Help! Persistent popups!



#1
vrtclsmile

    Member

  • Member
  • 67 posts
Here's my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:56 PM, on 3/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\VIRUS\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: IEXPLORE.EXE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

I have used all the recommended spyware and virus programs, and no matter what I do, the malicious popups continue. Please help!
  • 0


#2
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

  • 0

#3
vrtclsmile

    Member

  • Topic Starter
  • Member
  • 67 posts
Thanks for your help, here's the log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IZSCLASS DLL 227,104 03-28-05 2:56p IZSCLASS.DLL
VG5DB DLL 227,104 03-28-05 2:56p VG5DB.DLL
IEHLPAPI DLL 227,104 03-28-05 2:56p IEHLPAPI.DLL
MQR2C DLL 227,104 03-28-05 2:56p MQR2C.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
RXPORT~1 DLL 227,104 03-28-05 2:56p RxportReader.dll
IUETWH32 DLL 227,104 03-28-05 2:56p Iuetwh32.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
10 file(s) 2,422,241 bytes
0 dir(s) 93,514.34 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,514.31 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
izsclass.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
vg5db.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
iehlpapi.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
mqr2c.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
rxport~1.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
iuetwh32.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,590,753 bytes 1.52 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"TDS3"="C:\\PROGRAM FILES\\TDS3\\TDS-3.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"




Please note - I HAVE to unplug my DSL modem and router in between posts, or the popups run wild until my system locks up. I hope this doesn't affect the results.

Thanks!
  • 0
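As an added example (not code from this thread or from the FindIt/HijackThis tools), here is a small Python script that automates the two checks a helper makes by eye on the logs above: several hostnames in the O1 entries pinned to one public IP, and a set of system-attribute DLLs that share byte size and write time to the second (the way izsclass.dll, vg5db.dll and friends do in the Locate.com section). The sample lines are constructed in the formats shown in the thread; the 2029 timestamp check against the 2005 scan year is also part of this example, not the tool.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the HijackThis "O1 - Hosts" entries
# posted in this thread (the IP and hostnames are the ones from the log).
SAMPLE_HJT = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
"""

# Constructed sample in the format of the FindIt "Locate.com Results" section
# (the last line is an added clean-looking file for contrast).
SAMPLE_LOCATE = """\
C:\\WINDOWS\\SYSTEM\\
izsclass.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
vg5db.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
iehlpapi.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
msvcp70.dll Sat Jan 05 2002 4:40:00a ....A 487,424 476.00 K
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")


def hosts_redirects(hjt_text):
    """Return {ip: [hostnames]} for every O1 entry that points a hostname
    somewhere other than loopback. Several search/update hostnames pinned
    to one public IP is the search-hijack pattern seen in this thread."""
    by_ip = defaultdict(list)
    for line in hjt_text.splitlines():
        m = O1_RE.match(line)
        if m and not m.group("ip").startswith("127."):
            by_ip[m.group("ip")].append(m.group("host"))
    return dict(by_ip)


LOCATE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])"
    r"\s+(?P<attr>[A-Z.]+)\s+(?P<size>[\d,]+)\s"
)


def parse_locate(locate_text):
    """Parse Locate.com result lines into dicts; directory headers and
    summary lines do not match the pattern and are skipped. The attribute
    column is read as a set of letters (S, H, R, A) regardless of position."""
    entries = []
    for line in locate_text.splitlines():
        m = LOCATE_RE.match(line)
        if not m:
            continue
        ts = m.group("ts")
        entries.append({
            "name": m.group("name"),
            "ts": ts,
            "year": int(ts.split()[3]),
            "attrs": set(m.group("attr").replace(".", "")),
            "size": int(m.group("size").replace(",", "")),
        })
    return entries


def dropped_sets(entries, min_count=3):
    """Group system-attribute files by (size, timestamp). Files that share
    byte size and write time to the second were written in one go by one
    installer; a cluster of such DLLs is the fingerprint of the set in this
    log, and its members are what the helper lists for removal."""
    groups = defaultdict(list)
    for e in entries:
        if "S" in e["attrs"]:
            groups[(e["size"], e["ts"])].append(e["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def future_dated(entries, scan_year):
    """Names of files whose write year is later than the year of the scan;
    a 2029 timestamp in a 2005 log cannot be genuine."""
    return sorted(e["name"] for e in entries if e["year"] > scan_year)


if __name__ == "__main__":
    print("Hosts redirects:", hosts_redirects(SAMPLE_HJT))
    found = parse_locate(SAMPLE_LOCATE)
    print("Dropped sets:", dropped_sets(found))
    print("Future-dated:", future_dated(found, scan_year=2005))
```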

#4
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\vg5db.dll


3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


C:\WINDOWS\SYSTEM\izsclass.dll
C:\WINDOWS\SYSTEM\iehlpapi.dll
C:\WINDOWS\SYSTEM\mqr2c.dll
C:\WINDOWS\SYSTEM\ail.dll
C:\WINDOWS\SYSTEM\rxport~1.dll
C:\WINDOWS\SYSTEM\iuetwh32.dll
C:\WINDOWS\SYSTEM\Guard.tmp



After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new log with the LATEST version of HJT, 1.99.1, and another findit log.

I don't know if we will get it with this fix. This is a very complex problem and it doesn't happen very often on a 98 machine. I am searching for the correct fix for a 98. Try this for now.
  • 0

#5
vrtclsmile

    Member

  • Topic Starter
  • Member
  • 67 posts
Here are the new logs - PLEASE NOTE - KillBox told me that iehlpapi.dll and ail.dll could not be deleted. It also said guard.tmp did not exist. The others deleted. It also did not ask me to reboot, but I did anyway.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:36 PM, on 3/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\DESKTOP\VIRUS\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: IEXPLORE.EXE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
4 file(s) 1,059,617 bytes
0 dir(s) 93,505.03 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,505.00 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 228,129 bytes 222.78 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"TDS3"="C:\\PROGRAM FILES\\TDS3\\TDS-3.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"




Thank you!
  • 0

#6
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\ail.dll

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for the following file. The only difference is that you will be substituting the file listed in step 2 with the file below.

C:\WINDOWS\SYSTEM\Guard.tmp


After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new log with the LATEST version of HJT, 1.99.1, and another findit log.
  • 0

#7
vrtclsmile

    Member

  • Topic Starter
  • Member
  • 67 posts
Thank you for your persistence and hard work...

KillBox isn't working exactly like the instructions, so I want to make sure I'm doing the right thing.

When I start KillBox, I check the "Replace on Reboot" and "Use Dummy" boxes, then paste the filenames directly from your post. But when I hit the "Delete" button, the only thing I get is a confirmation box ("Do you really want to delete this...") - I say "Yes", it goes to work, and either comes back with "File Deleted", "File Cannot Be Deleted", or "File Does Not Seem To Exist".

Is KillBox working correctly, and am I?

Thanks!
  • 0

#8
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Sounds like it's working fine. I need a new HijackThis log and a new findit log.
  • 0

#9
vrtclsmile

    Member

  • Topic Starter
  • Member
  • 67 posts
OK, KillBox seems to have done its thing on the two files. Here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 4:42:15 PM, on 3/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\DESKTOP\VIRUS\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: IEXPLORE.EXE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
4 file(s) 1,059,617 bytes
0 dir(s) 93,523.06 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,523.03 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 228,129 bytes 222.78 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"TDS3"="C:\\PROGRAM FILES\\TDS3\\TDS-3.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"


Thank you so much! Popups hit me while I was running Find It!
  • 0

#10
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK. Disable WinPatrol, as it may be interfering with the fix, and try my previous instructions again.

Then produce the fix-it and the HijackThis log again. Please don't get discouraged. As you may have well figured out already, this is a horrible infection and takes several go-rounds to clean it up. But we'll get it done.
  • 0


#11
vrtclsmile

    Member

  • Topic Starter
  • Member
  • 67 posts
OK, here are the latest logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:18:35 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFCONSOLE.EXE
C:\WINDOWS\DESKTOP\VIRUS\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: IEXPLORE.EXE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
4 file(s) 1,059,617 bytes
0 dir(s) 93,490.59 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,490.56 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 228,129 bytes 222.78 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"TDS3"="C:\\PROGRAM FILES\\TDS3\\TDS-3.exe"


Thanks so much for hanging in there with me!
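The log above carries three kinds of evidence worth pulling out mechanically before deciding what to kill: the O1 lines, which show the hosts file forcing auto.search.msn.com, search.netscape.com and ieautosearch to 69.20.16.183 (so every mistyped URL lands on the hijacker's server); the Locate.com lines, which show ail.dll marked System+ReadOnly in C:\WINDOWS\SYSTEM and org12732.iqt dated 2029, well after the scan; and the Strings.exe lines, where the TROJ_QOOLOGIC hits in VPTNFILE.522 and lpt$vpn.522 are detection names inside Trend Micro pattern files (signature data, not an infection), while the .pdb build paths inside installer.exe and unadbeh.exe are genuine Qoologic artefacts. The following triage script is an added example, not code from HijackThis, FindIt or anyone in this thread; the classification rules are this example's own heuristics, and the sample log is constructed from lines copied from the post above plus one harmless localhost entry as a negative case.

```python
"""Triage of a posted HijackThis + FindIt log (Windows 98 era).

Added example for the thread above; not code from the HijackThis or FindIt
tools.  It reads the plain-text log as posted and applies three heuristics
of its own:
  * O1 lines: any hosts-file entry that is not a loopback mapping,
  * Locate.com lines: files dated after the scan, or marked System+ReadOnly,
  * Strings.exe lines: detection names inside Trend Micro pattern files
    (VPTNFILE.nnn / lpt$vpn.nnn) are signature data, not an infection;
    a .pdb build path inside an executable is reported separately.
"""
import re

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
SCAN_DATE_RE = re.compile(r"Scan saved at .* on \d+/\d+/(\d+)")
LOCATE_RE = re.compile(
    r"^(?P<name>\S+) \w{3} \w{3} \d+ (?P<year>\d{4}) \d+:\d+:\d+[ap] "
    r"(?P<attrs>\S+) (?P<size>[\d,]+) "
)
STRINGS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]+): (?P<hit>.+)$")
PATTERN_FILE_RE = re.compile(r"^(vptnfile|lpt\$vpn)\.\d+$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: lines copied from the first log in this thread, plus one
# harmless "localhost" hosts entry as a negative case.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:49:56 PM, on 3/29/05
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
"""


def triage(log_text):
    """Return a list of (kind, item, detail) findings, one per distinct item."""
    findings, seen = [], set()

    def add(kind, item, detail):
        if (kind, item) not in seen:
            seen.add((kind, item))
            findings.append((kind, item, detail))

    scan_year, section = None, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SCAN_DATE_RE.search(line)
        if m:
            yy = int(m.group(1))
            scan_year = yy + 2000 if yy < 100 else yy   # HJT prints a 2-digit year
            continue
        if line.startswith("---"):                      # FindIt section header
            section = line.strip("- ")
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK and host.lower() != "localhost":
                add("hosts-hijack", host, f"forced to {ip} by the hosts file")
        elif section == "Locate.com Results" and (m := LOCATE_RE.match(line)):
            year, attrs = int(m["year"]), m["attrs"].upper()
            if scan_year and year > scan_year:
                add("future-timestamp", m["name"], f"dated {year}, scan taken {scan_year}")
            if "S" in attrs and "R" in attrs:           # System + ReadOnly on a user-land DLL
                add("system+readonly", m["name"], f"attributes {m['attrs']}, {m['size']} bytes")
        elif section.startswith("Strings.exe") and (m := STRINGS_RE.match(line)):
            fname = m["path"].rsplit("\\", 1)[-1]
            if PATTERN_FILE_RE.match(fname):
                add("signature-db-hit", fname, "detection name inside an AV pattern file; expected")
            elif m["hit"].lower().endswith(".pdb"):
                add("pdb-path", fname, f"built from {m['hit']}")
    return findings


if __name__ == "__main__":
    for kind, item, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {item:24} {detail}")
```

Run it as-is and it lists the three hosts hijacks, the future-dated org12732.iqt, the System+ReadOnly ail.dll, the two pattern-file hits flagged as expected, and the two executables carrying Qoologic build paths; the localhost entry produces nothing. Paste a different log into SAMPLE_LOG to triage it the same way.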

#12
coachwife6
    SuperStar
  • Retired Staff
  • 11,413 posts
Let's download Pocket Killbox again. We will get this. Hang in there.

Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double-click it to open it.

1. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

2. C:\WINDOWS\SYSTEM\ail.dll

Click 'Exit' when done.

3. Click the Delete File button, which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\SYSTEM\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once, as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new log with the LATEST version of HJT, 1.99.1, and another FindIt log.

Note: If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.


#13
vrtclsmile
    Member
  • Topic Starter
  • Member
  • 67 posts
Somehow, it just keeps replacing the file. Re-downloaded Killbox; here are the newest logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:17:46 PM, on 4/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFCONSOLE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\VIRUS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: IEXPLORE.EXE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
SOGE DLL 227,104 03-28-05 2:56p sOge.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
5 file(s) 1,286,721 bytes
0 dir(s) 93,484.59 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,484.56 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
soge.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 455,233 bytes 444.56 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"TDS3"="C:\\PROGRAM FILES\\TDS3\\TDS-3.exe"


Thanks again!

#14
coachwife6
    SuperStar
  • Retired Staff
  • 11,413 posts
Let's try one more time.

1. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

2. C:\WINDOWS\SYSTEM\ail.dll

Click 'Exit' when done.

3. Click the Delete File button, which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.
C:\WINDOWS\SYSTEM\soge.dll
C:\WINDOWS\SYSTEM\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once, as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save HijackThis in a permanent folder (e.g. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

O4 - Startup: IEXPLORE.EXE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Please delete your temporary files by deleting all files and folders that are in the following folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files; be sure to also select "delete all offline content".

Reboot and post a new log.

Is McAfee your firewall and AVG your anti-viral?

#15
vrtclsmile
    Member
  • Topic Starter
  • Member
  • 67 posts
OK, here we go again. McAfee is my firewall (lotta good that did) and AVG Free is my current virus checker.

Current logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:48 PM, on 4/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
5 file(s) 1,286,721 bytes
0 dir(s) 93,551.81 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,551.78 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 455,233 bytes 444.56 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"


I had my hopes up that the popups had stopped, but just before FindIt was through, one popped. Oh well, we'll keep going. Nothing like a challenge!

Thanks!
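Across the three FindIt listings in this thread the "System Files in System Directory" block shows ail.dll on 3/29, ail.dll plus sOge.dll on 4/3 at 3:17, and ail.dll plus IBRNONCE.DLL on 4/3 at 6:55, every one of them 227,104 bytes and stamped 03-28-05 2:56p. Identical size and timestamp under three different names is almost certainly one DLL re-creating itself under a fresh random name each time it is removed, which is what "it just keeps replacing the file" looks like on disk; the runtime DLLs msvcp70.dll and msvcr70.dll, by contrast, never share a size/timestamp with anything. The script below is an added example, not part of FindIt or of the advice in this thread: it parses the DOS-style directory lines from several logs and groups files by (size, date, time), so the rotating names fall into one group. The three sample logs are constructed from the listings posted above, with labels chosen to match the posts' scan times; the approach is limited to what FindIt prints, so a file hash, which FindIt does not give, would be the way to confirm the match.

```python
"""Correlate the FindIt directory listings from successive logs.

Added example for this thread, not part of FindIt or of the thread's own
instructions.  It parses the DOS-style "System Files in System Directory"
block that FindIt prints (8.3 name, size, date, time, long name) from each
log and groups files by (size, date, time).  A payload that re-creates
itself under a fresh random name keeps its size and timestamp, so it shows
up as one group carrying several names; a legitimate runtime DLL stays a
group of one.  Only the System Files block is read; the Hidden Files block
that follows it in the same log is ignored.
"""
import re
from collections import defaultdict

# size, MM-DD-YY, h:mma/p, then the long name; the leading 8.3 name is skipped
DIR_LINE = re.compile(
    r"^.*? (?P<size>[\d,]+) (?P<date>\d{2}-\d{2}-\d{2}) "
    r"(?P<time>\d{1,2}:\d{2}[ap]) (?P<name>\S+)$"
)

# Constructed samples: the System Files blocks copied from the three logs above,
# keyed by the scan time of the post they came from (chronological order).
LOGS = {
    "2005-03-29 18:49": r"""
------- System Files in System Directory -------
Directory of C:\WINDOWS\SYSTEM
ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
4 file(s) 1,059,617 bytes
------- Hidden Files in System Directory -------
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
""",
    "2005-04-03 15:17": r"""
------- System Files in System Directory -------
ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
SOGE DLL 227,104 03-28-05 2:56p sOge.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
""",
    "2005-04-03 18:55": r"""
------- System Files in System Directory -------
ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
""",
}


def parse_system_files(log_text):
    """{lowercased long name: (size_bytes, date, time)} from the System Files block only."""
    files, in_block = {}, False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("---"):                       # FindIt section header
            in_block = "System Files in System Directory" in line
            continue
        m = DIR_LINE.match(line) if in_block else None
        if m:
            files[m["name"].lower()] = (int(m["size"].replace(",", "")), m["date"], m["time"])
    return files


def correlate(logs):
    """Group names across logs by (size, date, time); also record where each name first appeared."""
    groups, first_seen = defaultdict(set), {}
    for label, text in logs.items():                     # dict order is chronological order
        for name, key in parse_system_files(text).items():
            groups[key].add(name)
            first_seen.setdefault(name, label)
    return {k: sorted(v) for k, v in groups.items()}, first_seen


def rotating_payloads(logs):
    """Keys seen under more than one filename: the same bytes coming back under a new name."""
    groups, _ = correlate(logs)
    return {k: names for k, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    groups, first = correlate(LOGS)
    for (size, date, time), names in rotating_payloads(LOGS).items():
        print(f"{size} bytes, {date} {time}: {', '.join(names)}")
        for n in names:
            print(f"    {n:14} first seen in log {first[n]}")
```

On the three sample logs this prints a single group, 227104 bytes dated 03-28-05 2:56p, carrying ail.dll, ibrnonce.dll and soge.dll, with the first-seen log for each name, and nothing for the Microsoft runtime DLLs. Kill-on-reboot of whichever name is visible in one log therefore cannot be the whole fix; the thing that writes the next copy has to go as well.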