PDA

View Full Version : Qoologic.bj



RaynmanAS
2006-08-01, 19:41
This trojan owns me right now, it's very frustrating.

I searched the archive and found out about FindQool and followed the instructions in that thread, but ewido still finds it after it runs.

Here is my present Hijackthis logfile:

________________________________________________________________________________________

Logfile of HijackThis v1.98.2
Scan saved at 12:39:39 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pop-Up Stopper\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\FindQool\sub\md5deep.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cwkbv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,mrrfhya.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: PSFree.lnk = C:\Program Files\Pop-Up Stopper\PSFree.exe
O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142724329984
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 199.191.128.103
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 199.191.128.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 199.191.128.103

_____________________________________________________________________________________________

And the report from FindQool:

_____________________________________________________________________________________________

Tue 08/01/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....
C:\WINDOWS\system32\ruswnck.dll
C:\WINDOWS\system32\mrrfhya.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\MRRFHYA.EXE
C:\WINDOWS\SYSTEM32\RUSWNCK.DLL
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\DUFXD.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
07/31/2006 11:24 PM 127,488 dufxd.exe
...

HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"kexovr"="C:\\WINDOWS\\system32\\lntwvt.exe reg_run"
HKCU
"hbepx"="C:\\WINDOWS\\system32\\lntwvt.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\cwkbv.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,mrrfhya.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 17/05/2006

_____________________________________________________________________________________


Additional info, that I am not sure if it matters, the FindQool program keeps saying the following while it is running:

md5deep: C:\WINDOWS\system32\vtsqn.dll: Permission denied.


______________________________________________________________________________________

So, any thoughts?? :blush:

RaynmanAS
2006-08-01, 19:46
I forgot to mention that as soon as FindQoll finishes, and I startup ewido, it immediately finds Qlogic.bj again.

pskelley
2006-08-04, 03:39
Welcome to the forum, your HJT version is old. Use this link: http://www.merijn.org/files/HijackThis.exe and download to the same folder where it is now: C:\Program Files\HijackThis\ HJT will replace the old version. Post a new HJT log and I will respond as soon as possible after that.

Thanks...pskelley
Safer Networking Forums

tashi
2006-08-08, 08:16
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.