCA9-FC91-4A8A-A94F-DFC429A74D67} - C:\WINDOWS\System32\qenxr.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: MaxiFiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\MaxiFiles\maxifiles.dll

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoLoader0wut1OTLOWLK] "C:\WINDOWS\System32\ctlrops.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [035R34O] ctlrops.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7670.exe" /PC=WB.RL /HideUninstall /HideDir
O4 - HKLM\..\Run: [qenxrc] C:\WINDOWS\System32\qenxrc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKCU\..\Run: [H0u5RQiFV] crerag.exe

O23 - Service: hgiueaj - Unknown owner - C:\WINDOWS\system32\hgiueaj.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINDOWS\System32\qenxr.dll <--Files
C:\WINDOWS\System32\ctlrops.exe
C:\WINDOWS\System32\qenxrc.exe
C:\WINDOWS\System32\guarnset.exe
C:\WINDOWS\System32\crerag.exe

C:\Program Files\VBouncer\ <--Folder

If any of these resist being deleted, boot into Safe Mode and try from there.


Still within HijackThis, click on the Config... button.
- Click on the Misc Tools.
- Click on Delete an NT Service....
- Copy and paste into the dialog box hgiueaj and click OK.
- Do the same for ZESOFT.
- Close HijackThis.

Reboot normally.

Please download FindQoologic from here:
http://forums.net-integration.net/index.ph...=post&id=134981
Unzip it to the desktop and run Find-Qoologic2.bat. This will generate a log file.

Please post the entire contents of that log file along with a fresh HJT log.

Edited by ddeerrff, 02 June 2005 - 04:00 PM.

Derfram
~~~~~~

#5 Smittyktm

Smittyktm
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 02 June 2005 - 04:58 PM

Alright, here's HJT

Logfile of HijackThis v1.99.1
Scan saved at 4:55:03 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HJT\HijackThis\HijackThis.exe

O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [dsound] C:\WINDOWS\System32\dsound.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADE83199-0236-47E2-AD2A-36411E403203}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



and FindQoo log

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
hp psc 1000 series.lnk
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxtsggxt
<NO NAME> REG_SZ {d309f5b4-e79a-4a02-9390-aafac400cbf7}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 16:50
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\INF\unregmp2.exe /ShowWMP" [MS]



THANK YOU.

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:59 PM

Posted 02 June 2005 - 07:43 PM

The lines referencing [DNS] and 'Catcher.dll' have very little info available. They would appear to refer to a Download manager "ReGet Deluxe". If you have ReGet Deluxe installed, do not remove the HJT lines I have coded in orange.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKCU\..\Run: [dsound] C:\WINDOWS\System32\dsound.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

If you DO NOT have "ReGet Deluxe" installed, also mark these lines:

O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe


With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Still within HijackThis, click on the Config... button.
- Click on the Misc Tools.
- Click on Delete an NT Service....
- Copy and paste into the dialog box SvcProc and click OK.
- Close HijackThis.


Ewido seems to have gotten most of your QooLogic infection, just a bit of cleanup to do:

Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & pastes the following block of text into Notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gxtsggxt]

[-HKEY_CLASSES_ROOT\CLSID\{d309f5b4-e79a-4a02-9390-aafac400cbf7}]

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad.

Then double-click on the fix.reg file, and when it prompts to merge say yes.


Reboot and post a fresh HJT log please. How are things running?
Derfram
~~~~~~

#7 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:59 PM

Posted 16 June 2005 - 12:11 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users