Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware Problem: Downloader.Small.37.AQ[CLOSED]


  • This topic is locked This topic is locked

#1
BeerLuver

BeerLuver

    New Member

  • Member
  • Pip
  • 2 posts
Hi, posting this in regards to my sister's PC which has been overrun by spyware & trojans :tazz:

I was able to remove MOST of the crap that has accumulated on her system, but there is one troublesome one left. Tried searching around on google for resolutions, as well as on a few anti-virus/security info/removal sites but was unable to find a working resolution to this. Browsed through and searched around on this site as well for the same issue but mainly only found similiar type trojans; not the exact same one ;)

The file is named rodbrmx.exe located in windows\system32\ however I cannot view this file via windows explorer yet it comes up in anti-virus scans. The trojan is identified as Downloader.Small.37.AQ; but in NOD32 it says it's Downloader.Qoologic.L .... weird heh.

Her PC Specs:
=========
1.3ghz Pentium III
ASUS motherboard
512mb SDRAM
60gb WD hdd
Windows XP Home w/SP1 & SP2


What I have done so far:
================

Turned off System Restore & rebooted into Safe Mode
Ran Panda ActiveScan - antivirus scan
Ran Spybot Search & Destroy - spyware scan
Ran Ad-Aware - spyware scan
Ran SpySubtract - spyware scan
Ran SpywareBlaster
Ran NOD32 scan - antivirus scan
Ran AVG Free scan - anti-virus scan
Cleaned out all temp files, temp. internet files, etc.

Here's a copy of the HijackThis scan:
=======================

Logfile of HijackThis v1.99.1
Scan saved at 8:08:04 AM, on 05/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\Grisoft\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\avgupsvc.exe
C:\Program Files\Tweak-XP Pro\TWEAK-XP.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Tweak-XP Pro\popup.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mnivmk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\mnivmk.exe
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro\TWEAK-XP.exe" -ex
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro\popup.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\azaulcj91fo.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton Speed Disk\nopdb.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

=====================

PLEASE, anyone have any clue of how to get rid of this Downloader.Small.37.AQ trojan??? Huge appreciated thanks to anyone who can offer some guidance. Once I get this removed off my sister's pc, I'm gonna take measures to better protect her system.

Edited by BeerLuver, 17 May 2005 - 07:55 PM.

  • 0

Advertisements


#2
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello and welcome to GeeksToGo! My name is Kat, and I will be helping you fix your sisters' computer back up and show you how to help her KEEP it that way!! :tazz:

Download FindQoologic from http://forums.net-in...=post&id=134981
Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder. Preferable to your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
wait until a text opens, post it in a reply to your thread.

Edited by ~Kat~, 23 May 2005 - 01:58 AM.

  • 0

#3
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP