hijacked by Aurora (ABI) party poker and more

Question

techtard 0 Newbie Poster

19 Years Ago

Hi-
I've read many related posts on this and followed the instructions on getting logs from Ewido and Hijack This. Is there anyone that can take a look at the logs and advise what I should/should not delete? I'm not very good at this and worried about messing up my computer even more.

I've also scanned repeatedly with Ad-Aware and Microsoft AntiSpyware with no luck...As soon as I reboot my computer, the pop-ups are everywhere.

Thanks so much.

here are the logs:

 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          9:48:00 PM, 6/29/2005
 + Report-Checksum:     C2B21AF3

 + Date of database:        6/30/2005
 + Version of scan engine:  v3.0

 + Duration:                29 min
 + Scanned Files:           48865
 + Speed:               27.65 Files/Second
 + Infected files:          39
 + Removed files:           3
 + Files put in quarantine:     3
 + Files that could not be opened:  0
 + Files that could not be cleaned: 0

 + Binder:      Yes
 + Crypter:     Yes
 + Archives:        Yes

 + Scanned items:
    C:\

 + Scan result:
    C:\Documents and Settings\dardana\Cookies\dardana@35487201[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Cookies\dardana@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dardana\Cookies\dardana@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dardana\Cookies\dardana@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dardana\Cookies\dardana@atdmt[2].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Cookies\dardana@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Cookies\dardana@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Cookies\dardana@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Cookies\dardana@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Cookies\dardana@zedo[2].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\Cookies\dardana@search.msn[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\D3968\abiuninst.exe -> Spyware.BetterInternet -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\Del4285.tmp -> TrojanDownloader.Small.asf -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\f294823.exe -> TrojanDownloader.Qoologic.n -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\IFG\aurareco.exe -> Spyware.BetterInternet -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\nst4281.EXE -> Spyware.SmartPops -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\pcs_0002.exe -> Spyware.Pacer.b -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\ptf_0009.exe -> Spyware.Pacer -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\temp.fr1633 -> Spyware.BetterInternet -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\temp.fr4627 -> Spyware.MediaPass -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\temp.fr560A -> Trojan.Agent.db -> Ignored
    C:\Documents and Settings\dardana\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Ignored
    C:\Documents and Settings\guest1\Cookies\guest1@S005-01-5-9-246403-73932[2].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\guest1\Cookies\guest1@search.msn[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Documents and Settings\guest1\Cookies\guest1@xiti[1].txt -> Spyware.Tracking-Cookie -> Ignored
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer -> Ignored
    C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Ignored
    C:\WINDOWS\system\rbuudnolp.exe -> TrojanDownloader.Small.ayh -> Ignored
    C:\WINDOWS\system32\cdmdownld\uvbbqlgffh.dll -> Spyware.SmartPops -> Ignored
    C:\WINDOWS\system32\cdmdownld\uvbbqlgffh.exe -> Spyware.SmartPops -> Ignored
    C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg -> Ignored
    C:\WINDOWS\system32\eliteisp32.exe -> Spyware.Hijacker.Generic -> Ignored
    C:\WINDOWS\system32\elitesav32.exe -> Spyware.Hijacker.Generic -> Ignored
    C:\WINDOWS\system32\fxdsxd.exe -> Spyware.BetterInternet -> Ignored
    C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Ignored
    C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Ignored
    C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl -> Ignored
    C:\WINDOWS\System320nsv100 -> Spyware.HotSearchBar -> Ignored


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 9:51:55 PM, on 6/29/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\dardana\Desktop\HJT1991.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mrurrk.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [oFnj3mU] dsoole32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteisp32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zo4tRgYmV] dpwace.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Client Manager.lnk = ?
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: tncn.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104729538241[/url]
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - [url]http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab[/url]
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - [url]https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx[/url]
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326[/url]
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

windows-virus

Edited 11 Years Ago by mike_2000_17 because: Fixed formatting

3 Contributors
10 Replies
241 Views
1 Week Discussion Span
Latest Post 19 Years Ago Latest Post by DMR

crunchie 990 Most Valuable Poster

19 Years Ago

techtard,

Hi and welcome to the Daniweb forums :).

===============

When we're done cleaning off your system, I'd recommend that you install all the critical windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============

Please visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you tick Auto Clean.
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u richedtr.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll

O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mrurrk.exe reg_run
O4 - HKLM\..\Run: [oFnj3mU] dsoole32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteisp32.exe
O4 - HKCU\..\Run: [Zo4tRgYmV] dpwace.exe
O4 - Global Startup: Compaq Client Manager.lnk = ?

Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\richup.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\mrurrk.exe
C:\windows\system32\eliteisp32.exe

Search for...

dsoole32.exe
dpwace.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

crunchie 990 Most Valuable Poster

19 Years Ago

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

====

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

To save some time, could you please have each of the files that rkfiles finds, uploaded for an online scan here;

http://virusscan.jotti.org/

Post the contents of C:\log.txt in your next reply.

crunchie 990 Most Valuable Poster

19 Years Ago

You definitely uploaded the found files one at a time, yes?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

techtard 0 Newbie Poster · Answer 1 · 2005-07-01T09:23:04+00:00

I did all of the things you suggested in your reply.
Below is the new hijack log followed by the filenames that Housecall at TrendMicro could not get rid of...

Logfile of HijackThis v1.99.1
Scan saved at 7:59:57 PM, on 6/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tncn.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\dardana\Desktop\HJT1991.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteisp32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mrurrk.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104729538241
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Housecall at TrendMicro
VIRUS FILE
TROJ AGENT.RS C:\Documents and Settings\dar...
TROJ DLOADER.OS C:\Documents and Settings\dar...
TROJ BUDDY.F C:\Documents and Settings\dar...
CHM PSYME.AX C:\Documents and Settings\dar...
TROJ SMALL.APE C:\WINDOWS\system\rbuudnol...

As of right this moment,unfortunately, I still seem to be experiencing quite a few pop ups...
I'm going to install the critical windows updates from Microsoft that you recommended and I will wait to hear from you.

Again, thank you so much for helping me with this!

techtard 0 Newbie Poster · Answer 2 · 2005-07-02T03:53:16+00:00

Hi-
I've completed the steps you've outlined. When I uploaded the rk files to the URL you gave me below, the scanner results were 'found nothing' for all of the files.
In addition, here are the contents of the 'qoologic' log:

C:\Documents and Settings\dardana\Local Settings\Temporary Internet Files\Content.IE5\4LEJWHQV\findqoologic[1]

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\mrurrk.exe: .aspack
C:\WINDOWS\system32\obqbbcc.exe: .aspack
C:\WINDOWS\system32\redit.cpl: .aspack
C:\WINDOWS\system32\urcrree.dll: .aspack
C:\WINDOWS\system32\vpypp.dat: .aspack

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tncn.exe: .aspack

I am still seeing party poker pop-ups and a few others but it is at least 80-90% better than it was before. Again, thanks so much.

Please let me know, if/what the next steps are.

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.
C:\log.txt
C:\win.txt
C:\start.txt
====
Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.
Reboot in Safe mode.
Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.
To save some time, could you please have each of the files that rkfiles finds, uploaded for an online scan here;
http://virusscan.jotti.org/
Post the contents of C:\log.txt in your next reply.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 3 · 2005-07-02T11:39:30+00:00

Download Killbox v 2.0.0.175 and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

C:\WINDOWS\system32\mrurrk.exe
C:\WINDOWS\system32\obqbbcc.exe
C:\WINDOWS\system32\redit.cpl
C:\WINDOWS\system32\urcrree.dll
C:\WINDOWS\system32\vpypp.dat
C:\windows\system32\eliteisp32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tncn.exe

-

Reboot into safe mode following the instructions here.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteisp32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mrurrk.exe reg_run

Open the text file you saved previously and right click and drag your cursor over the files to highlight them and then use Control+C to copy them to the clipboard..
Open KILLBOX and go to File...."Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there) . Then checkmark the "Delete on Reboot" box..and click the red X. You will get a message saying "File will be deleted on next reboot" , Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

techtard 0 Newbie Poster · Answer 4 · 2005-07-07T10:50:54+00:00

I did as you suggested.
First, when I ran hijack this, neither of these files were found:

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteisp32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mrurrk.exe reg_run

So, I proceeded to the next step. There were the 7 files that I saved in notepad to my desktop

C:\WINDOWS\system32\mrurrk.exe
C:\WINDOWS\system32\obqbbcc.exe
C:\WINDOWS\system32\redit.cpl
C:\WINDOWS\system32\urcrree.dll
C:\WINDOWS\system32\vpypp.dat
C:\windows\system32\eliteisp32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tncn.exe

When I did the copy and paste to the clipboard in Killbox, the only one that listed in the drop down box was: (they were all highlighted though)

C:\WINDOWS\system32\redit.cpl

I went ahead and checkmarked the "Delete on Reboot" etc...

Does that sound right/possible or did I not do something correctly?
Please advise.

Thanks.

Download Killbox v 2.0.0.175 and unzip the file to your Desktop and have it ready to use.
-
Save all the below files to a text document (notepad) to be used shortly.
C:\WINDOWS\system32\mrurrk.exe
C:\WINDOWS\system32\obqbbcc.exe
C:\WINDOWS\system32\redit.cpl
C:\WINDOWS\system32\urcrree.dll
C:\WINDOWS\system32\vpypp.dat
C:\windows\system32\eliteisp32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tncn.exe
-
Reboot into safe mode following the instructions here.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteisp32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mrurrk.exe reg_run
Open the text file you saved previously and right click and drag your cursor over the files to highlight them and then use Control+C to copy them to the clipboard..
Open KILLBOX and go to File...."Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there) . Then checkmark the "Delete on Reboot" box..and click the red X. You will get a message saying "File will be deleted on next reboot" , Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

DMR 152 Wombat At Large Team Colleague · Answer 5 · 2005-07-07T15:10:15+00:00

Run Find-Qoologic and HijackThis again and post a new log from both. That will llet us know if the items were truly deleted.

techtard 0 Newbie Poster · Answer 6 · 2005-07-07T20:14:24+00:00

Run Find-Qoologic and HijackThis again and post a new log from both. That will llet us know if the items were truly deleted.

Thanks so much...see results below

Find Qoologic

log.txt
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK

win.txt
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK

start.txt
NOTHING FOUND

Here is the Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:11:35 AM, on 7/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\dardana\Desktop\HJT1991.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120188319426
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

DMR 152 Wombat At Large Team Colleague · Answer 7 · 2005-07-08T00:56:18+00:00

Both logs look good to me now, but since crunchie was driving this ship, I'd suggest waiting for his OK on things.

I did notice one thing in your logs that's got you just asking for trouble, though:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

The above entries indicate that you are seriously behind on your Winodws updates, which means that your missing a number of security patches and overall bug fixes.

Go to the Windows Update site and at least get Service Pack 1 and all related updates. You can update to SP2 if you want; the choice is yours.