Trojan.BHO - Malware Error



Hi,

My girlfriend told me her computer was opening IE whenever she'd open a folder on her HD. For instance, if she opened the folder "C:\Test", it would search Baidu (a Chinese search engine) for "C:\Test". I figured it was poorly made spyware, so I ran Malwarebytes, which I'd installed on her comp. It came up with a few entries, but removed all but Trojan.BHO, which Malwarebytes can't remove. When it finds it, it gives the following error box: "An Error has occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error Code: 731 (0, 6)". This error causes Malwarebytes not to recognize the trojan. Here is an example of the log after the trojan is found (it doesn't even show up).

I have included a copy of the HijackThis log as well. Please note she is Chinese, so you might not be able to read some of the program names without additional language packs.

She runs the Chinese version of WinXP, from Lenovo. I'm sure (or at least hope) the trojan is linked to the IE pop-ups, so any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 0:41:42, on 2009-8-12

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\lenovo\GUA\GUA.exe

C:\Program Files\lenovo\IGRS\IGRS.exe

C:\Program Files\lenovo\IGRS\Ext\IgrsMonitor.exe

C:\Program Files\lenovo\IGRS\Ext\router.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\lenovo\IGRS\Ext\wmcsvc.exe

C:\Program Files\lenovo\IGRS Profiles\File Profile\IgrsFile.exe

C:\Program Files\lenovo\IGRS EasyShare\FileShare.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\QBU\QkOnBtn.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\CameraFixer.exe

C:\WINDOWS\tsnpstd3.exe

C:\WINDOWS\vsnpstd3.exe

C:\Program Files\Ringz Studio\Storm Downloader\StormDownloader.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Sucop\SecPlugin\SecNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll (file missing)

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\新建文件夹\ComDlls\TDAtOnce_Now.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - E:\easyMule\modules\IE2EM.dll

O2 - BHO: QvodExtend - {53AC8551-0DE0-4606-8A1E-A51AF20ADD60} - C:\Program Files\Common Files\System\QvodExtend.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - E:\新建文件夹\ComDlls\xunleiBHO_Now.dll

O2 - BHO: ntFilter - {C2EB616C-BFB0-4361-A02C-588F869A0E97} - C:\Program Files\Sucop\SecPlugin\SecPlugin.dll

O3 - Toolbar: 闪联任意通 (IGRS Anywhere) - {0C9B3AB9-DEDF-11D8-A2D4-0050FC464B19} - C:\Program Files\lenovo\IGRS EasyShare\IgrsAnywhere.dll

O3 - Toolbar: 畅游巡警 (Sucop "Browsing Patrol") - {B057BF9C-55B4-4AA4-938A-FE78617866B8} - C:\Program Files\Sucop\SecPlugin\SecPlugin.dll

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe

O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe

O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

O4 - HKLM\..\Run: [MINI_BFYY] C:\Program Files\Ringz Studio\Storm Downloader\StormDownloader.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [搜狐电视机网页版] C:\Program Files\sohutv_web\SysTrayIcon.exe "C:\Program Files\sohutv_web" "d6d96fcfa7dc8461fb9b42368748714e" "1.0.0.6" ""

O4 - HKLM\..\Run: [secNotifier] C:\Program Files\Sucop\SecPlugin\SecNotifier.exe

O4 - HKLM\..\Run: [Thunder] "E:\新建文件夹\Thunder.exe" /s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &使用暴风下载器下载 (&Download with Storm Downloader) - C:\Program Files\Ringz Studio\Storm Downloader\geturl.htm

O8 - Extra context menu item: 使用电驴下载 (Download with eMule) - E:\easyMule\IE2EM.htm

O8 - Extra context menu item: 使用迅雷下载 (Download with Thunder) - E:\新建文件夹\Program\GetUrl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 (Download all links with Thunder) - E:\新建文件夹\Program\GetAllUrl.htm

O8 - Extra context menu item: 添加到QQ表情 (Add to QQ emoticons) - C:\Program Files\Tencent\QQ\AddEmotion.htm

O9 - Extra button: 启动迅雷5 (Launch Thunder 5) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - E:\新建文件夹\Thunder.exe

O9 - Extra 'Tools' menuitem: 启动迅雷5 (Launch Thunder 5) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - E:\新建文件夹\Thunder.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: 易趣购物 (EachNet Shopping) - {EE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)

O9 - Extra 'Tools' menuitem: 易趣购物 (EachNet Shopping) - {EE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com

O15 - Trusted Zone: http://www.icbc.com.cn

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O20 - Winlogon Notify: igrswn - C:\Program Files\lenovo\IGRS\Ext\igrswn.dll

O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - (no file)

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: dlcf_device - Unknown owner - C:\WINDOWS\system32\dlcfcoms.exe (file missing)

O23 - Service: General Updater/AutoUpdater Service (GUA) - lenovo - C:\Program Files\lenovo\GUA\GUA.exe

O23 - Service: IGRS - Lenovo Group Limited - C:\Program Files\lenovo\IGRS\IGRS.exe

O23 - Service: IGRSFILE - Lenovo Group Limited - C:\Program Files\lenovo\IGRS Profiles\File Profile\IgrsFile.exe

O23 - Service: IgrsFileShare - 联想集团有限公司 (Lenovo Group Limited) - C:\Program Files\lenovo\IGRS EasyShare\FileShare.exe

O23 - Service: IgrsMonitor - Lenovo Group Limited - C:\Program Files\lenovo\IGRS\Ext\IgrsMonitor.exe

O23 - Service: MicroGrid DirectRouter (MicroGrid.DirectRouter) - Lenovo Group Limited - C:\Program Files\lenovo\IGRS\Ext\router.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: WMCSVC - Lenovo Group Limited - C:\Program Files\lenovo\IGRS\Ext\wmcsvc.exe

--

End of file - 7418 bytes

Malwarebytes' Anti-Malware 1.40

Database version: 2608

Windows 5.1.2600 Service Pack 2

2009-8-12 0:54:06

mbam-log-2009-08-12 (00-54-06).txt

Scan type: Quick Scan

Objects scanned: 16019

Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

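The following is an added example, not code from the original poster, the forum staff or Malwarebytes. It does offline what the staff reply below does by eye on the HijackThis log above: it parses O2/O3/O9/O22 CLSID registrations and O4 Run entries, flags registrations whose file is "(file missing)" or "(no file)" (orphaned CLSIDs, the usual clean-up candidates), targets that are URLs rather than local files, image paths outside the two directories where installed code is expected on this machine, and one DLL registered under several CLSIDs (here SecPlugin.dll as both a BHO and a toolbar). The sample lines are copied from the log above; the list of "standard roots" is an assumption for this particular Windows XP box, not a general rule.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of O2/O3/O4/O9/O22 lines copied from the
# HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: QvodExtend - {53AC8551-0DE0-4606-8A1E-A51AF20ADD60} - C:\Program Files\Common Files\System\QvodExtend.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - E:\新建文件夹\ComDlls\xunleiBHO_Now.dll
O2 - BHO: ntFilter - {C2EB616C-BFB0-4361-A02C-588F869A0E97} - C:\Program Files\Sucop\SecPlugin\SecPlugin.dll
O3 - Toolbar: 畅游巡警 - {B057BF9C-55B4-4AA4-938A-FE78617866B8} - C:\Program Files\Sucop\SecPlugin\SecPlugin.dll
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O9 - Extra button: 易趣购物 - {EE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - (no file)
"""

# "Onn - Kind: Name - {CLSID} - target" lines (O2 BHOs, O3 toolbars, O9 buttons, O22 tasks).
CLSID_ENTRY = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<target>.*)$"
)
# "O4 - HKxx\..\Run: [value] command" autostart lines.
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<command>.*)$")
# Cut an O4 command line at the executable so trailing arguments are ignored.
IMAGE_EXT = re.compile(r"^(.*?\.(?:exe|dll|ocx|htm|html))(?:\s|$)", re.IGNORECASE)

# Assumption for this XP machine: legitimately installed code lives under these
# two roots. Anything else (for example the removable E: drive) gets a second look.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def parse_entries(log_text):
    """Return one dict per recognised HijackThis line; unknown lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CLSID_ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
            continue
        m = RUN_ENTRY.match(line)
        if m:
            d = m.groupdict()
            entries.append({"section": "O4", "kind": d["hive"], "name": d["value"],
                            "clsid": None, "target": d["command"]})
    return entries


def image_path(target):
    """Strip the '(file missing)' annotation, quotes and arguments to get the file path."""
    t = target.replace("(file missing)", "").strip()
    if t.startswith('"'):
        return t[1:t.find('"', 1)]
    m = IMAGE_EXT.match(t)
    return m.group(1) if m else t


def triage(log_text):
    """Classify entries: orphaned registrations, URL targets, unusual paths, shared DLLs."""
    findings = {"orphans": [], "url_targets": [], "nonstandard": [], "shared": {}}
    by_path = defaultdict(list)
    for e in parse_entries(log_text):
        target = e["target"]
        if target == "(no file)" or target.endswith("(file missing)"):
            # Registration points at nothing on disk: a leftover a cleaner can safely drop.
            findings["orphans"].append((e["section"], e["clsid"] or e["name"]))
            if target == "(no file)":
                continue
        path = image_path(target)
        if path.lower().startswith(("http://", "https://")):
            findings["url_targets"].append((e["section"], path))
            continue
        if not path.lower().startswith(STANDARD_ROOTS):
            findings["nonstandard"].append((e["section"], path))
        by_path[path.lower()].append(e["section"] + " " + (e["clsid"] or e["name"]))
    # One DLL behind several CLSIDs: the same code hooked into IE more than once.
    findings["shared"] = {p: ids for p, ids in by_path.items() if len(ids) > 1}
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Run against the sample, the orphan list is exactly the set of O2/O9/O22 entries the staff member later asks to have fixed, while the working QvodExtend.dll (valid path, file present) is not flagged by any rule here: a path-based triage finds dead registrations, not a live BHO, which is why the staff asked for the file itself.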

  • Staff

Hi,

Go to this page.

Enter the url of this thread in the first field.

Where it says to browse to the file that you want to submit, click the Browse button next to it and browse to the following file:

C:\Program Files\Common Files\System\QvodExtend.dll

Select it and click OK.

Then click the Send File button below.

Let me know in this thread once you've uploaded the file.

Also, open HijackThis, click Config, then click Misc Tools.

Click "Open Uninstall Manager"

Click "Save List" (generates uninstall_list.txt)

Click Save, copy and paste the results in your next post.

Can you also tell me what mbam is exactly detecting as this Trojan.BHO? Because I can't see it in the log here.


I uploaded the file as you asked.

Can you also tell me what mbam is exactly detecting as this Trojan.BHO? Because I can't see it in the log here.

I can't be sure, exactly. When MBAM gets the error I listed above, the results page just has "Trojan.BHO" as the name and nothing else. I can opt to remove it, but it just generates that blank log I showed (I mainly listed that to show the version) and doesn't remove it. When it is scanning, it pauses when it hits the error, which is (I think) the same time it finds the Trojan.BHO file. The scan pauses on the following: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping", and then it will continue scanning after I hit OK on the error.

The following is the uninstall list:

3ivx MPEG-4 5.0 Decoder (remove only)

Adobe Flash Player 10 ActiveX

Adobe Photoshop 7.0.1

Adobe Reader 6.0 - Chinese Simplified

Agere Systems AC'97 Modem

Audio Browser

Broadcom 440x 10/100 Integrated Controller

Combined Community Codec Pack 2008-09-21 16:18

Cool Edit Pro 2.0

easyMule

EnergyCut

HC PC-Camera

HijackThis 2.0.2

Hotfix for Windows XP (KB915865)

HP Customer Participation Program 7.0

HP Imaging Device Functions 7.0

HP Photosmart and Deskjet 7.0 Software

HP Software Update

HP Solution Center 7.0

Intel® Graphics Media Accelerator Driver for Mobile

LiveUpdate 1.80 (Symantec Corporation)

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Premium

Microsoft Visual C++ 2005 Redistributable

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

muvee Plugin 1.0

Nero OEM

PowerDVD

Powerword 2005

PPS网络电视 (PPS Internet TV)

QQ2007II 正式版 (official release)

QuickOn Button ( WinXP )

QuickStroke

RealPlayer

Realtek AC'97 Audio

SecureW2 TTLS Client 3.3.3 for Windows

Spybot - Search & Destroy

SupportSoft Assisted Service

Symantec AntiVirus Client

Synaptics Pointing Device Driver

Tencent Media Player by Viewpoint

Texas Instruments PCIxx21/x515 drivers.

Tom - Skype (BETA)

Trillian

TVAnts 1.0

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Hotfix for Windows Internet Explorer 7 (KB947864)

Windows Live Messenger

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901190)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB903235)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944533)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Update for Windows XP (KB894391)

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB933360)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB973815)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB952287)

Windows XP Hotfix Package - KB834707

Windows XP Hotfix Package - KB867282

Windows XP Hotfix Package - KB873333

Windows XP Hotfix Package - KB873339

Windows XP Hotfix Package - KB885250

Windows XP Hotfix Package - KB885835

Windows XP Hotfix Package - KB885836

Windows XP Hotfix Package - KB886185

Windows XP Hotfix Package - KB886677

Windows XP Hotfix Package - KB887472

Windows XP Hotfix Package - KB887742

Windows XP Hotfix Package - KB888113

Windows XP Hotfix Package - KB888302

Windows XP Hotfix Package - KB890047

Windows XP Hotfix Package - KB890175

Windows XP Hotfix Package - KB890859

Windows XP Hotfix Package - KB891781

Windows XP Hotfix Package - KB894194

WinRAR 压缩文件管理器 (WinRAR archive manager)

暴风下载器 (Storm Downloader)

暴风影音 (Storm Player)

畅游巡警 1.1.0.2 VeryCD专版 (Sucop "Browsing Patrol" 1.1.0.2, VeryCD edition)

金山打字通 2008 (Kingsoft Typing Tutor 2008)

金山打字游戏 2008 (Kingsoft Typing Games 2008)

闪联任意通 (IGRS Anywhere)

闪联通用自动更新 (IGRS General Auto-Updater)

闪联文件交互智能应用框架 (IGRS File Interaction Smart Application Framework)

闪联运行支撑平台 (IGRS Runtime Support Platform)

文件备份 (File Backup)

迅雷5 (Thunder 5)


  • Staff

Hi,

That's strange about MBAM. Could be a read error, though. Can you try to run it in developer mode?

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.

Also, I can't read some of the Chinese characters here, but is Qvod listed anywhere? If so, please uninstall it. I want to see if it's somehow related to it.

The following programs are not really recommended either since they have a questionable reputation:

easyMule

Tencent Media Player by Viewpoint

QQ2007II 正式版 (official release)

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot

O9 - Extra button: 易趣购物 (EachNet Shopping) - {EE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)

O9 - Extra 'Tools' menuitem: 易趣购物 (EachNet Shopping) - {EE60714F-AC19-427e-861A-FD60ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)

O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - (no file)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Also, * please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I ran Mbam in developer mode. Exact same result. Same error code, the logs show as clean, same as the one I posted above.

I removed those entries with HijackThis and nothing happened. I didn't get that Qvod reference until I asked my gf, and she told me that was the name of the movie player that she installed/deleted right before the problem. I went into safe mode and navigated to the .dll and deleted it (in normal mode it was in use), and now the computer is working fine. I.e., when I open "C:\Test" it simply goes there. It does not open IE to Baidu and search for "C:\Test" anymore. So the main problem is fixed, apparently.

I got ComboFix and disabled her Symantec and the Windows firewall, but the program wouldn't run. It would get to where it was trying to make a registry backup, but hung indefinitely after showing the 2 bars as it prepared the system. ComboFix picked up on the native Chinese and the text was in Chinese, but she told me it would either hang at "Preparing to make a registry backup" or "Making registry backup." From what I read on the site it shouldn't take over 10 minutes to make the backup, so I don't think it is working for some reason.

I'm a bit at a loss; the computer seems to be working fine. If it weren't for MBAM giving that mystery file, I'd say it was all fixed. Unless you think there is something still hiding, all the problems seem to be fixed.

She did mention she was worried the QBU folder in her Program Files (which contains QkOnBtn.exe) might be some kind of malware. I looked around and didn't see any evidence one way or the other. This post was actually 7th from the top of the results. I'm not sure what it does and am not about to run the .exe, and the program has an Add/Remove entry. I'm not sure if it is appropriate to ask in this thread or if I should ask in general help.

Thanks for all of your help.


  • Staff

Hi,

QkOnBtn.exe is from QuickOn Button ( WinXP ) which is installed here, so it's fine.

Yes, I already thought Qvod was the main problem here; that's why I asked if this reference was in Add/Remove Programs as well, so it could be uninstalled, since a lot of the entries are in Chinese ;)

The error/detection in mbam may be a read detection, same as why Combofix doesn't want to proceed with the scan and hangs when backing up the registry.

You can still try to run Combofix from Windows safe mode - but since the main problem is resolved here, I wouldn't worry about the rest. I'm pretty sure it's just a read error in mbam, same as it's for Combofix.


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

