PDA

View Full Version : Need Help with TROJ_QHOST.BE & Downloader.agent.uj



amrbriecmr
2006-08-23, 03:47
I ran HiJackThis and removed what I know is junk. The log after removal of junk follows:

Also ran fixware and that log follows the HiJackThis log:

HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 5:43:35 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PrintKey\Printkey.exe
C:\Program Files\Trillian\trillian.exe
C:\HiJackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aqrmp.exe] C:\WINDOWS\system32\aqrmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Printkey.lnk = C:\PrintKey\Printkey.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://srv-app01/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://srv-app01/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://srv-app01/officescan/clientinstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://srv-app01/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://peoplecube.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlantis.ceosoft.com
O17 - HKLM\Software\..\Telephony: DomainName = atlantis.ceosoft.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlantis.ceosoft.com
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

And now the Fixwareout Log:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6D6E5AE3A3F1-EB2B-F824-158B-EE19A5C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5183DD4E93A0-EEEA-AE94-02FA-4F2702D1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CA2ECEDBF635-B0D9-8CC4-49E5-7F608608{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B891E04D5A6A-EA8A-ACB4-4B55-787E04AE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F16B9EF4738-DD5A-0A94-81A3-0E0C3520{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93C180FB0CC9-06B9-11E4-1B0A-3CA9FC28{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4FD74438BCF0-DE49-9604-6883-D7996F5D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D2C472652927-18BA-1744-1788-D2AB7716{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E6581DE385A-D82B-F7D4-2685-5C68EE12{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}957A3FB508F3-680A-F3F4-BEF4-564FA88F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DFE86F6E311F-127A-7134-4FF9-677B834D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fizmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AD740F6E0295-988B-01F4-A882-388AAA77{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4D5A97A060D9-F78B-0434-FBE1-ED6EFD50{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}81886A2269EF-4CD8-DE94-18D9-01A99425{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}201E6D66E79C-0028-B444-F6C0-1C05F8B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}907FD0FED632-77FB-A9A4-DEB0-12060A38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD3959292058-5728-C9E4-01D7-E0789A59{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B255773BEAE6-82E9-7F04-482B-810DB9DA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}83450426623D-ECC8-9274-684E-178CCDC6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93AA45A7B972-09D8-C934-8006-41C8C8F3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC4554B4D1A8-B4A9-F434-E77B-B5E05B1A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E451B0DB4836-CF4B-7054-225D-9D54EDC4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}62B2A68FDC0D-DE39-F4B4-AE70-458D8248{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5DF835C65B7F-B4DB-B264-4583-C75E733C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E16610EACE7-A629-6E04-FC37-4599EF06{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}09B3DAA29E56-35B8-FB14-F602-E33BE4E3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A81371419093-F579-22A4-AB22-3DD3EF1B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}20D27120B2F2-57EA-3BC4-46EB-5A4A663B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}343351B8E3C5-2198-7CF4-3523-29F3A093{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71A38025B9CB-BD69-F904-A600-6269DBE8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}17E1D928A533-8EEB-A604-E8FC-3C4D9DA8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8FDEE8B45AB1-BBC9-3E74-B31E-C7800EE7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A986A004400-09BA-0B84-72FB-8BDE7750{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}450FB5F9BFF4-C8AB-11C4-3172-9436B11C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}05478E1C17B5-1EFB-E854-55E4-D9AFAB0B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A0D17EC4BBB9-D169-7C74-89E1-C05C2559{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}38564A90DE68-FB38-BA24-22A9-BA8D2797{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}914C81F35B5C-30CA-8A34-811D-19C7125D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}174BECD863E7-A008-7EA4-C6BA-88A34FC7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2DF7EC673DED-C959-4D84-4F41-4E4C2843{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FE51F35A77F4-398B-0A74-4467-E6D7115B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EB89F885839-5439-5894-FCCC-F1144441{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2A76035042FD-9348-31D4-3280-F92CA744{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0AFE958D40FC-991A-D284-99A5-CF59DA46{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6800A6BAA0DD-4DA8-5734-30B5-63CC09F5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D1989682B50C-16CA-4764-D632-C76E49F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1B45B1250B55-AB9B-5D54-24A9-AE662A59{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}48A593185D31-DEBA-3334-42E1-6AD8482E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2A2158620C37-AE98-F974-757A-98E61A1A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CEADB9F07D22-142A-CE04-53B6-0CA0CBFB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8113275D8FDD-689B-4D74-819B-D44C6C17{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EB429086416D-96C9-E084-06B8-C5606C12{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}26B0D5BF65FE-43C8-0AE4-8285-D0401159{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6806CE5F51BC-177B-D114-955B-E0F2E47F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}90710371D219-148B-F754-5AA4-E4B3D37B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FFE9D49E8852-22F8-F984-A18B-0FC4972C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C2201318F228-359B-2434-A130-ECAA1594{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}05405C715150-760A-8FD4-CBB0-5644D41F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1D899F0BE550-A81A-3774-446E-8C9E4CBE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6652BC5CA20B-28EB-5504-D8CE-8C956942{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2D5053FFC6DB-D7DB-7064-4D23-A00B3A18{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E45CEF92C42-C1CA-20E4-ACAC-AA66BA03{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C6D22B3901F2-BCA8-8624-667A-719A836F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}620A2033D4BD-B9DB-8004-D7FB-CD31A68D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B1363696E8BD-6D3B-5DA4-82A3-4C87B7DA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A59962EA9769-FF3B-33F4-FACC-3B7B152D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AFC7A95BA729-45EA-6314-55EB-8014169F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmzif.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSXFR.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSXFR.EXE 51,214 2006-08-21
C:\WINDOWS\SYSTEM32\DMZIF.EXE 62,026 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32
{82CF9AC3-A0B1-4E11-9B60-9CC0BF081C39}.exe
{EA40E787-55B4-4BCA-A8AE-A6A5D40E198B}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Seems to have gone away...Have I excersised the demons?

Mark

pskelley
2006-08-23, 04:14
Hello Mark, welcome to the forum. Let's hope Fixwareout got it all, it can be a real pain at times.
C:\WINDOWS\SYSTEM32\CSXFR.EXE
C:\WINDOWS\SYSTEM32\DMZIF.EXE
C:\WINDOWS\system32\{82CF9AC3-A0B1-4E11-9B60-9CC0BF081C39}.exe
C:\WINDOWS\system32\{EA40E787-55B4-4BCA-A8AE-A6A5D40E198B}.exe

Check those if you want, I am 99.9% sure they are Wareout, but it does not hurt to check:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

You will need to delete them is Safe Mode, or use this:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
How to use the Delete on Reboot tool

At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this follow these steps:

Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
__________________________________________________

Looking at the HJT log now:
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
O4 - HKLM\..\Run: [aqrmp.exe] C:\WINDOWS\system32\aqrmp.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\aqrmp.exe <<< delete this file

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

To be sure, would you update ewido and run a scan with it then post the ewido scan results and a new HJT log. Let me know how the computer is running. I need to know you had no trouble with the files at the top from Wareout.

Thanks...pskelley
Safer Networking Forums

amrbriecmr
2006-08-24, 02:13
pskelley,

It's a clean machine again..Thanks for the info.

You Rock!

:bigthumb:

pskelley
2006-08-24, 02:16
Please follow the posted directions and let's be sure:

To be sure, would you update ewido and run a scan with it then post the ewido scan results and a new HJT log. Let me know how the computer is running. I need to know you had no trouble with the files at the top from Wareout.
Thanks

amrbriecmr
2006-08-25, 03:48
Thanks again pskelley..I'll try to get you one tomorrow..this is on one of my main work machines and today was not a good day to halt production and get the logs to you..again I'll give it a shot and post tomorrow!

:beerbeerb:

tashi
2006-08-29, 09:39
How is it going amrbriecmr

tashi
2006-09-03, 01:00
http://forums.spybot.info/showthread.php?t=288

Towards the end of a cleanup please make sure you follow through with any final log requested even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.

Still with us amrbriecmr?

tashi
2006-09-05, 07:53
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.