Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

KFSmyth515

5 Posts

280

August 24th, 2005 18:00

Cannot remove Trojan.Qhosts - HJT Log File - Help

I have tried multiple virus scans, i have also used the Qhosts removal tool multiple times.  Both the virus scan and Qhosts removal tool detect nothing.  Any help would be appreciated.
 
Logfile of HijackThis v1.99.1
Scan saved at 2:58:18 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
C:\DBASQL\dbasvr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\Dell\OPENMA~1\OLDiags\bin\java.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\csmrs.exe
C:\WINNT\System\msveup.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Administrator.TP\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsInstaller] C:\WINNT\system32\csmrs.exe
O4 - HKLM\..\Run: [.msfupdate] C:\WINNT\System\msveup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Startup: AutoAdmin II.lnk = C:\Program Files\ASDS\AA2\AA2.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3) - http://192.168.0.110:7273/j2re1_3_0-win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://activex.microsoft.com/activex/controls/macromedia/Swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pinpoint.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B11D284-5F19-4403-8C42-03835FABE6A3}: NameServer = 172.16.1.25,4.2.2.1,4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tp.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tp.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - C:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Backup Agent RPC Server (DbaRpcService) - Unknown owner - C:\DBASQL\dbasvr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dellw3c - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: WiredContact Service App (WiredService) - Practical Sales - D:\INETPUB\WiredX3\WiredSvc.exe

RKinner

2 Intern

 • 

5.9K Posts

August 24th, 2005 18:00

Download the Hoster from:


http://www.funkytoad.com/

Unpack to your desktop and run it.  If you have green print at the top then just press Restore Original Hosts then OK. 
IF you have red print then press make Hosts Writeable first.
 


Get DelDomain.inf from:
 
http://www.mvps.org/winhelp2002/restricted.htm  and then right click on it and Install. 

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check then Fix
Checked the following:

O4 - HKLM\..\Run: [WindowsInstaller] C:\WINNT\system32\csmrs.exe
O4 - HKLM\..\Run: [.msfupdate] C:\WINNT\System\msveup.exe

 

Reboot into regular mode and make a new log and post it as a reply.

 

Ron

 

PS:  These are your bugs:

 

http://securityresponse.symantec.com/avcenter/venc/data/w32.allocup.a.html

 

http://www.sophos.com/virusinfo/analyses/w32dedlerb.html

Message Edited by RKinner on 08-24-2005 02:45 PM

KFSmyth515

5 Posts

August 24th, 2005 19:00

Thanks alot RKinner, that seems to have done the trick.
 
Logfile of HijackThis v1.99.1
Scan saved at 4:48:35 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
C:\DBASQL\dbasvr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\Dell\OPENMA~1\OLDiags\bin\java.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\ASDS\AA2\AA2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\INETPUB\WiredX3\WiredSvc.exe
C:\Documents and Settings\Administrator.TP\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Startup: AutoAdmin II.lnk = C:\Program Files\ASDS\AA2\AA2.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3) - http://192.168.0.110:7273/j2re1_3_0-win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://activex.microsoft.com/activex/controls/macromedia/Swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pinpoint.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B11D284-5F19-4403-8C42-03835FABE6A3}: NameServer = 172.16.1.25,4.2.2.1,4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tp.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tp.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - C:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Backup Agent RPC Server (DbaRpcService) - Unknown owner - C:\DBASQL\dbasvr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dellw3c - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: WiredContact Service App (WiredService) - Practical Sales - D:\INETPUB\WiredX3\WiredSvc.exe

RKinner

2 Intern

 • 

5.9K Posts

August 24th, 2005 20:00

Glad to hear it.

 

Ron

 

Make sure you have System Restore running (toggle it off and On today to get rid of any bad stuff it may have retained) and then you can just go back to an earlier time if you hit a bad site.  One way to make this more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
 
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:.
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm

Never hurts to do one of the free on line scans from Panda or Trend.  They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx
I like to run Spybot S&D. 
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while. 
http://www.lavasoftusa.com/software/adaware/

 

Message Edited by RKinner on 08-24-2005 04:09 PM

Was this post helpful?

View All

Top