
Infected With Trojan Horse And Bho Pop-up Virus


  • This topic is locked
14 replies to this topic

#1 Johnio

Johnio

  • Members
  • 7 posts

Posted 03 May 2006 - 03:34 PM

I have literally tried everything from HijackThis to Spybot to Avast to Ad-Aware, as well as in safe mode... cleared the temp folder and temp internet directories. Sometimes the log file shows things go bye-bye, and then they're right back again once I get back to loading Windows in normal mode. I desperately need some help with this, please. I have literally run out of options to try. Here's my HJT log file below:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:32 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\oqqsc.exe
C:\WINDOWS\system32\oqqsc.exe
C:\WINDOWS\system32\oqqsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Johnio\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oqqsc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,alwwmar.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [xxdgcs] C:\WINDOWS\system32\yhyocu.exe reg_run
O4 - HKCU\..\Run: [uukhd] C:\WINDOWS\system32\yhyocu.exe reg_run
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: qolpi.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0l6la3s1d.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Edited by Johnio, 03 May 2006 - 03:35 PM.




#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 05:38 PM

Hello and Welcome, Johnio, to the BC HijackThis Forum.

You have a couple of infections going on in there. First, you'll have to place HijackThis.exe in a folder of its own for it to function properly. Right click on an empty space on your desktop. Go to New > Folder to create a new folder. Name it HijackThis. Drag and drop HijackThis.exe into the folder. Then, we'll have to start with the L2Me infection:

1. Please download F-Secure 'Look2Me' Remover

2. Unzip f-look2me.zip (if you don't know how, look in here)
3. Run f-look2me.exe ( You must be logged in as Administrator)
4. Reboot

=============================================

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text in bold contained in the code box below to your Clipboard by highlighting it and right clicking and then copy:

Files to delete:

c:\windows\system32\qolpi.exe
C:\Program Files\E2G\IeBHOs.dll
c:\windows\system32\iniwin32.dll

Folders to delete:
C:\Program Files\E2G

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it will create a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Edited by amateur, 03 May 2006 - 08:59 PM.


#3 Johnio

Johnio
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2006 - 08:59 PM

OK, before I could even get to your above directions: upon reboot after I downloaded that Look2Me remover, my computer no longer will even let me log into it. I type in my password and everything, and it says logging in, and then for 2 seconds I see my desktop background and then it logs me out. I have no idea what's going on, and I tried to turn off the computer and load in safe mode etc., and still all the same thing. What can I do?

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 09:03 PM

Are you logging in as Administrator?

#5 Johnio

Johnio
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2006 - 09:08 PM

Yes, my account is the administrator; however, for safe mode it actually shows a different account called Administrator than my personal account, and so since my personal account didn't work I tried to log into the Administrator account for safe mode, and same thing. It logs in for 2 seconds and immediately says logging off, and back to the login screen I go.

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 09:12 PM

Hmm, it shouldn't be doing that. Let me do a little researching. I'll get back to you.

#7 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 09:40 PM

Hi Johnio,

I contacted the company F-Secure, which is a reliable company. They will get back to me as soon as possible. In the meantime, can you please shut down and restart and see if you can log in.

#8 Johnio

Johnio
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2006 - 09:47 PM

I powered down and rebooted, and I still can't get in. It says loading personal settings and then immediately says logging off. I am so confused.

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 10:24 PM

Do you have your XP CD?

#10 Johnio

Johnio
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2006 - 10:29 PM

I have an XP standard edition CD with me, but the one on my comp is XP Professional. Will that work or no?

#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 10:43 PM

No, I don't think so. Do you have another computer that you can use until I hear from F-Secure? I am afraid they too will be asking for the installation CD. I don't know when they will come back. We could try System Restore as a last resort.

#12 Johnio

Johnio
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2006 - 10:49 PM

Yes, I am currently using a different computer to correspond with you, since I can't even boot up the other computer now. I don't think I actually have the XP Professional CD on me that's on the "broken" computer. I only have a disk for XP standard. Do I have any other options?

#13 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 03 May 2006 - 10:55 PM

Without the XP installation CD, I cannot think of any. Let's wait and see what F-Secure comes up with. I don't think they will contact me tonight though. If you want to contact them directly, their telephone number is:
1-866-295 2725 and case # 1-53358405.

Edited by amateur, 04 May 2006 - 09:47 AM.


#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 09 May 2006 - 11:26 AM

Hi Johnio,

I got the following message from F-Secure.

Thank you for contacting F-Secure.

With regards to your enquiry, we would appreciate it if you could send us the "f-look2me.log" file for analysis.
1. Click on Start -> Search.
2. Type in "f-look2me.log" and click Search.
3. When you find the file, go to the location where the file is found.
4. Please reply to this email and attach the f-look2me.log file to us.

Please feel free to contact us again should you need further assistance.


I am not sure if you are able to get to the stage where you would see the "Start" button. If I understand you correctly, you are able to reach the logon screen and able to type in your password, but not able to stay logged in, and get logged off almost immediately. Even though I explained that, they seem not to have understood it. Obviously they need that log to understand what went wrong. By the way, the first line of instructions in their message should be "right click Start > Search". It must have been a typo.

I didn't want to try any options before we heard from them, but I think we might as well go ahead since their suggestion will not be possible unless you are logged in properly. Here are the options:

You mention that you used Ad-Aware SE. Please read this article: http://support.microsoft.com/kb/892893/?sd=RMVP
It's possible that you had the said browser helper object and Ad-Aware SE removed it. If you happened not to reboot until after using the F-Secure Look2Me tool, you may not have realised it. So let's try that first:

Option # 1

Please read this first about recovery console as we'll be using it to do the repair: http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/

Boot using your winxp cd.

Put the XP disk in the drive and restart the computer. (I think you can use your XP cd since we'll only use it to get to the command prompt to do repair)

As it begins booting up you should see towards the bottom of the screen some text that says, "Press any key to boot from CD".

Press any key and it will begin booting to the disk.

After it goes through setup you will arrive at a blue screen with three options. The second one is what you want. It says:

To repair a Windows XP installation using the Recovery Console, press R.

1. At the Recovery Console command prompt, type cd system32, and then press ENTER.
2. Type copy userinit.exe wsaupdater.exe, and then press ENTER.
3. Type exit, and then press ENTER.

Modify the registry
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
3. In the right pane, right-click userinit, and then click Modify.
4. Replace wsaupdater.exe with userinit.exe, (make sure to include the comma, as shown), and then click OK.
5. Restart your computer.

Delete the Wsaupdater.exe file
1. Log on to the computer by using an account that has administrator-level permissions.
2. Click Start, click Run, type %Windir%\system32, and then click OK.
3. Right-click wsaupdater.exe, click Delete, and then click OK.

That should solve the problem of logging in, if that malware was the one that caused the issue. If that doesn't work, try the same steps, but replacing all instances of wsaupdater.exe with alwwmar.exe, which was present in your log.

Option # 2

At the XP log on screen, press ctrl + alt + delete simultaneously. This should bring up the classic windows log in screen that allows you to type in a user name and password.

See if that works.

Option # 3

Put in your Windows CD and go to Start>Run>sfc /scannow

Option #4

You could probably try the "last known good configuration" to login instead of "safe mode", by using the same method but selecting the "last known good configuration".

Option # 5

You can slave your "broken" computer to the working one in the network and reach the files and folders through Windows Explorer.

If you manage to get logged in, please post back a new HijackThis log. Thanks.
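The logoff loop discussed in this post comes from the Winlogon Userinit value (the F2 line in the first HijackThis log) pointing at a file that no longer exists after cleanup. The following is an added example, not code from the thread or from HijackThis, F-Secure or The Avenger: it parses HijackThis F2 and O20 lines and reports every Shell/Userinit entry that is not a Windows XP default, plus any AppInit_DLLs or Winlogon Notify entry. The sample lines are taken from Johnio's log above; the default values are the stock XP ones.

```python
import re

# Stock Windows XP Winlogon values as HijackThis reports them in F2 lines.
# Userinit normally reads "C:\WINDOWS\system32\userinit.exe," with nothing after the comma.
DEFAULTS = {
    "shell": ["explorer.exe"],
    "userinit": ["c:\\windows\\system32\\userinit.exe"],
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")


def split_entries(value):
    """Split a comma-separated Winlogon value into normalised, non-empty entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def check_hjt_log(lines):
    """Return (key, value) findings for Winlogon/AppInit entries that deviate from defaults."""
    findings = []
    for line in lines:
        m = F2_RE.match(line.strip())
        if m:
            key = m.group(1).lower()
            for entry in split_entries(m.group(2)):
                if entry not in DEFAULTS[key]:
                    findings.append((key, entry))
            continue
        m = O20_RE.match(line.strip())
        if m:
            # AppInit_DLLs is empty by default; anything listed is loaded into every GUI process.
            findings.append((m.group(1).lower(), m.group(2).strip()))
    return findings


# Sample input: the F2 and O20 lines from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = """
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\system32\\oqqsc.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,alwwmar.exe
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: Internet Settings - C:\\WINDOWS\\system32\\l0l6la3s1d.dll
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in check_hjt_log(SAMPLE_LOG):
        print(f"{key}: unexpected entry {value}")
```

A non-default Userinit entry is exactly what the Recovery Console steps above repair: if the extra file is deleted without restoring the value, Winlogon cannot start the user session and logs the user straight back out.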

#15 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 18 May 2006 - 02:19 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a moderator with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



