Help, Please (Problem with malware/drsmartload)

Discussion in 'Malware Help (A Specialist Will Reply)' started by brainiac9x, Apr 2, 2006.

  1. brainiac9x

    brainiac9x Private E-2

    So the other day I accidentally downloaded and ran a program called 'drsmartload,' which from what I could gather is some kind of virus which downloads a whole crap load of spyware and other programs that run in the background on my computer, using up anywhere from 85-100% of my CPU memory. I managed to get rid of most of the pop-ups myself, but the computer was still running extremely slow. While perusing the web, I found this site and read the 'READ & RUN ME FIRST Before Asking for Support' thread and gave it a shot. I went through the instructions pretty much to a T and, I think, got a lot of crap off my computer. However, once I rebooted into normal Windows mode, some of the programs/processes that were running 'in the background' and hogging my CPU space were still there.

    I've included my Panda scan and HijackThis logs. I did run BitDefender, but accidentally closed the window after the scan, not realizing I had to save my log file through that same window.

    If anyone could offer me some help, I would really appreciate it. Thank you.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You did not follow the directions in step 7 of the READ ME and as a result you have HJT here:

    C:\Documents and Settings\HP_Administrator\My Documents\SpywareRem\hijackthis\HijackThis.exe

    This is exactly where we ask that it not be run from. Please install it correctly.

    You have the new form of a Qoologic infection. It hides a bunch of other files on your system that we need to locate before we can fix the problem. Please follow the directions below and attach the log:

    Please download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
    Also answer a question! Do you know what the below items Panda found are for?
    Virus:Trj/Agent.BQG C:\Documents and Settings\HP_Administrator\My Documents\Emulators\ffx_nes_jp.zip[FF10.exe]
    Virus:Trj/Agent.BQG C:\Documents and Settings\HP_Administrator\My Documents\ffx_nes_jp\FF10\FF10.exe

    Are these something for Nintendo? If so, they may be infected! Do you really need them?
     
  3. brainiac9x

    brainiac9x Private E-2

    ah...sorry about step #7. I just installed it after step 4...guess I should have read #7 more carefully before I started.

    As for the Nintendo things, that was a fan-made version of FFX for NES emulators. I deleted it as soon as Panda showed it.

    Alright, thank you, I will try using FindQool and get back to you.
     
  4. brainiac9x

    brainiac9x Private E-2

    I ran FindQool and have attached the log.

    I also moved HijackThis! and ran another log, although I don't know if you need that.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\LRHGULN.EXE
    C:\WINDOWS\SYSTEM32\QUIXBOX.DLL
    C:\WINDOWS\SYSTEM32\PKXBV.DAT
    C:\WINDOWS\SYSTEM32\KNJXKG.EXE
    C:\WINDOWS\SYSTEM32\AWACK.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cuuyq.exe


    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself. However, BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Now run HijackThis and select any of the following lines (if they still exist) and then click Fix checked:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\awack.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lrhguln.exe

    Now exit HJT.
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with Killbox):
    C:\WINDOWS\SYSTEM32\LRHGULN.EXE
    C:\WINDOWS\SYSTEM32\QUIXBOX.DLL
    C:\WINDOWS\SYSTEM32\PKXBV.DAT
    C:\WINDOWS\SYSTEM32\KNJXKG.EXE
    C:\WINDOWS\SYSTEM32\AWACK.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cuuyq.exe

    Then reboot into normal mode and attach a new HJT log and a new log from FindQool.
     
    Last edited: Apr 3, 2006
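    The steps in the post above end with a manual double check: confirm the listed files are gone and that the two "F2 - REG:system.ini:" HijackThis lines (which are the Winlogon Shell and Userinit registry values) no longer carry extra entries. The script below is an added example, not chaslang's or the forum's own tool, that automates that verification from an elevated PowerShell prompt. It assumes the file list from the post and the stock Windows XP values Shell=Explorer.exe and Userinit=C:\WINDOWS\system32\userinit.exe, and reports anything else as a leftover.

```powershell
# Added example (not from the thread): verify the cleanup requested in the post above.
# Check 1: none of the files named for Killbox still exist.
# Check 2: the Winlogon Shell and Userinit values (what HJT shows as
#          "F2 - REG:system.ini:" lines) contain only their stock entries.
# Run from an elevated PowerShell prompt; Windows XP stock values assumed.

$suspectFiles = @(
    'C:\WINDOWS\SYSTEM32\LRHGULN.EXE',
    'C:\WINDOWS\SYSTEM32\QUIXBOX.DLL',
    'C:\WINDOWS\SYSTEM32\PKXBV.DAT',
    'C:\WINDOWS\SYSTEM32\KNJXKG.EXE',
    'C:\WINDOWS\SYSTEM32\AWACK.EXE',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cuuyq.exe'
)

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock values; anything beyond these is treated as an extra startup entry.
$expected = @{
    Shell    = @('Explorer.exe')
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
}

function Test-Cleanup {
    $problems = @()

    foreach ($path in $suspectFiles) {
        if (Test-Path -LiteralPath $path) {
            $problems += "File still present: $path"
        }
    }

    $props = Get-ItemProperty -Path $winlogonKey
    foreach ($name in $expected.Keys) {
        # Values are comma separated, e.g. 'Explorer.exe, C:\WINDOWS\system32\awack.exe'
        # or 'C:\WINDOWS\system32\userinit.exe,lrhguln.exe'; split, trim, drop blanks.
        $entries = ([string]$props.$name) -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
        $extra = $entries | Where-Object { $expected[$name] -notcontains $_ }
        if ($extra) {
            $problems += "Winlogon $name has extra entries: $($extra -join '; ')"
        }
    }

    return $problems
}

$result = Test-Cleanup
if ($result.Count -eq 0) {
    Write-Output 'Clean: no listed files remain and Winlogon Shell/Userinit are stock.'
} else {
    $result | ForEach-Object { Write-Output "LEFTOVER: $_" }
}
```

    The comparison is on the bare entry text (case-insensitive, as -notcontains is in PowerShell), so a leftover such as lrhguln.exe appended to Userinit shows up even though it has no path. If your system drive is not C:, adjust the file list before running.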
  6. brainiac9x

    brainiac9x Private E-2

    Alright, I did everything as stated, though I had one question. I turned off 'Disable System Restore' (in other words, system restore was enabled) after I did everything in 'READ & RUN ME FIRST Before Asking for Support' (before I did everything in your first post above). Was I supposed to have that enabled for these steps?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, actually you should not have done anything with System Restore until we finished all malware removal. We appear to be finished now, so read below.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  8. brainiac9x

    brainiac9x Private E-2

    Alright thank you very much.

    The slowdown appears to be much, much reduced. However, I checked my Windows Task Manager and a lot of processes (around 50) are still running...including multiple versions of 'svchost.exe', 'ati2evxx.exe', and a couple others that seem just to be gibberish letters.

    I'm going to run through the entire 'READ & RUN ME FIRST Before Asking for Support' thread tonight/tomorrow to hopefully eliminate everything.

    Thanks again!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normal for most users, especially since most load lots of junk they will never need. svchost.exe always has multiple; 3 to 6 is pretty typical.

    Is your copy of Spy Sweeper a paid subscription?

    Be specific!!
     
