# Trojan Removal



## 89logher (Aug 8, 2010)

Hi there. My WoW account was compromised a few days ago by a trojan. I quarantined the .txt file after a few scans by Avira and AVG. Just yesterday it happened again. This time I deleted the same .txt file. I followed Blizzard's suggestions as well as those from here: http://answers.yahoo.com/question/index?qid=20100606151653AAC1eo5 .

Now my computer shows
There was a problem starting
C:\User\Name\AppData\Local\Temp\Rqcqt.dll

The specific module could not be found.

when I log in. I would like help removing this error/command as well as make sure that I properly and completely removed the trojan.


----------



## 89logher (Aug 8, 2010)

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:44:35 PM, on 8/8/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\D-Link\DWA-552 revA\wirelesscm.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Xfire\Xfire.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Video Library] C:\Windows\system32\rundll32.exe C:\Users\Name\AppData\Local\Temp\Rpcqt.dll,Sets
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AODService - Unknown owner - C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Free Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgfws9.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files (x86)\D-Link\DWA-552 revA\jswpsapi.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8584 bytes


----------



## dvk01 (Dec 14, 2002)

Please download Malwarebytes' Anti-Malware to your desktop
from  HERE  orHERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded. 
Once the program has loaded, select Perform quick scan, then click Scan. 
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. 
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert) 
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot


----------



## 89logher (Aug 8, 2010)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4407

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/8/2010 4:06:24 PM
mbam-log-2010-08-08 (16-06-24).txt

Scan type: Quick scan
Objects scanned: 135631
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## dvk01 (Dec 14, 2002)

ok lets do thsi the hard way then

Download *OTScanIt.exe *to your Desktop 

Close any open browsers.
If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
Double-click on *OTS.exe* to start the program.
Now on the toolbar at the top select "Scan all users" then click the *Run Scan* button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
If the log is too large to post, use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## 89logher (Aug 8, 2010)

Here it is.


----------



## dvk01 (Dec 14, 2002)

Start *OTS*. Copy/Paste the information in the Code box below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Unregister Dlls]
[Registry - Safe List]
< RunOnce [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "mctadmin" -> C:\Windows\SysWow64\mctadmin.exe [C:\Windows\System32\mctadmin.exe]
< RunOnce [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "mctadmin" -> C:\Windows\SysWow64\mctadmin.exe [C:\Windows\System32\mctadmin.exe]
< Run [HKEY_USERS\S-1-5-21-343140761-919664182-2954348842-1001\] > -> HKEY_USERS\S-1-5-21-343140761-919664182-2954348842-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Video Library" -> C:\Users\Name\AppData\Local\Temp\Rpcqt.DLL [C:\Windows\system32\rundll32.exe C:\Users\Name\AppData\Local\Temp\Rpcqt.dll,Sets]
[Empty Temp Folders]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here *.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

it should ask to reboot, if it doesn't please reboot the computer


----------



## dvk01 (Dec 14, 2002)

you also seemm tohave 2 antiviruses VG & Avira

chose 1 & uninstall the other. they will clash & cause chaos on your computer


----------



## 89logher (Aug 8, 2010)

Ok, I'll uninstall one of them. The startup error message is gone. Here is the log:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-21-343140761-919664182-2954348842-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Video Library deleted successfully.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kaijie
->Temp folder emptied: 28188227 bytes
->Temporary Internet Files folder emptied: 2569894 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 71584360 bytes
->Google Chrome cache emptied: 160469897 bytes
->Flash cache emptied: 23949 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2034706 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33237 bytes
RecycleBin emptied: 417635418 bytes

Total Files Cleaned = 651.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.34.0 fix logfile created on 08092010_181350

Files\Folders moved on Reboot...
C:\Users\Kaijie\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Kaijie\AppData\Local\Temp\~DFD7DEEF785B827035.TMP moved successfully.
File\Folder C:\Windows\temp\ZLT023d5.TMP not found!

Registry entries deleted on Reboot...


----------



## dvk01 (Dec 14, 2002)

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------



## 89logher (Aug 8, 2010)

Sorry for this late response. I've been really busy preparing for college.

When I tried the secunia scan, I get this message:

"There might be problems loading the Java Applet in your browser. If you are sure that Java is installed (version 1.6.x or later) and functional, then please press OK to proceed anyway."


----------



## dvk01 (Dec 14, 2002)

install java from www.java.com


----------



## 89logher (Aug 8, 2010)

Ah, thanks for all the help. I thought I had installed Java; I guess I installed the wrong product.


----------

