hmqrb.exe, My pc is infected


Solved hmqrb.exe, My pc is infected

Post by coolnitin on 31st January 2009, 10:06 pm

Here is my log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:56 AM, on 2/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0\bin\jusched.exe
E:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Me\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [BDMCon] E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "E:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [AnVir Task Manager Pro] "E:\Program Files\AnVir Task Manager Pro\AnVir.exe" Minimized
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: MagicDisc.lnk = E:\Program Files\MagicDisc\MagicDisc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

--
End of file - 3583 bytes
---------------------------------------------------------------------------------
My Task Manager is disabled and prompts "Task Manager has been disabled by your administrator".
Registry editing prompts "Registry editing has been disabled by your administrator".
My antivirus "Bit defender free edition" is also not working. The antivirus does not load when the system starts up, and if I try to open it separately it does not open either.
When I inserted my pen drive and checked it, there were two hidden files:
1-autorun.inf
2-hmqrb.exe
Yes, I am able to see those hidden files by using Folder Options, but only for a few seconds.
autorun.inf contents are:
------------------------------------------------------------------------------
[AutoRun]
;Ogug EFUkTTaMbjRMkPHk
;LekEJbCymj
Shell\OPEn\cOmmAnd= hmqrb.exe

;
sHeLl\exPlORe\CoMmANd= hmqrb.exe
;
opEn = hmqrb.exe
;ybwPlntuBDeKCwcDluubs xTesWQCXIJjx DtuLK
SheLl\OPen\DefaUlt=1
;AeiyQauoyIvyrnlsGDjBh
shell\AuTOplay\Command=hmqrb.exe
-------------------------------------------------------------------------------
This virus/worm/trojan (I don't know what it is) has turned Windows Firewall off, and if I turn it on again, the virus turns it off when I restart the computer.
Also, there were 2 programs in the Exceptions tab with the word "ipsec", which was new to me, and when I unmarked those, after the next reboot those 2 programs were there again as new entries (2 unmarked and 2 marked) along with the other exceptions.
I am using "Windows XP SP3" and I used gpedit.msc to gain back registry editing control, but failed.

Help me please.
Nitin, India

coolnitin
Novice

Posts : 44
Joined : 2009-01-31
OS : Windows XP
Points : 28693
# Likes : 0

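The HijackThis log in the post above can be triaged mechanically. The following Python sketch is an added example, not part of the original thread and not a HijackThis feature: it parses the O4 and O7 lines and reports autostart values repeated under several HKUS hives, RunOnce values that call cmd.exe, and policy restrictions. The function names and the `min_hives` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted above (a subset, so this runs offline).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [AnVir Task Manager Pro] "E:\Program Files\AnVir Task Manager Pro\AnVir.exe" Minimized
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: MagicDisc.lnk = E:\Program Files\MagicDisc\MagicDisc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# "O4 - <hive>\..\Run[Once]: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# "O7 - <policy key>, <value>=<number>"
O7_RE = re.compile(r"^O7 - (?P<key>.+), (?P<value>\w+)=(?P<data>\d+)$")
# HijackThis appends the account name to HKUS entries; strip it from the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def parse_o4(log):
    """Return registry autostart entries (O4 lines) as dicts; Startup-folder lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["cmd"] = USER_SUFFIX_RE.sub("", entry["cmd"])
            entries.append(entry)
    return entries


def replicated_autostarts(entries, min_hives=3):
    """Values with the same key and name under at least min_hives HKUS hives (assumed threshold)."""
    seen = defaultdict(set)
    for e in entries:
        if e["hive"].upper().startswith("HKUS\\"):
            seen[(e["key"], e["name"])].add(e["hive"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hives}


def shell_runonce(entries):
    """RunOnce values whose command line starts with cmd.exe rather than a program path."""
    return [e for e in entries
            if e["key"] == "RunOnce" and e["cmd"].lower().startswith("cmd.exe")]


def policy_restrictions(log):
    """O7 lines: policy values set to a non-zero number."""
    hits = []
    for line in log.splitlines():
        m = O7_RE.match(line.strip())
        if m and int(m["data"]) != 0:
            hits.append((m["value"], int(m["data"])))
    return hits


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    for (key, name), hives in replicated_autostarts(entries).items():
        print(f"{key} [{name}] repeated under {len(hives)} HKUS hives: {', '.join(hives)}")
    for e in shell_runonce(entries):
        print(f"RunOnce via cmd.exe in {e['hive']}: {e['cmd']}")
    for value, data in policy_restrictions(SAMPLE_LOG):
        print(f"Policy restriction set: {value}={data}")
```

The output is a list of entries to examine by hand; it does not decide whether a file is malicious.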
Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 31st January 2009, 10:15 pm

Hello.

As you know, both your pen drive and machine are infected; until we clean the stick, we can't clean the machine. So let's do this first.
Try to delete that autorun.inf file if you can; if it won't let you, leave it and this will delete it.

  • Download combofix from here [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts.

    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    It's strongly recommended to have the Recovery Console installed before doing any malware removal.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
    The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 11:47 am

When running combo-fix.exe, every time it shows:
"Combo-Fix.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
And my antivirus is already disabled by that virus/worm and there is no antivirus icon in the tray. I already ran the Malwarebytes program. Sorry, I forgot to mention it previously. The Malwarebytes full scan showed me 4 infections and I did what that program told me.
What to do next?


Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 1st February 2009, 2:11 pm

Okay, CF can't run.
We'll use something else.

Were you able to delete the autorun.inf file?
Also, I need to know what letter your pen drive uses when it's plugged in.



Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 3:52 pm

I am not able to delete those two files (autorun.inf and hmqrb.exe), as a message is displayed when I try to delete them: "Cannot delete autorun: It is being used by other person or program. Close any programs that might be using the file and try again".
As for the exe file, sometimes it gets deleted but then comes back on the pen drive within 1 to 2 seconds, and sometimes deleting that exe file also shows "Cannot delete hmqrb: Access is denied. Make sure the disk is not full or write-protected and that file is not currently in use."

Right-clicking on the pen drive and then selecting Format showed a message "windows cannot format this drive." or something like that.

By using Control Panel > Administrative Tools > Computer Management > Disk Management, I finally formatted the pen drive, but now there are two files on my pen drive:
1- Autorun.inf
2- iqhek (without any extension "Shortcut to MS-DOS program")

Now the contents of the autorun file are:
-----------------------------------------------------------------------------------------------
[AutoRun]
;ayoD VfDLsf lqJUXqapLvthnvCvwrtLgqcGwbj fKjSywMinjpfEexBfABCmjbHHGlpuJx

;WesXXYaTkigy
sheLl\exploRe\COmmanD=iqhek.pif
;
oPEn =iqhek.pif
;ufvCQnXdxjvugJxaCy
shell\OpEn\coMmaNd= iqhek.pif

;
SHell\oPen\DEfault=1
;cboJor
shELL\AUtOplAy\ComMaNd=iqhek.pif
-----------------------------------------------------------------------------------------------
My pen drive letter is "K", as I have 7 partitions on my 2 hard drives (one hard drive is 40GB, Samsung, and the other is 160GB, Seagate). So C, D, E, F, G, H, I are the partitions of my hard drives, then "J" is for the DVD ROM, K is for the pen drive, and then there are 2 other imaginary DVD drives with the letters L and M from "Daemon Tools" and "Magic ISO".
-----------------------------------------------------------------------------------------------
Here I am sending you all my current processes that I saved by "AnVir Task Manager Pro". Thinking if you can get any clue by this. Here are my all processes:
------------------------------------------------------------------------------------------------
1 firefox.exe Firefox 18% 0 0 28 164 K 26 768 K 2:45 Normal 160 1588 - explorer.exe hmqrb.exe, My pc is infected - Mozilla Firefox Mozilla Corporation C:\Program Files\Mozilla Firefox\firefox.exe 0:06 D2C980A4D0F04B8\Me 2/1/2009 01:08


2 magicdisc.exe MagicISO Virtual CD/DVD Manager 18% C:\Documents and Settings\Me\Start Menu\Programs\Startup\ 0 0 1 488 K 2 424 K 2:47 Normal 2000 1588 - explorer.exe MagicISO Virtual CD/DVD Manager MagicISO, Inc. E:\Program Files\MagicDisc\MagicDisc.exe 0:00 D2C980A4D0F04B8\Me 2/1/2009 01:08


3 bdagent.exe BDAgent Application 16% Registry: Machine\Run\BDAgent 0 0 4 568 K 1 956 K 2:49 Normal 1712 1588 - explorer.exe SOFTWIN S.R.L. E:\Program Files\Softwin\BitDefender10\bdagent.exe 0:00 D2C980A4D0F04B8\Me 2/1/2009 01:08



4 jusched.exe Java(TM) 2 Platform Standard Edition binary 16% Registry: Machine\Run\SunJavaUpdateSched 1 0 5 400 K 19 996 K 2:48 Normal 1748 1588 - explorer.exe Sun Microsystems, Inc. E:\Program Files\Java\jre1.5.0\bin\jusched.exe 0:01 D2C980A4D0F04B8\Me 2/1/2009 01:08


5 winlogon.exe Windows NT Logon Application 16% 0 0 3 472 K 3 988 K 2:57 High 664 568 - smss.exe Microsoft Corporation C:\WINDOWS\system32\winlogon.exe 0:02 NT AUTHORITY\SYSTEM 2/1/2009 01:08


6 csrss.exe Client Server Runtime Process 12% 0 0 3 304 K 1 596 K 2:57 High 640 568 - smss.exe Microsoft Corporation C:\WINDOWS\system32\csrss.exe 0:02 NT AUTHORITY\SYSTEM 2/1/2009 01:08


7 smss.exe Windows NT Session Manager 12% 0 0 392 K 164 K 3:04 Above Normal 568 4 Microsoft Corporation C:\WINDOWS\system32\smss.exe 0:00 NT AUTHORITY\SYSTEM 2/1/2009 01:08


8 soundman.exe Avance Sound Manager 2% Registry: Machine\Run\SoundMan 0 0 2 492 K 1 844 K 2:49 Normal 1732 1588 - explorer.exe Sound Effect Avance Logic, Inc. C:\WINDOWS\SOUNDMAN.EXE 0:00 D2C980A4D0F04B8\Me 2/1/2009 01:08


9 explorer.exe Windows Explorer 0% 1 3 K/s 21 228 K 14 736 K 2:51 Normal 1588 1560 - userinit.exe My Computer Safely Remove Hardware | Local Area Connection Speed: 100.0 Mbps Status: Connected | Volume Microsoft Corporation C:\WINDOWS\explorer.exe 0:04 D2C980A4D0F04B8\Me 2/1/2009 01:08


10 mspmspsv.exe WMDM PMSP Service 0% Services: WMDM PMSP Service 0 0 1 404 K 384 K 2:41 Normal 828 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\MsPMSPSv.exe 0:00 NT AUTHORITY\SYSTEM 2/1/2009 01:08


11 lsass.exe LSA Shell (Export Version) 0% Services: Security Accounts Manager 0 0 5 756 K 3 796 K 2:56 Normal 720 664 - winlogon.exe Microsoft Corporation C:\WINDOWS\system32\lsass.exe 0:00 NT AUTHORITY\SYSTEM 2/1/2009 01:08


12 services.exe Services and Controller app 0% Services: Plug and Play 0 0 3 996 K 1 932 K 2:56 Normal 708 664 - winlogon.exe Microsoft Corporation C:\WINDOWS\system32\services.exe 0:01 NT AUTHORITY\SYSTEM 2/1/2009 01:08


13 spoolsv.exe Spooler SubSystem App 0% Services: Print Spooler 0 0 4 252 K 3 080 K 2:52 Normal 1444 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe 0:00 NT AUTHORITY\SYSTEM 2/1/2009 01:08


14 svchost.exe Generic Host Process for Win32 Services 0% Services: Remote Procedure Call (RPC) 0 0 3 996 K 1 608 K 2:55 Normal 940 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\svchost.exe 0:00 NT AUTHORITY\NETWORK SERVICE 2/1/2009 01:08


15 svchost.exe Generic Host Process for Win32 Services 0% Services: Wireless Zero Configuration 0 0 16 696 K 10 856 K 2:55 Normal 1032 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\svchost.exe 0:01 NT AUTHORITY\SYSTEM 2/1/2009 01:08


16 svchost.exe Generic Host Process for Win32 Services 0% Services: DNS Client 0 0 3 080 K 1 156 K 2:55 Normal 1088 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\svchost.exe 0:00 NT AUTHORITY\NETWORK SERVICE 2/1/2009 01:08


17 svchost.exe Generic Host Process for Win32 Services 0% Services: WebClient 0 0 4 780 K 2 316 K 2:54 Normal 1204 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\svchost.exe 0:00 NT AUTHORITY\LOCAL SERVICE 2/1/2009 01:08


18 svchost.exe Generic Host Process for Win32 Services 0% Services: Terminal Services 0 0 4 592 K 2 968 K 2:56 Normal 872 708 - services.exe Microsoft Corporation C:\WINDOWS\system32\svchost.exe 0:00 NT AUTHORITY\SYSTEM 2/1/2009 01:08


19 wuauclt.exe Automatic Updates 0% 0 0 6 724 K 6 416 K 1:52 Normal 3652 1032 - svchost.exe Microsoft Corporation C:\WINDOWS\system32\wuauclt.exe 0:00 NT AUTHORITY\SYSTEM 2/1/2009 02:50


20 anvir.exe AnVir Task Manager Pro 0% Registry: User\Run\AnVir Task Manager Pro 4 3 K/s 13 824 K 16 804 K 2:48 High 1780 1588 - explorer.exe AnVir Task Manager Pro Trial Version! (20 days left) CPU Usage: 7% anvir 6% Click for monitoring | Disk Load C: 1% D: 1% E: 7% F: 1% 24°C G: 1% H: 1% I: 1% jusched 475 K/s system 17 K/s e... Click for more info | Memory Usage: 34% Used: 212 MB Total: 631 MB firefox 27 MB explorer 20 MB svchost 16 MB anvi... Click for more info | In: 531 bytes/s Out: 131 bytes/s Received: 167 KB Sent: 31.7 KB Local Area Connection Connected... Click for more info AnVir Software E:\Program Files\AnVir Task Manager Pro\AnVir.exe 0:07 D2C980A4D0F04B8\Me 2/1/2009 01:09


21 system 0% 0 0 212 K 0 K 3:21 Normal 4 0 0:09


22 System Idle Process 0% 93 0 16 K 0 K 3:21 N/A 0 0 2:38
---------------------------------------------------------------------------------------------
I have also downloaded the "Filesee" software to see the contents of the hmqrb.exe file, but I couldn't understand anything in that file.


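The two autorun.inf listings posted so far share a layout: random comment lines between the directives, key names in scrambled letter case, and every launch verb pointing at one file in the drive root. The Python sketch below is an added example, not part of the original thread; it normalises such a file and reports those traits, and the finding names and the plain comparison file are assumptions made for illustration.

```python
import re

# The two autorun.inf listings posted in this thread, copied verbatim.
SAMPLE_HMQRB = r"""[AutoRun]
;Ogug EFUkTTaMbjRMkPHk
;LekEJbCymj
Shell\OPEn\cOmmAnd= hmqrb.exe

;
sHeLl\exPlORe\CoMmANd= hmqrb.exe
;
opEn = hmqrb.exe
;ybwPlntuBDeKCwcDluubs xTesWQCXIJjx DtuLK
SheLl\OPen\DefaUlt=1
;AeiyQauoyIvyrnlsGDjBh
shell\AuTOplay\Command=hmqrb.exe
"""
SAMPLE_IQHEK = r"""[AutoRun]
;ayoD VfDLsf lqJUXqapLvthnvCvwrtLgqcGwbj fKjSywMinjpfEexBfABCmjbHHGlpuJx

;WesXXYaTkigy
sheLl\exploRe\COmmanD=iqhek.pif
;
oPEn =iqhek.pif
;ufvCQnXdxjvugJxaCy
shell\OpEn\coMmaNd= iqhek.pif

;
SHell\oPen\DEfault=1
;cboJor
shELL\AUtOplAy\ComMaNd=iqhek.pif
"""
# Constructed for comparison: a plain file of the kind an installer disc carries.
SAMPLE_PLAIN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def _irregular_case(key):
    """True if any path component is neither lower, UPPER nor Capitalized."""
    return any(tok not in (tok.lower(), tok.upper(), tok.capitalize())
               for tok in key.split("\\"))


def parse_autorun(text):
    """Return (directives, raw_keys, comment_lines) for the [autorun] section.

    Section and key names are matched case-insensitively and whitespace
    around '=' is ignored, so scrambled case does not hide a directive.
    """
    section, directives, raw_keys, comment_lines = None, {}, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comment_lines += 1
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            raw_keys.append(key)
            directives[key.lower()] = value
    return directives, raw_keys, comment_lines


def assess(text):
    """Summarise launch targets and the layout traits seen in this thread."""
    directives, raw_keys, comment_lines = parse_autorun(text)
    launch = {k: v for k, v in directives.items()
              if v and (k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k))}
    targets = sorted({v.lower() for v in launch.values()})
    findings = []
    if launch:
        findings.append("launches-program")
    if len(launch) >= 3 and len(targets) == 1:
        findings.append("every-verb-same-target")
    if any(_irregular_case(k) for k in raw_keys):
        findings.append("irregular-key-case")
    if comment_lines and comment_lines >= len(directives):
        findings.append("filler-comments")
    return {"targets": targets, "launch_keys": sorted(launch), "findings": findings}


if __name__ == "__main__":
    for label, sample in (("hmqrb", SAMPLE_HMQRB), ("iqhek", SAMPLE_IQHEK),
                          ("plain", SAMPLE_PLAIN)):
        print(label, assess(sample))
```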
Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 1st February 2009, 3:56 pm

Let's delete these autorun.inf files then; at least that will stop activating the other files for now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\autorun.inf
D:\autorun.inf
E:\autorun.inf
F:\autorun.inf
G:\autorun.inf
H:\autorun.inf

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 5:25 pm

contents of avenger.txt :
---------------------------------------------------------------------------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: "C:\autorun.inf" is a folder, not a file!
Deletion of file "C:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "D:\autorun.inf" is a folder, not a file!
Deletion of file "D:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "E:\autorun.inf" is a folder, not a file!
Deletion of file "E:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "F:\autorun.inf" is a folder, not a file!
Deletion of file "F:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "G:\autorun.inf" is a folder, not a file!
Deletion of file "G:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "H:\autorun.inf" is a folder, not a file!
Deletion of file "H:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "I:\autorun.inf" is a folder, not a file!
Deletion of file "I:\autorun.inf" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Completed script processing.

*******************

Finished! Terminate.
----------------------------------------------------------------------------------------------
Sorry, I didn't know that Flash_Disinfector had already created an "autorun.inf" folder in all my hard drive partitions.

What to do now?
I really need your help

Here is another log file created by avenger.exe with only the command:
-----------------------------------------------------------------------------------------
Files to delete:
K:\autorun.inf
------------------------------------------------------------------------------------------
Where K is my pen drive letter
Contents are:
-----------------------------------------------------------------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "K:\autorun.inf"
Deletion of file "K:\autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.
-------------------------------------------------------------------------------------------
Help me please


Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 1st February 2009, 5:34 pm

Ah, flash_disinfector.
That explains why the avenger says folders and not a file.

Can you rename ComboFix and call it something else, and see if it will run then?



Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 5:45 pm

I tried ComboFix with 3 different names but it always failed.
Every time it shows "this.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

Should I download it again and then try?


Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 1st February 2009, 5:50 pm

Yeah, download it again, then try running it from safe mode.



Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 6:39 pm

Yes, I downloaded ComboFix again and, while saving it to the hard drive, I chose "Save As" and saved it with a different name, and it worked.

Here is the log file:
--------------------------------------------------------------------------------------------------
ComboFix 09-02-01.01 - Me 2009-02-02 0:07:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.632.425 [GMT 0:00]
Running from: F:\mine.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fstextv6.dll
K:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.

2009-02-01 23:29 . 2009-02-01 23:30 d-------- C:\this
2009-02-01 03:48 . 2006-03-31 11:45 1,443,464 -ra------ c:\windows\system32\flzrh8b.ocx
2009-02-01 03:48 . 2004-01-25 17:49 303,104 --a------ c:\windows\system32\rmzrh.ax
2009-02-01 03:48 . 2006-02-06 19:58 269,312 --a------ c:\windows\system32\officefs.ocx
2009-02-01 03:48 . 1998-11-28 05:59 265,216 --a------ c:\windows\system32\FAXUTIL.DLL
2009-02-01 03:48 . 1998-11-28 05:59 181,248 --a------ c:\windows\system32\faxzrh.DLL
2009-02-01 03:48 . 2004-01-12 17:57 86,016 --a------ c:\windows\system32\qtzrh.ax
2009-02-01 03:47 . 2005-10-24 23:13 2,371,584 --a------ c:\windows\system32\pdfzrh.ocx
2009-02-01 03:47 . 2003-08-29 22:51 156,160 --a------ c:\windows\system32\unrar3.dll
2009-02-01 03:47 . 2002-04-16 09:35 145,920 --a------ c:\windows\system32\wav2.dll
2009-02-01 03:47 . 2003-08-29 22:52 75,264 --a------ c:\windows\system32\unacev2.dll
2009-02-01 03:02 . 2009-02-01 03:02 d-------- c:\documents and settings\Me\Application Data\Malwarebytes
2009-02-01 03:02 . 2009-02-01 03:02 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-01 03:02 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 03:02 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-01 02:20 . 2009-02-01 02:20 d-------- c:\program files\Trend Micro
2009-02-01 02:12 . 2009-02-01 02:12 d-------- C:\Deckard
2009-02-01 01:08 . 2009-02-01 01:08 d-------- c:\program files\Common Files\Download Manager
2009-02-01 00:34 . 2009-02-01 00:34 d-------- c:\documents and settings\Me\Application Data\Cambridge
2009-02-01 00:34 . 2009-02-01 00:34 63 --a------ c:\windows\TEXTware.ini
2009-02-01 00:33 . 2009-02-01 00:33 d-------- c:\program files\TEXTware
2009-02-01 00:27 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-31 01:06 . 2009-01-31 01:06 d--h----- c:\windows\system32\GroupPolicy
2009-01-29 18:14 . 2009-01-29 18:14 d-------- c:\program files\uTorrent
2009-01-29 18:14 . 2009-02-01 00:40 d-------- c:\documents and settings\Me\Application Data\uTorrent
2009-01-29 18:03 . 2009-01-29 18:03 d-------- c:\documents and settings\Me\Application Data\Media Player Classic
2009-01-29 17:41 . 2008-12-08 11:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-01-29 17:41 . 2007-07-10 16:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-29 11:25 . 2009-01-29 11:26 d-------- c:\program files\Common Files\Roxio Shared
2009-01-29 06:29 . 2009-01-29 06:29 d-------- c:\documents and settings\Me\Application Data\DAEMON Tools
2009-01-29 06:29 . 2009-01-29 06:29 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-01-29 06:13 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
2009-01-27 17:03 . 2009-01-27 17:07 d-------- c:\documents and settings\Me\bluej
2009-01-27 17:01 . 2009-01-27 17:01 49,262 --a------ c:\windows\system32\jpicpl32.cpl
2009-01-27 17:00 . 2009-01-27 17:00 d-------- c:\program files\Common Files\Java
2009-01-26 23:59 . 2009-01-26 23:59 d-------- c:\documents and settings\Me\Application Data\vlc
2009-01-26 23:21 . 2009-01-26 23:21 d-------- c:\program files\Yahoo!
2009-01-26 17:17 . 2006-01-06 15:53 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2009-01-26 17:17 . 2006-01-06 15:53 6,400 --a------ c:\windows\system32\drivers\splitter.sys
2009-01-26 17:12 . 2006-01-06 15:53 82,944 --a------ c:\windows\system32\drivers\wdmaud.sys
2009-01-26 17:10 . 2006-01-06 15:53 171,776 --a------ c:\windows\system32\drivers\kmixer.sys
2009-01-26 17:10 . 2006-01-06 15:53 142,464 --a------ c:\windows\system32\drivers\aec.sys
2009-01-26 17:10 . 2006-01-06 15:53 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
2009-01-26 17:10 . 2006-01-06 15:53 54,272 --a------ c:\windows\system32\drivers\swmidi.sys
2009-01-26 17:10 . 2006-01-06 15:53 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
2009-01-26 17:10 . 2006-01-06 15:53 5,376 --a------ c:\windows\system32\drivers\MSPCLOCK.sys
2009-01-26 17:10 . 2006-01-06 15:53 4,992 --a------ c:\windows\system32\drivers\MSPQM.sys
2009-01-26 17:10 . 2006-01-06 15:53 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
2009-01-26 17:09 . 2009-01-26 17:09 d--h----- c:\program files\InstallShield Installation Information
2009-01-26 17:09 . 2009-01-26 17:09 d-------- c:\program files\Common Files\InstallShield
2009-01-26 17:09 . 2002-09-16 01:52 1,256,448 -ra------ c:\windows\system32\ALSNDMGR.CPL
2009-01-26 17:09 . 2002-09-16 10:25 941,516 -ra------ c:\windows\system32\drivers\ALCXWDM.SYS
2009-01-26 17:09 . 2001-08-27 12:21 208,896 -ra------ c:\windows\alcupd.exe
2009-01-26 17:09 . 2006-01-06 15:53 145,920 --a------ c:\windows\system32\drivers\portcls.sys
2009-01-26 17:09 . 2002-02-05 05:54 141,016 -ra------ c:\windows\system32\ALSNDMGR.WAV
2009-01-26 17:09 . 2002-04-23 02:13 135,168 -ra------ c:\windows\alcrmv.exe
2009-01-26 17:09 . 2006-01-06 15:53 130,048 --a------ c:\windows\system32\ksproxy.ax
2009-01-26 17:09 . 2002-09-11 02:57 116,224 -ra------ c:\windows\SOUNDMAN.EXE
2009-01-26 17:09 . 2006-01-06 15:53 60,288 --a------ c:\windows\system32\drivers\drmk.sys
2009-01-26 17:09 . 2006-01-06 15:53 4,096 --a------ c:\windows\system32\ksuser.dll
2009-01-26 17:08 . 2000-03-29 06:17 5,824 --a------ c:\windows\system32\drivers\ASUSHWIO.SYS
2009-01-26 17:08 . 2009-01-26 17:08 1,924 --a------ c:\windows\Ascd_tmp.ini
2009-01-26 14:17 . 2009-02-01 00:30 81,984 --a------ c:\windows\system32\bdod.bin
2009-01-26 14:11 . 2009-02-01 23:54 d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-01-26 14:10 . 2009-02-01 23:54 d-------- c:\program files\Common Files\Softwin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 22:01 --------- d-----w c:\program files\Common Files\Adobe
2009-01-26 11:36 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-26 11:31 107,132 ----a-w c:\windows\UninstallFirefox.exe
2009-01-26 11:31 --------- d-----w c:\program files\QuickTime Alternative
2009-01-26 11:31 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-26 11:25 --------- d-----w c:\program files\Unlocker
2009-01-26 11:20 --------- d-----w c:\program files\MSN Messenger
2009-01-26 11:31 60,516 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-26 11:31 49,246 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-26 11:31 165,990 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2006-01-13 02:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 c:\windows\system32\drivers\tcpip.sys

2006-01-13 02:04 2187904 c3b84871dece94e335b96fafd756316c c:\windows\system32\ntoskrnl.exe

2006-01-13 01:46 1075200 2deaca71a7fd77205f59d48d76b2f565 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager Pro"="e:\program files\AnVir Task Manager Pro\AnVir.exe" [2008-11-13 2816736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="e:\program files\Java\jre1.5.0\bin\jusched.exe" [2009-01-27 110700]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 143360]
"SoundMan"="SOUNDMAN.EXE" [2002-09-11 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\Me\Start Menu\Programs\Startup\
MagicDisc.lnk - e:\program files\MagicDisc\MagicDisc.exe [2009-01-29 575488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"e:\\Program Files\\Java\\jdk1.5.0\\jre\\bin\\java.exe"=
"e:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"e:\\Program Files\\AnVir Task Manager Pro\\AnVir.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\system32\\CF27412.exe"=
"c:\\WINDOWS\\system32\\sol.exe"=
"c:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jjnlih.sys --> c:\windows\system32\drivers\jjnlih.sys [?]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\d8hrms65.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-02 00:10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2009-02-02 0:12:28 - machine was rebooted [Me]
ComboFix-quarantined-files.txt 2009-02-02 00:12:25

Pre-Run: 6,755,278,848 bytes free
Post-Run: 6,767,972,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

210
-----------------------------------------------------------------------------------------------

Combo-Fix already downloaded recovery console and installed.

What should I do now?

coolnitin
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-01-31
OS OS : Windows XP
Points Points : 28693
# Likes # Likes : 0


Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 6:41 pm

And I removed Bit-Defender, as there was no icon in the system tray and Combo-Fix was showing a message that an antivirus was found, please disable it, otherwise it may cause harm to the machine.
So I uninstalled it.


Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 6:51 pm

And let me tell you that I faced this infection problem, when I installed "Cambridge Dictionary"


Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 1st February 2009, 7:02 pm

Hello.
Bad news.

The infection you're dealing with is known as Sinowal. It's a file infector; your files are infected and we can't repair them, and even if we try to kill the bad files, the good files [now infected] will regenerate the infection.
There is nothing we can do, your only solution to this is to format.

I will provide you with some links to backing up files and formatting, but you need to know this.
Sinowal infects EVERY .exe and .scr, so DO NOT back up any of those kinds of files, or you will truthfully be backing up the infection.

[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1
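
The advice in the reply above, leaving every .exe and .scr out of the backup, as an added example that is not part of the original post: a Python dry run that splits a folder into files to copy and files to leave behind. It goes beyond the extension check by also leaving behind any file that carries a Windows PE header under another extension; the function names and the sample files are assumptions constructed for illustration.

```python
import os
import struct

SKIP_EXTENSIONS = {".exe", ".scr"}  # the two types the reply says not to back up


def has_pe_header(path):
    """True if the file has an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(pe_offset)
        return fh.read(4) == b"PE\x00\x00"


def skip_reason(path):
    """Return why a file stays out of the backup, or None to copy it."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXTENSIONS:
        return "extension " + ext
    try:
        if has_pe_header(path):
            return "PE header under another extension"
    except OSError:
        return "unreadable"
    return None


def plan_backup(root):
    """Walk root; return (files to copy, {file left behind: reason})."""
    keep, skip = [], {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = skip_reason(full)
            if reason is None:
                keep.append(rel)
            else:
                skip[rel] = reason
    return sorted(keep), skip


def build_sample_tree(root):
    """Constructed sample files (not real programs) for a dry run."""
    fake_pe = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00"
    samples = {"notes.txt": b"lecture notes", "setup.exe": b"placeholder",
               "saver.SCR": b"placeholder", "disc.iso": bytes(0x80),
               "tools/helper.dat": fake_pe, "tools/mz_text.bin": b"MZ" + bytes(0x3E)}
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
```

The header check is stricter than the reply's rule, since it also catches DLLs and drivers, and it does not look inside archives or disc images.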

Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 7:17 pm

This virus was there previously, and when I got infected I made 20 DVDs to save important files, as I had many learning programs downloaded from the net. And previously Cambridge was not infected; I got this infection as I saved it when my PC was infected.
It means all the work/files that I downloaded previously are useless.
This is so bad. You know, I have gone 3 months back now.
When I scanned my DVD that has the Cambridge setup, the antivirus showed some infection, but I didn't care as I had already used it previously.

It is really very bad for me to know that all my previous setup programs/software that I saved on DVD are infected.

What are antivirus makers doing? Previously, when I had Kaspersky, I got this infection for the first time.

Is all my software on the DVDs infected? Is there any way to check if some of it is still uninfected?

Please tell me if there is any way, as my net speed is not good (10KB/sec) and downloading all that 80 GB of data from the internet again is really a big problem for me. Please try to understand and tell me if you have any solution.

Really, a hundred thanks to you all for making me aware of it.


Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 1st February 2009, 7:28 pm

The DVDs might be okay, not sure.
If the DVD with the Cambridge stuff on it set off your AV, a file on that disc might be infected.
Any one of the files on that disc could be the dropper, it's like looking for a needle in a haystack.


Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 1st February 2009, 7:52 pm

Thanks, and I would like to stay in touch with you. Now, first, I will format my PC completely again.
BYE


Solved Re: hmqrb.exe, My pc is infected

Post by coolnitin on 2nd February 2009, 6:52 am

Hello Friend,
Please tell me if the "Sinowal virus" can also infect CD/DVD image files (iso, nrg, bin, daa, uif etc.), because I previously stored some CDs by making image files (ISO) of them when my PC was not infected. If Sinowal can damage those files too, then I will not back up the image files.

And tell me if it is safe to make all my data password-protected using rar or zip, so that if I get infected again in the future, my data would remain safe.
Can "Sinowal" also modify/infect password-protected rar data?

And what is the best way to save data on my hard drive when the PC is not infected?

I mean, if my PC is fine today and gets an infection in the future, I don't want to lose my data in that situation.


Solved Re: hmqrb.exe, My pc is infected

Post by Belahzur on 2nd February 2009, 1:40 pm

No, it doesn't infect those file types; as I said, it infects ONLY .exe and .scr, so your other file types are fine.


Solved Re: hmqrb.exe, My pc is infected

Post by Doctor Inferno on 9th May 2009, 10:10 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104620
# Likes # Likes : 0
