Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

very infected!!!

Unread postby tman181 » June 25th, 2005, 3:41 pm

Hi Mike,
I have Googled all these files. The only real information I can find on them is their inclusion in other scans posted among the various sites. In some instances they are deleted, and in others they are not. Nothing lists them as good or useful files. Also, it looks like VSAPI32.DLL might be a component of a packing utility used by several vendors.
Okay, I'm going to assume the list of files will look something like this:

C:\WINDOWS\System32\NVMLNZ.EXE
C:\WINDOWS\System32\DPPSD.DLL
C:\WINDOWS\System32\GZHNGXR.DLL
C:\WINDOWS\System32\OBRXOAM.EXE
C:\WINDOWS\System32\mc-58-12-0000079.exe
C:\WINDOWS\CFindUninst.exe
C:\WINDOWS\TSC.EXE
C:\WINDOWS\XFQTDLL.EXE
C:\WINDOWS\XFQTENC.EXE
C:\WINDOWS\RMAgentOutput.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnpu.exe

I've not even gotten over to the "Is this safe to post" forum, so I'm not sure of the format expected. I just joined this forum last week, and have not yet made it very far in the first level tutorials. I'm trying to learn in the tutorials but I've also been looking at the other posts in this forum to see how similar problems are being solved.

If you tell me this looks good, I'll post on that forum. In the meantime, I'll go and look to see what to expect there.

Looking forward to seeing what you and Susan say. I'm getting jazzed since I thought we might have to re-image when I first started trying to clean this one up.

Thanx
Tony
tman181
Regular Member
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby tman181 » June 25th, 2005, 4:15 pm

Hi Mike,
I don't yet have the ability to post on the "Is this safe to post" forum. You'll have to do that. I probably have to get a little further along in my training to do that. I do appreciate you taking the time to make this a training exercise for me though. I really am learning quite a bit. :P
Thanx
Tony
tman181
Regular Member
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Susan528 » June 25th, 2005, 6:11 pm

Hello tman181,

Looks like you are doing a fine job for your friend! Have you tried running Ewido? Maybe it would clear up some of those files. I would be curious to see what it would do.

http://www.malwareremoval.com/forum/viewtop ... t=qoologic

Ewido, if up to date and run in Safe Mode, clears this pest. You will need to mention not to open any folders or open the Windows Control Panel while the scan is in progress.
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Midnight Star » June 25th, 2005, 10:09 pm

Hey Tony!

Looks like you've picked everything out, but this one I'm not sure about. Some are removing it, and some aren't. Let's see if the file's properties will tell us something about it. Right-click on TSC.EXE and look under the Version tab. We're looking to see the original program name, any company, copyright info, or anything else that might give the program away.

Other than that, we should be ready to begin deleting the files, and fixing the last remaining entry using HiJackThis - great job!

==========

Mike.
Midnight Star
Developer
Posts: 652
Joined: January 7th, 2005, 8:08 pm
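The Version-tab check Mike describes above can be scripted so the same questions (company, original filename, copyright) are answered for every suspect file, alongside a signature check and a hash for later lookup. The script below is an added example, not something posted in this thread; it is written for a current Windows with PowerShell (the XP SP1 machine in the thread predates PowerShell), the `$SuspectPath` default is just the file the thread was looking at, and the packer-marker scan is a plain string search for the same `UPX!`/`aspack` markers the find-qoologic log reported, which is a heuristic, not a PE parser.

```powershell
# Added example (not from the thread): report the same details as the
# Properties > Version tab for a suspect file, plus signature, hash and
# a crude packer-marker check. Assumes a modern Windows with PowerShell.
param(
    [string]$SuspectPath = 'C:\WINDOWS\TSC.EXE'   # assumption: file from the thread
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path -Force
    $vi   = $item.VersionInfo                      # data behind the Version tab
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Heuristic only: look for the ASCII markers that packers such as UPX and
    # ASPack leave in the image. A packed file usually also has an empty
    # version resource, which is why the Version tab may show nothing.
    $ascii   = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($item.FullName))
    $packers = foreach ($m in 'UPX!', 'aspack', 'ASPack') { if ($ascii.Contains($m)) { $m } }

    [pscustomobject]@{
        Path             = $item.FullName
        Exists           = $true
        SizeBytes        = $item.Length
        LastWrite        = $item.LastWriteTime
        CompanyName      = $vi.CompanyName
        ProductName      = $vi.ProductName
        OriginalFilename = $vi.OriginalFilename
        FileDescription  = $vi.FileDescription
        FileVersion      = $vi.FileVersion
        LegalCopyright   = $vi.LegalCopyright
        SignatureStatus  = $sig.Status               # Valid, NotSigned, HashMismatch, ...
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        PackerMarkers    = ($packers -join ', ')
        SHA256           = $hash
    }
}

Get-SuspectFileReport -Path $SuspectPath | Format-List
```

Empty version fields plus a packer marker is exactly the combination the thread kept running into: it does not prove the file is malicious, but it means the Version tab will not "give the program away", and the hash is what you would look up elsewhere instead.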

Unread postby tman181 » June 25th, 2005, 10:13 pm

Hi Guys,
Okay, Susan, thanx for the suggestion. No, I had not yet run Ewido. When I did run it, it found the five files which were the highest suspects and hopefully took care of them. The file tnpu.exe in the global startup directory had an error when Ewido tried to delete it, but it has disappeared. Some of these files have a habit of doing that.
Anyway, I ran Ewido twice and then got new logs from both HJT and find-qoologic. Here they are.

Logfile of HijackThis v1.99.1
Scan saved at 7:31:44 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId= ... lcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* UPX! C:\WINDOWS\System32\MC-58-~1.EXE
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\CFINDU~1.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\XFQTDLL.EXE
* UPX! C:\WINDOWS\XFQTENC.EXE
* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
DESKTOP.INI

User Startup:
C:\Documents and Settings\Bernie\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf
<NO NAME> REG_SZ {57cee7bf-5da5-4e72-a21d-31ecdc5f1e85}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin


I guess it looks pretty good. I am going to hook this one up to the internet, update Windows and verify we are clean.
Should I do something about any of the registry entries? It looks like this one:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf
<NO NAME> REG_SZ {57cee7bf-5da5-4e72-a21d-31ecdc5f1e85}

should be removed.

Above all else, thanx for all the help. This has been a great experience for me.
Tony
tman181
Regular Member
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 25th, 2005, 11:41 pm

Tony - great work again! Just a few files need to be manually deleted, with the registry fix being made that you were thinking of below. Here's what 'KotaGuy was thinking also:

==========

TSC.EXE is, most likely, part of Trend's HouseCall scan.

There are still 5 files that need to be turfed:

C:\WINDOWS\System32\MC-58-~1.EXE
C:\WINDOWS\CFINDU~1.EXE
C:\WINDOWS\XFQTDLL.EXE
C:\WINDOWS\XFQTENC.EXE
C:\WINDOWS\RMAGEN~1.DLL

This reg entry might be gone after the rest of the files are deleted. If not, it will need a regfix:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf
<NO NAME> REG_SZ {57cee7bf-5da5-4e72-a21d-31ecdc5f1e85}

Regfix would be this:

Quote:
REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf]

==========

...It's been my pleasure.

Mike.
Midnight Star
Developer
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby 'KotaGuy » June 26th, 2005, 12:47 am

Sorry bout this... don't mean to jump in on the thread...

Hi Tony... just to clarify on what I had talked about with Mike...

By turfed, I mean KillBox them.

Close all open windows and programs, then start Killbox. Put a check next to "Delete on Reboot", then copy this line in "Full Path of File to Delete" box:

C:\WINDOWS\System32\MC-58-~1.EXE

Click the red and white "Delete File" button.
Click "Yes" at the first prompt.
Click "No" at the second.

Repeat those same steps for each of these files one at a time:

C:\WINDOWS\CFINDU~1.EXE
C:\WINDOWS\XFQTDLL.EXE
C:\WINDOWS\XFQTENC.EXE
C:\WINDOWS\RMAGEN~1.DLL


Exit Killbox when done.

The regfix... copy/paste the quotebox into a new notepad document.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf]


Name it fixme.reg. Save it to your Desktop. Save it as File Type All Files (not as a text document or it won't work). Double click fixme.reg and merge it into the registry when asked. Reboot to complete the change.

Post a new Qoologic log when done.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
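The REGEDIT4 fix in 'KotaGuy's post deletes the whole `qftsqyxf` handler key. The script below is an added example, not part of the thread, showing how the same key can first be inspected (which CLSID it registers and whether that CLSID's DLL is still on disk, so you can tell whether the earlier file deletions already orphaned it) and then removed with a `.reg` backup taken first. The key name `qftsqyxf` is the one from the find-qoologic log; the backup file name and the use of PowerShell on a modern Windows are assumptions. The one detail that bites people here is the literal `*` in `HKEY_CLASSES_ROOT\*`: every provider cmdlet is called with `-LiteralPath`, because with `-Path` the asterisk is treated as a wildcard.

```powershell
# Added example (not from the thread): inspect, back up and remove the
# context-menu handler key that the REGEDIT4 fix targets:
#   [-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf]
# Run from an elevated PowerShell. -LiteralPath everywhere: the '*' in the
# key path is a real key name, not a wildcard.
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf'

function Get-ContextMenuHandlerInfo {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Exists = $false }
    }

    # The handler key's default value is the CLSID of the COM object Explorer loads.
    $clsid        = (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    $serverDll    = $null
    $serverExists = $false

    if ($clsid) {
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $serverDll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            if ($serverDll) {
                $expanded     = [Environment]::ExpandEnvironmentVariables($serverDll.Trim('"'))
                $serverExists = Test-Path -LiteralPath $expanded
            }
        }
    }

    [pscustomobject]@{
        Key          = $KeyPath
        Exists       = $true
        Clsid        = $clsid
        ServerDll    = $serverDll       # $null means the CLSID has no InprocServer32
        ServerExists = $serverExists    # $false with a DLL path = orphaned registration
    }
}

function Remove-ContextMenuHandler {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [string]$BackupFile             # optional .reg export taken before deletion
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) { return $false }

    if ($BackupFile) {
        # reg.exe wants the plain HKEY_CLASSES_ROOT\... form without the provider prefix.
        $native = $KeyPath -replace '^Registry::', ''
        & reg.exe export $native $BackupFile /y | Out-Null
    }

    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    return -not (Test-Path -LiteralPath $KeyPath)   # $true when the key is gone
}

Get-ContextMenuHandlerInfo -KeyPath $HandlerKey | Format-List
# After reviewing the report (assumed backup location):
# Remove-ContextMenuHandler -KeyPath $HandlerKey -BackupFile "$env:USERPROFILE\Desktop\qftsqyxf-backup.reg"
```

Deleting the key only unregisters the handler; the CLSID entry and the DLL it names, if either still exists, are what the report above tells you to look at next, which is the same reason the thread deleted the files before applying the reg fix.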

Unread postby tman181 » June 26th, 2005, 10:16 pm

Hi guys,
Thanx once again for helping me through this one. When I started out, I thought I knew a little something, but soon found out that things just aren't what I thought they were. For years I have sworn by NAV and have always used it faithfully. I got a first-hand lesson with this one in how much it cannot fix once the infection makes it to the system. I am very impressed with the suite of tools you guys use, and the knowledge you have developed, and most especially with the community you have made. You're all great, and I look forward to learning some more as I go through the MWU.
God bless you all.
Tony

PS: I will let you know if any of this gives me trouble, since I have not yet completed the final tasks. I have started downloading Windows updates for this computer and scheduling tasks for the owner. He's a good friend but a bit lax on security issues. This was his wakeup call!!!
tman181
Regular Member
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 26th, 2005, 10:30 pm

Tony,

You're very welcome!

==========

Mike.
Midnight Star
Developer
Posts: 652
Joined: January 7th, 2005, 8:08 pm