In fact, I think it's expanded and let in a lot of other viruses, DyFuca and Elite Toolbar among
them.
AVG, Adaware and Spybot Search and Destroy all seem to clean things up until I reboot, at which
point they all come back. I got the ETremover by SimplyTech, which claims to do the right thing
where others will not...but it failed the reboot test, too. I am worried that the malware will eat
away at my machine and cause real damage if I keep rebooting and letting them return, inviting
more malware along the way.
Since all the tools (Adaware, Spybot, AVG and ETremover) seem to at least be able to give me a
clean session so long as I don't reboot, I've decided not to reboot my machine until everything's
solved. Problem is, I can't seem to get on-line anymore, which I'm guessing is a side-effect of
one of the malware's unhappiness with being removed.
After running those free anti-virus apps, I looked at windows\system32 files that had recent dates
of when the virus activated. Some files are definitely bad (like bling.exe which none of the
anti-virus stuff removed for some reason) but I am not sure of the others: I'm guessing the names
that seem jumbo-ed up (like 2p2nqrd4.dat) are auto-generated and are probably bad stuff? I've
moved them all to a flash drive so they're off my system but I am worried I won't be able to
reboot since a couple of the files may not be viral - they just have date stamps that are
suspiciously from a couple of days ago. Could they have been infected? The files are:
msvcp71.dll and winbd32.exe. Should I leave them? In other words, will I have a problem
(rebooting) if I remove them?
Also, I did a HijackThis but cannot easily decipher the log. I'm guessing the O4 qhywaaf.exe is
bad...? Are the O10's and O20's all bad? Can anyone help?
I am on a Windows XP Tablet operating system, my laptop being a Fujitsu T3010 tablet computer with
a 1.4GHz Centrino processor and 760 MB RAM.
I just launched my little startup company a few days ago and have a lot of things to tend to so
the timing for this is really bad! :cry:
Thanks so much for any help!!!
========= HJT log follows =========
Logfile of HijackThis v1.99.1
Scan saved at 3:49:27 AM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\QuickTime\qttask.exe
C:\mysql\bin\mysqld.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\qhywaaf.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\AXMA\Fax-Internet\faxtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\winlog.exe
C:\Program Files\JGsoft\EditPadPro5\EditPadPro.exe
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
file:///C:/stuff/web/BoxOfCrap/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsupc.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com
idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com
idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com
idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com
idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe"
/resume
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FjEvents] c:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [FjDspMon] c:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [Fujitsu Menu] c:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey
Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail
Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shell Logon] C:\winlogon.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Isass.exe
O4 - HKLM\..\RunServices: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - HKLM\..\RunServices: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program
Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: systray for fax applications.lnk = C:\Program
Files\AXMA\Fax-Internet\faxtray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Linksys\Bluetooth
Utility\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program
Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} -
C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
http://static.windup...e/bridge-c6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\WINDOWS\SYSTEM32\LoginKey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" -
-ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth
Utility\bin\btwdins.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe