
Topic: Help me delete trojan win32:BHO-MQ


oldman
Re: Help me delete trojan win32:BHO-MQ
« Reply #15 on: March 14, 2008, 04:12:15 PM »
You will probably end up with more if you don't start removing them.   ???

Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #16 on: March 21, 2008, 11:34:05 AM »
When I scan cryptsv.dll it doesn't find anything. Is the trojan deleted by its maker or something?

polonus
Re: Help me delete trojan win32:BHO-MQ
« Reply #17 on: March 21, 2008, 01:17:28 PM »
Hi Trojanhater666,

This is a BHO trojan with the following components:

Processes: CRYPTSV.DLL

CLSID list:
{F0E5F564-BA65-4181-AD5A-F868F08D0480}
{85BE6BA5-6732-4A71-B48E-82AFCC24639C}

All the hidden components should be removed, else you still have it. Follow oldman's instructions to the dot, and you have a chance of removing them for good. For the future, go online only with a fully patched Windows (service packs and all) and the most recent Sun Java version, with previous versions manually removed; otherwise you will be a sitting duck waiting for reinfection. Use a normal user account only to surf after your computer is clean; 90% of malware can then no longer make changes to your OS, which is more secure by enormous leaps,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO
Re: Help me delete trojan win32:BHO-MQ
« Reply #18 on: March 22, 2008, 09:58:22 AM »
***

I think what is not being understood is that even though CRYPTSV.DLL is scanned as not infected (because it is not), the infection uses this DLL in its work of infecting your computer. It is only a single part of the infection, and all parts of the infection must be removed. It is also a DLL that is not needed on your computer, so why have it?

As Polonus stated, please follow oldman's instructions to the dot.


***

polonus
Re: Help me delete trojan win32:BHO-MQ
« Reply #19 on: March 22, 2008, 10:32:53 AM »
Hi CharleyO,

You are right: only a full scan and a log file (txt) will show what the infection could be, as you have experienced lately that there are so many infestations with "hidden" malware that need special measures to be removed properly. Also important is that AV scanners have to adjust to their new role as spyware scanners. Oldman will come up with the right formula for Trojanhater666's problem,

polonus

Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #20 on: April 25, 2008, 03:33:18 PM »
Damn! My computer is very infected by spyware. I scanned my computer with SUPERAntiSpyware. It found 7 trojan downloaders, some adware and tracking cookies, and Unclassified.Oreans32.

Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #21 on: April 25, 2008, 05:43:04 PM »
ComboFix 08-02-21 - Antti 2008-02-21 20:33:58.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1035.18.556 [GMT 2:00]
Running from: C:\Documents and Settings\Antti.PERHEKONE\Työpöytä\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((   Other deletions   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MWHTMLMU.DLL
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\1.bin\MYPOPSWT.DLL
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\myBar\Cache\01137F77.bin
C:\Program Files\MyWay\myBar\Cache\011383EB.bin
C:\Program Files\MyWay\myBar\Cache\01138D13.bin
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\Cache\0113213A
C:\Program Files\MyWay\SrchAstt\Cache\files.ini
C:\Program Files\MyWay\SrchAstt\Settings\prevcfg.htm

----- BITS: Possible infected sites -----

hxxp://au.downlo
.
(((((   Files created between 2008-01-21 and 2008-02-21  )))))))))))))))))
.

2008-02-21 15:27 . 2008-02-21 15:29   226   --a------   C:\Gunner3.ini
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\soundtrack
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\rock
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\reggae
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\newage
2008-02-20 16:17 . 2008-02-20 16:21   <KANSIO>   d--------   C:\Documents and Settings\Antti\misc
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\jazz
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\folk
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\data
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\country
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\classical
2008-02-20 16:17 . 2008-02-20 16:17   <KANSIO>   d--------   C:\Documents and Settings\Antti\blues
2008-02-20 16:09 . 2008-02-20 16:31   <KANSIO>   d--------   C:\Documents and Settings\Antti\Status
2008-02-16 16:07 . 2008-02-16 16:07   <KANSIO>   d--------   C:\Program Files\Common Files\Motion Playground Inc
2008-02-16 14:51 . 2008-02-16 14:51   <KANSIO>   d--------   C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-13 16:48 . 2008-02-15 20:06   1,374   --a------   C:\WINDOWS\imsins.BAK
2008-02-11 21:22 . 2008-02-11 21:22   <KANSIO>   d--------   C:\Program Files\Niels Bauer Software Design
2008-02-10 13:40 . 2008-02-10 13:40   <KANSIO>   d--------   C:\Sierra
2008-02-09 23:11 . 2008-02-09 23:11   <KANSIO>   d--------   C:\Documents and Settings\Antti.PERHEKONE\Application Data\GRETECH
2008-02-09 22:35 . 2008-02-09 22:35   <KANSIO>   d--------   C:\Program Files\GRETECH
2008-02-09 21:37 . 2008-02-09 21:47   5,382   --a------   C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-09 21:05 . 2008-02-09 21:47   72,074   --a------   C:\WINDOWS\BricoPackUninst.cmd
2008-02-09 21:04 . 2008-02-09 21:46   2,359,350   --a------   C:\WINDOWS\BricoPack Wallpaper.bmp
2008-02-09 20:53 . 2008-02-09 21:36   <KANSIO>   d--------   C:\WINDOWS\BricoPacks
2008-02-08 16:52 . 2008-02-08 16:52   335,872   --a------   C:\WINDOWS\system32\mysidesearch_sidebar.dll
2008-02-07 09:06 . 2008-02-07 09:06   <KANSIO>   d--------   C:\Program Files\eidos Interactive
2008-02-06 11:20 . 2008-02-06 11:20   <KANSIO>   d--------   C:\Program Files\3DO
2008-02-06 10:39 . 2008-02-06 10:39   <KANSIO>   d--------   C:\Documents and Settings\All Users\Application Data\Chat Republic Games
2008-02-05 21:29 . 2008-02-05 21:29   31,361   --a------   C:\WINDOWS\3DSTATE_logo.jpg
2008-02-05 21:09 . 2008-02-07 12:55   <KANSIO>   d--------   C:\Program Files\StarportGE
2008-02-05 21:08 . 2008-02-18 21:57   <KANSIO>   d--------   C:\Program Files\My Worst Day WW2
2008-02-05 16:19 . 2008-02-05 16:19   <KANSIO>   d--------   C:\Program Files\Infogrames
2008-01-31 19:15 . 2008-01-31 19:21   <KANSIO>   d--------   C:\Documents and Settings\pommi tommi\Application Data\Mount&Blade
2008-01-30 13:21 . 2008-01-30 13:21   <KANSIO>   d--------   C:\Program Files\D-Tools
2008-01-30 13:21 . 2004-08-22 16:31   155,136   --a------   C:\WINDOWS\system32\drivers\d347bus.sys
2008-01-30 13:21 . 2004-08-22 16:31   5,248   --a------   C:\WINDOWS\system32\drivers\d347prt.sys
2008-01-28 22:13 . 2008-01-28 22:16   <KANSIO>   d--------   C:\Documents and Settings\Antti.PERHEKONE\Application Data\Mount&Blade
2008-01-27 16:28 . 2008-02-21 20:59   5,042,208   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-27 16:28 . 2008-02-21 16:16   59,852   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-27 16:20 . 2008-01-27 16:20   <KANSIO>   d--------   C:\Program Files\ZoneAlarmSB
2008-01-27 16:17 . 2008-01-27 16:17   <KANSIO>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-27 16:17 . 2007-11-14 16:05   75,248   --a------   C:\WINDOWS\zllsputility.exe
2008-01-27 16:17 . 2004-04-27 04:40   11,264   --a------   C:\WINDOWS\system32\SpOrder.dll
2008-01-27 16:17 . 2008-01-27 16:20   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2008-01-27 16:16 . 2008-01-27 16:16   <KANSIO>   d--------   C:\Program Files\Zone Labs
2008-01-27 16:15 . 2008-02-21 20:53   <KANSIO>   d--------   C:\WINDOWS\Internet Logs
2008-01-21 14:02 . 2008-02-09 17:39   84,729   --a------   C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe

Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #22 on: April 25, 2008, 05:43:31 PM »
((((((((((((((((((((((((((((((((((((   Find3M report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 13:30   4,120   ----a-w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\wklnhst.dat
2008-02-20 18:07   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\LimeWire
2008-02-17 18:45   24,008   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\wklnhst.dat
2008-02-17 17:28   ---------   d-----w   C:\Program Files\ExtraFilm Kotona
2008-02-16 12:34   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-15 20:53   168,960   ----a-w   C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-15 20:53   1,619,456   ----a-w   C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-15 17:05   ---------   d-----w   C:\Program Files\Mount&Blade
2008-02-14 18:08   1,613,312   ----a-w   C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-14 09:00   1,481   ---ha-w   C:\Documents and Settings\SALME NEUVONEN\hpothb07.dat
2008-02-11 20:34   273,920   ----a-w   C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-11 20:34   1,590,784   ----a-w   C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-10 11:45   ---------   d-----w   C:\Program Files\Sierra On-Line
2008-02-10 09:26   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\uTorrent
2008-02-09 19:05   219,136   ----a-w   C:\WINDOWS\system32\uxtheme.dll
2008-02-09 18:58   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\MSN6
2008-02-08 11:47   ---------   d-----w   C:\Program Files\ProPilkki2
2008-02-08 06:12   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\LimeWire
2008-02-06 13:23   ---------   d-----w   C:\Program Files\KotiMikron Hakemisto
2008-02-06 10:55   499,200   ----a-w   C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-06 08:55   ---------   d-----w   C:\Program Files\CoolBasic
2008-02-06 08:53   ---------   d-----w   C:\Program Files\Jollygood Games
2008-02-06 08:52   ---------   d-----w   C:\Program Files\Beamer
2008-02-06 06:56   1,469,440   ----a-w   C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 11:08   ---------   d-----w   C:\Program Files\Jets'n'Guns Demo
2008-01-29 13:08   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\wsInspector
2008-01-28 14:21   ---------   d-----w   C:\Program Files\Deadhunt Demo
2008-01-26 17:42   ---------   d-----w   C:\Program Files\EA Games
2008-01-26 17:10   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-01-26 10:59   ---------   d-----w   C:\Documents and Settings\SALME NEUVONEN\Application Data\wsInspector
2008-01-25 19:43   ---------   d-----w   C:\Program Files\LEGO Media
2008-01-21 10:57   ---------   d-----w   C:\Program Files\eMule
2008-01-19 21:16   ---------   d-----w   C:\Program Files\LimeWire
2008-01-18 21:24   ---------   d-----w   C:\Program Files\Paint.NET
2008-01-18 16:34   ---------   d-----w   C:\Program Files\Microsoft Games
2008-01-18 11:41   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\InterVideo
2008-01-17 16:47   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\LEGO Media
2008-01-17 16:43   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\eMule
2008-01-17 14:31   ---------   d-----w   C:\Documents and Settings\SALME NEUVONEN\Application Data\Grisoft
2008-01-17 12:13   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\LEGO Media
2008-01-17 11:59   720,896   -c--a-w   C:\WINDOWS\iun6002.exe
2008-01-17 11:37   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\Grisoft
2008-01-16 18:58   ---------   d-----w   C:\Documents and Settings\Pekka\Application Data\Grisoft
2008-01-16 15:09   ---------   d-----w   C:\Program Files\Freeciv-2.1.0-gtk2
2008-01-16 14:28   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\Grisoft
2008-01-16 11:29   ---------   d-----w   C:\Program Files\EndlessOnline
2008-01-14 05:22   ---------   d-----w   C:\Program Files\AGEIA Technologies
2008-01-13 18:31   ---------   d-----w   C:\Program Files\XMoto
2008-01-13 13:35   ---------   d-----w   C:\Program Files\Common Files\Blizzard Entertainment
2008-01-13 08:01   ---------   d-----w   C:\Program Files\Elävät Kirjat
2008-01-13 06:47   162   ----a-w   C:\Documents and Settings\Pekka\Application Data\wklnhst.dat
2008-01-11 18:06   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\Microsoft Games
2008-01-11 11:01   ---------   d-----w   C:\Program Files\TuxPaint
2008-01-08 20:48   ---------   d-----w   C:\Program Files\Eraser
2008-01-08 12:57   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\Skype
2008-01-06 15:10   ---------   d-----w   C:\Program Files\Google
2008-01-06 14:32   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\AdobeUM
2008-01-06 13:57   0   ----a-w   C:\Documents and Settings\pommi tommi\Application Data\wklnhst.dat
2008-01-05 11:57   ---------   d-----w   C:\Program Files\GameSpy Arcade
2008-01-04 12:20   ---------   d-----w   C:\Documents and Settings\Pekka\Application Data\Hewlett-Packard
2008-01-04 12:19   82,380   ----a-w   C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-03 16:28   110,648   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\GDIPFONTCACHEV1.DAT
2008-01-02 13:14   ---------   d-----w   C:\Program Files\Elma
2008-01-02 12:27   ---------   d-----w   C:\Program Files\Skype
2008-01-02 12:27   ---------   d-----w   C:\Program Files\Common Files\Skype
2008-01-02 12:27   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Skype
2008-01-01 19:37   110,648   ----a-w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\GDIPFONTCACHEV1.DAT
2007-12-31 12:50   19,456   ----a-w   C:\WINDOWS\system32\drivers\cryskmuh.dat
2007-12-30 10:32   ---------   d-----w   C:\Program Files\Nstorm
2007-12-22 10:31   ---------   d-----w   C:\Program Files\Everest Poker
2007-12-07 02:14   824,832   ----a-w   C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41   550,912   ------w   C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-22 13:40   21,840   -c--atw   C:\WINDOWS\system32\SIntfNT.dll
2007-11-22 13:40   17,212   -c--atw   C:\WINDOWS\system32\SIntf32.dll
2007-11-22 13:40   12,067   -c--atw   C:\WINDOWS\system32\SIntf16.dll
2007-11-21 11:21   40,731   ----a-w   C:\WINDOWS\system32\superiorads-uninst.exe
2007-09-16 10:49   22   ----a-w   C:\Program Files\Uusi WinRAR ZIP-arkisto.zip
2006-11-23 14:08   8,704   --sha-w   C:\Program Files\Thumbs.db
2006-02-21 18:57   348   ----a-w   C:\Program Files\HitListe.dat
2006-01-13 12:57   3,418   ----a-w   C:\Program Files\INSTALL.LOG
2004-12-17 15:35   2,755   ----a-w   C:\Program Files\Uninst.isu
2004-12-01 11:50   524,300   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\position.bin
2004-10-22 15:54   561   ---ha-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\hpothb07.dat
2004-10-01 12:00   40,960   ----a-w   C:\Program Files\Uninstall_CDS.exe
2003-09-27 09:24   18,762   ----a-w   C:\Program Files\gametext.txt
2002-10-29 19:31   589,824   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\book.bin
1998-03-19 10:58   8,962   ----a-w   C:\Program Files\Terning.wav
1998-03-03 09:29   176   ----a-w   C:\Program Files\Pop.wav
1998-03-03 09:29   1,078   ----a-w   C:\Program Files\Face03.ico
1997-02-12 21:17   19,426   -c----w   C:\Program Files\Applaus.wav
1995-01-01 00:51   44   ----a-w   C:\Program Files\Track14.cda
.

Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #23 on: April 25, 2008, 05:43:56 PM »
------- Sigcheck -------

"C:\WINDOWS\explorer.exe"
----a-w           975,872 2007-06-13 13:22:06  C:\WINDOWS\explorer.exe
----a-w         1,033,728 2007-06-13 13:10:34  C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w         1,004,544 2002-09-16 12:00:00  C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
-c----w         1,032,704 2004-09-14 13:12:04  C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
----a-w           975,872 2007-06-13 13:22:06  C:\WINDOWS\ServicePackFiles\i386\explorer.exe
-c----w         1,033,728 2007-06-13 13:22:06  C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((   Registry startup entries   )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* Empty entries and legitimate default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A60DCFC-6B26-427E-9B62-86A38966BBF9}]
2004-09-14 15:11   84992   --a------   C:\WINDOWS\system32\cryptsv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 16:20   262144   --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{C11483F7-D7D8-4804-98D8-6055470BB989}
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-27 16:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 20:16 68856]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2006-07-31 13:33 36864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 15:12 15360]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-04-16 11:56 131072]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wizard"="" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-07-01 12:02 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-07-01 11:58 118784]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 02:11 50688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 12:01 1397760]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"ExtraFilmHemmaAgent"="C:\Program Files\ExtraFilm Kotona\Agent.exe" [2004-05-21 13:16 290816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 15:12 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

C:\Documents and Settings\SALME NEUVONEN\Käynnistä-valikko\Ohjelmat\Käynnistys\
Uusi InterActual Skin.iti [2007-04-17 15:44:03 0]

C:\Documents and Settings\Antti.PERHEKONE\Käynnistä-valikko\Ohjelmat\Käynnistys\
PowerReg Scheduler V3.exe [2007-09-19 17:51:39 225280]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 09:43:14 155648]

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-05 17:47:46 113664]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 21:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

R0 wblhobme;wblhobme;C:\WINDOWS\system32\drivers\cryskmuh.dat []
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-10-05 14:33]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2005-09-05 13:10]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 13:45]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe []
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Antti\LOCALS~1\Temp\iMSPCLOj.sys []
S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Program Files\Webcam\Webcam123\dogsvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3796bfba-7cd2-11dc-b68e-003005673e3a}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 12:20:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1199449175.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-02-21 18:26:00 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-21 12:20:00 C:\WINDOWS\Tasks\WebReg 20080214142048.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exeQ/TaskName 20080214142048 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 20:58:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-21 21:01:46
ComboFix-quarantined-files.txt  2008-02-21 19:01:39
.
2008-02-15 18:06:02   --- E O F --- 
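The BHO registration polonus describes in Reply #17 (a CLSID under Browser Helper Objects that resolves to a DLL, with the DLL itself scanning clean, as CharleyO notes) and the driver/service lines in the ComboFix log above can be triaged mechanically before a helper reads the whole log. The script below is an added example for this page; it is not part of the thread and not ComboFix or HijackThis code. It parses the "Browser Helper Objects" headers with their file lines and the R0/R1/R3/S3 service lines from a sample constructed out of lines quoted above, then applies heuristics that are my own assumptions, not ComboFix rules: a BHO DLL living under %SystemRoot% instead of an application directory, a boot- or system-start driver whose image is not a .sys file, an image loading from a Temp directory, and an entry whose timestamp ComboFix could not read (printed as empty brackets).

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Parses Browser Helper Object (BHO) registrations and R*/S* driver/service
lines out of a ComboFix log and flags entries a malware-removal helper
would look at first.  SAMPLE_LOG is constructed from lines quoted in the
thread; the heuristics are the author's assumptions, not ComboFix rules.
"""
import re
from dataclasses import dataclass, field

# [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}] header line
BHO_HEADER = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\]$"
)
# "2004-09-14 15:11   84992   --a------   C:\WINDOWS\system32\cryptsv.dll"
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
# "R0 name;display name;C:\path\image.sys [2006-10-05 14:33]"  (stamp may be empty)
SERVICE_LINE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")

# Constructed sample: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A60DCFC-6B26-427E-9B62-86A38966BBF9}]
2004-09-14 15:11   84992   --a------   C:\WINDOWS\system32\cryptsv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 16:20   262144   --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

R0 wblhobme;wblhobme;C:\WINDOWS\system32\drivers\cryskmuh.dat []
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-10-05 14:33]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 13:45]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Antti\LOCALS~1\Temp\iMSPCLOj.sys []
S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Program Files\Webcam\Webcam123\dogsvc.exe []
"""


@dataclass
class Finding:
    kind: str              # "bho" or "service"
    name: str              # CLSID for a BHO, service name otherwise
    path: str              # image path as ComboFix printed it
    reasons: list = field(default_factory=list)


def parse_bhos(text):
    """Return (clsid, path, stamp, size) for each BHO header and its file line."""
    lines = [ln.strip() for ln in text.splitlines()]
    out = []
    for i, ln in enumerate(lines):
        m = BHO_HEADER.match(ln)
        if not m:
            continue
        # the DLL line follows the header; skip blank lines to reach it
        nxt = next((l for l in lines[i + 1:] if l), "")
        fm = FILE_LINE.match(nxt)
        if fm:
            out.append((m.group(1), fm.group(4), fm.group(1), int(fm.group(2))))
        else:  # CLSID registered but ComboFix printed no file for it
            out.append((m.group(1), "", "", 0))
    return out


def parse_services(text):
    """Return (start, name, display, path, stamp) for each R*/S* line."""
    out = []
    for ln in text.splitlines():
        m = SERVICE_LINE.match(ln.strip())
        if m:
            out.append(m.groups())
    return out


def triage(text):
    """Apply the heuristics; return only entries that tripped at least one."""
    findings = []
    for clsid, path, _stamp, _size in parse_bhos(text):
        f = Finding("bho", clsid, path)
        p = path.lower()
        # Assumption: legitimate BHOs install under their application's own
        # directory; a BHO DLL dropped straight into %SystemRoot% needs a look
        if p.startswith("c:\\windows\\"):
            f.reasons.append("BHO DLL lives under %SystemRoot%, not an application directory")
        if not path:
            f.reasons.append("CLSID registered but no DLL listed for it")
        if f.reasons:
            findings.append(f)
    for start, name, _display, path, stamp in parse_services(text):
        f = Finding("service", name, path)
        p = path.lower()
        # boot/system-start (R0/R1) kernel drivers normally load from a .sys image
        if start in ("R0", "R1") and not p.endswith(".sys"):
            f.reasons.append("%s driver image is not a .sys file" % start)
        if "\\temp\\" in p:
            f.reasons.append("image loads from a Temp directory")
        # empty brackets: ComboFix could not read the image's timestamp
        # (missing, hidden or locked); legitimate software trips this too
        if not stamp:
            f.reasons.append("no file timestamp (ComboFix could not stat the image)")
        if f.reasons:
            findings.append(f)
    return findings


def report(findings):
    """One text line per finding, suitable for pasting into a thread reply."""
    return ["%-7s %-40s %s  <- %s" % (f.kind, f.name, f.path, "; ".join(f.reasons))
            for f in findings]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

On the sample the script flags the cryptsv.dll BHO, the R0 driver that loads from a .dat file with no readable timestamp, the S3 driver sitting in a Temp directory, and also the webcam service, which only trips the empty-timestamp rule and is a reminder that these are triage leads rather than verdicts. The point CharleyO makes still holds for whatever the list turns up: a DLL that scans clean but is registered as a BHO is part of the persistence, and removing it means removing the file together with its CLSID keys, not one or the other.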

oldman
Re: Help me delete trojan win32:BHO-MQ
« Reply #24 on: April 26, 2008, 03:39:33 AM »
That combofix log is 2 months old. Please delete combofix.exe from your desktop and download a new one. Please follow the instructions. A new HJT log will also be required after you run combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #25 on: April 26, 2008, 06:35:16 PM »
Sorry! My bad. Here is my latest ComboFix log.
ComboFix 08-04-24.1 - Antti 2008-04-25 17:45:26.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1035.18.602 [GMT 3:00]
Running from: C:\Documents and Settings\Antti.PERHEKONE\Työpöytä\Lataukset\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((   Other deletions   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Antti.PERHEKONE\Application Data\urlredir.cfg
C:\Documents and Settings\pommi tommi\Application Data\urlredir.cfg
C:\WINDOWS\system32\el32.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XPROTECTOR
-------\Service_XPROTECTOR


(((((   Files created between 2008-03-25 and 2008-04-25  )))))))))))))))))
.

2008-04-25 15:55 . 2008-04-25 15:55   <KANSIO>   d--------   C:\Program Files\Windows Live
2008-04-25 15:55 . 2008-04-25 16:03   <KANSIO>   d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-25 15:54 . 2008-04-25 15:54   <KANSIO>   d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-23 16:56 . 2008-04-24 18:38   <KANSIO>   d--------   C:\Program Files\DC++
2008-04-22 19:10 . 2008-04-22 19:12   <KANSIO>   d--------   C:\Program Files\Defcon
2008-04-22 16:59 . 2008-04-24 15:59   <KANSIO>   d--------   C:\Program Files\eMule
2008-04-21 19:51 . 2008-04-21 19:51   <KANSIO>   d--------   C:\Program Files\kiihdytys
2008-04-19 12:01 . 2008-04-19 12:20   <KANSIO>   d--------   C:\Documents and Settings\Antti.PERHEKONE\Application Data\gtk-2.0
2008-04-19 12:00 . 2008-04-19 12:00   <KANSIO>   d--------   C:\Documents and Settings\Antti.PERHEKONE\.thumbnails
2008-04-19 11:56 . 2008-04-19 22:47   <KANSIO>   d--------   C:\Documents and Settings\Antti.PERHEKONE\.gimp-2.4
2008-04-19 11:50 . 2008-04-19 11:50   <KANSIO>   d--------   C:\Program Files\GIMP-2.0
2008-04-18 17:09 . 2008-04-18 17:09   <KANSIO>   d--------   C:\Program Files\M&BMapEditor
2008-04-14 16:02 . 2008-04-14 16:03   <KANSIO>   d--------   C:\58cf48308acbc95a35
2008-04-10 22:30 . 2008-04-10 22:30   <KANSIO>   d--------   C:\Harry Potter and The Chamber of the secret
2008-04-10 19:18 . 2007-08-24 19:45   101,120   -ra------   C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-04-10 19:18 . 2007-08-24 19:45   24,448   -ra------   C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-04-10 19:17 . 2008-04-10 19:19   <KANSIO>   d--------   C:\Program Files\Mobile Partner
2008-04-10 17:24 . 2008-04-10 17:24   <KANSIO>   d--------   C:\GENIUS
2008-04-10 17:24 . 2008-04-10 17:24   65   --a------   C:\WINDOWS\GENIUS.INI
2008-04-10 16:43 . 2008-04-10 16:43   1,126   --a------   C:\Documents and Settings\Antti.PERHEKONE\Application Data\filterclsid.dat
2008-03-31 20:56 . 2008-03-31 20:56   <KANSIO>   d--------   C:\Program Files\Frets on Fire
2008-03-30 23:25 . 2008-03-30 23:28   <KANSIO>   d--------   C:\Documents and Settings\Antti.PERHEKONE\Application Data\fretsonfire
2008-03-26 15:43 . 2008-04-11 17:06   <KANSIO>   d--------   C:\WINDOWS\.mpr_file_store_32
2008-03-25 16:12 . 2008-03-25 16:12   <KANSIO>   d--------   C:\Program Files\Running with scissors

Trojanhater666
Re: Help me delete trojan win32:BHO-MQ
« Reply #26 on: April 26, 2008, 06:35:45 PM »
((((((((((((((((((((((((((((((((((((   Find3M report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 15:13   13,776,928   --sha-w   C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-25 14:56   162,404   --sha-w   C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-25 14:24   5,356   ----a-w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\wklnhst.dat
2008-04-24 19:26   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2008-04-24 19:05   ---------   d-----w   C:\Program Files\Fish Tycoon
2008-04-23 13:42   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\LimeWire
2008-04-20 17:16   ---------   d-----w   C:\Program Files\Rockstar Games
2008-04-20 17:15   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-18 14:16   ---------   d-----w   C:\Program Files\Mount&Blade
2008-04-18 12:59   ---------   d-----w   C:\Program Files\Paint.NET
2008-04-17 07:33   24,624   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\wklnhst.dat
2008-04-11 08:03   88,502   -c--a-w   C:\WINDOWS\E220AutoRunLog.tmp
2008-04-09 12:06   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\Ahead
2008-04-08 17:45   ---------   d-----w   C:\Program Files\Diablo
2008-04-08 08:05   ---------   d-----w   C:\Program Files\ExtraFilm Kotona
2008-03-23 13:47   ---------   d-----w   C:\Program Files\Empire Chess
2008-03-21 10:49   ---------   d-----w   C:\Program Files\Pure Motion
2008-03-20 14:49   ---------   d-----w   C:\Program Files\LEGO Island
2008-03-17 18:09   720,896   ----a-w   C:\WINDOWS\iun6002ev.exe
2008-03-17 16:46   ---------   d-----w   C:\Program Files\Warcraft III
2008-03-17 14:25   ---------   d-----w   C:\Program Files\Bejeweled 2 Deluxe
2008-03-14 11:49   ---------   d-----w   C:\Documents and Settings\Pekka\Application Data\InterVideo
2008-03-13 12:41   1,382,282   ----a-w   C:\Program Files\gta_mod_installer_v5.0_beta.zip
2008-03-13 12:39   ---------   d-----w   C:\Program Files\Lemonade Tycoon 2
2008-03-12 11:06   ---------   d-----w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\wsInspector
2008-03-07 15:38   ---------   d-----w   C:\Program Files\Everest Poker
2008-03-06 08:14   ---------   d-----w   C:\Program Files\Raptisoft
2008-03-04 12:07   ---------   d-----w   C:\Program Files\Winamp
2008-02-29 16:31   ---------   d-----w   C:\Program Files\IObit
2008-02-29 11:15   ---------   d-----w   C:\Documents and Settings\pommi tommi\Application Data\LimeWire
2008-02-28 20:11   ---------   d-----w   C:\Program Files\Ant War
2008-02-28 20:00   2,829   ----a-w   C:\WINDOWS\War3Unin.pif
2008-02-28 20:00   126,976   ----a-w   C:\WINDOWS\War3Unin.exe
2008-02-28 18:16   148   ----a-w   C:\Documents and Settings\pommi tommi\Application Data\wklnhst.dat
2008-02-28 13:50   ---------   d-----w   C:\Program Files\MP3 Player Utilities
2008-02-28 13:17   ---------   d-----w   C:\Program Files\Ski Jump International
2008-02-28 08:56   446   ----a-w   C:\Documents and Settings\Pekka\Application Data\wklnhst.dat
2008-02-26 14:38   ---------   d-----w   C:\Program Files\Zone.com Deluxe Games
2008-02-26 13:06   ---------   d-----w   C:\Program Files\Injoy Games
2008-02-14 09:00   1,481   ---ha-w   C:\Documents and Settings\SALME NEUVONEN\hpothb07.dat
2008-02-09 19:47   72,074   ----a-w   C:\WINDOWS\BricoPackUninst.cmd
2008-02-09 19:47   5,382   ----a-w   C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-01-03 16:28   110,648   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\GDIPFONTCACHEV1.DAT
2008-01-01 19:37   110,648   ----a-w   C:\Documents and Settings\Antti.PERHEKONE\Application Data\GDIPFONTCACHEV1.DAT
2007-09-16 10:49   22   ----a-w   C:\Program Files\Uusi WinRAR ZIP-arkisto.zip
2006-11-23 14:08   8,704   --sha-w   C:\Program Files\Thumbs.db
2006-02-21 18:57   348   ----a-w   C:\Program Files\HitListe.dat
2006-01-13 12:57   3,418   ----a-w   C:\Program Files\INSTALL.LOG
2005-12-07 23:59   1,572,307   ----a-w   C:\Program Files\war3.exe
2004-12-17 15:35   2,755   ----a-w   C:\Program Files\Uninst.isu
2004-12-01 11:50   524,300   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\position.bin
2004-10-22 15:54   561   ---ha-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\hpothb07.dat
2004-10-01 12:00   40,960   ----a-w   C:\Program Files\Uninstall_CDS.exe
2003-09-27 09:24   18,762   ----a-w   C:\Program Files\gametext.txt
2002-10-29 19:31   589,824   ----a-w   C:\Documents and Settings\SALME NEUVONEN\Application Data\book.bin
1998-03-19 10:58   8,962   ----a-w   C:\Program Files\Terning.wav
1998-03-03 09:29   176   ----a-w   C:\Program Files\Pop.wav
1998-03-03 09:29   1,078   ----a-w   C:\Program Files\Face03.ico
1997-02-12 21:17   19,426   -c----w   C:\Program Files\Applaus.wav
1995-01-01 00:51   44   ----a-w   C:\Program Files\Track14.cda
.

Trojanhater666

  • Guest
Re: Help me delete trojan win32:BHO-MQ
« Reply #27 on: April 26, 2008, 06:36:14 PM »
------- Sigcheck -------

2007-06-13 16:22  975872  bfb589091060c9e3c5e6f55c6881ed78   C:\WINDOWS\explorer.exe
2007-06-13 16:10  1033728  fb53c3b1e17f62e8fcb07caaf4c4272e   C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-09-16 15:00  1004544  d6c6bfea41800fd67d3c08f73478065e   C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-09-14 16:12  1032704  43c0b3d357f319875a51bc111f393147   C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 16:22  975872  bfb589091060c9e3c5e6f55c6881ed78   C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 16:22  1033728  0f88a5b1ca666754c4c62ad3db4730ef   C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((   Rekisterin käynnistyskohteet   )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 17:20   262144   --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-01-27 17:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-27 17:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-04-16 12:56 131072]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-07-01 13:02 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-07-01 12:58 118784]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 03:11 50688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 13:01 1397760]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2008-01-16 01:54 37376]
"ExtraFilmHemmaAgent"="C:\Program Files\ExtraFilm Kotona\Agent.exe" [2004-05-21 14:16 290816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 16:12 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 00:18 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 20:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 20:35]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 14:45]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Antti\LOCALS~1\Temp\iMSPCLOj.sys []
S3 zlportio;zlportio;C:\Documents and Settings\Antti.PERHEKONE\Työpöytä\Lataukset\ultrastardx-101a-lite\zlportio.sys []
S4 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Program Files\Webcam\Webcam123\dogsvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{006565cf-06cf-11dd-94df-003005673e3a}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09d81075-06e9-11dd-94e2-003005673e3a}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3796bfba-7cd2-11dc-b68e-003005673e3a}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

.
'Ajoitetut tehtävät'-kansion sisältö
"2008-04-25 11:20:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1199449175.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-29 10:37:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1204193333.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-10 09:03:28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1204273610.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-25 14:26:00 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"

Trojanhater666

  • Guest
Re: Help me delete trojan win32:BHO-MQ
« Reply #28 on: April 26, 2008, 06:41:14 PM »
Thank you! That trojan is now deleted from my computer. There is no cryptsv.dll and drivers/crychmuh, something like that. Thank you very much. You are the best!!!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Help me delete trojan win32:BHO-MQ
« Reply #29 on: April 26, 2008, 09:02:58 PM »
This is looking pretty good. There is a directory that is strange. Do you recognize this?

C:\Program Files\kiihdytys

Please post a new HJT log

Thanks