Malware/Spyware on my machine

Discussion in 'Malware Help (A Specialist Will Reply)' started by ankmig, Apr 5, 2006.

  1. ankmig

    ankmig Private E-2

    My system got hit by some kind of serious virus/spyware/adware (I don't know what it is). After suspecting that my system was hit, I tried all possible options at hand to clean it.
    In my Task Manager, I see multiple msyuc.exe running. Also vjhqcq.exe running. Every time I try to kill any of these, they get started again.
    In order to clean my system, I have already run Norton AntiVirus 2005 in safe mode, but no virus/spyware was detected.
    Later I scanned with Microsoft AntiSpyware, which detected a few adware items and deleted them, but didn't fix msyuc.exe or vjhqcq.exe.
    Then I ran Windows Defender and scanned my system; it didn't detect anything.
    Then I ran System Mechanic 6, which found some adware (Elite Media Group) and removed it; it also found a keylogger but didn't fix it.
    Through System Mechanic 6, I tried to manage Startup Items, but to no use; there I cannot see msyuc.exe or vjhqcq.exe. If I boot my system in safe mode, I don't see these files at the location they are running from.
    I scanned my system with Lavasoft Ad-Aware SE Personal and Spybot Search and Destroy, but to no use.
    I spent more than 2 days researching this issue and tried another software, Prevx1. Only this software found out that my system has the above-mentioned exes and a few more dlls, but the problem is that it didn't clean them, and put them into some kind of Jail/Cells.
    Once I rebooted my machine, my system CPU kept at 100% usage as Prevx1 kept killing msyuc.exe and these exes kept coming up. So finally I had to remove Prevx1 from my system from safe mode.

    Right now, I have installed ZoneAlarm, thinking it may block any data transfer from my system to whoever wrote that spyware/virus/worm/malware.
    ZoneAlarm keeps giving me messages about various applications trying to access the internet. One such message is "Microsoft Office Excel is trying to set 'vblhbo' to run each time your computer is started"; this vblhbo thing keeps coming up with every application I open.

    I am in urgent need of your help, as I have tried my best to deal with this on my own.
    I will greatly appreciate your help.
    Thanks
    Ankur
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have the latest form of Qoologic infection.

    Now download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
    Did you put the below entries in your Hosts file?
    O1 - Hosts: 172.19.208.38 rebsapp1.awiweb.com
    O1 - Hosts: 172.19.208.37 rebsdb1.awiweb.com
    O1 - Hosts: 172.19.208.12 rebsapp2.awiweb.com
    O1 - Hosts: 172.19.208.6 rebsdb2.awiweb.com

    Note for future reference, HijackThis logs must not be posted without having followed all of the instructions in the below sticky thread:

    READ & RUN ME FIRST Before Asking for Support
     
    Last edited: Apr 5, 2006
  3. ankmig

    ankmig Private E-2

    chaslang,

    Thanks for helping me fix this problem.
    Yes, those hosts file entries were added by me and are needed for me to connect to our servers.

    Here are the inline details of the log file created by Qlocate.bat:

    Edit by chaslang: Inline log removed.

    Also I have understood the correct procedure for future reference and I will abide by it next time.

    Please advise future steps to clean my system.
    Once again,
    Thanks for Helping
     

    Attached Files:

    Last edited by a moderator: Apr 5, 2006
  4. ankmig

    ankmig Private E-2

    I am sorry for the inline log file; I tried to edit it, but was not able to.
    Surely next time I won't make the mistake.

    thanks
     
  5. ankmig

    ankmig Private E-2

    chaslang,

    Referring to your document, I have gone to the following link (special removal procedures):


    http://forums.majorgeeks.com/showthread.php?t=74501

    For Qoologic, I have done all the processes per the text; attached are the log files as mentioned. Please check the FindQool log attached above.

    Please advise future actions.

    Ankur
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\chwtn.dat
    C:\WINDOWS\system32\vjhqcq.exe
    C:\WINDOWS\system32\msyuc.exe
    C:\WINDOWS\system32\cqhqsyr.dll
    C:\WINDOWS\system32\xofxmvg.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\owinsraf.exe
    c:\windows\system32\qrdsregq.exe
    C:\Documents and Settings\Ankur\Start Menu\Programs\Startup\Z_Start.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oqtri.exe



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\msyuc.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xofxmvg.exe
    O2 - BHO: Yvakt Class - {1FF787DD-4FC7-4C7C-AE4D-74012A0ECAAC} - C:\WINDOWS\system32\de6ypog.dll (file missing)
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
    O18 - Filter: text/html - {24E2468B-9FA2-4D7A-8D0A-C9A1359269D0} - C:\WINDOWS\system32\de6ypog.dll

    Now exit HJT.
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\WINDOWS\system32\de6ypog.dll
    C:\WINDOWS\system32\chwtn.dat
    C:\WINDOWS\system32\vjhqcq.exe
    C:\WINDOWS\system32\msyuc.exe
    C:\WINDOWS\system32\cqhqsyr.dll
    C:\WINDOWS\system32\xofxmvg.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\owinsraf.exe
    c:\windows\system32\qrdsregq.exe
    C:\Documents and Settings\Ankur\Start Menu\Programs\Startup\Z_Start.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oqtri.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  7. ankmig

    ankmig Private E-2

    chaslang,

    Thanks a lot for your help in cleaning my system. I followed all the steps mentioned by you and now my system is up and running.
    Still, to be sure that all infections are cleared, I am attaching both log files for your kind inspection.
    In FindQool, I still see that vj...exe; I don't know how to interpret it. Please advise.

    Also, while fighting this trojan, I installed a number of software on my machine; here is the list:
    a-squared Trial
    Zone Alarm Pro Trial
    Lavasoft Ad-Aware SE Personal
    System Mechanic 6 Trial
    Windows Defender Beta

    Spybot Search & Destroy

    Norton Antivirus 2005
    HiJack This
    KillBox
    FindQool
    RKTOOL
    WINPFIND
    TrojanHunter
    ewido trial


    Can you kindly suggest to me what software to keep? And how can I prevent such attacks on my system in future, and how do I do regular maintenance?

    I am also getting messages from ZoneAlarm that
    ALUSchdulerSvc.exe is trying to access 204.11.109.63.DNS and
    69.45.79.74.DNS to update; I am not sure what's going to happen if I allow it. Please advise.

    chaslang, I really appreciate your help.
    Thanks Again
    God Bless You

    Ankur
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the below two lines and then click Fix checked:

    O4 - HKLM\..\Run: [vblhbo] C:\WINDOWS\system32\vjhqcq.exe reg_run
    O4 - HKCU\..\Run: [rxsjd] C:\WINDOWS\system32\vjhqcq.exe reg_run

    Make sure they are gone by checking another log.

    Do you plan on buying any of the tools you installed?
    Does the Symantec software you have installed already have a firewall?
    Does the firewall tell you where the ALUSchdulerSvc.exe is located? If not, see if you can find where it is located. I'm not sure what this is right now.
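    The persistence points chaslang has ankmig fix in posts 6 and 8 (the Winlogon Shell and UserInit values in system.ini, and the HKLM/HKCU Run keys) can be checked mechanically from a HijackThis log. The script below is an added example, not code from the thread or from HijackThis: it parses HJT-style F2 and O4 lines, compares Shell/UserInit against their Windows XP defaults (an assumption for other versions), and flags Run entries that launch any file already identified as malicious. The sample log lines and the known-bad list are constructed from the entries quoted in this thread.

```python
import re

# Defaults for the two Winlogon persistence points Qoologic hijacked in this
# thread (Windows XP values; an assumption for other Windows versions).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$", re.I)
FILE_RE = re.compile(r"[^\\\s]+\.(?:exe|dll)", re.I)

# Constructed sample: the F2/O4 lines quoted in the thread plus one benign entry.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\msyuc.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xofxmvg.exe",
    r"O4 - HKLM\..\Run: [vblhbo] C:\WINDOWS\system32\vjhqcq.exe reg_run",
    r"O4 - HKCU\..\Run: [rxsjd] C:\WINDOWS\system32\vjhqcq.exe reg_run",
    r"O4 - HKLM\..\Run: [ioloDelayModule] e:\Program Files\iolo\System Mechanic 6\delay.exe",
]
# Basenames from the KillBox list in the thread (files FindQool had identified).
KNOWN_BAD = {"vjhqcq.exe", "msyuc.exe", "cqhqsyr.dll", "xofxmvg.exe",
             "dwdsregt.exe", "owinsraf.exe", "qrdsregq.exe", "oqtri.exe"}

def _items(value):
    """Split a comma-separated Shell/UserInit value into lowercased entries."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def check_persistence(lines, known_bad=frozenset()):
    """Return (location, [suspect values]) for each hijacked persistence entry.
    Shell/UserInit: anything beyond the default is a second program run at logon.
    Run keys: flagged when they launch a file already identified as malicious."""
    bad = {b.lower() for b in known_bad}
    findings = []
    for line in lines:
        f2 = F2_RE.match(line.strip())
        if f2:
            key, values = f2.group(1), _items(f2.group(2))
            expected = EXPECTED_SHELL if key.lower() == "shell" else EXPECTED_USERINIT
            extra = [v for v in values if v != expected]
            if extra or not values:  # extra program, or an emptied value
                findings.append((key, extra))
            continue
        o4 = O4_RE.match(line.strip())
        if o4:
            hive, name, target = o4.groups()
            hits = [f.lower() for f in FILE_RE.findall(target) if f.lower() in bad]
            if hits:
                findings.append((f"{hive} Run [{name}]", hits))
    return findings
```

The benign ioloDelayModule entry is deliberately not flagged: a Run key is only suspect here when its target is on the known-bad list, which is why a FindQool-style file list is fed in alongside the log.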
     
  9. ankmig

    ankmig Private E-2

    Chaslang,

    Thanks for your quick reply.
    I have deleted both registry entries as suggested by you using HijackThis.
    I searched for ALUSchdulerSvc.exe and found out that it's an exe of the Symantec LiveUpdate module. Regarding the software, I have bought Norton 2005, which has inbuilt worm protection but not a firewall; also I had Spybot Search and Destroy and Microsoft AntiSpyware, which I use to scan my system every 2-3 days.
    I had a problem with ZoneAlarm personal firewall earlier, as it was not allowing some VPNs to work on my machine.
    I am open to buying software, but what is the best way of protecting my system? Please advise.

    Can I delete the backup folder created by HijackThis and the !KillBox folder created by KillBox?

    Thanks Again
    Ankur
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below:
    a-squared Trial
    System Mechanic 6 Trial
    Microsoft Antispyware (this has been replaced by Windows Defender).
    KillBox
    FindQool
    RKTOOL
    WINPFIND
    TrojanHunter
    ewido trial

    Keep the below:
    Zone Alarm Pro Trial
    Lavasoft Ad-Aware SE Personal
    Windows Defender Beta
    Spybot Search & Destroy (without Teatimer)
    Norton Antivirus 2005
    HiJack This


    I'm not sure exactly what your problem is but if you are connecting via a secure VPN perhaps you can just disable ZoneAlarm during this time frame.

    Yes you can remove these now that we have finished removing malware.


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
    Last edited: Apr 8, 2006
  11. ankmig

    ankmig Private E-2

    Chaslang,
    thanks for your help.

    One last thing I need to ask: after cleaning up my system, its performance has degraded by a significant amount. Windows bootup takes 2 mins, while earlier it used to take 30 mins. Also any application takes a long time to open. Opening Mozilla takes 30-35 secs, Yahoo Messenger login takes 5-10 mins; similarly for any program opening or closing, the system takes a significant amount of time.

    Just curious if any fix exists.

    Thanks a lot for your help
    Ankur
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This one sounds like a significant improvement.

    Which of my previous instructions have you followed? When and why did you install System Mechanic and what exactly did you do with it? It is not something that we asked to have run in this forum.
     
  13. ankmig

    ankmig Private E-2

    Chaslang,

    Thanks for replying back.

    I had followed all your instructions, i.e. creating a restore point by your method, uninstalling all the software that you mentioned and going through the link "How to Protect yourself from malware"; I had taken care of all steps.

    To answer your question about System Mechanic, I installed it only once I suspected spyware on my machine. It has a spyware removal system that I wanted to use to try cleaning up Qoologic, which was unknown to me. It also helped clean up the registry. Apart from that I am not much aware of its functionality.
    Though I have uninstalled it as per your direction, is it hiding in my system and causing my computer to be slow??

    Please advise.

    Thanks again for your help

    Ankur
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not malware! I'm just worried about what you may have deleted from your registry with it.

    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.

    Then also attach a current HJT log.
     
  15. ankmig

    ankmig Private E-2

    Chaslang ,

    Thanks for answering back. Please find attached the two logs.

    Please advise future actions.

    Thanks
    Ankur
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Add/Remove programs and uninstall these old Sun Java programs:

    Java 2 Runtime Environment, SE v1.4.2_10
    Java 2 SDK, SE v1.4.2_10

    Also you need to get the current version of Mozilla FireFox installed.

    Have HijackThis fix the below line:

    O4 - HKLM\..\Run: [ioloDelayModule] e:\Program Files\iolo\System Mechanic 6\delay.exe

    Now reboot! Is there any improvement? If not, all I can suggest is uninstalling all of your Norton/Symantec software and using something different like in the How to protect thread. This would not be the first time that it was the problem.
     
  17. ankmig

    ankmig Private E-2

    Chaslang,

    I have done all the steps mentioned, but I can't remove the antivirus. I suppose I have to live with it. Anyway, thanks for helping me all these days.

    I appreciate your help.

    You may close this Thread if you wish .

    Thanks Again

    God Bless You
    Ankur
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     