There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
.dbx file audio automatic updates avg avg 8 blue screen brand new codec computer conversion crash dbx file dell desktop display dos driver dvd error error message excel explorer external file game hardware hijackthis log install installation internet itunes javascript lan laptop macro malware msn music network outlook outlook 2003 outlook express php problem random rundll32 security seo sound sp3 spyware switch tag cloud trojan usb video virus vista visual basic vundo wallpaper windows windows vista windows xp winxp wireless word xp service pack xp sp3 youtube
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Qhost.apd trojan - HJT log inside.


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

 
Thread Tools
bigfish99's Avatar
Junior Member with 1 posts.
  
Join Date: May 2008
Experience: Intermediate
06-May-2008, 10:09 PM #1
Qhost.apd trojan - HJT log inside.
Hi Guys. Good day. Need your help badly.

I have this server that I control remotely via RealVNC and Radmin. This server is on a different geographical location from me and I have no physical access to it.

McAfee VirusScan detects Qhost.apd and several other viruses:

W32/Sdbot.worm!ftp
W32/Nachi!tftpd
W32/Nachi.worm.a

among many others.

Everytime Qhost.apd is detected, it is deleted by McAfee. However, it is back again after reboot/power reset.

Here is the HJT's logfile. Anybody with a kind heart who wants to help me save my job (LOL), please take a look and tell me which can be removed.

Logfile of HijackThis v1.99.1
Scan saved at 8:56:50 AM, on 5/6/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\algs.exe
C:\WINNT\System32\spoolsvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINNT\System32\oqsas.exe
C:\WINNT\VoipSwitchConSole.exe
c:\Program Files\VoipBox 1.0\Voipbox.exe
c:\Program Files\VoipSwitch\VoipSwitch 2.0\VoipSwitch.exe
C:\WINNT\System32\sgxgwewe.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\rundll32.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis\hijackthis1991.exe

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1E33CA77-A304-4284-B3D9-BE474569DE8B} - C:\WINNT\System32\pmnliJaA.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINNT\system32\ssqQkKcb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\System32\winamp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\System32\algs.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\System32\explorer.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINNT\System32\sgxgwewe.exe
O4 - HKLM\..\Run: [BMbb0b5c88] Rundll32.exe "C:\WINNT\System32\perpspij.dll",s
O4 - HKLM\..\Run: [b8386f14] rundll32.exe "C:\WINNT\System32\quoywofu.dll",b
O4 - Startup: VoipSwitchConSole.lnk = C:\WINNT\VoipSwitchConSole.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{31BF7F50-B138-4ED8-833C-43871E928DFA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AF80D0A-F97F-4A6E-A10C-072A264A1F26}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{799EA123-84B4-416E-B71A-89B2B2560BC2}: NameServer = 192.168.20.52,192.168.20.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0613F6-CE54-4ABB-AB80-19D2078E4B4E}: NameServer = 203.167.102.1,203.167.102.2
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ssqQkKcb - C:\WINNT\SYSTEM32\ssqQkKcb.dll
O20 - Winlogon Notify: tuvTnLfD - C:\WINNT\SYSTEM32\tuvTnLfD.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Calls reader service - - c:\program files\voipswitch\cfreader\cfreader.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINNT\System32\urdvxc.exe" /service (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service (file missing)

Thank you very much. Any help would be deeply appreciated.

/BF
cybertech's Avatar
Computer Specs
Moderator with 53,851 posts.
  
Join Date: Apr 2002
Location: Washington State
08-May-2008, 03:48 PM #2
Hi, Welcome to TSG!!

Why in the world don't you have any service packs on this machine???


Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the Internet.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Reply

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are Off
Refbacks are Off

Related Sites: Support.com | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 08:43 AM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.