stubinstaller malware?

confusion · Jan 4, 2009

I short while ago I noticed some strange files directly in my c: drive. One of them was hell.exe, another was stubinstaller.exe and then there's a bunch of strange .sqm files. I googled hell.exe first since it sounded the most interesting. I found some sites saying it's was a bad file so I deleted it. Then I googled stubinstaller.exe and found contradicting information. I read stubinstaller is installed when you install limewire and it helps the user connect to other users. But I also found sites which said that stubinstaller is malware which will send out information about your internet browsing habits. I left stubinstaller on because I suddenly realised that if I deleted all suspicious files I might not be able to figure out what was causing them to appear on my pc. I did have limewire installed once just to try it out but I didn't like it so I uninstalled it. That was over a year ago and I don't think stubinstaller could have been on my C: drive for that long without me noticing it.

So I googled some more and found this forum. I went through the Windows XP cleaning procedure you recommend. SuperAntiSpyware found a trojan hidden as a media-codec which I've now removed. I already had Spybot S&D on my pc and had run it after finding the suspicious files. Spybot had found nothing so I skipped that step. I went through the rest of the cleaning procedure but nothing special happened. I will attach the logs to this post.

Despite the trojan and the suspicious files I haven't encountered any problems on my PC yet. There are no pop-ups, everything is running smoothly including the internet. I just wanna be safe about this, that's why I'm posting this here. Should I just delete the suspicious files? Can anyone tell me more about them? Thanks in advance.

The weird .sqm files are:
sqmdata00.sqm
sqmdata01.sqm
sqmdata02.sqm
(goes on until sqmdata19.sqm)

sqmnoopt00.sqm
sqmnoopt01.sqm
sqmnoopt02.sqm
(goes on until sqmnoopt19.sqm)

This is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2009 at 11:46 PM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type : Complete Scan
Total Scan Time : 00:53:32

Memory items scanned : 529
Memory threats detected : 0
Registry items scanned : 6315
Registry threats detected : 1
File items scanned : 25633
File threats detected : 0

Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#none [ C:\Program Files\Video ActiveX Object\pmsngr.exe ]

I've attached the other logs here:

TimW · Jan 7, 2009

Your logs are clean...those files in question are just from you using Windows Live messenger, bot something to be concerned about.

We can do a little cleaning:

Use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 10"
J2SE Runtime Environment 5.0 Update 11"
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2"
Java(TM) 6 Update 3"
Java(TM) 6 Update 5"
Java(TM) 6 Update 7"
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player

Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

Click to expand...

Now use windows explorer to find and delete:
C:\Documents and Settings\All Users\Application Data\Avg7

If you are not having any other malware issues, then:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection, but are effective as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

confusion · Jan 7, 2009

Thanks, I guess my PC is safe now. I deleted the stubinstaller file and nothing happened, maybe it was left over from a previous install of limewire. I still have no idea where the hell.exe file came from but all scans are telling me my system is clean now.
But I'm having some problems with uninstalling combofix. I copied and pasted the command "%userprofile%\Desktop\combofix" /u and tried to run it but it tells me the file can't be accessed. I did install combofix on my desktop, how do I get rid of it now? Thanks again.

TimW · Jan 9, 2009

You can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.

confusion · Jan 11, 2009

Ok, I did all that now. Thanks for the help. There's just one last thing: it's still showing hidden folders and stuff like that. For instance on my C: and E: drive it's showing a System Volume Information folder and a RECYCLER folder. How do I disable seeing these or should they have disappeared by now?

TimW · Jan 11, 2009

Yes they should have reverted. Just open My Computer and click on Tools / Folder Options / View and uncheck the hidden files and folders.

Log in or Sign up

stubinstaller malware?

confusion Private E-2

Attached Files:

mbam-log-2009-01-04 (00-01-10).txt

MGlogs.zip

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

confusion Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

confusion Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member