Spyware Gurus - at your mercy :) [resolved]

RyderRyder Kalamazoo, Mi Icrontian
edited August 2006 in Spyware & Virus Removal
I am thoroughly impressed with this forum's spyware/adware/trojan knowledge. I understand most of it myself, but being fairly new to HJT, etc., I thought I would post my log and see what you can tell me.

I have no major problems, except I do have something running causing a single popup to occur at various times while surfing.

I suspect the culprit to be the 2 lines marked F2 in my log, but have yet to work really hard at getting rid of them.

Thanks for your analysis :)

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 1:11:19 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SAV\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_5.25_windows_intelx86.exe
C:\Documents and Settings\Administrator.THEMATRIX\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqemw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,rllqhwb.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {C7648BB8-7FF5-4192-886A-6C542051A522} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thematrix.redpill
O17 - HKLM\Software\..\Telephony: DomainName = thematrix.redpill
O17 - HKLM\System\CCS\Services\Tcpip\..\{693EE7A4-B0C9-43A3-AB06-C84436CA6DA7}: NameServer = 10.83.8.13,67.36.55.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thematrix.redpill
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thematrix.redpill
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FAH@C:+Program Files+F@H+FAH502-Console.exe - Stanford University - C:\Program Files\F@H\FAH502-Console.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

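The two F2 lines in the log above are the Winlogon Shell and UserInit values, which normally hold only Explorer.exe and Userinit.exe; anything appended after a comma is started at every logon. The following is an added example (not part of HijackThis, Qoofix, or this thread) that parses F2 system.ini lines out of a HijackThis log and flags executables that are not in a baseline of expected names. The baseline and the sample log fragments are assumptions constructed for the example; the F2 values are taken from the log posted above.

```python
"""Flag unexpected executables in HijackThis F2 (system.ini Shell/UserInit) entries.

Added example for this thread, not code from HijackThis or Qoofix.
Winlogon's Shell and UserInit values are a common persistence point:
extra executables appended after a comma are launched at every logon.
"""
import re

# Assumption: baseline for a stock Windows XP install. Anything else is reported.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# Matches lines such as: F2 - REG:system.ini: Shell=Explorer.exe, C:\...\foo.exe
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")


def parse_f2_entries(log_text):
    """Return a list of (key, [values]) for every F2 system.ini line in the log.

    Values are split on commas, which is how Winlogon separates multiple
    executables in these registry values (paths with commas are not handled).
    """
    entries = []
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
        entries.append((m.group("key"), parts))
    return entries


def basename(path):
    """Lower-cased file name of a Windows path, with or without a directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(log_text):
    """Return a list of {'key', 'value'} dicts for executables not in the baseline."""
    findings = []
    for key, parts in parse_f2_entries(log_text):
        expected = EXPECTED[key.lower()]
        for value in parts:
            if basename(value) not in expected:
                findings.append({"key": key, "value": value})
    return findings


# Constructed sample: the F2 lines from the infected log above, plus a benign line.
INFECTED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqemw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,rllqhwb.exe
"""

# Constructed sample: a clean log where the values hold only the expected binaries.
CLEAN_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        hits = find_suspicious(log)
        print(f"{name}: {len(hits)} suspicious F2 value(s)")
        for hit in hits:
            print(f"  {hit['key']}= contains unexpected executable: {hit['value']}")
```

Run it against a saved HijackThis log by passing the file contents to `find_suspicious`; a clean post-cleanup log such as the second one in this thread simply has no F2 lines and produces no findings.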
Comments

  • TroganTrogan London, UK
    edited July 2006
    Hey Ryder! Yep, the F2 entries are from the Qoologic infection.

    Before we begin to fix that, I see HijackThis is on your desktop. Can you put HijackThis into its own folder so backups can be created? This step is important!

    Next, we need to DISABLE SpyBot's TeaTimer as it may interfere with the fix.

    1) Run Spybot Search & Destroy
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Exit SpyBot

    =====

    Download Qoofix by RubbeR DuckY from one of the following locations:

    http://www.malwarebytes.org/Qoofix.zip or
    http://www.besttechie.net/tools/Qoofix.zip
    1. Unzip all files to a convenient location such as C:\Qoofix.
    2. Go to the folder you unzipped all files and run Qoofix.exe.
    3. Click Begin Removal and wait for the scan to finish.
    4. If an infection has been found, select yes to restart your computer.

    Finally post a new Hijack This log and the contents of the Qoofix logfile. :)
  • RyderRyder Kalamazoo, Mi Icrontian
    edited July 2006
    No wonder that little bugger is so hard to remove.....from the way the fix app was running....the dll file was embedded in almost every process :(

    Thanks again for the help :)

    BTW....HJT was on the desktop and it does create a backup folder and it was there as well ;)

    Qoofix Log:

    Qoofix v1.03 by http://www.malwarebytes.org
    Scan started on [7/30/2006] at [7:34:14 PM]
    Terminated module: wominym.dll found in Qoofix.exe (5568)
    Terminated module: wominym.dll found in qhniwq.exe (980)
    Terminated module: wominym.dll found in explorer.exe (1068)
    Terminated module: wominym.dll found in hqemw.exe (1112)
    Terminated module: wominym.dll found in hqemw.exe (1124)
    Terminated module: wominym.dll found in VPTray.exe (1872)
    Terminated module: wominym.dll found in ctfmon.exe (888)
    Terminated module: wominym.dll found in boincmgr.exe (1084)
    Terminated module: wominym.dll found in SetPoint.exe (544)
    Terminated module: wominym.dll found in KHALMNPR.exe (2296)
    Terminated module: wominym.dll found in msnmsgr.exe (3248)
    Terminated module: wominym.dll found in MailWasher.exe (2172)
    Terminated module: wominym.dll found in IEXPLORE.EXE (4716)
    Terminated module: wominym.dll found in hqemw.exe (5080)
    Terminated module: wominym.dll found in rosetta_5.25_windows_intelx86.exe (4932)
    Terminated module: wominym.dll found in Skype.exe (4864)
    C:\WINDOWS\system32\hqemw.exe will be deleted on reboot!
    C:\WINDOWS\system32\qhniwq.exe will be deleted on reboot!
    C:\WINDOWS\system32\rllqhwb.exe will be deleted on reboot!
    C:\WINDOWS\system32\vecli.dat will be deleted on reboot!
    C:\WINDOWS\system32\wominym.dll will be deleted on reboot!
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ioyjd.exe will be deleted on reboot!

    User prompted YES to reboot, system now rebooting...
    Scan COMPLETED SUCCESSFULLY on [7/30/2006] at [7:35:05 PM]

    Note: Some registry keys may have been removed.


    New HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:39:35 PM, on 7/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\SAV\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SAV\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BOINC\boincmgr.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Program Files\BOINC\boinc.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} -
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
    O16 - DPF: {C7648BB8-7FF5-4192-886A-6C542051A522} -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thematrix.redpill
    O17 - HKLM\Software\..\Telephony: DomainName = thematrix.redpill
    O17 - HKLM\System\CCS\Services\Tcpip\..\{693EE7A4-B0C9-43A3-AB06-C84436CA6DA7}: NameServer = 10.83.8.13,67.36.55.26
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thematrix.redpill
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thematrix.redpill
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FAH@C:+Program Files+F@H+FAH502-Console.exe - Stanford University - C:\Program Files\F@H\FAH502-Console.exe
    O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • TroganTrogan London, UK
    edited July 2006
    RyderOCZ wrote:
    Thanks again for the help :)
    You're welcome! :thumbsup:
    BTW....HJT was on the desktop and it does create a backup folder and it was there as well ;)
    Thanks for that bit of info. :)

    =====

    Your log is clean, but you need to update your Java. However, there seems to be a problem at Sun Java's end as they are listing the wrong version for download. Latest Java version is 5.0.7, but they have it as 5.0.6. :skeptic:

    I can let you know when or if the problem gets sorted, if you would like. :)
  • TroganTrogan London, UK
    edited July 2006
    Hi Ryder,

    Java's website is still listing an older version here. Click on Download Now at the site. Not sure what's going on there.

    Can we mark this resolved if everything is back to normal? :)
  • RyderRyder Kalamazoo, Mi Icrontian
    edited July 2006
    Yeah....everything is great.

    Thanks

    I even went into Java through the control panel and it says I am up to date with Version 5.0.6....not sure where this 5.0.7 is supposed to be.

    I am not really concerned though :)
  • TroganTrogan London, UK
    edited August 2006
    lol...I might need to downgrade. :D

    This is v5.0.7...

    [attached screenshot showing Java v5.0.7]


    I'll mark this resolved. :)