Author Topic: Highjack this logfile for wifes computer  (Read 762 times)

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Highjack this logfile for wifes computer
« on: March 23, 2008, 02:49:37 PM »
Dunno what she did, but either my wife or my daughter picked up something that's completely ignored by Nod32
and isn't showing up on any other scans.

This one is FUNKY nasty.

Nod32 got rid of a couple of things, as did AVG Anti-Spyware,
but something is still there that neither is seeing.

Explorer keeps opening up randomly taking them to a variety of different sites

Ran HijackThis and this is what it's showing


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:16 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QdrPack\QdrPack14.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Death is no easy answer
For those who wish to know
Ask those who have been before you
What fate the future holds
It ain't pretty

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Highjack this logfile for wifes computer
« Reply #1 on: March 23, 2008, 02:50:33 PM »

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1344C694-5C56-2AAA-5762-5D00B8B0DABB} - C:\WINDOWS\system32\peifg.dll (file missing)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack14] "C:\Program Files\QdrPack\QdrPack14.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm025YYUS
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.ghostgirlonred.com/images/buddy_icon/buddy_icon2.gif
O24 - Desktop Component 1: (no name) - http://lua.weblog.com.pt/Renoiro-MoonCat.jpg

--
End of file - 9459 bytes
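A way to triage a HijackThis log like the one above without reading every line by hand. This is an added example for this thread, not a tool from the thread or from Trend Micro; the sample lines are copied from the log posted above, and the three checks (extra executables on the F2 UserInit line, O2 BHOs that are unnamed or whose file is missing, and a small watchlist of names the thread flags as malware) are my own heuristics. The watchlist includes QdrDrive only because it shares the naming of the QdrPack/QdrModule entries called out later in the thread; that is an assumption, not something the thread states.

```python
import ntpath
import re

# Constructed excerpt: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1344C694-5C56-2AAA-5762-5D00B8B0DABB} - C:\WINDOWS\system32\peifg.dll (file missing)
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack14] "C:\Program Files\QdrPack\QdrPack14.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Names the thread identifies as the malware (QdrPack, QdrModule). QdrDrive is an
# assumption on my part: the O2 BHO above lives in a folder with the same naming.
WATCHLIST = ("qdrmodule", "qdrpack", "qdrdrive")

# HijackThis entries start with a section code (R1, F2, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([FORN]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries, watchlist=WATCHLIST):
    """Apply three review heuristics and return (section, reason, detail) findings.

    1. F2 UserInit should name only userinit.exe; anything else appended to the
       comma-separated value is launched at every logon and deserves a look.
    2. O2 BHOs with no name or a missing file are orphaned hooks into Internet
       Explorer and are worth reviewing even when the file is already gone.
    3. Any entry whose body mentions a watchlisted name is reported.
    """
    findings = []
    for section, body in entries:
        lowered = body.lower()
        if section == "F2" and lowered.startswith("reg:system.ini: userinit="):
            value = body.split("=", 1)[1]
            for item in (p.strip() for p in value.split(",")):
                if item and ntpath.basename(item).lower() != "userinit.exe":
                    findings.append((section, "extra UserInit executable", item))
        elif section == "O2":
            if "(file missing)" in body or body.startswith("BHO: (no name)"):
                findings.append((section, "orphaned or unnamed BHO", body))
        if any(name in lowered for name in watchlist):
            findings.append((section, "watchlisted name", body))
    return findings


def report(text):
    """Parse a log and return the findings as printable lines."""
    return ["%s  %-28s %s" % f for f in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Running it against the full log from the post lists the sbwltbxa.exe entry on the UserInit line, the two BHOs with missing or unnamed files, the QdrDrive BHO and the two Qdr Run entries; the rest of the log (printer, camera and vendor tools) produces nothing. The heuristics are deliberately narrow so the output stays short; they are a starting point for the kind of manual review the later replies in the thread point to, not a verdict.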

Offline Hungry

  • Nickel Member
  • ***
  • Posts: 772
Re: Highjack this logfile for wifes computer
« Reply #2 on: March 23, 2008, 03:28:18 PM »
I recognize the QDR loader and module as something my son had a few weeks ago.  At that time I used a program called Combo Fix, but now when I do a Google search for Combo Fix it looks like the latest version may have its own Spyware.  The root virus was Vundo something.  Combo Fix did however cure my son's problem.

For what it's worth, I suppose.

Good Luck
"I would gladly pay you Tuesday for a Hamburger today"

Offline Wingnutt

  • Silver Member
  • ****
  • Posts: 1665
Re: Highjack this logfile for wifes computer
« Reply #3 on: March 23, 2008, 05:48:51 PM »
a while back I had a nasty bug that was similar to what you describe..

anytime I would open I.E. my homepage was changed to some site that said I had a virus, and that I needed to buy their software to fix it..  if I tried to type in google or anything else I would just get redirected back to their site.

I had to..

1: run AVG scan.. it found and removed some of it..

DO NOT OPEN I.E.

2: run hijackthis, let it do its thing..

3: reboot.. 

4: run AVG scan again, if it found anything repeat steps 2 and 3 again..  over and over till AVG is no longer finding anything.

if nothing found..  open I.E. reset homepage..



Offline Caz1

  • Zinc Member
  • *
  • Posts: 27
Re: Highjack this logfile for wifes computer
« Reply #4 on: March 23, 2008, 06:29:07 PM »
Drediock:

My girlfriend's mother had something like this on her PC last month.  Tried multiple times to get the thing OFF her machine, and the thing that finally did it was a little app I came across called "VundoFix.exe".  Wish I still had the link for it. :\

If you have been hit with the Vundo bug that Hungry described, VundoFix may be a quick and relatively painless way to get you back up and running.

If you're interested in pursuing this suggestion - try Googling "VundoFix.exe" and do some reading on the hits you get.  As I recall, it only worked on some variations of the Vundo critter, so it's not a guaranteed fix.  However, if you're lucky (like I was) it may work on whichever one you have, and get this issue behind you relatively quickly and without any additional financial cost -- just be sure to scan any fixes you find & download before you try them out.  Those malware guys are sneaky bastards. ;)

Other than that, the only other things I can really recommend that you try are other virus scanning utilities, and/or a drive wipe & reinstall (hellishly painful & time consuming - as you probably already know).

Dunno if you know about these guys or not, but here's a few links to free antivirus programs that work well (though I still use AVG as my primary AV software on my main machine):

Free Regular Antivirus programs:

http://www.free-av.com/
http://www.avast.com/

This next link is a free app that doesn't just look for virus patterns, but pays attention to what running processes on your machine are doing and preempts suspicious activities (like catching a process that's trying to capture your keystrokes, for example).  I really like this one because I've run it alongside AVG for a while now without all the headaches that are typically associated with running multiple AV programs on the same machine:

http://www.threatfire.com/

And here's a free online virus meta-scanner.  Word of warning with this one though - it tends to bring back a lot of false positives:

http://www.virustotal.com/

Dunno if any of this will help out your specific situation, I just figured I'd try the shotgun approach and hope that something I toss up here might help out.  If you get a good analysis of your HJT log from a real pro, I'd recommend that you defer to his suggestions over mine (I don't know much about HJT).

Anyway, again, I hope something here helps out and good luck!  :salute

-Caz1



Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Highjack this logfile for wifes computer
« Reply #5 on: March 24, 2008, 09:40:23 AM »
The only advice you need is DO NOT OPEN IE. Period.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Roscoroo

  • Plutonium Member
  • *******
  • Posts: 8424
      • http://www.roscoroo.com/
Re: Highjack this logfile for wifes computer
« Reply #6 on: March 24, 2008, 09:45:41 AM »
malware ->>>> QdrPack14.exe, QdrModule13.exe, this is the main ugly pos there. it sneaks in thru Java and some game sites. it's part of web enhancer type junk too ..

this will get ya going in the right direction ...

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t134606.html

http://forums.techguy.org/malware-removal-hijackthis-logs/694431-pop-up-problem-when-using.html



Roscoroo ,
"Of course at Uncle Teds restaurant , you have the option to shoot them yourself"  Ted Nugent
(=Ghosts=Scenariroo's  Patch donation

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Highjack this logfile for wifes computer
« Reply #7 on: March 24, 2008, 05:05:11 PM »
malware ->>>> QdrPack14.exe, QdrModule13.exe, this is the main ugly pos there. it sneaks in thru Java and some game sites. it's part of web enhancer type junk too ..

this will get ya going in the right direction ...

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t134606.html

http://forums.techguy.org/malware-removal-hijackthis-logs/694431-pop-up-problem-when-using.html
Ahh thank you much.
I figured that was at least part of it, as it was something I didn't recognise.
I try to keep track of what they install so when I go to clean that system up I know what I'm looking at without having to Google every last process, but I've been lax as of late.

What got me was Nod32 didn't even notice anything till it was too late, and doesn't see it on scan.
Nor did AVG Anti-Spyware. Nor did Microsoft's malware removal tool.
Yet it's still there, I just checked.

Yes, I know about Explorer. But telling them to use Firefox instead and them actually doing it are two different things LOL
Now I'm gonna make 'em suffer a day or two with it so they learn to listen to me when I try to tell them something

Offline Hungry

  • Nickel Member
  • ***
  • Posts: 772
Re: Highjack this logfile for wifes computer
« Reply #8 on: March 24, 2008, 06:01:50 PM »
"and that I needed to buy their software to fix it" 


Wingnutt

There was one similar to what you describe, it was called Awola.  Combo Fix would eliminate that one as well.


Offline Getback

  • Platinum Member
  • ******
  • Posts: 6459
Re: Highjack this logfile for wifes computer
« Reply #9 on: March 24, 2008, 06:04:36 PM »
Try going to NAV or some AV site and see if they have an alert and the fix.

Good luck. I'm glad I read this!


Offline Coshy

  • Nickel Member
  • ***
  • Posts: 545
Re: Highjack this logfile for wifes computer
« Reply #10 on: March 24, 2008, 07:52:59 PM »
Go here:

http://forums.majorgeeks.com/forumdisplay.php?f=35. You may need to register.

Read and follow the instructions in the "READ & RUN ME FIRST malware removal guide" sticky.

Post the logs they ask for and shortly someone will help you out.

I've gone there several times with several different problems on various computers and in each and every case they came through with the answer.

Good luck!
Currently flying as "Ruger"

Offline humble

  • Platinum Member
  • ******
  • Posts: 6434
Re: Highjack this logfile for wifes computer
« Reply #11 on: March 24, 2008, 11:02:28 PM »
One of the problems you have here is stuff like this is often an executed file. The best thing to do is uninstall Explorer and only have Firefox or a similar program available.

Another solution is setting up a "sandbox" for internet use. This is actually very effective and relatively easy to do. Here is a link describing it to some degree. There are a number of excellent free sandbox utilities; it's also a part of Acronis 11.0 (highly recommended)...

http://www.pacaonline.org/Downloads/sandbox.PDF

This goes back to the earlier thread: no single program or integrated suite is going to be 100% effective, and once you're infected no single program will detect and correct everything either. As a general rule a layered defense will catch roughly 99% of potential problems. As I mentioned earlier, an initial clean HijackThis (or a-squared HiJackFree) log gives you a great starting point to deal with this stuff. Combining that with a clean image backup and then a once-a-week scan/log/incremental backup routine makes recovery a lot easier.

Personally I think the sandbox utilities are going to take off pretty quickly... :aok


"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Highjack this logfile for wifes computer
« Reply #12 on: March 25, 2008, 02:48:55 AM »
I think the main problem is that this thing is not classified as a virus but some kind of ad/malware. Virus scanners won't catch it then unless they include a special malware function.

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Highjack this logfile for wifes computer
« Reply #13 on: March 28, 2008, 07:28:52 AM »
After making them suffer for a couple of days

Combofix seems to have done the trick

Thank you, gentlemen

And now they both agree to use firefox LOL