Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help! Persistent popups!


  • Please log in to reply

#16
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I will have to get back to you. May be tomorrow. This is troubling me. Hang in there. I won't leave you hanging. :tazz:
  • 0

Advertisements


#17
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
I've resisted the urge to try various things between our efforts - but how do you feel about StopZilla?
  • 0

#18
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
No. Just hang loose. I just received access a second ago to another expert forum that may be able to help me out. I need to attend to a few things this afternoon with my paying job. I will get back to you -- probably later tonight. Hang tight. :tazz:
  • 0

#19
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Something that I've noticed that may or may not help: after sending new logs, I often set my McAfee Firewall to "lockdown" to keep the popups from locking up my computer, causing a reboot. Then when I come back to check for posts, I set the firewall to "Tight", which normally allowed me to connect to the Internet.

Lately, when I have reset to "tight", I have been unable to get my connection back (even after trying ipconfig release and renew). Trying to get my connection without rebooting, I hit ctrl-alt-del to see what was running. I noticed rundll32 was running, and I ended it. When I did, I got my connection back without further problem.

Thanks for sticking this thing out!

:tazz:
  • 0

#20
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Had to reboot - for no apparent reason, system locked up. Here are the current logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:38 PM, on 4/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: STRINGS.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AQIHAL64 DLL 227,104 03-28-05 2:56p AQIHAL64.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
6 file(s) 1,513,825 bytes
0 dir(s) 93,581.91 MB free

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AQIHAL64 DLL 227,104 03-28-05 2:56p AQIHAL64.DLL
DBNPUT8 DLL 227,104 03-28-05 2:56p DBNPUT8.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,557.22 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,581.88 MB free

---------------- User Agent ------------

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,557.22 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 682,337 bytes 666.34 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
dbnput8.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"

Thanks!
  • 0

#21
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
The infection is still there. I am going to PM an expert tomorrow morning and maybe he can give me some ideas. Hang tight. :tazz:
  • 0

#22
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Save the attached file to your c:\ folder.

Then reboot your computer, and while its rebooting, tap the F8 key repeatedly on your keyboard. You will get to a menu with different boot options. Choose command prompt only and press enter. Then when you are at the dos prompt type the following:

c:\del.bat

When it is done, reboot your computer and post a new findit log

http://www.bleepingc...e=post&id=84003
  • 0

#23
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
More news, mostly bad, I guess.

When I ran the batch file - I got "File not found"s on all the attrib and del commands. I looked for the files manually and didn't find them.

A new wrinkle, though - WHILE I was running FindIt, AVG (my virus software) popped up a window saying "Virus Found" in a file C:\WINDOWS\SYSTEM\WINUP2DATE.DLL. It said it contained a virus called clicker7.av - I allowed AVG to put it in the "Virus Vault" which quarantined it.

Here are the current logs - THANKS TO EVERYONE!!!!!!!!!!!!



Logfile of HijackThis v1.99.1
Scan saved at 4:58:18 PM, on 4/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AQIHAL64 DLL 227,104 03-28-05 2:56p AQIHAL64.DLL
MZCO40 DLL 227,104 03-28-05 2:56p MZCO40.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,557.59 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,557.56 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
mzco40.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
  • 0

#24
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Yet another AVG window popped up (right out of the blue, I'm trying not to use the computer) and found a file YSBactivex.dll which it said contained Downloader.lstbar.7.AO.

Sheesh - how many things am I fighting here?
  • 0

#25
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I am asking several experts and this kind of infection on a 98 machine is very difficult to heal. Don't do the worrying. We'll take care of it.
  • 0

Advertisements


#26
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Have you rebooted since you posted that last log?
  • 0

#27
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download http://www.bleepingc...are/KillBox.zip

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

* Click killbox.exe.
* Select the option Replace on Reboot
* Check the "Use Dummy" box.
* Now copy the next bold:


C:\WINDOWS\SYSTEM\ibrnonce.dll
C:\WINDOWS\SYSTEM\aqihal64.dll
C:\WINDOWS\SYSTEM\mzco40.dll
C:\WINDOWS\SYSTEM\ail.dll



* Open file in the killboxmenu on top and choose Paste from clipboard
* Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, all these must be there together!
* Then press the button that looks like a red circle with a white X in it.
* Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
* When it asks if you would like to Reboot now, click YES

(if you don't get the prompt: would you like to reboot now, reboot manually!)

Your computer must reboot now.

Ignore the errors you get... this is normal.

* When rebooted, open killbox again.
* Choose file on top and select: Delete all dummy files.
* Choose Tools on top and select: Delete Temp Files.
* After that please run find.bat again and post a new log (output.txt).
* Download the new version of HijackThis and post a newlog!
  • 0

#28
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
OK, all done - new logs (if this is not the newest version of Killbox, please provide a link) - Thanks!!

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
4 file(s) 1,059,617 bytes
0 dir(s) 93,570.06 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,570.03 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 228,129 bytes 222.78 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"

Logfile of HijackThis v1.99.1
Scan saved at 4:49:10 PM, on 4/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
  • 0

#29
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Lovely. Ail.dll is still there. :tazz:

Let me do some more research on it. Try to kill it again with pocket killbox.
  • 0

#30
vrtclsmile

vrtclsmile

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Will do - at every reboot, while the black-and-white info is scrolling along, I get the "Setup is changing your configuration files" just like it does when you install something you actually WANT. I bet this is where the mystery program reinstalls itself.

New logs shortly.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP