July 6, 2008 03:10am pdt

1. souseran 20,488
2. IndiGenus 7,500
3. BillDL 7,100
4. and235100 6,400
5. LeeTutor 5,100
6. war1 4,768
7. rpggamer... 3,950
8. SpYd3r05 3,500
9. johnb6767 3,440
10. nobus 3,402
11. apache09 3,000
12. Oslove 2,400
13. alikaz3 2,200
14. arnold 2,000
14. shasunder 2,000
14. scottdorsey 2,000
14. hlarse 2,000
14. smurf_ki... 2,000
14. VortexAdmin 2,000
14. GaryStevens 2,000
14. cpaglee 2,000
14. oBdA 2,000
14. qz8dsw 2,000
14. speshalyst 2,000
14. r-k 2,000
14. hypercat 2,000
14. HadleyR 2,000
14. vadimrapp1 2,000
14. Nyah247 2,000
14. ipcipher 2,000

1. souseran 31,553
2. rpggamer... 15,334
3. and235100 10,470
4. war1 9,228
5. IndiGenus 7,500
6. LeeTutor 7,300
7. BillDL 7,100
8. Sheharya... 6,125
9. orangutang 6,080
10. r-k 5,950
11. PeteLong 5,600
12. johnb6767 4,640
13. rindi 3,775
14. younghv 3,560
15. SpYd3r05 3,500
15. jkr 3,500
15. PUNKY 3,500
15. sramesh2k 3,500

04.25.2007 at 08:30AM PDT, ID: 22533430

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.8

How to remove infostealer - mquteng.dll

Zones: Windows Registry Cleaners, Anti-Virus Applications

Tags: infostealer, remove, how, virus

Hi Experts,
My PC (Windows XP -Pro) infected with virus call "Infostealer". Each time I open up my IE Symantec Antivirus will prompt me but it not able to quarantine or delete it. Detail information as below:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Infostealer
File: C:\WINDOWS\system32\mquteng.dll
Location: C:\WINDOWS\system32
Computer: SERVER02
User: Administrator
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wednesday, April 25, 2007 11:22:11 PM

- I had updated the latest virus defination and perform a full system scan in safe mode but it detected the "Infostealer" but failed to clean it.
-I try to manual delete the file C:\WINDOWS\system32\mquteng.dll but failed.
-I had run VundoFix to scan the system but nothing found
- Run hijackThis but everytime I try to fix the entry for "O2 - BHO: (no name) - {eb85bdf1-152d-4303-817f-ec27107b0b4b} - C:\WINDOWS\system32\mquteng.dll" it will come back later.
- Tried to find "mquteng.dll" at registry and delete all entry related to it cannot work. It will come back by itself.

PLease advice what I need to do others then format the machine. Thanks so much in advance.

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: newbies1512

Solution Provided By: rindi

Participating Experts: 1

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

04.25.2007 at 08:33AM PDT, ID: 18974498

newbies1512:

Below is the hijackThis Log for your reference:

Logfile of HijackThis v1.97.7
Scan saved at 10:51:05 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {eb85bdf1-152d-4303-817f-ec27107b0b4b} - C:\WINDOWS\system32\mquteng.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172301443640
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A72E7D5-F2BD-4694-B2F2-A518CA0A230D}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A72E7D5-F2BD-4694-B2F2-A518CA0A230D}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A72E7D5-F2BD-4694-B2F2-A518CA0A230D}: NameServer = 10.0.0.2

04.25.2007 at 08:54AM PDT, ID: 18974711

rindi:

Try booting the PC with a UBCD4WIN, then rename or move the file "C:\WINDOWS\system32\mquteng.dll". Then reboot to check if the problem has gone. You can of course also use the AV software on the UBCD to scan your disk.

http://ubcd4win.com

04.25.2007 at 08:55AM PDT, ID: 18974725

rindi:

Also download a current version of hijackthis. yours isn't the newest...

04.25.2007 at 09:10AM PDT, ID: 18974877

newbies1512:

New version of hijackThis Download and run. This is the Log file but seem like I still not able to fix the problem. Please help~

Logfile of HijackThis v1.99.1
Scan saved at 12:09:15 AM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {eb85bdf1-152d-4303-817f-ec27107b0b4b} - C:\WINDOWS\system32\mquteng.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172301443640
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A72E7D5-F2BD-4694-B2F2-A518CA0A230D}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A72E7D5-F2BD-4694-B2F2-A518CA0A230D}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A72E7D5-F2BD-4694-B2F2-A518CA0A230D}: NameServer = 10.0.0.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mquteng - C:\WINDOWS\SYSTEM32\mquteng.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

04.25.2007 at 10:14AM PDT, ID: 18975442

rindi:

Did you follow my instructions above, booting to a live CD that can access your disk so you can copy that file off or rename it?

04.25.2007 at 10:45AM PDT, ID: 18975671

newbies1512:

I am downloading UBCD4WIN now as it will need to take few hours to complete. Before that, any others solution?

04.25.2007 at 11:07AM PDT, ID: 18975875

rindi:

You could also use an XP CD and boot into the recovery console, then rename or move the file manually. This only a bit more of a hassle, as you need to do everything from the command prompt. A further way would be to connect the disk to another PC running windows and then do the renames.

Accepted Solution

04.25.2007 at 11:13PM PDT, ID: 18979522

newbies1512:

Rindi,
I am downloaded the window live CD " UBCD4WIN " but however I tried to use XP CD and boot into recovery console. I successed to rename and delete the file. Right now the pop out seem like disappear.

Thans so much for your advices and helps.

04.25.2007 at 11:46PM PDT, ID: 18979610

rindi:

your welcome

20080236-EE-VQP-29