Solved

AVG Finds: Trojan horse Downloader.Generic3.OAE

Posted on 2007-03-21
13
1,569 Views
Last Modified: 2009-12-16
AVG 7.5 running under Win XP finds: Trojan horse Downloader.Generic3.OAE

I'm not sure if AVG can heal this as I can find no real info on what it actually is. Any help would be appreciated.
0
Comment
Question by:psd_steve
  • 6
  • 4
13 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Every scanners has different definitions/names, what AVG calls "Downloader.Generic3.OAE" can be called something else by another scanners. It sounds to me it could be an SDBot variant, let's check if it shows up in the hijackthis scan.

Can you show us a hijackthis log?
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
0
 

Author Comment

by:psd_steve
Comment Utility
Logfile of HijackThis v1.99.1
Scan saved at 9:26:15 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elantech\Ktp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\CPUTray.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Documents and Settings\Bruce\Desktop\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.averatec.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\mljghge.dll
O2 - BHO: (no name) - {3260FDEF-35B0-49BF-9E32-0D7B575B801E} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\offijmta.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D45B66AB-AD8C-4D11-93CC-738FB64855Db} - C:\WINDOWS\system32\axfwqymd.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\Ktp.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vqwmnptv.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O20 - Winlogon Notify: mljghge - C:\WINDOWS\SYSTEM32\mljghge.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe


Sorry I was out of the area so closed this, but still would appreciate a look thanks

Steve
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Hi,

How come you closed your question, other experts will not look into this, thinking it's all been resolved.
Shall I open it for you so others can participate as well?

Just what I thought it would be, this entry below belongs to an SDBot variant.
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE

Vundo and conhook are also showing in your logfile.(we'll fix the hijackthis  entries later after you've run vundofix and SDFix)

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encounters a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.


2. If vundofix doesn't find any files, run this alternative.
 Download VirtumundoBegone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
 and save it to your desktop. When you have done this doubleclick on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.


3. Also download SDFix pelase.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back

After you've done those. please show us a fresh hijackthis log to review, thanks!
0
 

Author Comment

by:psd_steve
Comment Utility
I will do as you suggested. I closed it as I thought I was not going to be around to finish it and hate to leave an open question. If you can open it again it would be very nice thank you
0
 

Author Comment

by:psd_steve
Comment Utility
Alright i did as directed and here is what i have come up with.

Vundo FIx

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:27:39 PM 3/29/2007

Listing files found while scanning....

C:\Documents and settings\Bruce\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Bruce\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\mljghge.dll
C:\WINDOWS\system32\offijmta.dll
C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\qqtwa.bak2
C:\WINDOWS\system32\qqtwa.ini2
C:\WINDOWS\system32\qqtwa.tmp
C:\WINDOWS\system32\tqxknxav.exe
C:\WINDOWS\system32\tuvsqno.dll
C:\WINDOWS\system32\tuvvurq.dll
C:\WINDOWS\system32\urqqrss.dll
C:\WINDOWS\system32\vqwmnptv.dll
C:\WINDOWS\system32\vtpnmwqv.ini

Beginning removal...

 Attempting to delete C:\Documents and settings\Bruce\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Bruce\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

 Attempting to delete C:\Documents and settings\Bruce\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Bruce\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

 Attempting to delete C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\mljghge.dll
C:\WINDOWS\system32\mljghge.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\offijmta.dll
C:\WINDOWS\system32\offijmta.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\qqtwa.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qqtwa.bak2
C:\WINDOWS\system32\qqtwa.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qqtwa.ini2
C:\WINDOWS\system32\qqtwa.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qqtwa.tmp
C:\WINDOWS\system32\qqtwa.tmp Has been deleted!

 Attempting to delete C:\WINDOWS\system32\tqxknxav.exe
C:\WINDOWS\system32\tqxknxav.exe Has been deleted!

 Attempting to delete C:\WINDOWS\system32\tuvsqno.dll
C:\WINDOWS\system32\tuvsqno.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\tuvvurq.dll
C:\WINDOWS\system32\tuvvurq.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\urqqrss.dll
C:\WINDOWS\system32\urqqrss.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\vqwmnptv.dll
C:\WINDOWS\system32\vqwmnptv.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\vtpnmwqv.ini
C:\WINDOWS\system32\vtpnmwqv.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:52:58 PM 3/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\mljghge.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\mljghge.dll
C:\WINDOWS\system32\mljghge.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:45:01 PM 3/30/2007

Listing files found while scanning....

No infected files were found.



SDfix

SDFix: Version 1.75

Run by Bruce - Thu 03/29/2007 - 14:15:51.79

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Bruce\LOCALS~1\Temp\hdw8.tmp - Deleted
C:\WINDOWS\svchost.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Bruce\Local Settings\Temp\~WRL0165.tmp

                                 Finished



And finally my new hijackthis


Logfile of HijackThis v1.99.1
Scan saved at 3:14:05 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elantech\Ktp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\CPUTray.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Bruce\Desktop\alternativ.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.averatec.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3260FDEF-35B0-49BF-9E32-0D7B575B801E} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\offijmta.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D45B66AB-AD8C-4D11-93CC-738FB64855Db} - C:\WINDOWS\system32\axfwqymd.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\Ktp.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vqwmnptv.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe





Since I have run these programs whenever I start up I get two of the exact same Run DLL problems


Run DLL

C:\WINDOWS\system32\vqwmnptv.dll

The specific module could not be found.

I do not believe that my issue is fixed. I still find (though under a different name) a Trojan virus which AVG has supposedly healed.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
Comment Utility
>>Since I have run these programs whenever I start up I get two of the exact same Run DLL problems
Run DLL
C:\WINDOWS\system32\vqwmnptv.dll

The specific module could not be found.<<


You really need to get back to us as soon as you can while we're trying to clean your pc, it's been awhile since those scans were run, and these nasties can respawn quickly if some files are still left behind.
The logs showed, Vundo and conhook had been removed by vundofix and SDFix also removed SDBot.


As for the error that you're getting, it's because the file is gone but the registry entry is still there, for the error to go you need to fix this entrybelow in hijackthis.
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vqwmnptv.dll",setvm


Please run Hijackthis and checkmark these entries while all browsers and other windows are closed, click "Fix Checked" button:
O2 - BHO: (no name) - {3260FDEF-35B0-49BF-9E32-0D7B575B801E} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\offijmta.dll (file missing)
O2 - BHO: (no name) - {D45B66AB-AD8C-4D11-93CC-738FB64855Db} - C:\WINDOWS\system32\axfwqymd.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vqwmnptv.dll",setvm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)


try this good scanner, SUPERAntispyware:
http://www.superantispyware.com/


0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
>>>I still find (though under a different name) a Trojan virus which AVG has supposedly healed.<<<

Can you please post the location of the location of the trojan that AVG finds?
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Once you fixed that entry in Hijackthis, the error will go away.

As you can see from the vundofix log, that file has been deleted, but the registry entry is still intact that's why the error comes up.
C:\WINDOWS\system32\vqwmnptv.dll Has been deleted!


Once hijackthis removes the registry entry(below) then error should go away.
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\vqwmnptv.dll",setvm


0
 

Author Comment

by:psd_steve
Comment Utility
Again I apologize for the delay in a response but it appears as though you have fixed my problem I'm going to post another hijack this just so you can make sure you see nothing nasty and then i shall accept the solution. Thanks again!!

Logfile of HijackThis v1.99.1
Scan saved at 9:41:30 AM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elantech\Ktp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\CPUTray.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bruce\Desktop\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.averatec.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\Ktp.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

Again Sorry for the Delay


0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Hi,

Sorry, I was away for a week with no internet access.
Thanks for posting another hijackthis log, no malware entry there, it looks clean!
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now