Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Reappearing nasties and constant rundll32 loading


  • This topic is locked This topic is locked

#16
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Updating ....

Clearing out the registry (HKLM Software\Microsoft\Windows\Current Version\Internet Settings\Zone Map\Domains) of sites I have
never visited (wow, no idea there are such specific p*** sites!) and cleaning the Gator indications (see the Panda scan for naming) from
HKLM Software\Microsoft\Windows\Current Version\Module Usage\C:/windows/downloaded program files/ seems to have put an end to IE spontaneously popping open. Hasn't done it once in the 3 hours this machine has been on.

Another interesting item, the host file that kept changing is not changing tonight. After ensuring the registry deletions held, I changed the addressing for the 3 questionable items and, after almost 2.5 hours the changes are still holding.

Rundll32 has not been affected - that sucker keeps restarting no matter how many times I shut it down.

I've no proof the registry entry changes are actually the cause of these changes, but it's a big coincidence.
  • 0

Advertisements


#17
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

Download Pocket Killbox and unzip it; save it to your Desktop.

Boot into safemode

Run killbox and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

C:\WINDOWS\SYSTEM\ryaui.dll
C:\WINDOWS\SYSTEM\efiuiabd.dll
C:\WINDOWS\SYSTEM\cwmcat.dll
C:\WINDOWS\SYSTEM\mzrd3x40.dll
C:\WINDOWS\SYSTEM\msg202.dll
C:\WINDOWS\VPTNFILE.504
C:\WINDOWS\VPTNFILE.504
C:\WINDOWS\VPTNFILE.504
C:\WINDOWS\VPTNFILE.504
C:\WINDOWS\lpt$vpn.504
C:\WINDOWS\lpt$vpn.504
C:\WINDOWS\lpt$vpn.504
C:\WINDOWS\lpt$vpn.504

End off killbox files

Reboot into normal mode.

Please post a new HJT.log

Kc :tazz:
  • 0

#18
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hey thatman!

Ran Killbox and it couldn't get rid of msg202.dll. Ran it twice, but no go. Also doesn't look like it touched the VPTNFILE or the ltp$vpn files. Oh, and I ran a trojan remover and it didn't even see those two files.

FindIt log
------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

MSG202 DLL 224,152 03-17-05 8:12p msg202.dll
1 file(s) 224,152 bytes
0 dir(s) 11,986.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 22,431 03-24-05 10:31p ffastlog.txt
VSCONFIG XML 889 03-24-05 10:30p vsconfig.xml
ZLLICTBL DAT 4,212 03-17-05 8:14p zllictbl.dat
ATI98DEF GID 10,844 12-09-01 5:02p ati98def.GID
FOLDER HTT 13,122 12-09-01 3:57p folder.htt
DESKTOP INI 266 12-09-01 3:57p desktop.ini
6 file(s) 51,764 bytes
0 dir(s) 11,986.41 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45690220-3BEF-A05F-3BA2-2E89A2ABDDCB}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Thu Mar 24 2005 10:30:56p A..H. 889 0.87 K
ffastlog.txt Thu Mar 24 2005 10:31:30p A..H. 22,431 21.90 K
msg202.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

4 items found: 4 files, 0 directories.
Total of file sizes: 251,684 bytes 245.79 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\SYSTEM\trjscan.trb: .aspack
C:\WINDOWS\SYSTEM\trupd.trb: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"AtiQiPcl"="AtiQiPcl.exe"
"AtiKey"="Atitask.exe"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\AVGFRE~1\\AVGAMSVR.EXE"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
--------

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:41:38 PM, on 3/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...453/mcfscan.cab
  • 0

#19
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

You have done a great job.

Please read through the instructions before you start (you may want to print this out).

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet

Download CW-Shredder at the link below:
CWShredder Update the program. Don't run it yet.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Reboot into safemode.

Now run About:Buster It will run two scans.

Now run CWShredder

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#20
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi thatman,

Ran AboutBuster (no idea what it did, if anything), ran CWShredder (which found nothing), ran Hoster (which changed the host file as it should have).

Ran Panda - here's the log:
Panda log

Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.inf

Since these files do not show in the directory indicated (nor in the registry), I tried running them all through KillBox. No change on the second Panda scan.

Housecall, as usual, found nothing so there's no log available.

Ran FindIt, here's the log
FindIt log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

SPTUPX DLL 224,152 03-17-05 8:12p sptupx.dll
MSG202 DLL 224,152 03-17-05 8:12p msg202.dll
2 file(s) 448,304 bytes
0 dir(s) 11,966.63 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 23,134 03-25-05 2:17p ffastlog.txt
VSCONFIG XML 889 03-25-05 2:16p vsconfig.xml
ZLLICTBL DAT 4,212 03-17-05 8:14p zllictbl.dat
ATI98DEF GID 10,844 12-09-01 5:02p ati98def.GID
FOLDER HTT 13,122 12-09-01 3:57p folder.htt
DESKTOP INI 266 12-09-01 3:57p desktop.ini
6 file(s) 52,467 bytes
0 dir(s) 11,966.59 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45690220-3BEF-A05F-3BA2-2E89A2ABDDCB}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Fri Mar 25 2005 2:16:56p A..H. 889 0.87 K
ffastlog.txt Fri Mar 25 2005 2:17:26p A..H. 23,134 22.59 K
sptupx.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
msg202.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

5 items found: 5 files, 0 directories.
Total of file sizes: 476,539 bytes 465.37 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\SYSTEM\trjscan.trb: .aspack
C:\WINDOWS\SYSTEM\trupd.trb: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"AtiQiPcl"="AtiQiPcl.exe"
"AtiKey"="Atitask.exe"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\AVGFRE~1\\AVGAMSVR.EXE"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

There is a new file listed in the System Files Directory - sptupx.dll Now where did this sucker come from?

Ran HJT, here's the log:
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 3:22:04 PM, on 3/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...453/mcfscan.cab


Awaiting your next set of instructions :tazz:
  • 0

#21
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

Now, download VX2Finder9x(126).exe:
http://downloads.sub...nder9x(126).exe
Save the program in its own folder.
Do not run it yet.

Disconnect from the Internet and close all running programs!
Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.

Run VX2Finder9x(126).exe
Select: Click to find VX2 BetterInternet
If any files show, select and click: Delete files
Next, click: User Agent$
Click: Restore Desktop (The Desktop disappears and reappears. It is OK)
Next, click: Import Reg

Once again, select: Click to Find VX2.BetterInternet
When the scan is done, select: Make Log
It will open the log in Notepad.
Please copy and paste the log in your next response.
Close VX2Finder

Kc :tazz:
  • 0

#22
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Heya thatman,

Okay ran the VX2 finder, here's what transpired:

- Shut down everything (ZA, AVG, everything) and unplugged net connection
- Ran program
- No files found, one user agent$ found and deleted
- Restore desktop done and Windows Explorer appeared, shut that down
- Imported Reg, clicked to find BetterInternet
- Blue screen warning of a VxD error appeared, got rid of that (the old hit any key)
- No files found, one user agent$ found and deleted
- Clicked log, nothing happened, clicked again still nothing
- Exited and restarted program
- popup from IE saying Work Offline or Try again, hit try again
- Sudden reboot
- When back up, re-ran program and found nothing

There is no log from running the VX2 program

Rundll32 is no longer showing in the Close Program box

FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

IRMUI DLL 224,152 03-17-05 8:12p IRMUI.DLL
MSG202 DLL 224,152 03-17-05 8:12p msg202.dll
2 file(s) 448,304 bytes
0 dir(s) 11,940.97 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 21,319 03-26-05 7:52a ffastlog.txt
VSCONFIG XML 889 03-26-05 7:51a vsconfig.xml
ZLLICTBL DAT 4,212 03-17-05 8:14p zllictbl.dat
ATI98DEF GID 10,844 12-09-01 5:02p ati98def.GID
FOLDER HTT 13,122 12-09-01 3:57p folder.htt
DESKTOP INI 266 12-09-01 3:57p desktop.ini
6 file(s) 50,652 bytes
0 dir(s) 11,940.94 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
irmui.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
vsconfig.xml Sat Mar 26 2005 7:51:54a A..H. 889 0.87 K
ffastlog.txt Sat Mar 26 2005 7:52:24a A..H. 21,319 20.82 K
msg202.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

5 items found: 5 files, 0 directories.
Total of file sizes: 474,724 bytes 463.60 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\SYSTEM\trjscan.trb: .aspack
C:\WINDOWS\SYSTEM\trupd.trb: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"AtiQiPcl"="AtiQiPcl.exe"
"AtiKey"="Atitask.exe"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\AVGFRE~1\\AVGAMSVR.EXE"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

---------------------------

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:48 AM, on 3/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AVG FREE\AVGW.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...453/mcfscan.cab

Do you know what the msg202.dll is or secureservicepack.dll, cab, inf are? I cannot find any information on these two. The secureservicepack thing I think I can delete (with some work) but won't if it'll screw up the fixing process you are guiding me through.

What's next, oh helpful one?
  • 0

#23
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

No vx2.log mean vx2 is not on the system, now we move on to this infection:

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.G (Bad)
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.C (Bad)
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.B (Bad)
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.A (Bad)
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G (Bad)
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C (Bad)
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B (Bad)
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A (Bad)


C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

Need to find what this is now, will do some research for the next step.

Kc :tazz:
  • 0

#24
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Updating....

- Last FindIt run had two files listed in System Directory - irmui.dll and msg202.dll

- No information could be found on either file and both were read-only. The read-only mark is the reason msg202.dll did not delete the first time around with Killbox.

- Unchecked read-only, rebooted to safe mode and ran them through Killbox.

- At this time, both files are gone


Happy trails!
  • 0

#25
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Further updating...

The LPT$VPN.518 and VPTNFILE.518 files may be part of TrendMicro's online scanning process. According to information I found, the following files (and an ActiveX control) are 'installed' with Housecall:

c:\windows\aucfg.ini
c:\windows\AuHCcup1.dll
c:\windows\AuHCcup1.ini
c:\windows\GetServer.ini
c:\windows\patch.exe
c:\windows\rm_result.dat
c:\windows\tmadce.ptn
c:\windows\tmvamain.ptn
c:\windows\tmvainfo.xml
c:\windows\tmupdate.dll
c:\windows\tmupdate.ini
c:\windows\tsc.exe
c:\windows\tsc.ini
c:\windows\tsc.ptn
c:\windows\unzip.dll
c:\windows\vsapi32.dll
c:\windows\lpt$vpn.*
c:\windows\vptnfile.*
c:\windows\au_temp
c:\windows\au_backup
c:\windows\au_log
c:\windows\debug
c:\windows\report

The files in green are not on my 'puter, but the rest are, including the additional subdirectories within Windows.

And pav.sig is, I highly suspect, a signature file from Panda's online scan.

Secureservicepack has also been found in C:\WINDOWS\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#secureservicepack.com and there is one file in the directory - settings.sol In otherwords, it may very well be a legit file.

Any thoughts?
  • 0

Advertisements


#26
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

Download FindQoologic-Narrator.zip save it to your Desktop.
http://forums.net-in...ex...&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
wait until a text opens, post it in a reply to your thread.

Kc :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP