11-12-2008, 06:00 PM   #1
g2thelow
Registered User
 
Join Date: Nov 2008
Posts: 7
OS: windows XP service pack 2


Win32: Agent-QNI and Trojan-gen

Hello, I appreciate your time and all of the work you do here. This is my first time posting to a Tech Help forum, so hopefully I'll be clear.

The first sign of any problem was when my computer rebooted while I was in the middle of working. No warning whatsoever. When Windows had started back up, there was an icon in the system tray, a red button with a white "X" in it, and a balloon popped up warning of malicious spyware or something along those lines. Knowing better than to click on such a thing, I immediately opened my antivirus to do a scan (AVG; it had been running in the background). To ensure I had the latest protection, I tried running the updater, and was told the server couldn't connect. When I tried to go to AVG's website, no luck.

Things went from bad to worse, and eventually I found my AVG not working at all, so I downloaded Avast!, disconnected from my network, and swapped antiviruses. Using the Avast! boot-time scan, I discovered the following:

beep.sys in C:\WINDOWS\system32\dllcache (Win32:Agent-QNI [Trj])
beep.sys in C:\WINDOWS\system32\divers (Win32:Agent-QNI [Trj])
karna.dat in C:\WINDOWS (Win32: Trojan-gen {Other})
karna.dat in C:\WINDOWS\system32 (Win32: Trojan-gen {Other})

I was recommended this site by a friend who had suffered the Virtumonde (sp?) fiasco. Unfortunately, the virus isn't letting me on there either, so I'm currently on my backup computer.

I followed the "NEW INSTRUCTIONS" and couldn't get gmer.exe to run on my infected laptop, so (as per a response I read somewhere) I went to the next step and have pasted the results, and attached the file as requested.

Once again, I thank you for your time!


DDS (Version 1.0) - NTFSx86
Run by G2theLow at 19:18:59.21 on Wed 11/12/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1602 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\G2theLow\Desktop\dds.scr
C:\DOCUME~1\G2theLow\LOCALS~1\Temp\RarSFX0\WREGS.EXE

============== Psuedo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080602
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [brastk] c:\windows\system32\brastk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: NoDispScrSavPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: gemsafe -c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
R1 DLARTL_M;DLARTL_M;c:\windows\system32\drivers\DLARTL_M.SYS
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\drivers\NWADIenum.sys
R0 PBADRV;PBADRV;c:\windows\system32\drivers\PBADRV.sys
R3 WaveFDE;Wave System Power Monitor Device Driver;c:\windows\system32\drivers\WaveFDE.sys
R2 WavxDMgr;WavxDMgr;c:\windows\system32\drivers\WavxDMgr.sys
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe
S3 SecureStorageService;SecureStorageService;c:\program files\wave systems corp\secure storage manager\SecureStorageService.exe
R2 TdmService;TdmService;c:\program files\wave systems corp\trusted drive manager\TdmService.exe
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe
S3 WaveEnrollmentService;WaveEnrollmentService;c:\program files\wave systems corp\authentication manager\WaveEnrollmentService.exe

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2008-11-12 14:38 5,120 a------- c:\windows\brastk.exe
2008-11-12 14:37 5,120 a------- c:\windows\system32\brastk.exe
2008-11-10 23:05 <DIR> --d----- c:\windows\pss
2008-11-10 19:37 28,672 a------- c:\windows\system32\av.dat
2008-11-10 17:16 114 a------- c:\windows\system32\delself.bat
2008-11-07 19:08 1,197,294 -------- c:\windows\system32\dllcache\sysmain.sdb
2008-11-07 19:08 764,868 -------- c:\windows\system32\dllcache\apph_sp.sdb
2008-11-07 19:08 217,118 -------- c:\windows\system32\dllcache\apphelp.sdb
2008-11-07 19:07 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-11-07 19:06 <DIR> --d----- C:\ade79674312a62334d2d8842e16a
2008-11-07 19:06 <DIR> --d----- c:\windows\system32\LogFiles
2008-11-07 19:05 <DIR> --d----- C:\68afb7abcc9f2b8149
2008-11-05 13:26 56 a---h--- c:\windows\system32\ezsidmv.dat
2008-11-05 13:24 <DIR> --d----- c:\program files\Skype
2008-10-23 00:00 <DIR> --d----- c:\documents and settings\g2thelow\.clipbak
2008-10-20 09:58 <DIR> --d----- c:\program files\Verizon Wireless
2008-10-14 20:29 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2008-11-10 21:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-10 21:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-10 21:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-05 17:24 59,492 a---h--- c:\windows\system32\mlfcache.dat
2008-11-01 11:43 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Move Networks
2008-10-18 01:56 <DIR> --d----- c:\program files\Yahoo!
2008-10-16 19:36 105,162 a------- c:\windows\system32\nvModes.dat
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-26 14:21 <DIR> --d----- c:\program files\Messenger
2008-09-23 08:13 <DIR> --d----- c:\program files\iTunes
2008-09-23 08:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-23 08:13 <DIR> --d----- c:\program files\iPod
2008-09-23 08:12 <DIR> --d----- c:\program files\Bonjour
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-14 13:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2008-09-07 13:34 <DIR> --d----- c:\docume~1\g2thelow\applic~1\DAEMON Tools
2008-09-05 23:30 241,704 -------- c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 917,032 -------- c:\windows\system32\dllcache\WgaTray.exe
2008-08-29 09:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-08-28 05:04 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 03:24 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 14:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WinZip
2008-08-25 03:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 03:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-24 17:12 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Canon
2008-08-23 00:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-23 00:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-07-30 09:13 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Miranda
2008-07-11 17:39 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Malwarebytes
2008-07-11 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-07-08 21:39 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Smith Micro
2008-06-26 15:09 <DIR> --d----- c:\docume~1\g2thelow\applic~1\TuneUp Software
2008-06-25 17:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2008-06-13 09:18 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Wave Systems Corp
2008-06-11 18:05 <DIR> --d----- c:\docume~1\g2thelow\applic~1\Dell
2008-06-02 17:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Wave Systems Corp
2008-06-02 17:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NTRU Cryptosystems
2008-06-02 17:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2004-08-11 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 19:20:05.06 ===============
Attached Files
File Type: txt Attach.txt (7.1 KB, 1 views)