BHO malware

Post by greg214 » February 5th, 2007, 6:00 pm

===============================================
1.) Hello, here is my HijackThis log.
2.) When I first open Explorer it tries to connect to IP 85.12.25.105 or 89.188.16.18, however SpySweeper prevents this.
3.) When I delete the BHO in HijackThis it returns, which is an annoyance.
4.) The registry key that keeps coming back is located here:
HKEY_CLASSES_ROOT\CLSID\{6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450}\InprocServer32
5.) I used 2 online scanners and neither one detected this BHO (Kaspersky & Trend Micro).
6.) This BHO resets privacy settings in Explorer (all cookies become enabled).
7.) C:\WINDOWS\system32\rqrrqon.dll does not exist when I search for the file (folder settings set to show hidden files).
8.) Ad-Aware deleted the initial trojans; this BHO is a remnant of the trojan.
9.) CAN SOMEONE PLEASE HELP ME!! THANKS IN ADVANCE!!
===============================================
Logfile of HijackThis v1.99.1
Scan saved at 10:58:40 AM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Administrator\Desktop\SOFTWARE\HijackThis 1.99.1.exe

O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\rqrrqon.dll
O20 - Winlogon Notify: rqrrqon - C:\WINDOWS\SYSTEM32\rqrrqon.dll
============================================
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm
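As an added example (not code from the thread or from any tool named in it), the script below parses HijackThis-style O2 and O20 lines and flags the pattern greg214 describes: a nameless BHO whose DLL is also registered as a Winlogon Notify package, which is why removing only the O2 entry does not keep it gone. The sample log is constructed for this example; the "Example Helper" BHO and its all-zero CLSID are made-up benign filler, and the registry path it reports is the InprocServer32 key named in the first post.

```python
import re
import ntpath

# Constructed sample in HijackThis 1.99.1 format; the rqrrqon lines reproduce the thread's entries, the rest is benign filler.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\rqrrqon.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O20 - Winlogon Notify: rqrrqon - C:\WINDOWS\SYSTEM32\rqrrqon.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(log_text):
    """Return (bhos, notifies): the O2 and O20 entries of a HijackThis log as dicts."""
    bhos, notifies = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := NOTIFY_RE.match(line):
            notifies.append(m.groupdict())
    return bhos, notifies


def triage_bhos(log_text):
    """Flag BHOs worth a closer look: a "(no name)" BHO, or one whose DLL is also registered
    as a Winlogon Notify package (loaded by winlogon.exe at logon, so it can re-register)."""
    bhos, notifies = parse_hjt(log_text)
    notify_dlls = {ntpath.basename(n["path"]).lower() for n in notifies}
    findings = []
    for bho in bhos:
        dll = ntpath.basename(bho["path"]).lower()
        reasons = []
        if bho["name"].strip().lower() == "(no name)":
            reasons.append("no-name BHO")
        if dll in notify_dlls:
            reasons.append("same DLL in Winlogon Notify (O20)")
        if reasons:
            clsid = bho["clsid"].upper()
            findings.append({
                "clsid": clsid,
                "dll": dll,
                "reasons": reasons,
                # HijackThis resolves the DLL path from this key (the one named in the first post).
                "registry": r"HKEY_CLASSES_ROOT\CLSID\{%s}\InprocServer32" % clsid,
            })
    return findings


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_LOG):
        print(f["clsid"], f["dll"], "; ".join(f["reasons"]), "-> check", f["registry"])
```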

Post by Vino Rosso » February 5th, 2007, 7:00 pm

Hi greg214 and welcome to Malware Removal

To allow me to help you, can you please run a new HijackThis scan and post the full HijackThis log.
  • Start HijackThis and click on Do a system scan and save a log file
  • When Notepad opens, click the Format menu and make sure that Wordwrap is NOT ticked. If it is then click on it to UNtick it.
  • Click Edit > Select All then Edit > Copy
  • Paste (Ctrl+V) the content with your next reply.
Do not try to fix anything yet! HijackThis shows lots of good files as well as bad.
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

thanks for help

Post by greg214 » February 5th, 2007, 7:46 pm

Logfile of HijackThis v1.99.1
Scan saved at 3:44:53 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\FlashFXP\FlashFXP.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LIvVE\System\mIC.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\SOFTWARE\HijackThis 1.99.1.exe

O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\rqrrqon.dll
O20 - Winlogon Notify: rqrrqon - C:\WINDOWS\SYSTEM32\rqrrqon.dll
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

Post by greg214 » February 5th, 2007, 7:47 pm

thanks for the help
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

Post by Vino Rosso » February 6th, 2007, 3:12 am

Hi

1 - VundoFix
Please download VundoFix.exe from >here< and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run again on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

When VundoFix has finished, use Windows Explorer to go to C:\vundofix.txt and double-click on the file - Notepad will open.
In Notepad, click the Format menu and make sure that Wordwrap is NOT ticked. If it is then click on it to UNtick it.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

2 - Check on status
After you have completed the above, please provide:
  • the vundofix.txt report
  • a new HijackThis log
Good Luck
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

wow

Post by greg214 » February 6th, 2007, 10:49 am

Wow!! That is exactly what I did yesterday, and it deleted it off my computer. How ironic it is that you told me to do what seems to be the only thing to fix it. I deep scanned thereafter, and now everything seems to be OK, but I can only wonder if I managed to get everything off.

Thanks so much for your help.
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

Post by greg214 » February 6th, 2007, 12:17 pm

My RootkitRevealer 1.47 scan reveals these entries. Any suggestions?

[screenshot: RootkitRevealer scan results]
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

better scan

Post by greg214 » February 6th, 2007, 12:45 pm

Here's a more detailed scan.

[screenshot: more detailed RootkitRevealer scan results]
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

Post by Vino Rosso » February 6th, 2007, 2:05 pm

Hi greg214

I'll only be able to help you if you stick to following my instructions and do not run any other tools, scans, etc. until I ask you to.

Would you still like my help?
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Post by greg214 » February 6th, 2007, 10:04 pm

Yes, I apologize for jumping the gun. So far you have helped me a lot, as my HijackThis log is now showing no suspicious items. Is there anything else I should do?
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

Post by Vino Rosso » February 7th, 2007, 4:46 am

Hi

Can you please post the vundofix.txt report and a new HijackThis log.

Thanks
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Post by greg214 » February 7th, 2007, 12:27 pm

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\rqrrqon.dll

The second filepath entered was C:\WINDOWS\system32\rqrrqon.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 596 'smss.exe'

Killing PID 1468 'explorer.exe'


Killing PID 676 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\rqrrqon.dll Deleted sucessfully.
C:\WINDOWS\system32\rqrrqon.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:26:42 AM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\SOFTWARE\HijackThis 1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm

Post by Vino Rosso » February 7th, 2007, 12:50 pm

Hi greg214

1 - Antivirus
It appears from your log that you are not running any antivirus application. You could get infected immediately after we clean you up. I suggest that you download and install ONLY ONE of these free Antivirus programs: After installing, make sure the program updates itself then allow it to scan your system.

2 - Firewall
I cannot see any sign that you are using a firewall. Have you got Windows XP firewall running? If not, please turn it on via Start > Control Panel > Security Center > Windows Firewall. This is better than nothing but it only protects against incoming traffic. It doesn't protect you against outgoing baddies trying to "phone home". I strongly recommend that you install a firewall that monitors traffic in both directions. Please have a look at this article >here< which provides good information and links to free firewalls.

3 - Clean Out Temporary Files
Download ATF Cleaner by Atribune © from >here<
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • UNtick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
4 - Scan With AVG Anti-Spyware
Download the trial version of AVG Anti-Spyware from >here< and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.
Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under How to act? click Recommended actions and select Quarantine from the menu.
You can now close AVG Anti-Spyware. Do not scan yet.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

5 - Boot to Safe Mode
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.

6 - Check on status
After you have completed the above, please reboot and provide:
  1. the AVG Anti-Spyware Scan report
  2. a new HijackThis log
  3. and a description of how your PC is behaving - what problems are you now experiencing?
Remember, if you can, it's worth printing these instructions out before you start.

Good Luck
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Post by Vino Rosso » February 11th, 2007, 12:11 pm

Hi greg214

How are you doing?
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Post by greg214 » February 11th, 2007, 12:53 pm

Hi Vino, all is well. Thanks again for the help.
greg214
Active Member
 
Posts: 10
Joined: February 5th, 2007, 5:58 pm