Odd problem



SpikeBoy
2006-11-09, 22:54
Hello all,

I hope this is the right place to post this message.

I just recently cleaned up this computer that had tons of trojans, spyware, malware, and other nasties. Unfortunately I was unable to totally fix it. I am quite confident that the system has no more viruses or other malware, but I keep getting an error message that I think is caused by damage left over by a virus that I have removed.

The error message indicates that Internet Explorer has crashed and has to close, but I don't use Internet Explorer. The message appears regardless of what program is running, and even if I do have Internet Explorer running the message doesn't mean anything because Internet Explorer does not close. I ran a HijackThis scan with the error message up and without the error message up.

The major difference is that when the error message is on the screen two programs are running.
C:\Program Files\Roxstroy\mqbshuta.exe
C:\WINDOWS\system32\dwwin.exe

What makes this more confusing is that there is no directory called "Roxstroy" in my Program Files directory and therefore no program named mqbshuta.exe. I even did a search of the hard drive and found no trace of any file with the term "Roxstroy" or "mqbshuta" in the filename. I can't even find any references to those terms on the Internet anywhere!

I've attached two files. One is named "hijackthis with crash.txt" and the other is "hijackthis without crash.txt". The titles are pretty self-explanatory. I would attach the results of an online scan, but they don't seem to be working for me...

Any suggestions would be greatly appreciated.

Thanks,
-Jon
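
Added example, not part of the original thread: a way to compare the "Running processes:" sections of two HijackThis logs, as the post above does by hand. The two logs are constructed samples in HijackThis layout (only the two extra paths come from the post), and the function names are hypothetical.

```python
# Constructed sample logs; only the Roxstroy and dwwin.exe paths are from the post.
LOG_WITHOUT_CRASH = r"""Logfile of HijackThis
Scan saved at 22:40:11, on 2006-11-09

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [ExampleEntry] C:\Example\example.exe
"""

LOG_WITH_CRASH = r"""Logfile of HijackThis
Scan saved at 22:47:03, on 2006-11-09

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Roxstroy\mqbshuta.exe
C:\WINDOWS\system32\dwwin.exe

O4 - HKLM\..\Run: [ExampleEntry] C:\Example\example.exe
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break  # a blank line ends the process list
            procs.append(line)
    return procs


def only_in_second(first_log, second_log):
    """Paths running in second_log but not in first_log (Windows paths compare case-insensitively)."""
    seen = {p.lower() for p in running_processes(first_log)}
    return [p for p in running_processes(second_log) if p.lower() not in seen]


if __name__ == "__main__":
    for path in only_in_second(LOG_WITHOUT_CRASH, LOG_WITH_CRASH):
        print("only while the error is shown:", path)
```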

Mr_JAk3
2006-11-10, 09:12
Hi SpikeBoy and welcome to Safer Networking Forums :)

Ok, let's see...

Make your hidden files visible:
* Go to My Computer
* Select the Tools menu and click Folder Options
* Click the View tab.
* Checkmark the "Display the contents of system folders"
* Under the Hidden files and folders select "Show hidden files and folders"
* Uncheck "Hide protected operating system files"
* Click Apply and then the OK and close My Computer.

* Go to virustotal.com (http://www.virustotal.com)
* Click on the Browse button
* Browse to the following file: C:\Program Files\Roxstroy\mqbshuta.exe
* Click Open and then on Send
* Wait for the scan to end.

Copy & Paste the scan results to here.

Please RIGHT-CLICK HERE (http://www.silentrunners.org/Silent%20Runners.vbs) and Save As (in IE it's "Save Target As") to download Silent Runners.
Save it to the desktop.
Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

SpikeBoy
2006-11-11, 18:04
Sorry, I guess I should have specified that I always have the folder options set to show hidden files and folders. I wasn't kidding when I said the program does not exist. I searched my hard drive for any reference to either Roxstroy or mqbshuta and have not found any file or folder anywhere on the computer (including hidden and system files and folders) that contains either term anywhere in its filename. I do have the Dr Watson log referencing the error if that will help. It lists all the loaded modules and the error data. It can't load the debug symbols though (probably because they don't exist or because the program doesn't exist at that point). I also ran the Silent Runners scan and have attached those results as well. As you can see I have AVG Free installed (it's up to date with the latest definitions), which does not currently detect any viruses.

Mr_JAk3
2006-11-12, 16:50
Ok but the file is definitely on your computer, it was visible in the running "processes"... It may be hidden though...

Let's try this:

Go to virustotal.com (http://www.virustotal.com)
Copy the following path to the box next to Browse button:
C:\Program Files\Roxstroy\mqbshuta.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Then, please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

Mr_JAk3
2006-11-18, 11:00
Still there SpikeBoy?

Mr_JAk3
2006-11-23, 09:32
This topic is closed due to lack of a response.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread.

Applies only to the original topic starter.