Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

very infected!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

very infected!!!

Unread postby tman181 » June 22nd, 2005, 7:53 pm

Hi guys,
I have been attempting to clean a friends computer, and having little luck. Stumbled accross this forum and even joined the MWU. I have read through some of the tutorials and can see I'm in over my head. Here's my log. Thanx in advance for your help.


Logfile of HijackThis v1.99.1
Scan saved at 4:16:27 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\nvmlnz.exe
C:\hjt\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: SDWin32 Class - {18F38403-90F2-4CC1-8E55-684926059511} - C:\WINDOWS\System32\xpric.dll (file missing)
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\p0ee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvmlnz.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [xpricc] C:\WINDOWS\System32\xpricc.exe
O4 - HKLM\..\Run: [xgecoe] c:\windows\system32\liinld.exe r
O4 - HKLM\..\Run: [XFQTENC] C:\WINDOWS\XFQTENC.EXE
O4 - HKLM\..\Run: [wocem] C:\WINDOWS\System32\wocem.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Ruyrif.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Bernie\snuninst.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Wlysww.exe
O4 - HKLM\..\Run: [rvj] C:\WINDOWS\System32\rvj.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [onnwgn] c:\windows\system32\ypuguqq.exe r
O4 - HKLM\..\Run: [oFtk3sW] infre.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [mectmb] c:\windows\system32\bmknehv.exe r
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Iskdps] C:\Program Files\Gjxxqey\Gvkq.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [F5SwFvqKH] C:\WINDOWS\roynyted.exe
O4 - HKLM\..\Run: [cwxicc] C:\WINDOWS\System32\cwxicc.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\RunOnce: [vz8bgty.exe] C:\WINDOWS\System32\vz8bgty.exe /k
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Zo2qRia5O] dsodd.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [dinnsr] C:\WINDOWS\System32\dinnsr.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - HKCU\..\RunOnce: [vz8bgty.exe] C:\WINDOWS\System32\vz8bgty.exe /k
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxy.mht!http://filesharingaccess.com/script/lc.chm::/Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId= ... lcid=0x409
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosuxxx.mht!http://filesharingaccess.com/script/ysb.chm::/ysb_mp3x.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0035.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: hciiyan - Unknown owner - C:\WINDOWS\system32\hciiyan.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico
Advertisement
Register to Remove

Unread postby Midnight Star » June 22nd, 2005, 8:56 pm

tman,

For starters, can you tell us what you've tried to do so far? Which online anti-virus scans or anti-spyware programs you've ran? This will help the person coming in to help with the cleanup.

==========

Mike.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby tman181 » June 22nd, 2005, 9:09 pm

Hi Mike,
I first disabled all the stuff that looked unfamiliar (msconfig) and re-booted. I then burned a cd with AdAware and Spybot and got them on and ran them in default configuration (no updates yet). I then installed NAV2004 after running pre-install scan. After that, updated NAV and re-ran several times. Then I hooked up to the internet and updated all three programs, disconnected and ran them again. Throughout all of this, over 2000 hits were processed in the programs. Some were "sucessfully" removed and others were not. At this point, I ran trendmicro's housecall and panda softwares online scanner. Again, mixed success. While I was running the online scanners, I got popups continually. After disconnecting, I re-ran the three installed programs. This time around 200 hits between them. Today before posting, I ran CWShredder and installed spywareblaster. At this point, I re-enabled the disabled stuff and rebooted, ran hjt and sent out the log file.

Tony
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby tman181 » June 22nd, 2005, 9:12 pm

I'm sorry, I forgot to include that I got several failures when attempting to re-boot after enabling the stuff in msconfig. I also at some point in the whole mess above deleted all temporary files in the user subdirectories and in the windows temp subdirectory.
Tony
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 22nd, 2005, 10:53 pm

Hi tman,

You might also want to post back any unknown item(s), or item(s) you suspect shouldn't be in "Add/Remove programs". Many times, you can find entries there that might uninstall some of the things listed in the log. Here's an example of some of the item(s) you might find (to give you an example):

Bullseye Networks
EZula Toptext
Internet Optimizer
TBPS
Virtual Bouncer
Web Offer
WinTools

If they want to try uninstalling what they find (things they didn't install - but watch out and not uninstall system software or hot fixes), they might want to disconnect from the internet (if they're using broadband), reboot into "Safe Mode" and try uninstalling the program(s) from there.

Some may, or may not be present; i'd also look for entries that have the keywords "Toolbar", "Search" and "180..." in them.

==========

Mike.
Last edited by Midnight Star on June 22nd, 2005, 10:57 pm, edited 2 times in total.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby Midnight Star » June 22nd, 2005, 10:56 pm

I also see a potential QooLogic, residual Nail infection and IST toolbar.

==========

Mike.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby tman181 » June 23rd, 2005, 5:56 am

I'm sorry,
I left out of my list of things I had done, I actually did that first. I was able to run uninstallers on a few items from add/remove programs. Several actually ran, but left vestiges of themselves behind. A couple will not actually run anything. The ones left which I cannot remove are:
Maxifiles
TContent
I tried them again this morning and nothing happens. The log file is the same as I posted last night.
T
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 23rd, 2005, 10:19 am

tman,

Ok, so we've removed all the "Add/Remove Programs" that we could find, ran some online scans that was able to clean out quite a few items - so, unless there's a rootkit hiding the running processes, or msfconfig still has many disabled, there doesn't seem to be as many 'bad' programs actually running as there are residual registry entries (looks like you've done very well so far). Hopefully HJT can clear out alot of those rogue registry item(s). Here are the one(s) i picked out by sight, so be sure and look them over and double-check me:

C:\WINDOWS\System32\nvmlnz.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: SDWin32 Class - {18F38403-90F2-4CC1-8E55-684926059511} - C:\WINDOWS\System32\xpric.dll (file missing)
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\p0ee.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvmlnz.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [xpricc] C:\WINDOWS\System32\xpricc.exe
O4 - HKLM\..\Run: [xgecoe] c:\windows\system32\liinld.exe r
O4 - HKLM\..\Run: [XFQTENC] C:\WINDOWS\XFQTENC.EXE
O4 - HKLM\..\Run: [wocem] C:\WINDOWS\System32\wocem.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Ruyrif.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Bernie\snuninst.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Wlysww.exe
O4 - HKLM\..\Run: [rvj] C:\WINDOWS\System32\rvj.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [onnwgn] c:\windows\system32\ypuguqq.exe r
O4 - HKLM\..\Run: [oFtk3sW] infre.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [mectmb] c:\windows\system32\bmknehv.exe r
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Iskdps] C:\Program Files\Gjxxqey\Gvkq.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [F5SwFvqKH] C:\WINDOWS\roynyted.exe
O4 - HKLM\..\Run: [cwxicc] C:\WINDOWS\System32\cwxicc.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\RunOnce: [vz8bgty.exe] C:\WINDOWS\System32\vz8bgty.exe /k
O4 - HKCU\..\Run: [Zo2qRia5O] dsodd.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [dinnsr] C:\WINDOWS\System32\dinnsr.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - HKCU\..\RunOnce: [vz8bgty.exe] C:\WINDOWS\System32\vz8bgty.exe /k
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxy.mht!http://filesharingaccess.com/script/lc.chm::/Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosuxxx.mht!http://filesharingaccess.com/script/ysb.chm::/ysb_mp3x.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0035.exe
O23 - Service: hciiyan - Unknown owner - C:\WINDOWS\system32\hciiyan.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

Have you tried HiJackThis on any of the above log entries? Are the items being removed, or are they still coming back? Also, once the virus scan(s) are able to remove some items, you might want to uncheck all the items disabled using msconfig, just to see what you have left actively running, if anyting. That might give you a better picture of what your cleanup process was able to remove, and which infections seem to be more stubborn.

==========

Potential QooLogic...

C:\WINDOWS\System32\nvmlnz.exe

Which seems to be still active and running. There's usually more than one of the running or present on the harddrive (they're hidden), that's what makes them tough to remove just using HiJackThis.

==========

'IST' infection...

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

Symantec has an IST removal tool, that works in many cases.

==========

Residual Nail infection...

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

Registry fix might be all that's reguired for this one now...

==========

Mike.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby tman181 » June 23rd, 2005, 2:58 pm

Hi Mike,
I thought I would get you guys to let me know which entries to try removing with HJT since I had never used it. I will try them tonight when I get home. And let you know what works. Thanx
Tony
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 23rd, 2005, 4:36 pm

Hey Tony!

It was absolutely no problem at all - I was in the neighborhood and glad to help ... :)

-

Those are the entries that I picked out of the log; some I know are bad, others look like randomly named trojans to me. One thing you might want to do, to double-ckeck me, is to do a GOOGLE search on the program names you find in the entries, like:

O4 - HKLM\..\Run: [xgecoe] c:\windows\system32\liinld.exe r

llinld.exe

When GOOGLE doesn't have any information on an entry, like the one above, it's almost always a randomly named trojan. If your not sure about it, ask the user if they know what it is, or let an online virus scan, or a utility like MWAV report back what they find as a known virus or trojan, and see if it's there.

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

wupdt.exe

In this instance, you can see if other experts are fixing and removing the same items. If they are, then it should be safe to remove them here. Be sure to check the program's name/id within the "[...]" to see if it matches also; it's "Win Server Updt" in this example. Some infections can't be fixed with HJT alone; those require running a special set of specific program in a certain order to either diable the malware for cleanup, or to clean it from the victim's system.

Good luck, and I look forward to hearing how everything went.

==========

Mike.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby tman181 » June 23rd, 2005, 9:14 pm

Okay Mike,

I fixed the entries you listed (plus the MediaAccK which I found on a google search). It looks like we are much better. The one you think is a Qoologic infestation is still a problem. I can sometimes find the files and sometimes not. I had HJT delete the C:\WINDOWS\System32\nvmlnz.exe file at bootup and the process did not load for that boot. But then a file showed up in allusers/programs/startup named tnpu.exe which only ran at that boot. Next boot, nvmlnz.exe was back. Looks like it re-installs itself. Also, when I look in the reg, the entry to start it is not visible. Is it hidden??? I did not know that was possible, but it would not surprise me. Anyway, I ran nav, adaware and spybot, cleaned all, rebooted, ran the big 3 again, and they all came up clean. Here is the new hjt post.


Logfile of HijackThis v1.99.1
Scan saved at 6:51:49 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\nvmlnz.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvmlnz.exe reg_run
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId= ... lcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Please let me know how to proceed from here.

Thanx
Tony
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby tman181 » June 23rd, 2005, 10:09 pm

Hi again,
Judging by some of the other threads, this is what you might want next (?). I had to run the autoexec.nt fix, but got findQoologic2 to run. Here is the output:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\NVMLNZ.EXE
* KavSvc C:\WINDOWS\System32\DPPSD.DLL
* KavSvc C:\WINDOWS\System32\GZHNGXR.DLL
* aspack C:\WINDOWS\System32\OBRXOAM.EXE
* UPX! C:\WINDOWS\System32\MC-58-~1.EXE
* UPX! C:\WINDOWS\System32\NVMLNZ.EXE
* UPX! C:\WINDOWS\System32\GZHNGXR.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\CFINDU~1.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\XFQTDLL.EXE
* UPX! C:\WINDOWS\XFQTENC.EXE
* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\TNPU.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
DESKTOP.INI
tnpu.exe

User Startup:
C:\Documents and Settings\Bernie\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftsqyxf
<NO NAME> REG_SZ {57cee7bf-5da5-4e72-a21d-31ecdc5f1e85}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin



I'm out of here for tonight, but will check from work tomorrow. Thanx again for all your help up until now. This has been a great learning opportunity for me. It also looks like everyone here is GREAT!!!

Tony
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 25th, 2005, 10:14 am

Hey Tony!

Sorry for not getting back with you sooner but i'm usually completely tied up for two--three days out of the week. Excellent work in locating and running the 'find' QooLogic utility. Now all we need to do is determine which one of the program(s) that were found, shouldn't be there, and remove them.

Which ones (without removing them), would you suggest need to be removed?

==========

Mike.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm

Unread postby tman181 » June 25th, 2005, 11:18 am

Hi Mike,
To me, it looks like the ones that should be removed are these ones.


KavSvc C:\WINDOWS\System32\NVMLNZ.EXE
KavSvc C:\WINDOWS\System32\DPPSD.DLL
KavSvc C:\WINDOWS\System32\GZHNGXR.DLL
aspack C:\WINDOWS\System32\OBRXOAM.EXE

They looked randomly named and are hidden. Even though I have explorer set to show hidden files, I can never find them. When I boot up in safe mode, I can find them once the two of them dissapear if I try to copy them. (I was going to make backups of them then try to delete the originals and see what happened. It didn't work though since when I copied them two of the originals seemed to dissappear).
Any way, I could not copy them onto a cd either so I could submit them to virustotal.
The ones in the windows subdirectory could be found, but when I submitted them on totalvirus, they came back mostly as uninfected. Still, I can find no information on them with a google search. They still seem funny to me, and would probably delete them.

UPX! C:\WINDOWS\System32\MC-58-~1.EXE (mc-58-12-0000079.exe)
UPX! C:\WINDOWS\CFINDU~1.EXE (CFindUninst.exe)
UPX! C:\WINDOWS\TSC.EXE
UPX! C:\WINDOWS\XFQTDLL.EXE
UPX! C:\WINDOWS\XFQTENC.EXE
UPX! C:\WINDOWS\RMAGEN~1.DLL (RMAgentOutput.dll)

The only hits I got were:
This is a report processed by VirusTotal on 06/25/2005 at 02:31:39 (CET) after scanning the file "XFQTDLL.EXE" file.
NOD32v2 1.1153 06.24.2005 probably unknown NewHeur_PE virus

This is a report processed by VirusTotal on 06/25/2005 at 02:33:22 (CET) after scanning the file "tsc.exe" file.
Fortinet 2.36.0.0 06.25.2005 suspicious

This is a report processed by VirusTotal on 06/25/2005 at 02:36:10 (CET) after scanning the file "mc-58-12-0000079.exe" file.
Fortinet 2.36.0.0 06.25.2005 suspicious
Panda 8.02.00 06.24.2005 Adware/Maxifiles

This is a report processed by VirusTotal on 06/25/2005 at 02:38:55 (CET) after scanning the file "CFindUninst.exe" file.
DrWeb 4.32b 06.24.2005 modification of BackDoor.Generic.953


This one looks like a proper windows dll, so I would probably leave it.
UPX! C:\WINDOWS\VSAPI32.DLL

The executable C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnpu.exe also looks like a randomly name startup used by this infection. I've seen the same pattern of executables and dlls in a couple of the listings.

Okay, it looks like Killbox should be used to delete on reboot the files selected.

Okay, how does that look??
When faced with files we can't get information on do we err on the side of caution, or excess???

Eagerly awaiting your reply!!

Thanx
Tony
User avatar
tman181
Regular Member
 
Posts: 25
Joined: June 20th, 2005, 8:53 am
Location: New Mexico

Unread postby Midnight Star » June 25th, 2005, 2:36 pm

Tony,

Good job and a good analysis ... :) - Since your have your analysis, all we need to do is a way to prove it, so let's look at this:

Err on the side of caution or excess; What is good and what is bad:

On caution:

1) We preserve a 'good' file that we'd otherwise delete, which could cause any number of system problems.
2) We leave a potential running trojan on their system, that will continue to re-infect the system, when we try to take it apart piece by piece.

On excess:

1) We delete a 'good' system file, and cause problems down the line.
2) We remove all the problems in one fell swoop, preventing it from recurring.

So what we need to do, is determine, if any of the files being reported are 'good', and if they are (there's usually one or two), then we need to omit them from deletion.

So, here are a few things we can do:

1) See if another program, such as an online scan from TrendMicro, or MWAV can identify other item(s) that we might have missed.

2) GOOGLE the file name(s) being reported by the QooLogic 'sniffer', and see if any of them are being removed by other experts, if they are, then it's probably safe to remove them here (just note the paths). Also see if GOOGLE reports a file as being good - those we'd definitely want to omit.

3) Finally, let's compile a list of all the files we're going to delete, and let's ask someone in the "Is this safe to post" forum, and get a second opinion on our list - let's get some feedback from our teammates and see what we have.

At this point, all we really need to know are which programs are bad on the system, and which method do we use to remove them. I'd venture to say that your are correct in using "Killbox".

==========

If it's ok, i'm going to see if Susan(528) will step in and give us her input also, since i've seen her post about QooLogic before. Her input might be important in helping us understand what might be the best approach and a good second opinion to match ours against, I'll send her a pm.

==========

Again - excellent work Tony on everything! Teamwork rocks!!! ... :D

-

Mike.
User avatar
Midnight Star
Developer
Developer
 
Posts: 652
Joined: January 7th, 2005, 8:08 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 317 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware