Help! Persistent popups!



#16 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

I will have to get back to you. May be tomorrow. This is troubling me. Hang in there. I won't leave you hanging. :tazz:
  • 0

#17 vrtclsmile (Member, Topic Starter, 67 posts)

I've resisted the urge to try various things between our efforts - but how do you feel about StopZilla?
  • 0

#18 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

No. Just hang loose. I just received access a second ago to another expert forum that may be able to help me out. I need to attend to a few things this afternoon with my paying job. I will get back to you -- probably later tonight. Hang tight. :tazz:
  • 0

#19 vrtclsmile (Member, Topic Starter, 67 posts)

Something that I've noticed that may or may not help: after sending new logs, I often set my McAfee Firewall to "lockdown" to keep the popups from locking up my computer, causing a reboot. Then when I come back to check for posts, I set the firewall to "Tight", which normally allowed me to connect to the Internet.

Lately, when I have reset to "tight", I have been unable to get my connection back (even after trying ipconfig release and renew). Trying to get my connection without rebooting, I hit ctrl-alt-del to see what was running. I noticed rundll32 was running, and I ended it. When I did, I got my connection back without further problem.

Thanks for sticking this thing out!

:tazz:
  • 0

#20 vrtclsmile (Member, Topic Starter, 67 posts)

Had to reboot - for no apparent reason, system locked up. Here are the current logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:38 PM, on 4/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - Startup: STRINGS.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AQIHAL64 DLL 227,104 03-28-05 2:56p AQIHAL64.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
6 file(s) 1,513,825 bytes
0 dir(s) 93,581.91 MB free

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AQIHAL64 DLL 227,104 03-28-05 2:56p AQIHAL64.DLL
DBNPUT8 DLL 227,104 03-28-05 2:56p DBNPUT8.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,557.22 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,581.88 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,557.22 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 682,337 bytes 666.34 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
dbnput8.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"

Thanks!
  • 0

#21 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

The infection is still there. I am going to PM an expert tomorrow morning and maybe he can give me some ideas. Hang tight. :tazz:
  • 0

#22 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Save the attached file to your c:\ folder.

Then reboot your computer, and while it's rebooting, tap the F8 key repeatedly on your keyboard. You will get to a menu with different boot options. Choose Command prompt only and press Enter. Then when you are at the DOS prompt, type the following:

c:\del.bat

When it is done, reboot your computer and post a new findit log.

http://www.bleepingc...e=post&id=84003
  • 0

#23 vrtclsmile (Member, Topic Starter, 67 posts)

More news, mostly bad, I guess.

When I ran the batch file - I got "File not found"s on all the attrib and del commands. I looked for the files manually and didn't find them.

A new wrinkle, though - WHILE I was running FindIt, AVG (my virus software) popped up a window saying "Virus Found" in a file C:\WINDOWS\SYSTEM\WINUP2DATE.DLL. It said it contained a virus called clicker7.av - I allowed AVG to put it in the "Virus Vault" which quarantined it.

Here are the current logs - THANKS TO EVERYONE!!!!!!!!!!!!



Logfile of HijackThis v1.99.1
Scan saved at 4:58:18 PM, on 4/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
IBRNONCE DLL 227,104 03-28-05 2:56p IBRNONCE.DLL
AQIHAL64 DLL 227,104 03-28-05 2:56p AQIHAL64.DLL
MZCO40 DLL 227,104 03-28-05 2:56p MZCO40.DLL
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,557.59 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,557.56 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
mzco40.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
  • 0

#24 vrtclsmile (Member, Topic Starter, 67 posts)

Yet another AVG window popped up (right out of the blue, I'm trying not to use the computer) and found a file YSBactivex.dll which it said contained Downloader.lstbar.7.AO.

Sheesh - how many things am I fighting here?
  • 0

#25 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

I am asking several experts and this kind of infection on a 98 machine is very difficult to heal. Don't do the worrying. We'll take care of it.
  • 0

#26 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Have you rebooted since you posted that last log?
  • 0

#27 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Download http://www.bleepingc...are/KillBox.zip

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

* Click killbox.exe.
* Select the option Replace on Reboot
* Check the "Use Dummy" box.
* Now copy the next bold:


C:\WINDOWS\SYSTEM\ibrnonce.dll
C:\WINDOWS\SYSTEM\aqihal64.dll
C:\WINDOWS\SYSTEM\mzco40.dll
C:\WINDOWS\SYSTEM\ail.dll



* Open File in the KillBox menu on top and choose Paste from clipboard.
* Now you will see this pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, all these must be there together!
* Then press the button that looks like a red circle with a white X in it.
* KillBox will tell you that all listed files will be deleted on next reboot. Click YES.
* When it asks if you would like to reboot now, click YES.

(if you don't get the prompt: would you like to reboot now, reboot manually!)

Your computer must reboot now.

Ignore the errors you get... this is normal.

* When rebooted, open killbox again.
* Choose file on top and select: Delete all dummy files.
* Choose Tools on top and select: Delete Temp Files.
* After that please run find.bat again and post a new log (output.txt).
* Download the new version of HijackThis and post a new log!
  • 0

#28 vrtclsmile (Member, Topic Starter, 67 posts)

OK, all done - new logs (if this is not the newest version of Killbox, please provide a link) - Thanks!!

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
4 file(s) 1,059,617 bytes
0 dir(s) 93,570.06 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,570.03 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 228,129 bytes 222.78 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"

Logfile of HijackThis v1.99.1
Scan saved at 4:49:10 PM, on 4/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
  • 0
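An added example, not from this thread or from the findit/KillBox tools it uses: a Python script that parses the Locate.com result lines from the logs above, fingerprints the cluster of same-size, same-timestamp DLLs in the April 4 log (the four 227,104-byte files), and re-checks the April 7 log against it, which is what lets a helper spot that ail.dll is the survivor of the same drop. The allowlist, the attribute heuristic and the future-timestamp rule are my own assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Locate.com result line, in the shape the findit output above prints it:
#   ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
LOCATE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} (?P<date>\w{3} \d{1,2} \d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap]) (?P<attrs>[A-Z.]+) "
    r"(?P<size>[\d,]+) [\d.,]+ K$"
)

# Sample input: the Locate.com sections copied from the April 4 and April 7 logs in this thread.
LOG_APR4 = """\
C:\\WINDOWS\\SYSTEM\\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ibrnonce.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
aqihal64.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
dbnput8.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
"""
LOG_APR7 = """\
C:\\WINDOWS\\SYSTEM\\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

2 items found: 2 files, 0 directories.
"""

# Assumed allowlist of files expected in a Win98 SYSTEM directory (constructed for this example).
KNOWN_GOOD = {"msvcp70.dll", "msvcr70.dll", "folder.htt", "desktop.ini"}


def parse_locate(text):
    """Return one dict per Locate.com file line; headers and totals lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOCATE_RE.match(line.strip())
        if not m:
            continue
        meridiem = "AM" if m["ampm"] == "a" else "PM"
        when = datetime.strptime(f"{m['date']} {m['time']}{meridiem}", "%b %d %Y %I:%M:%S%p")
        entries.append({
            "name": m["name"].lower(),
            "when": when,
            "attrs": m["attrs"],  # e.g. "..S.R": the letters present are the set attributes
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def find_clusters(entries, min_members=2):
    """Group files by exact (size, timestamp). A dropper that writes several randomly
    named copies of one payload in a single run leaves a cluster like the 227,104-byte DLLs."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e["size"], e["when"])].add(e["name"])
    return {key: sorted(names) for key, names in groups.items() if len(names) >= min_members}


def assess(entries, fingerprints, scan_date):
    """Check every file against the cluster fingerprints and two cheap heuristics.
    Returns {name: [reasons]} for everything that tripped at least one rule."""
    flagged = {}
    for e in entries:
        if e["name"] in KNOWN_GOOD:
            continue
        reasons = []
        if (e["size"], e["when"]) in fingerprints:
            reasons.append("size and timestamp match a known dropper cluster")
        # System + read-only with the archive bit clear is how the Qoologic DLLs presented here.
        if "S" in e["attrs"] and "R" in e["attrs"] and "A" not in e["attrs"]:
            reasons.append("system+read-only attributes, archive bit clear")
        # A file dated after the scan itself (org12732.iqt claims 2029) cannot carry a genuine mtime.
        if e["when"].date() > scan_date.date():
            reasons.append("timestamp lies in the future relative to the scan")
        if reasons:
            flagged[e["name"]] = reasons
    return flagged


def triage(baseline_log, later_log, scan_date):
    """Fingerprint the earlier log, then check the later one. scan_date uses the
    HijackThis header form, e.g. "4/7/05" from "Scan saved at ... on 4/7/05"."""
    fingerprints = set(find_clusters(parse_locate(baseline_log)))
    when = datetime.strptime(scan_date, "%m/%d/%y")
    return assess(parse_locate(later_log), fingerprints, when)


if __name__ == "__main__":
    for name, reasons in sorted(triage(LOG_APR4, LOG_APR7, "4/7/05").items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Only the Locate.com section is parsed; the DOS `dir`-style listings in the same log carry the same size and timestamp data but in 8.3 form, so the fingerprint built here would apply to them just as well.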

#29 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Lovely. Ail.dll is still there. :tazz:

Let me do some more research on it. Try to kill it again with pocket killbox.
  • 0

#30 vrtclsmile (Member, Topic Starter, 67 posts)

Will do - at every reboot, while the black-and-white info is scrolling along, I get the "Setup is changing your configuration files" just like it does when you install something you actually WANT. I bet this is where the mystery program reinstalls itself.

New logs shortly.
  • 0
