#1
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
DMQHO.exe Trojan Infection
What a way to end the old year. I apparently have a DMQHO trojan that I can't remove. When I googled dmqho.exe, it looks like I really should get rid of it.
http://spywarefiles.prevx.com/RRIHBC...DMQHO.EXE.html

I followed all the steps recommended in this Forum and dmqho.exe still shows up in Windows Defender. I am running Vista Home Basic, and am really stuck now. If you can help I'd really appreciate it. Thanks, franks59
#2
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
Re: DMQHO.exe Trojan Infection
I should have added the log to this post; here it is:
Deckard's System Scanner v20071014.68
Run by Frank on 2007-12-31 15:57:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Frank.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:26 PM, on 12/31/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Transfz\transfz.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8W1IU7S\dss[1].exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Frank.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe
O4 - HKLM\..\Run: [AdwareRemoval_tray] C:\Program Files\EAdwareRemoval\tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{BD7B4FFB-5625-4094-A4E5-6EA01FB87BB8}
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Quick ShutDown.lnk = C:\Program Files\Quick ShutDown\qsd.exe
O4 - Startup: Transfz.lnk = C:\Program Files\Transfz\transfz.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted IP range: http://192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEE700-4373-42EB-ACD0-0CB6CD1EFD41}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFEEE23-4461-4B08-B55B-86C7900CB4C8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{733504EA-25BD-4366-AD0E-A5118496B0A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DCF27CE-A732-47DD-8ABE-9F9191C4F735}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC8B69-726C-49D1-A421-2AF35C370531}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6476A2-F96B-4B65-AFA5-F272FBC3C908}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9605 bytes

-- Files created between 2007-11-30 and 2007-12-31 -----------------------------

2007-12-31 15:58:07 0 d-------- C:\Program Files\Trend Micro
2007-12-31 11:44:37 0 d-------- C:\Program Files\Common Files\BitDefender
2007-12-31 10:02:30 0 d-------- C:\Windows\system32\HouseCall 6.6
2007-12-31 08:31:28 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-12-31 08:31:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-30 19:09:27 0 d-------- C:\Program Files\McAfee
2007-12-30 15:01:13 2015 -r-h----- C:\Windows\system32\drivers\hosts
2007-12-30 09:02:12 0 d-------- C:\Users\All Users\Lavasoft
2007-12-30 09:02:12 0 d-------- C:\Program Files\Lavasoft
2007-12-30 09:00:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 08:59:19 0 d-------- C:\Program Files\RogueRemover PRO
2007-12-30 07:56:10 0 dr-h----- C:\$VAULT$.AVG
2007-12-30 07:19:18 0 d-------- C:\Users\All Users\Grisoft
2007-12-30 07:19:18 0 d-------- C:\Users\All Users\avg7
2007-12-29 19:34:07 0 d-------- C:\AdwareRemovalBin
2007-12-29 17:57:50 0 d-------- C:\Program Files\a-squared Free
2007-12-29 16:32:46 164 --a------ C:\install.dat
2007-12-29 11:39:26 0 d-a------ C:\Users\All Users\TEMP
2007-12-29 11:39:06 0 d-------- C:\Users\All Users\PC Tools
2007-12-29 10:19:28 0 d-------- C:\Users\All Users\Prevx
2007-12-29 08:24:35 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-12-29 07:56:25 155648 -----n--- C:\Windows\system32\ssleay32.dll
2007-12-29 07:56:22 684032 -----n--- C:\Windows\system32\libeay32.dll
2007-12-28 09:01:03 0 d-------- C:\Program Files\Vista Start Menu
2007-12-21 15:51:25 0 d-------- C:\Program Files\QuickTime
2007-12-21 15:46:47 0 d-------- C:\Program Files\Apple Software Update
2007-12-21 15:45:07 0 d-------- C:\Program Files\Common Files\Apple
2007-12-21 15:45:05 0 d-------- C:\Users\All Users\Apple
2007-12-21 12:03:17 0 d-------- C:\Program Files\Noopod
2007-12-21 11:58:59 0 d-------- C:\Program Files\VIP Rumor RSS Reader
2007-12-21 11:56:58 0 d-------- C:\Program Files\YeahReader
2007-12-21 11:01:17 0 d-------- C:\Program Files\Juice
2007-12-19 17:48:29 0 d-------- C:\Windows\Application Data
2007-12-19 17:10:26 0 d-------- C:\Program Files\LG PC Suite
2007-12-04 12:10:35 0 d-------- C:\Program Files\IrfanView
2007-12-04 07:56:35 0 d-------- C:\Users\Frank\Bluetooth Software
2007-12-04 07:41:19 0 d-------- C:\Program Files\WIDCOMM
2007-12-04 07:35:05 67384 --a------ C:\Windows\system32\drivers\btwusb.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 5.1.0.1700>
2007-12-04 07:35:05 77824 --a------ C:\Windows\system32\btw_ci.dll <Not Verified; Broadcom Corporation.; Bluetooth Software 5.1.0.1700>

-- Find3M Report ---------------------------------------------------------------

2007-12-31 15:26:12 12 --a------ C:\Windows\bthservsdp.dat
2007-12-31 15:21:34 0 d-------- C:\Users\Frank\AppData\Roaming\SUPERAntiSpyware.com
2007-12-31 11:44:37 0 d-------- C:\Program Files\Common Files
2007-12-31 11:38:59 0 d-------- C:\Users\Frank\AppData\Roaming\AVG7
2007-12-31 08:23:40 0 d-------- C:\Program Files\Real
2007-12-31 07:56:31 0 d-------- C:\Program Files\Virtuosa
2007-12-31 07:56:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-30 11:14:26 0 d-------- C:\Users\Frank\AppData\Roaming\Grisoft
2007-12-29 15:43:44 0 d-------- C:\Users\Frank\AppData\Roaming\Vista Start Menu
2007-12-29 12:02:23 0 d-------- C:\Users\Frank\AppData\Roaming\COWON
2007-12-29 10:19:57 0 d-------- C:\Users\Frank\AppData\Roaming\PrevxCSI
2007-12-29 10:13:57 0 d-------- C:\Program Files\AWS
2007-12-29 07:24:35 0 d-------- C:\Program Files\Transfz
2007-12-21 15:55:34 0 d-------- C:\Users\Frank\AppData\Roaming\Apple Computer
2007-12-21 11:30:19 0 d-------- C:\Users\Frank\AppData\Roaming\iPodder
2007-12-19 17:52:59 0 d-------- C:\Users\Frank\AppData\Roaming\U3
2007-12-19 17:12:45 0 d-------- C:\Users\Frank\AppData\Roaming\LG Electronics
2007-12-18 16:52:08 0 d-------- C:\Users\Frank\AppData\Roaming\GoodSync
2007-12-16 10:11:37 0 d-------- C:\Program Files\BitPim
2007-12-08 09:11:52 0 d-------- C:\Users\Frank\AppData\Roaming\Adobe
2007-11-24 11 30 0 d-------- C:\Program Files\DRM Converter
2007-11-24 11:01:53 0 d-------- C:\Program Files\4Musics WMA to MP3 Converter
2007-11-23 17:14:37 0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-23 14:33:10 184320 --a------ C:\Windows\system32\snmvtsvc.exe <Not Verified; SoundMovieServer; SoundMovieServer>
2007-11-22 11:40:25 0 d-------- C:\Users\Frank\AppData\Roaming\Canon
2007-11-21 11:04:44 38422 --a------ C:\Users\Frank\AppData\Roaming\Microsoft Excel.ADR
2007-11-16 16:07:27 0 d-------- C:\Program Files\Verizon
2007-11-16 16 31 0 d-------- C:\Users\Frank\AppData\Roaming\vol_toolbar
2007-11-16 16 31 0 d-------- C:\Program Files\vol_toolbar
2007-11-15 06:59:44 0 d-------- C:\Program Files\Windows Mail
2007-11-09 11:05:40 0 d-------- C:\Program Files\Common Files\PestPatrol
2007-11-09 11:01:29 0 d-------- C:\Program Files\Common Files\Command Software
2007-11-06 10:30:45 0 d-------- C:\Users\Frank\AppData\Roaming\PCF-VLC
2007-11-06 07:30:10 0 d-------- C:\Users\Frank\AppData\Roaming\Mozilla
2007-11-06 07:30:09 0 d-------- C:\Users\Frank\AppData\Roaming\Participatory Culture Foundation
2007-11-06 07:27:03 0 d-------- C:\Program Files\Participatory Culture Foundation

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
05/25/2007 08:15 AM 1904128 --a------ C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}"= C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL [05/25/2007 08:15 AM 1904128]
[-HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
[HKEY_CLASSES_ROOT\vol_toolbar.VOL_TOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [08/17/2007 08:44 AM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [10/16/2006 08:40 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/17/2007 06:34 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 02:06 AM]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM]
"dmqho.exe"="C:\Windows\system32\dmqho.exe" []
"AdwareRemoval_tray"="C:\Program Files\EAdwareRemoval\tray.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [11/02/2006 04:45 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 07:34 AM]

C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Quick ShutDown.lnk - C:\Program Files\Quick ShutDown\qsd.exe [2/18/2003 12:19:06 PM]
Transfz.lnk - C:\Program Files\Transfz\transfz.exe [12/28/2007 2:25:36 PM]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [7/20/2007 12:57:16 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [6/7/2006 5:05:38 PM]
LaunchU3.exe.lnk - C:\Windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [10/18/2007 6:39:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum LocalServiceNoNetwork PLA DPS BFE mpssvc bthsvcs BthServ WindowsMobile wcescomm rapimgr LocalServiceRestricted WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10ea897b-4fd7-11dc-a60a-0013464c1079}]
AutoRun\command- K:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34479fef-5169-11dc-a7d7-0013464c1079}]
AutoRun\command- M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d6b8c3c-7010-11dc-aa59-0013464c1079}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83f7fea5-4d85-11dc-8df0-0013464c1079}]
AutoRun\command- G:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2007-12-31 15:59:04 ------------
#3
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: DMQHO.exe Trojan Infection
Welcome franks59
Start a HijackThis scan and place a check next to these items if there:

O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEE700-4373-42EB-ACD0-0CB6CD1EFD41}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFEEE23-4461-4B08-B55B-86C7900CB4C8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{733504EA-25BD-4366-AD0E-A5118496B0A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DCF27CE-A732-47DD-8ABE-9F9191C4F735}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC8B69-726C-49D1-A421-2AF35C370531}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6476A2-F96B-4B65-AFA5-F272FBC3C908}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Sometimes a legit O17 shows; we are fixing that because of the particular address.
====================================
Hit "Fix checked" and close HijackThis.

When Spybot's TeaTimer alerts you, you need to choose "Allow" without ticking "Remember decision".

Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Do a full system scan with your updated antivirus and let it deal with anything found; afterwards post a new HijackThis log (not DSS).
#4
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
Re: DMQHO.exe Trojan Infection
OK, I fixed the lines you indicated, then ran AVG Anti-Spyware 7.5, and deleted the stuff it found.
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:14 PM, on 12/31/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Transfz\transfz.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8W1IU7S\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Frank.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe
O4 - HKLM\..\Run: [AdwareRemoval_tray] C:\Program Files\EAdwareRemoval\tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{BD7B4FFB-5625-4094-A4E5-6EA01FB87BB8}
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Quick ShutDown.lnk = C:\Program Files\Quick ShutDown\qsd.exe
O4 - Startup: Transfz.lnk = C:\Program Files\Transfz\transfz.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted IP range: http://192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEE700-4373-42EB-ACD0-0CB6CD1EFD41}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFEEE23-4461-4B08-B55B-86C7900CB4C8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{733504EA-25BD-4366-AD0E-A5118496B0A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DCF27CE-A732-47DD-8ABE-9F9191C4F735}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC8B69-726C-49D1-A421-2AF35C370531}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6476A2-F96B-4B65-AFA5-F272FBC3C908}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9670 bytes
#5
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: DMQHO.exe Trojan Infection
Turn off SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode. Check yes to next window. Click on Tools in bottom left hand corner. Click on Resident icon and uncheck the box next to TeaTimer.

Run HijackThis, click "Config", then "Misc Tools", then "Delete file on reboot" (exact spelling counts!!! so don't browse to the files). Copy/paste the bolded line below into the File name box then click Open:

C:\Windows\system32\dmqho.exe

Answer yes to the prompt to reboot the PC.

Once Windows has restarted, start a HijackThis scan and place a check next to these items:

O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEE700-4373-42EB-ACD0-0CB6CD1EFD41}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFEEE23-4461-4B08-B55B-86C7900CB4C8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{733504EA-25BD-4366-AD0E-A5118496B0A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DCF27CE-A732-47DD-8ABE-9F9191C4F735}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC8B69-726C-49D1-A421-2AF35C370531}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6476A2-F96B-4B65-AFA5-F272FBC3C908}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222

Close all browsers and hit Fix checked, exit HijackThis. After using the PC for about three hours, post a new HijackThis log.
#6
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
Re: DMQHO.exe Trojan Infection
Drat. I just checked with Windows Defender and it is still there, even though I followed your instructions.
Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:14 PM, on 12/31/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Transfz\transfz.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Frank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8W1IU7S\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Frank.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe
O4 - HKLM\..\Run: [AdwareRemoval_tray] C:\Program Files\EAdwareRemoval\tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{BD7B4FFB-5625-4094-A4E5-6EA01FB87BB8}
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Quick ShutDown.lnk = C:\Program Files\Quick ShutDown\qsd.exe
O4 - Startup: Transfz.lnk = C:\Program Files\Transfz\transfz.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted IP range: http://192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEE700-4373-42EB-ACD0-0CB6CD1EFD41}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFEEE23-4461-4B08-B55B-86C7900CB4C8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{733504EA-25BD-4366-AD0E-A5118496B0A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DCF27CE-A732-47DD-8ABE-9F9191C4F735}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC8B69-726C-49D1-A421-2AF35C370531}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6476A2-F96B-4B65-AFA5-F272FBC3C908}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

-- End of file - 9670 bytes
#7
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: DMQHO.exe Trojan Infection
It appears you didn't turn off TeaTimer as was suggested; why is that?

Deactivate it. Please disable SpybotSD TeaTimer for now.

To disable SpybotSD TeaTimer: Open Spybot and click on Mode and check Advanced Mode. Check yes to next window. Click on Tools in bottom left hand corner. Click on Resident icon and uncheck the box next to TeaTimer: "Resident TeaTimer (protection of all-over system settings) active". Close Spybot. We will remind you to turn it on later.

Disable AVG Anti-Spyware guard since it may interfere with our cleaning (we can enable it when you're clean).

Open Windows Defender. Click on Tools, Settings. In the left pane, click on Real-time Protection. Under Startup Options uncheck "Enable real-time spyware threat protection (recommended)". Click on the Save button and close Microsoft AntiSpyware. Right click on the Windows Defender icon on the taskbar and select Shutdown Windows Defender.

Uninstall EAdwareRemoval.

Run HijackThis, click "Config", then "Misc Tools", then "Delete file on reboot" (exact spelling counts!!! so don't browse to the files). Copy/paste the bolded line below into the File name box then click Open:

C:\Windows\system32\dmqho.exe

Answer yes to the prompt to reboot the PC.

Once Windows has restarted, start a HijackThis scan and place a check next to these items:

O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEE700-4373-42EB-ACD0-0CB6CD1EFD41}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFEEE23-4461-4B08-B55B-86C7900CB4C8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{733504EA-25BD-4366-AD0E-A5118496B0A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DCF27CE-A732-47DD-8ABE-9F9191C4F735}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC8B69-726C-49D1-A421-2AF35C370531}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6476A2-F96B-4B65-AFA5-F272FBC3C908}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222

=======================================

Close all browsers and hit Fix checked, exit HijackThis. After using the PC for about three hours, post a new HijackThis log.

Last edited by LonnyRJones : 01-01-2008 at 04:48 PM.
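Posts #5 and #7 both hand-pick the same entries for "Fix checked": the O4 Run value that launches dmqho.exe out of system32, and every O17 NameServer override. The helper below is an added example, not part of the thread and not HijackThis code: it parses the O4, O17 and O23 entry shapes seen in the quoted logs and reports the ones an analyst would review first. The sample lines are constructed from the thread's log. The suspect-image list and the expected-resolver list are assumptions the analyst supplies (208.67.220.220 and 208.67.222.222 are OpenDNS resolvers; whether they belong on this machine is for its owner to confirm, which is why the helper reports every override instead of deciding). The "Run value named after a bare system32 executable" heuristic is likewise an assumption, marked as such in the code.

```python
"""Triage helper for HijackThis-style log entries.

Added example for the thread above: not part of the forum post and not part
of HijackThis. It parses the O4 (autorun), O17 (per-interface DNS override)
and O23 (service) entry shapes seen in the quoted logs and reports the
entries an analyst would look at first.
"""
import re
from dataclasses import dataclass

# Entry shapes as they appear in the thread's logs; other sections are ignored.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - (?P<key>HKLM\\System\\\S+): NameServer = (?P<servers>[\d.,]+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)'
                    r'(?P<missing> \(file missing\))?$')

SYSTEM32 = r'c:\windows\system32'   # assumed system root, as in the thread's logs


@dataclass(frozen=True)
class Finding:
    section: str      # "O4", "O17" or "O23"
    confidence: str   # "high" = can go on a fix list, "review" = analyst judgement
    reason: str
    line: str         # raw entry, so it can be pasted back into a fix list


def image_path(cmd):
    """Executable path from an O4 command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)', cmd, re.IGNORECASE)  # unquoted paths end at the first .exe
    return m.group(1) if m else cmd.split(' ')[0]


def triage(lines, suspect_images=(), expected_nameservers=()):
    """Return Findings for the O4/O17/O23 entries worth an analyst's attention.

    suspect_images: file names already identified as malicious (assumption:
        supplied by the analyst, e.g. from a scanner alert as in the thread).
    expected_nameservers: the resolvers that should be configured on this
        machine (assumption: supplied by its owner); any other server in an
        O17 entry is reported.
    """
    suspects = {s.lower() for s in suspect_images}
    expected = set(expected_nameservers)
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            image = image_path(m['cmd']).replace('/', '\\')
            folder, _, base = image.lower().rpartition('\\')
            if base in suspects:
                findings.append(Finding('O4', 'high', f'autorun of known-suspect image {base}', line))
            elif folder == SYSTEM32 and m['name'].lower() == base:
                # Heuristic (assumption): legitimate Run values carry a product
                # name; a value named after a bare executable in system32 is unusual.
                findings.append(Finding('O4', 'review',
                                        'system32 autorun whose value name is just the file name', line))
        elif m := O17_RE.match(line):
            unexpected = [s for s in m['servers'].split(',') if s not in expected]
            if unexpected:
                conf = 'high' if expected else 'review'   # only "high" when the owner told us the real resolvers
                findings.append(Finding('O17', conf, 'DNS override to ' + ','.join(unexpected), line))
        elif m := O23_RE.match(line):
            problems = []
            if m['missing']:
                problems.append('service points at a missing file')
            if m['owner'] == 'Unknown owner':
                problems.append('unknown owner')
            if problems:
                findings.append(Finding('O23', 'review', '; '.join(problems), line))
    return findings


def fix_list(findings):
    """Raw entries that can go straight onto a 'Fix checked' list."""
    return [f.line for f in findings if f.confidence == 'high']


# Constructed sample: a subset of the entries quoted in the thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [dmqho.exe] C:\Windows\system32\dmqho.exe',
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
    r'O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABBD4F7-903A-4259-B8EA-0FAE065FBC85}: NameServer = 208.67.220.220,208.67.222.222',
    r'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222',
    r'O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe',
    r'O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, suspect_images=['dmqho.exe']):
        print(f'[{f.section}/{f.confidence}] {f.reason}\n    {f.line}')
```

Run against the sample, the helper flags the dmqho.exe autorun as high confidence (it is on the suspect list), both O17 overrides for review (no expected resolvers were given), and the orphaned SysGuard service entry; the Windows Defender and Sidebar autoruns and the Ad-Aware service pass untouched. Passing the machine's real resolvers in `expected_nameservers` promotes any other O17 server to high confidence, which is the judgement the moderator made by hand.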
#8
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
Re: DMQHO.exe Trojan Infection
I thought I did turn it off. Anyway, I went into Spybot, the TeaTimer box was unchecked; I checked it to make sure I had control, then unchecked it and closed Spybot. I'm using the free version of AVG Anti-Spyware, so the resident shield is not active (or available). In my version of Windows Defender, there is no left panel. There is a panel on the top that has Tools. This gives me the following choices: Options (Automatically scan my computer; Check for updated definitions before scanning; and Apply default actions to items detected during a scan); Microsoft SpyNet; Quarantined Items; and Software Explorer. I unchecked the box for Automatically scan my computer. I hope this is what I'm supposed to do.
I uninstalled Ad-Aware. I did all the HijackThis steps. I'll probably get back to you tomorrow morning. Thanks very much for sticking with me on this, especially on New Year's!
#9
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
Re: DMQHO.exe Trojan Infection
I know you said to let the computer run for 3 hours and then post a new log, but I did a scan after I checked the items in Hijackthis, and they reappeared. I checked them again and did "Fix checked", exited Hijackthis, and then restarted the computer. Then I went back to Hijackthis, did a scan and the lines were still there.
I'll continue using the computer and post a scan tomorrow morning.
#10
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: DMQHO.exe Trojan Infection
Well, part of the problem is I don't know enough about Vista.
Let's get a look at a catchme report: http://www.gmer.net/catchme.php. Save it (not open) to your desktop, then run it.
#11
Registered User
Join Date: Dec 2007
Posts: 9
OS: Vista
Re: DMQHO.exe Trojan Infection
I just ran catchme but I couldn't find a .log file after it finished. The catchme.exe screen said:

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Here is the latest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:14 PM, on 12/31/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Quick ShutDown\qsd.exe