
Possible infection(s) with Qhost / redirect


  • This topic is locked
3 replies to this topic

#1 Trishax

  • Members
  • 1 posts

Posted 11 June 2012 - 06:46 AM

Hi,

Recently I had a few warnings about Qhost malware from ESET Smart Security. The hosts file had been in use for a long time and I never had any problems with it before. I got it from the author's site [hxxp://winhelp2002.mvps.org/hosts.zip]. I have installed a new version from this site and received no warning anymore. A few weeks ago connections to sites were sometimes slow or timed out, while at other times it went very fast like it should. Now it seems okay again.

Using 1 PC (Win 7 x64) connected to a Fritzbox. Running ESET Smart Security, Malwarebytes and SpywareBlaster, and Firefox running in Sandboxie except for FF updates. I am not sure if possible infections are handled and removed. Maybe an expert can have a look at it.



DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Sapphire at 12:28:03 on 2012-06-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.4094.2631 [GMT 2:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SysWOW64\HsMgr.exe
C:\Windows\system\HsMgr64.exe
C:\Program Files\ASUS Xonar DS Audio\Customapp\ASUSAUDIOCENTER.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Users\Sapphire\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe
C:\Program Files (x86)\BitMeter\BitMeter2.exe
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Totalcmd\TOTALCMD64.EXE
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit=userinit.exe,
uRun: [7 Taskbar Tweaker] "C:\Users\Sapphire\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe" -hidewnd
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass\KeePass.exe" --preload
StartupFolder: C:\Users\Sapphire\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FASTST~1.LNK - C:\Program Files (x86)\FastStone Capture\FSCapture.exe
StartupFolder: C:\Users\Sapphire\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Totalcmd.lnk - C:\Totalcmd\TOTALCMD64.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BITMET~1.LNK - C:\Program Files (x86)\BitMeter\BitMeter2.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{8CCAF3FB-C7D5-444D-9A26-FF107C8C2ED0} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8CCAF3FB-C7D5-444D-9A26-FF107C8C2ED0} : DhcpNameServer = 192.168.178.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass\KeePass.exe" --preload
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sapphire\AppData\Roaming\Mozilla\Firefox\Profiles\vtdnc5os.default\
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=dcf278605cba6777265f5a641276aacb
FF - prefs.js: keyword.URL - hxxps://ixquick.com/do/search?language=english&cat=web&query=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Users\Sapphire\AppData\Roaming\Mozilla\Firefox\Profiles\vtdnc5os.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.urlbar.hideGoButton - false
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\Windows\system32\DRIVERS\epfwwfp.sys --> C:\Windows\system32\DRIVERS\epfwwfp.sys [?]
R1 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\system32\DRIVERS\EpfwLWF.sys --> C:\Windows\system32\DRIVERS\EpfwLWF.sys [?]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;C:\Program Files (x86)\HWiNFO32\HWiNFO64A.SYS [2012-5-11 30592]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2012-3-7 913144]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-11 654408]
R3 afcdp;afcdp;C:\Windows\system32\DRIVERS\afcdp.sys --> C:\Windows\system32\DRIVERS\afcdp.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 cmudaxp;ASUS Xonar DS Audio Interface;C:\Windows\system32\drivers\cmudaxp.sys --> C:\Windows\system32\drivers\cmudaxp.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-5-31 166576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-5-3 158856]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-11 113120]
S3 pwdrvio;pwdrvio;\??\C:\Windows\system32\pwdrvio.sys --> C:\Windows\system32\pwdrvio.sys [?]
S3 pwdspio;pwdspio;\??\C:\Windows\system32\pwdspio.sys --> C:\Windows\system32\pwdspio.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== File Associations ===============
.
.txt=PolyEdit Lite
.
=============== Created Last 30 ================
.
2012-06-11 09:41:30 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-10 15:44:43 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-08 21:48:54 19936 ------w- C:\Windows\System32\pwdrvio.sys
2012-06-08 21:48:54 1013320 ----a-w- C:\Windows\System32\pwNative.exe
2012-06-08 21:48:53 13280 ------w- C:\Windows\System32\pwdspio.sys
2012-06-08 21:28:41 4244744 ----a-w- C:\Windows\SysWow64\qtp-mt334.dll
2012-06-08 21:28:41 247560 ----a-w- C:\Windows\SysWow64\prgiso.dll
2012-06-08 21:28:41 13576 ----a-w- C:\Windows\SysWow64\wnaspi32.dll
2012-06-08 06:12:23 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B256E10C-921A-4926-97DF-AEAE1FFB52B1}\mpengine.dll
2012-06-06 17:20:39 -------- d-----w- C:\Program Files\ESET
2012-06-06 08:42:01 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-06 08:42:01 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-02 15:27:54 -------- d-----w- C:\Users\Sapphire\AppData\Roaming\XnView
2012-06-02 15:22:21 84992 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNBPP4.DLL
2012-06-01 08:45:03 -------- d-----w- C:\Temp
2012-05-13 21:58:36 -------- d-----w- C:\Program Files (x86)\OneLoupe
2012-05-13 19:38:41 -------- d-----w- C:\Program Files (x86)\Depends
2012-05-13 18:58:42 -------- d-----w- C:\Users\Sapphire\AppData\Roaming\Kaleider
2012-05-13 18:58:41 -------- d-----w- C:\ProgramData\Kaleider
2012-05-13 18:58:41 -------- d-----w- C:\Program Files (x86)\Kaleider
2012-05-13 18:51:33 -------- d-----w- C:\Program Files\SysTracer
2012-05-13 18:29:58 626688 ----a-w- C:\Windows\System32\msvcr80.dll
2012-05-13 18:02:18 -------- d-----w- C:\Users\Sapphire\AppData\Roaming\Digiarty
2012-05-13 17:59:34 160281 ----a-w- C:\Windows\Photo Pos Pro Uninstaller.exe
2012-05-13 17:59:12 -------- d-----w- C:\Program Files (x86)\Common Files\Thraex Software
2012-05-13 17:51:34 506368 ----a-w- C:\Windows\SysWow64\sqlite3.dll
2012-05-13 17:51:26 -------- d-----w- C:\Program Files (x86)\Radio Online
2012-05-12 19:44:44 -------- d-----w- C:\Program Files (x86)\Common Files\Blizzard Entertainment
2012-05-12 19:20:50 -------- d-----w- C:\Program Files\IconViewer
2012-05-12 10:46:48 -------- d-----w- C:\Users\Sapphire\AppData\Roaming\Anthropics
.
==================== Find3M ====================
.
2012-06-08 16:00:57 419840 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-06-08 16:00:57 413696 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-06-08 16:00:57 111616 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-06-08 16:00:57 102400 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-05-12 08:53:31 33 ----a-w- C:\Windows\SysWow64\mnprxpd2f.bin
2012-05-11 13:17:26 285280 ----a-w- C:\Windows\System32\drivers\afcdp.sys
2012-05-11 13:17:20 1263200 ----a-w- C:\Windows\System32\drivers\tdrpm273.sys
2012-05-11 13:17:16 970336 ----a-w- C:\Windows\System32\drivers\timntr.sys
2012-05-11 13:17:08 277088 ----a-w- C:\Windows\System32\drivers\snapman.sys
2012-05-11 12:44:44 230864 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
2012-05-11 10:31:09 0 ----a-w- C:\Windows\ativpsrm.bin
2012-04-27 06:00:00 545 ----a-w- C:\Windows\UC.PIF
2012-04-27 06:00:00 545 ----a-w- C:\Windows\RAR.PIF
2012-04-27 06:00:00 545 ----a-w- C:\Windows\PKZIP.PIF
2012-04-27 06:00:00 545 ----a-w- C:\Windows\PKUNZIP.PIF
2012-04-27 06:00:00 545 ----a-w- C:\Windows\LHA.PIF
2012-04-27 06:00:00 545 ----a-w- C:\Windows\ARJ.PIF
2012-04-26 11:47:48 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2012-04-26 11:47:46 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
2012-04-04 13:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-31 06:05:57 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-31 04:39:37 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-31 04:39:37 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-31 03:10:03 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-03-17 07:58:57 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-03-14 06:40:04 62496 ----a-w- C:\Windows\System32\drivers\epfwwfp.sys
2012-03-14 06:40:04 38288 ----a-w- C:\Windows\System32\drivers\EpfwLWF.sys
2012-03-14 06:40:04 187632 ----a-w- C:\Windows\System32\drivers\epfw.sys
2012-03-14 06:40:02 209768 ----a-w- C:\Windows\System32\drivers\eamonm.sys
2012-03-14 06:40:02 148528 ----a-w- C:\Windows\System32\drivers\ehdrv.sys
.
============= FINISH: 12:28:42,20 ===============


[No GMER log because of x64 system]
Thank you


Edited by Trishax, 11 June 2012 - 06:49 AM.




#2 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Location:New England, U.S.A.

Posted 12 June 2012 - 09:01 AM

Trishax,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

 

Step 1: MiniToolBox
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Step 2: Farbar Service Scanner
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step 3: ComboFix
Please download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out here or here.
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

In your next reply, please include:
  • MiniToolBox log
  • FSS log
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
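The check that sits behind both posts above, the hosts file that triggered the ESET Qhost warning in the first post and the "List content of Hosts" step in Jason's instructions, as an added example that is not part of this thread or of any tool mentioned in it: a Python audit of a Windows hosts file. A blocklist such as the MVPS file only ever sinks names to 0.0.0.0 or 127.0.0.1, so the script flags any name mapped to some other address (the redirect behaviour hosts-hijacking trojans are known for) and, separately, any override of a security-vendor or update hostname, whatever the target. The sample hosts content, the `*.example` hostnames, the address 198.51.100.23 and the `PROTECTED_SUFFIXES` list are constructed for the example; the heuristic is a generic one written here, not ESET's Qhost detection logic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, Tuple

# Constructed sample of C:\Windows\System32\drivers\etc\hosts. The first data
# lines imitate a blocklist such as the MVPS file (ad hosts sunk to 0.0.0.0);
# the last two imitate what a hosts-hijacking trojan leaves behind. All names
# and addresses here are invented for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 ad.doubleclick.example
0.0.0.0 tracker.ads.example          # MVPS-style sink entry
127.0.0.1       localhost
198.51.100.23   www.bank.example     # routable target: a redirect
127.0.0.1       update.eset.example  # update host sunk: blocks AV updates
"""

# Suffixes whose presence in a hosts file is suspicious whatever the target:
# sinking them silently disables security updates. Assumed list for the
# example; use the real vendor domains of the software installed.
PROTECTED_SUFFIXES = ("eset.example", "malwarebytes.example",
                      "windowsupdate.example", "microsoft.example")

# The only targets a legitimate blocklist ever uses.
SINK_ADDRESSES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}


@dataclass(frozen=True)
class Finding:
    lineno: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (lineno, address, hostname) for every active mapping.

    Comments ('#' to end of line) and blank lines are dropped, so padding a
    file with empty lines to push entries off-screen hides nothing. One
    address may be followed by several hostnames; each is yielded separately.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield lineno, fields[0], host.lower()


def audit_hosts(text: str) -> list:
    """Return findings for redirects and overridden security/update hosts."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(lineno, addr, host, "malformed address field"))
            continue
        if host == "localhost" and ip in SINK_ADDRESSES:
            continue  # the one mapping every hosts file legitimately carries
        if ip not in SINK_ADDRESSES:
            findings.append(Finding(lineno, addr, host,
                                    "redirect to non-loopback address"))
        if host.endswith(PROTECTED_SUFFIXES):
            findings.append(Finding(lineno, addr, host,
                                    "security/update host overridden"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.address:<16} {f.hostname:<24} {f.reason}")
```

On the real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts (read with `errors="replace"`, since hijacked files are sometimes not clean text) to `audit_hosts` instead of the sample. Treat the output as a review list rather than a verdict: on a corporate PC, intranet names mapped to private addresses will show up as "redirects" and are expected, while a home machine using an MVPS-style blocklist should produce no findings at all. A file that is clean here but still shows redirect symptoms points at the other places the MiniToolBox steps cover (DNS server settings and browser proxy settings) rather than at the hosts file.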


#3 jntkwx


Posted 15 June 2012 - 11:02 AM

Trishax,

It has been three days since my last post. Do you still need help?

If you do, please follow my previous instructions.
Regards,
Jason

 



#4 jntkwx


Posted 16 June 2012 - 11:39 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Regards,
Jason

 





