Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

malware returns after reboot

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
Hi. A virus appeared on my computer a few days ago and I've not been able to get rid of it, yet.

In fact, I think it's expanded and let in a lot of other viruses, DyFuca and Elite Toolbar among


AVG, Adaware and Spybot Search and Destroy all seem to clean things up until I reboot, at which

point they all come back. I got the ETremover by SimplyTech, which claims to do the right thing

where others will not...but it failed the reboot test, too. I am worried that the malware will eat

away at my machine and cause real damage if I keep rebooting and letting them return, inviting

more malware along the way.

Since all the tools (Adaware, Spybot, AVG and ETremover) seem to at least be able to give me a

clean session so long as I don't reboot, I've decided not to reboot my machine until everything's

solved. Problem is, I can't seem to get on-line anymore, which I'm guessing is a side-effect of

one of the malware's unhappiness with being removed.

After running those free anti-virus apps, I looked at windows\system32 files that had recent dates

of when the virus activated. Some files are definitely bad (like bling.exe which none of the

anti-virus stuff removed for some reason) but I am not sure of the others: I'm guessing the names

that seem jumbo-ed up (like 2p2nqrd4.dat) are auto-generated and are probably bad stuff? I've

moved them all to a flash drive so they're off my system but I am worried I won't be able to

reboot since a couple of the files may not be viral - they just have date stamps that are

suspiciously from a couple of days ago. Could they have been infected? The files are:

msvcp71.dll and winbd32.exe. Should I leave them? In other words, will I have a problem

(rebooting) if I remove them?

Also, I did a HijackThis but cannot easily decipher the log. I'm guessing the O4 qhywaaf.exe is

bad...? Are the O10's and O20's all bad? Can anyone help?

I am on a Windows XP Tablet operating system, my laptop being a Fujitsu T3010 tablet computer with

a 1.4GHz Centrino processor and 760 MB RAM.

I just launched my little startup company a few days ago and have a lot of things to tend to so

the timing for this is really bad! :cry:

Thanks so much for any help!!!

========= HJT log follows =========
Logfile of HijackThis v1.99.1
Scan saved at 3:49:27 AM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\Google\Gmail Notifier\G001-\gnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\AXMA\Fax-Internet\faxtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\JGsoft\EditPadPro5\EditPadPro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsupc.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com

idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com

idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com

idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com

idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FjEvents] c:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [FjDspMon] c:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [Fujitsu Menu] c:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shell Logon] C:\winlogon.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Isass.exe
O4 - HKLM\..\RunServices: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - HKLM\..\RunServices: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: systray for fax applications.lnk = C:\Program

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Linksys\Bluetooth

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} -

C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {10000000-1000-0000-1000-000000000000} -

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\WINDOWS\SYSTEM32\LoginKey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" -

-ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth

O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0


Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP