Qoologic.bj

RaynmanAS

New member
This trojan owns me right now, it's very frustrating.

I searched the archive and found out about FindQool and followed the instructions in that thread, but ewido still finds it after it runs.

Here is my present Hijackthis logfile:

________________________________________________________________________________________

Logfile of HijackThis v1.98.2
Scan saved at 12:39:39 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pop-Up Stopper\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\FindQool\sub\md5deep.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cwkbv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,mrrfhya.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: PSFree.lnk = C:\Program Files\Pop-Up Stopper\PSFree.exe
O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142724329984
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 199.191.128.103
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 199.191.128.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 199.191.128.103

_____________________________________________________________________________________________

And the report from FindQool:

_____________________________________________________________________________________________

Tue 08/01/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....
C:\WINDOWS\system32\ruswnck.dll
C:\WINDOWS\system32\mrrfhya.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\MRRFHYA.EXE
C:\WINDOWS\SYSTEM32\RUSWNCK.DLL
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\DUFXD.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
07/31/2006 11:24 PM 127,488 dufxd.exe
...

HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"kexovr"="C:\\WINDOWS\\system32\\lntwvt.exe reg_run"
HKCU
"hbepx"="C:\\WINDOWS\\system32\\lntwvt.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\cwkbv.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,mrrfhya.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 17/05/2006

_____________________________________________________________________________________


Additional info that I am not sure matters: the FindQool program keeps saying the following while it is running:

md5deep: C:\WINDOWS\system32\vtsqn.dll: Permission denied.


______________________________________________________________________________________

So, any thoughts? :blush:
 
I forgot to mention that as soon as FindQool finishes and I start up ewido, it immediately finds Qoologic.bj again.
 
Welcome to the forum. Your HJT version is old. Use this link: http://www.merijn.org/files/HijackThis.exe and download it to the same folder where it is now, C:\Program Files\HijackThis\; HJT will replace the old version. Post a new HJT log and I will respond as soon as possible after that.

Thanks...pskelley
Safer Networking Forums
 
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.
 