
How to remove qwerty12.exe?


real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Thu Jul 26, 2007 8:55 am

How to remove qwerty12.exe?

I'm using Windows Live OneCare. Every time, it shows a pop-up saying "OneCare has blocked qwerty12".

After getting this pop-up, I searched for a file named qwerty12 and found two files on my system: one at "windows\system32\qwerty12.exe" and a second at "WINDOWS\Prefetch\QWERTY12.EXE-29BA6945.pf".
Then I tried to delete those files but got an error because the service for qwerty12 was running in the background and couldn't be stopped. I finally deleted them after booting into safe mode, but that didn't help, as they reappear after I reboot my system.

Even "HijackThis" didn't help, and then I used HijackRemote (www.hijackremote.com) to solve my problem... Still waiting for their response.


Please help me permanently remove qwerty12 from my PC.
Level of risk?

jimbob

Post Thu Jul 26, 2007 9:23 am

Re: How to remove qwerty12.exe?

Hi,
There are lots of ways a process can be restarted following a reboot. I'd check those locations for your suspect file. The Microsoft utility Autoruns (formerly from Sysinternals) will show you most of these locations.

http://www.microsoft.com/technet/sysint ... oRuns.mspx

Also, check that your virus scanner is up to date. If you don't have one, there are some free ones available, e.g. Avast, AVG, ClamAV.

Regards,
Jim

real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Thu Jul 26, 2007 9:48 am

Re: How to remove qwerty12.exe?

Hi Jim,
Thanks for your answer.

I'm using Microsoft Live OneCare and it is up to date.

Thank you very much for such a good tool. I found one service named "Domain Service" running in the background with the image path "windows\system32\qwerty12.exe" and unchecked it, but qwerty12.exe is still running; I'm not able to determine its exact autorun service.

I tried Trend Micro, Live OneCare, and Spyware Doctor, but none of them helped me fix this problem.

Please tell me if there is any spyware tool that can help me by automatically detecting its services.
Last edited by real.whitehat on Thu Jul 26, 2007 4:11 pm, edited 1 time in total.

jimbob

Post Fri Jul 27, 2007 10:41 am

Re: How to remove qwerty12.exe?

Hi,
I suggest you read the usage information on the website to learn how to use Autoruns. Then look for any suspect processes being started at boot time. Check the registry and services first of all, and also check for browser helper objects (BHOs).

It would be safest to wipe your system, reinstall the OS and restore your data from a known good backup. Otherwise you're not going to be sure that you've removed all traces of the malware.

Regards,
Jim

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Fri Jul 27, 2007 10:16 pm

Re: How to remove qwerty12.exe?

Hey, not sure if you've removed the nasty critter but I would like to see your HijackThis log for analysis. If you decide to post the log, make sure to do the following first:

1- Clean your Internet and Temporary files from your system. You can do it manually:

Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

- Temporary Files
- Temporary Internet Files
- Recycle Bin

or you can also use CCleaner, which I like very much.

2- Scan your computer with free Anti-Spyware tools to detect and remove any adware/spyware. I usually use the following:

- Ad-Aware 2007
- Spybot - Search & Destroy 1.4
- Windows Defender

3- Scan for malware infection using free anti-virus/anti-trojan tools such as what jimbob mentioned earlier. I use Avast and have been using it for years; I like it a lot:

- Avast! 4 Home Edition
- BitDefender8 Free Edition
- AVG Anti-Virus Free Edition

4- Run McAfee AVERT Stinger. This will remove most common malware that is in the wild:

- McAfee AVERT Stinger

5- Make sure to enable your Windows firewall and to download and install the latest OS patches to your system.

6- Use HijackThis to scan your system and post your complete log for further assistance.
Security+, OSCP, CEH

heffnercj

EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Sat Jul 28, 2007 6:57 am

Re: How to remove qwerty12.exe?

real.whitehat:

Prevx has some more information on qwerty12.exe (http://www.prevx.com/filenames/X1385008 ... 2.EXE.html) that might be helpful to you, as well as a download that supposedly removes it as well as other malware (I've never heard of Prevx before, but they seem legit).

If you Google for 'qwerty12' you'll also find a bunch of forums containing steps to remove it, most of which seem to use a combination of Hijack This and ComboFix.

real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Wed Aug 01, 2007 12:21 am

Re: How to remove qwerty12.exe?

Hi everyone,

I tried everything you mentioned and even deleted some suspicious files, but nothing helped. Here I'm posting a log from Trend Micro HijackThis; please have a look and tell me if you find any suspicious file running in the background. However, "Qwerty12.exe" is not in the log because I fixed it using HijackThis, but that is not going to help me; it will reappear when I reboot my system...

In this log I highlighted/commented on some of the running services in bold+italic; please tell me what they are for.

PLEASE! HELP ME

Logfile of HijackThis v1.99.1
Scan saved at 10:44:12 AM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
G:\Program Files\Microsoft Windows OneCare Live\winss.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\D-Tools\daemon.exe
G:\WINDOWS\RTHDCPL.EXE
G:\WINDOWS\system32\rundll32.exe (why more than one service for RUNDLL32.exe?)
G:\WINDOWS\System32\svchost.exe (why more than one service for svchost.exe?)
G:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
G:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
G:\WINDOWS\system32\ctfmon.exe?
G:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
G:\WINDOWS\system32\wuauclt.exe?
G:\Program Files\FlashGet\flashget.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Program Files\Internet Explorer\iexplore.exe
G:\WINDOWS\explorer.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... #058;blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Protected by "real.whitehat" 512bit SSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - G:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {6b46f8f0-fc54-4a8d-b7f0-d4ec7e978c46} - G:\WINDOWS\system32\com863.dll?
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - G:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "G:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Clean Traces - G:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - G:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - G:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - G:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - G:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - G:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\WINDOWS\System32\shdocvw.dll?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3957275656
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E8A6DE3-5F92-4B20-B5F9-F76DCC56687E}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: AutorunsDisabled - G:\WINDOWS\?
O20 - Winlogon Notify: com863 - G:\WINDOWS\SYSTEM32\com863.dll?
O23 - Service: APC UPS Service - American Power Conversion Corporation - G:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
Last edited by real.whitehat on Wed Aug 01, 2007 12:56 am, edited 1 time in total.

real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Wed Aug 01, 2007 12:47 am

Re: How to remove qwerty12.exe?

Just a few days back a new problem started on my PC: I'm able to open My Computer/Explorer but not able to browse into a drive or folder. Every time I double-click on any drive/folder my screen goes blank and reappears after a second with a clean desktop and no opened folder.

First I thought there was a problem with explorer.exe, and to confirm this I ended the current explorer.exe from Task Manager and then started a new explorer.exe from c:\windows\explorer.exe (another XP installed on the C drive).

But the problem persists... Please tell me what the problem could be?

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 01, 2007 2:56 am

Re: How to remove qwerty12.exe?

Hey real.whitehat,

Been doing some research and some people have removed the qwerty12.exe using VundoFix.

What this program does:

The Vundo family of Trojans is one of the most common infections we find on users' PCs. The infection can cause popups which usually advertise rogue antispyware programs. Some common rogue antispyware programs that are advertised are WinFixer, SysProtect and WinAntiSpyware, for example. Users are normally targeted by false positives and warnings of infection; an example of this could be popups alerting users that they are infected with a Blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so it is important to first make sure that your Java software is fully up to date. Thankfully, the infection is relatively easy to remove, and a specialised tool has been created to remove the Vundo trojan from infected computers. The following guide will explain how to use the tool, and hopefully rid your system of this malware.


At your own risk, follow these instructions on how to use this application:

Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.



Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


After you're done, run the HijackThis scan and post the log here. I saw a couple of interesting things in your previous log. However, let's do this one step at a time and first use VundoFix to see if it removes the qwerty12.exe app.
Security+, OSCP, CEH

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 01, 2007 3:12 am

Re: How to remove qwerty12.exe?

Oh BTW,

I found a good tutorial on how to interpret HijackThis log. Enjoy!

http://www.eradicatespyware.net/How_To_ ... kThis.html
Security+, OSCP, CEH

real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Wed Aug 01, 2007 3:34 am

Re: How to remove qwerty12.exe?

Been doing some research and some people have removed the qwerty12.exe using VundoFix.


Hi,
I downloaded and ran VundoFix; it found two files in system32 and removed them, but qwerty12.exe is still there in "windows\system32\qwerty12.exe" and reappears after I remove it.

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 01, 2007 3:47 am

Re: How to remove qwerty12.exe?

Download VirtumundoBegone and use it if VundoFix didn't work. After doing this, can you please post the HijackThis log? Thanks.
Security+, OSCP, CEH

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 01, 2007 4:13 am

Re: How to remove qwerty12.exe?

FYI about qwerty12.exe:

Name:  DomainService
Filename: qwerty12.exe
Command: qwerty12.exe
Description: Identified as a variant of the Trojan.Win32.Agent.aoy Trojan.
File Location: %System%
Startup Type: This startup entry is installed as a Windows NT, 2000, 2003, or XP service.
Service Name: DomainService
Service Display Name: DomainService
HijackThis Category: O23 Entry
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.
Removal Instructions: How to remove a Trojan, Virus, Worm, or other Malware


Since this is a trojan variant, I definitely recommend what jimbob earlier suggested:

It would be safest to wipe your system, reinstall the OS and restore your data from a known good backup. Otherwise you're not going to be sure that you've removed all traces of the malware.


But if you still want to remove this malware, read the following instruction and see if this helps:

http://www.bleepingcomputer.com/tutoria ... al101.html
Security+, OSCP, CEH

real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Fri Aug 03, 2007 5:09 am

Re: How to remove qwerty12.exe?

Log after the VundoFix scan and manual removal of \windows\system32\qwerty12.exe & \windows\prefetch\Qwerty12...pf



Logfile of HijackThis v1.99.1
Scan saved at 3:34:12 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
G:\Program Files\Microsoft Windows OneCare Live\winss.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\D-Tools\daemon.exe
G:\WINDOWS\RTHDCPL.EXE
G:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\system32\rundll32.exe
G:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
G:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\GetRight\getright.exe
G:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ethicalhacker.net/component/ ... Itemid,54/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Protected by "real.whitehat" 512bit SSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - G:\Program Files\FlashGet\jccatch.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - G:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - G:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "G:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Clean Traces - G:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - G:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - G:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - G:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight Pro - G:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - G:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - G:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - G:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3957275656
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E8A6DE3-5F92-4B20-B5F9-F76DCC56687E}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: AutorunsDisabled - G:\WINDOWS\
O23 - Service: APC UPS Service - American Power Conversion Corporation - G:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
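The two logs in this thread (the Aug 1 log, which still carried the "(no name)" BHO and the Winlogon Notify entry for com863.dll, and this post-VundoFix log, where both are gone) plus blackazarro's FYI about the DomainService O23 entry are exactly the kind of data a small parser can triage, and they cover the boot-time restart locations jimbob pointed to. The script below is an added example, not code from HijackThis, VundoFix or anyone in the thread: it parses the HijackThis 1.99.1 line format, flags entries with a few defender heuristics (assumptions for this example, not HijackThis rules), and diffs a "before" log against an "after" log to show what a cleanup actually removed. The sample logs are excerpts copied from the two posted logs with the poster's trailing "?" annotations stripped, plus one constructed O23 line for the DomainService entry; its exact HijackThis rendering (including the "Unknown owner" publisher field) is an assumption, because the poster had already fixed that entry out of both logs.

```python
"""HijackThis-log triage: parse the log, flag entries, and diff two logs.

Added example for this thread, not code from HijackThis, VundoFix or any poster.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    section: str   # HijackThis section tag: "R1", "O2", "O20", "O23", ...
    kind: str      # text before the first ": " (e.g. "BHO", "Service"), or ""
    fields: tuple  # the " - "-separated fields after the kind
    name: str      # first field: display name, or "(no name)"
    target: str    # last field: DLL/EXE path or URL; "" if there is only one field


LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<rest>.*)$")
# Heuristic only (an assumption for this example): a short run of letters
# followed by digits, e.g. "com863.dll", is a common generated file name.
GENERIC_NAME_RE = re.compile(r"^[a-z]{2,6}\d{2,4}\.(dll|exe)$", re.I)


def parse_hjt(text: str) -> list:
    """Parse the R*/O* lines of a HijackThis 1.99.1 log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header lines and the process list
        section, rest = m.group("section"), m.group("rest")
        kind, sep, detail = rest.partition(": ")
        if not sep:                       # R0/R1 lines carry no "Kind:" prefix
            kind, detail = "", rest
        fields = tuple(p.strip() for p in detail.split(" - "))
        target = fields[-1] if len(fields) > 1 else ""
        entries.append(Entry(section, kind, fields, fields[0], target))
    return entries


def flag_entries(entries: list) -> list:
    """Return (entry, reasons) pairs for entries worth a defender's first look."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "O2" and e.name == "(no name)":
            reasons.append("BHO with no name")
        if e.section == "O20" and e.target.lower().endswith(".dll"):
            reasons.append("DLL loaded into winlogon via Winlogon Notify")
        if e.section == "O23":
            vendor = e.fields[1] if len(e.fields) >= 3 else ""
            if vendor in ("", "Unknown owner"):
                reasons.append("service with no publisher")
        basename = e.target.rsplit("\\", 1)[-1]
        # Scoped to the BHO and Winlogon Notify sections: applied to O23 it
        # would also flag legitimate drivers such as nvsvc32.exe.
        if e.section in ("O2", "O20") and GENERIC_NAME_RE.match(basename):
            reasons.append("generic letters+digits file name")
        if reasons:
            findings.append((e, reasons))
    return findings


def removed_entries(before: str, after: str) -> list:
    """Entries present in the 'before' log that no longer appear in 'after'."""
    after_set = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in after_set]


# Excerpts from the two logs posted in the thread ("?" annotations removed).
# The DomainService O23 line is constructed from the FYI post; its exact
# HijackThis rendering is an assumption.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6b46f8f0-fc54-4a8d-b7f0-d4ec7e978c46} - G:\WINDOWS\system32\com863.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: AutorunsDisabled - G:\WINDOWS\
O20 - Winlogon Notify: com863 - G:\WINDOWS\SYSTEM32\com863.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - G:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DomainService - Unknown owner - G:\WINDOWS\system32\qwerty12.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
"""

AFTER_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: AutorunsDisabled - G:\WINDOWS\
O23 - Service: APC UPS Service - American Power Conversion Corporation - G:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"[{entry.section}] {entry.name}: {entry.target}  <- {'; '.join(reasons)}")
    print("removed by cleanup:")
    for entry in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"  [{entry.section}] {entry.name} - {entry.target}")
```

Run as-is, the three flagged entries in the "before" excerpt are the two com863.dll entries and the constructed DomainService line, and those same three are the ones the diff reports as removed. The "AutorunsDisabled" O20 entry is not flagged: its target is a directory, not a DLL, and it is the marker Autoruns leaves behind when an entry is unchecked, which is consistent with real.whitehat having disabled the service in Autoruns earlier in the thread. The heuristics only prioritise what to look at first; a flagged entry still needs checking against a known-good reference, and the generic-name rule is deliberately kept away from the O23 section because legitimate service binaries such as nvsvc32.exe match the same pattern.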

real.whitehat

Newbie

Posts: 18

Joined: Mon Apr 23, 2007 5:50 am

Post Fri Aug 03, 2007 5:19 am

Re: How to remove qwerty12.exe?

I think my problem is solved. I'm sure because I haven't gotten any firewall alert message "Qwerty12.exe was trying to access... and is blocked" for the last 2 days.

Thanks, blackazarro, for VundoFix.
Thanks to all who posted their suggestions and removal instructions.