Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Qakbot _qbotinj.exe: have ID'd some files & registry entries

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 21st, 2009, 8:04 pm

Found c:\documents and settings\all users\_qbothome folder which contains
_qbot.cb
_qbot.dll
_qbot_installed
_qbotinj.exe
~efd945.tmp
crontab.cb
nbl_Owner.txt
ps_dump_Owner.kcb
ps_dump_Owner.txt
q1.4446 (hidden)
seclog.kcb
seclog.txt
updates.cb

All files modified & created between 20:55 and 20:57 last night.

Found 2 registry entries (regedit - find qbot) -
one which loads _qbotinj.exe and _qbot.dll "in front of" quicktime, and
one which put _qbot.dll in Comodo firewall's white list at key 0 - this has stayed there even after I first blocked and then removed its entry from Comodo's Component Control Rules.

Alerted to the problem about 21:00 last night when Quicktime within Maxthon said file associations had been changed & did I want to change back. I said "no", the page stopped loading, and I thought it was strange, and I looked in process explorer. Found a _qbot file running, didn't recognize it and killed its process tree. Comodo said something had modified IE so I said deny access. I closed Maxthon, and ran the AVG anti-rootkit which found nothing. Reopened Maxthon and page loaded fine. Went to other laptop to search for info, and terminated the infected laptop's internet connection about 15 minutes later.

I found this thread at WildersSecurity very informative:
hxxp://www.wilderssecurity.com/showthread.php?t=156461

Searched files modifed at the same time, and searched the registry. Terminated some other processes that I thought *might* be used by _qbot and I thought I could do without for a bit - IAANTMON.exe (which took another similar filename with it) and PRISMXL.SYS. Looked in the log file and changed passwords at sites potentially compromised, as well as bank cards (just in case). Very little info in the logs, but much more and not so legible in the seclog.kcb. Checked Comodo logs and found a lot of denials of outgoing access to a private IP address in Los Angeles.

Resisted the temptation to make any changes before I consult you, and have spent hours downloading the many tools you often use to USB drive from my clean laptop (I'm on dialup). The infected one is just sitting and waiting - doing nothing. I have hopes that I caught it before it could do too much damage. I would be inclined to search the harddrive and the registry more thoroughly, but I think your tools may do that more efficiently.

I do not want to reboot until we at least take out the know bad crap I've already identified. Didn't want to move the USB drive back and forth too much either.

One question on that - I can't tell if bad laptop has XP Pro or XP Home - both have Tablet XP SP2 or better. HP said the clean one is XP Pro and both say the same in the sys info. So I downloaded the Pro version of the bootdisks for the Windows Recovery Console. Do you know any other way to check, or if I need to find an XP Tablet bootdisk set (if I need the Recovery Console)?

HJT log follows (keep in mind a few running processes were manually killed):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:36 PM, on 21 May 09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Quicken\qw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX2724
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 11509 bytes
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am
Advertisement
Register to Remove

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby MikeSwim07 » May 24th, 2009, 7:41 am

Hello, and Image to the Malware Removal forums.
My name is Michael I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 5 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 24th, 2009, 10:25 am

Hi, Michael. I'm glad to have a student.

Please note that I am using a thumb drive to transfer files from the infected laptop to an uninfected laptop. I made a blank file in the thumb drive's root called autorun.inf and made most folders read only, but I don't know if that is enough protection. Any advice on this I will gladly take.

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Agilix GoBinder Lite
AI RoboForm (All Users)
AI RoboForm Adapter for Firefox/Mozilla/Netscape
Alibre Design
Alt-Tab Task Switcher Powertoy for Windows XP
Art Tool for Tablet PC
Artweaver 0.3.9.9
AusLogics Disk Defrag
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
BugOff 1.10
Calculator for Tablet PC
Calculator Powertoy for Windows XP
CmdHere Powertoy For Windows XP
COMODO Firewall Pro
CutePDF Writer 2.7
DeLorme Earthmate GPS PN-20 Update
DeLorme Topo USA 6.0
DeLorme Topo USA 6.0 DVD Data
DeLorme Topo USA 7.0
Dictionary Tool for Tablet PC
Drawing Animator Toy for Tablet PC
DVD Solution
Earthmate Image Tagger
FileAlyzer 1.1i
Google Desktop
Google Gmail Notifier
Google Toolbar for Internet Explorer
gtw_logo
Handwriting Analysis Tool for Tablet PC
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hold Tool for Tablet PC
Hoop Strategy Game for Tablet PC
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Image Resizer Powertoy for Windows XP
Ink Art
Intel Matrix Storage Manager
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 2
Magnifier Powertoy for Windows XP
Maxthon Browser (remove only)
Maze Game for Tablet PC
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Digital Image Starter Edition 2006
Microsoft Dots! PowerToy
Microsoft Education Pack for Windows XP Tablet PC Edition
Microsoft Energy Blue Theme Pack
Microsoft Experience Pack for Tablet PC
Microsoft Ink Crossword
Microsoft Ink Desktop
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Letteris PowerToy
Microsoft Media Transfer
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft Phraseology PowerToy
Microsoft Physics Illustrator for Tablet PC
Microsoft Snipping Tool 2.0
Microsoft Tablet PC Ink Screen Saver PowerToy
Microsoft Tablet Pool
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mLogView
mMHouse
Motorola SM56 Data Fax Modem
Mozilla Firefox (2.0.0.11)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
My Font Tool for Tablet PC
mZConfig
Napster
Napster Burn Engine
Picasa 2
PL-2303 USB-to-Serial
Power Paint Tool for Tablet PC
Power2Go 4.0
PowerDVD
PureVoice
Puzzle Game
Quicken 2007
QuickTime
RealPlayer Basic
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SigmaTel Audio
Slideshow Generator Powertoy for Windows XP
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Switch
Synaptics Pointing Device Driver
Tablet PC Composition Tool
Tablet PC Tutorials for Microsoft Windows XP SP2
Texas Instruments PCIxx21/x515/xx12 drivers.
The Extractor
Thumbnail View
Tic-Tac-Toe
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Virtual Desktop Manager Powertoy for Windows XP
WavePad Uninstall
WeatherBug 7.0
Web Search Power Tool For Tablet PC
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Word Search Game For Tablet PC
Writing Practice Tool For Tablet PC
Writing Recognition Game

I just got a virus alert from clean laptop's Avira for a MyWebSearch. Also I cannot get my laptop to "see" my thumbdrive - had to use search function. So now I'm worried.

Can we please remove the bad stuff I already identified? Zip it up safely or something?

Thanks
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby MikeSwim07 » May 25th, 2009, 2:24 pm

I am afraid we have some bad news,

This file, c:\documents and settings\all users\_qbothome\_qbotinj.exe belongs to a family of Rootkits which is a Downloader Trojan and has backdoor capabilities. This means that this file is connecting to the internet without you knowing and download more malware to infect your computer. This type of infection is extremely dangerous and because it is a rootkit, we may never be sure if it is removed from your computer fully.

Therefore, I recommend that you reformat and reinstall your computer. Please let me know what you decide on your next post.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 25th, 2009, 3:05 pm

Thanks for that advice. I think I mentioned that in my first post. :D

I have fixed my thumbdrive problem, and the virus alert on the clean laptop was unrelated - it was an old item quarantined by spybot S&D - sorry for the alarm due to my unfamiliarity with Avira's interface. Interesting, though, that AVG never alarmed on it.

As I said, I *think* I caught it right away and will not connect that computer to the network until I'm 99% sure it is clean. My husband would be unhappy if we had to reformat it, so I consider that a last resort.

I have done some detecting on my own, though, and I will tell you I am very suspicious of two QTFont files created just before the _qbothome folder. I am hoping that one of your tools will reveal files also created around that time that may be "hiding" in the Internet Files. I also ran Sysinternal's Rootkit Revealer and none of the few entries alarmed me as they were very similar to entries on the "clean" laptop. I'm hopeful that it has not had a chance to install the rootkit yet as the processes and files were still visible.

So... Can we work together to detect as completely as possible and hopefully kill it all in one fell swoop with a minimum of rebooting. At least my experience with Klez years ago showed me that most of the file changing, copying, renaming, hiding after removals seemed to occur during boots (even in safe mode). Once I discovered the "root" file, though, it was basically gone and fairly easy to clean up. I am just not familiar with the tools you folks use beyond HijackThis, though I have been reading a lot.

To clarify - I am not using the infected laptop, it cannot connect to the internet, and it has not slept or hibernated nor has the user logged off since my initial discovery of this malware, which (if the file creation dates are valid) was within minutes of its creation. The qbot process (and a couple others) were killed right away, and none of the currently running processes seem suspect to me. Let's take a deeper look first and see if there is hope.
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 25th, 2009, 3:27 pm

p.s. I considered signing up for the University to learn how to use these tools myself, and to be able to help others later. I actually find it interesting to read thru the HijackThis logs others post and try to guess what the problems might be. However, it seemed that you folks would prefer I didn't do that until this problem was cleared. Just sayin' :D
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 26th, 2009, 6:15 pm

PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby MikeSwim07 » May 26th, 2009, 7:48 pm

Don't worry, I will have some instructions for you soon :)
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 26th, 2009, 8:44 pm

I really, really, really want to run all those diagnostic programs you-all use so that both I and you can look at them ;) (such as RSIT and GMER)
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby MikeSwim07 » May 26th, 2009, 10:12 pm

Please don't run anything on your own :)
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 26th, 2009, 10:30 pm

I won't :) I'm just eager (and anxious) (and curious) (and determined). ;)
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby MikeSwim07 » May 27th, 2009, 3:26 pm

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
    The ones that need to be closed/disabled are:

    AVG
    Comodo Firewall
    TeaTimer

  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 27th, 2009, 10:30 pm

Well, Combofix removed autorun.inf and desktop.ini from the Gateway restore partition (D:\)

After reboot & Combofix completed _qbotinj was running, so I terminated it again, along with some other processes. I hope that allowing it to load at boottime was not a mistake.

Something removed the hidden autorun.inf folder on my flash drive and the text file inside that were created by Flash_Disinfector.exe (obtained from bleepingcomputer.com in an effort to protect my "good" laptop). I didn't see Combofix say that it deleted it, as it said it deleted the files in D:\ I suspect it may have been on reboot when windows did a scandisk on drive G. And now I again can't "see" my flash drive in explorer, though I can "see" it in Notepad - open file.

Here are the files:
ComboFix 09-05-26.05 - Owner 27 May 09 21:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.523 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-21 23:58 . 2009-05-21 23:58 -------- d-----w c:\program files\Trend Micro
2009-05-21 00:55 . 2009-05-21 01:16 -------- d-----w c:\documents and settings\All Users\_qbothome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 06:50 . 2007-07-22 22:48 -------- d-----w c:\program files\OpenOffice.org1.1.3
2009-05-21 18:30 . 2007-08-06 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-05-21 17:32 . 2007-07-22 21:22 -------- d-----w c:\program files\Quicken
2009-05-21 03:52 . 2007-08-06 22:49 -------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2009-05-21 00:55 . 2006-09-26 18:30 -------- d-----w c:\program files\Maxthon
2009-03-30 21:18 . 2006-09-21 12:04 37056 ----a-w c:\documents and settings\Anniepoo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 00:05 . 2006-09-20 20:12 37056 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-20 23:39 . 2005-06-22 10:30 94291 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-06 14:22 . 2005-06-22 10:11 284160 ----a-w c:\windows\system32\pdh.dll
2008-12-26 21:59 . 2006-10-20 00:07 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-12-07 21:45 . 2006-09-21 22:50 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-12-07 21:45 . 2006-09-21 22:50 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-12-07 21:45 . 2007-08-15 20:44 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-12-07 21:45 . 2007-08-15 20:44 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-12-07 21:45 . 2006-09-21 22:50 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-26 144448]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-26 29744]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\CPF.exe" [2007-10-03 1115728]
"QuickTime Task"="c:\documents and settings\all users\_qbothome\_qbotinj.exe" [2009-05-21 13312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-26 144448]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\Anniepoo\Start Menu\Programs\Startup\
Gmail Notifier.lnk - c:\program files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe [2006-9-21 479232]
Hold Tool for Tablet PC.lnk - c:\program files\PowerToys for Tablet PC\Hold Tool for Tablet PC\HoldTool.exe [2003-3-3 53248]
OpenOffice.org 1.1.3.lnk - c:\program files\OpenOffice.org1.1.3\program\quickstart.exe [2004-9-10 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=c:\program files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"Reminder"=%WINDIR%\Creator\Remind_XP.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [02 Aug 06 1:30 PM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [02 Aug 06 1:30 PM 9600]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [28 Sep 06 4:59 PM 20160]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [21 Jun 05 11:25 PM 69692]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [02 Aug 06 1:41 PM 29744]
S3 ZCBF;ZCBF;c:\docume~1\Owner\LOCALS~1\Temp\ZCBF.exe --> c:\docume~1\Owner\LOCALS~1\Temp\ZCBF.exe [?]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=CX2724
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 21:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5932)
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Comodo\Firewall\cmdagent.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\QuickTime\qttask.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-05-28 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 01:34

Pre-Run: 59,506,335,744 bytes free
Post-Run: 59,726,155,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

186 --- E O F --- 2009-04-24 23:16


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:02 PM, on 27 May 09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\documents and settings\all users\_qbothome\_qbotinj.exe
c:\program files\quicktime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=CX2724
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ZCBF - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ZCBF.exe (file missing)
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 11739 bytes
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby MikeSwim07 » May 30th, 2009, 3:33 pm

I am sorry for the delay, my teacher will not be back until tomorrow. Please be patient - I will have a post ready for you tomorrow.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Qakbot _qbotinj.exe: have ID'd some files & registry entries

Unread postby PRG » May 30th, 2009, 5:24 pm

Thank you for the update. I am a bit baffled as to why we have not used any of the scanning tools available to make a report, and maybe discover where the "trigger" file that I suspect may be hiding. RSIT comes to mind...
PRG
Active Member
 
Posts: 14
Joined: May 21st, 2009, 9:52 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 13 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware