Help! Persistent popups!



#46 vrtclsmile (Member, Topic Starter, 67 posts)
Got an error downloading Panda, have to reboot and try again.
Here is the FindIt log I ran before getting the Panda message. Am rebooting to try for the Panda software again.



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
NGTOS DLL 227,104 03-28-05 2:56p NGTOS.DLL
QMENCLIB DLL 227,104 03-28-05 2:56p qMenclib.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
6 file(s) 1,513,825 bytes
0 dir(s) 93,563.47 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,563.44 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ngtos.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
qmenclib.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 682,337 bytes 666.34 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: DefDir=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\winzip32.ini: ExtractTo=C:\WINDOWS\Desktop\QOOLOGIC\
C:\WINDOWS\winzip32.ini: filemenu4=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract10=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"

#47 vrtclsmile (Member, Topic Starter, 67 posts)
Ran Panda - took a LONG time (and a popup hit WHILE it was running). It found a LOT of stuff that it says it cannot disinfect.

Here's the report:


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AIL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PDPWPROP.DLL
Spyware:Spyware/ISTbar No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\TEMP\bw2.com
Spyware:Spyware/Bundleware No disinfected C:\WINDOWS\downloaded program files\ds3.dll
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SJSCRAP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ail.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NGTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\pdpwprop.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\TEMP\bw2.com
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\DS3.dll
Virus:Trj/Downloader.BBA Disinfected C:\WINDOWS\MTE1Mzc6ODoxMg.exe
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\pukww.dat
Adware:Adware/QoolShown No disinfected C:\WINDOWS\tyrssgp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\iconu.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
:tazz:

#48 vrtclsmile (Member, Topic Starter, 67 posts)
Another lockup and reboot - I'm willing to buy a Panda product to clean this mess up, if it will and you can tell me which one to get.

Thanks!

#49 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Panda won't get rid of it, I don't think. You are a big trooper. Don't let this consume your life. I had another buddy send me some more information. I will need to study it some more. I need to do a few things and will try to get back with you in a couple of hours.

In the meantime:

1. Run adaware.

Please scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
2. Clean out your temp folders.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

3. Run Spybot S&D.

This won't get rid of your infection, but it will get you as clean as possible before we start into it.

When you are all done, run another findit log and the qoologic log and a hijack this log and then walk away for several hours.
:tazz:

#50 vrtclsmile (Member, Topic Starter, 67 posts)
Yeah, sorry if I seem consumed by this, I just have more time to be around it on the weekends. Plus, I used to be a programmer and work on computers for a living and so I am REALLY PO'd that I got zapped like this (even if it WAS #2 son's fault while we were in Florida).

Anyway, all thru the last list and here are the latest logs - I'll check back before bed. I appreciate your hard work! :tazz:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
NGTOS DLL 227,104 03-28-05 2:56p NGTOS.DLL
UCL DLL 227,104 03-28-05 2:56p UCL.DLL
OSBCTL32 DLL 227,104 03-28-05 2:56p OSBCTL32.DLL
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,552.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,552.41 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ngtos.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ucl.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
osbctl32.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: DefDir=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\winzip32.ini: ExtractTo=C:\WINDOWS\Desktop\QOOLOGIC\
C:\WINDOWS\winzip32.ini: filemenu4=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract10=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"


ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: DefDir=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\winzip32.ini: ExtractTo=C:\WINDOWS\Desktop\QOOLOGIC\
C:\WINDOWS\winzip32.ini: filemenu4=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract10=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
Finished

Logfile of HijackThis v1.99.1
Scan saved at 1:55:15 PM, on 4/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
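The Locate.com sections in posts #46 and #50 above show why deleting these DLLs by name keeps failing: every one of them sits in C:\WINDOWS\SYSTEM with the same size (227,104 bytes), the same timestamp and the system+read-only attributes, while the names (ngtos, qmenclib, ucl, osbctl32) change from one log to the next. The Python script below is an added example, not code from this thread or from FindIt: it parses that section, clusters files by exact size and timestamp, and diffs two logs; the two log excerpts are constructed from the posts above.

```python
import re
from collections import defaultdict

# Locate.com excerpts constructed from the FindIt logs in posts #46 and #50 of this thread.
LOG_POST_46 = """\
C:\\WINDOWS\\SYSTEM\\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ngtos.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
qmenclib.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
"""

LOG_POST_50 = """\
C:\\WINDOWS\\SYSTEM\\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ngtos.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ucl.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
osbctl32.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
"""

# One Locate.com line: name, weekday+date+time, 5-character attribute field,
# size in bytes (with thousands separators), size in K.
ENTRY = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+[\d.]+ K$"
)


def parse_locate(text):
    """Parse a Locate.com section into a list of file records."""
    records, cur_dir = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # directory header line
            cur_dir = line
            continue
        m = ENTRY.match(line)
        if m is None:
            continue                     # tolerate summary and footer lines
        records.append({
            "path": cur_dir + m["name"],
            "name": m["name"].lower(),
            "stamp": m["stamp"],
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return records


def clone_clusters(records, min_members=2):
    """Group system+read-only files that share an exact size and timestamp.

    Legitimate DLLs rarely share both; a cluster of them with unrelated names
    is the pattern visible in the logs above.  Returns {(size, stamp): [names]}.
    """
    groups = defaultdict(list)
    for r in records:
        if "S" in r["attrs"] and "R" in r["attrs"]:
            groups[(r["size"], r["stamp"])].append(r["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def diff_clusters(before_text, after_text):
    """Compare the clusters of two logs: which member names stayed, vanished or appeared."""
    before = clone_clusters(parse_locate(before_text))
    after = clone_clusters(parse_locate(after_text))
    report = {}
    for key in set(before) | set(after):
        b, a = set(before.get(key, [])), set(after.get(key, []))
        report[key] = {
            "stable": sorted(b & a),
            "gone": sorted(b - a),
            "new": sorted(a - b),
        }
    return report


if __name__ == "__main__":
    for (size, stamp), change in diff_clusters(LOG_POST_46, LOG_POST_50).items():
        print(f"cluster {size} bytes @ {stamp}")
        for label, names in change.items():
            print(f"  {label:>6}: {', '.join(names) or '-'}")
```

Run it against the Locate.com section of each new FindIt log and the "new" list is the set of names to hand to the helper; the "stable" list (here ail.dll and ngtos.dll) is what survived the previous cleanup attempt.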

#51 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Download Pocket Killbox version 2.0.0.76
If you already have Killbox, ensure it is this version.
Unzip the contents of KillBox.zip to a convenient location.

Double-click on KillBox.exe.
Click "Delete on Reboot"
Copy/Paste this file into the top "Full Path of File to Delete" box.


C:\WINDOWS\SYSTEM\OSBCTL32.DLL


Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the prompt.

Do that for each of these files one at a time.


C:\WINDOWS\SYSTEM\NGTOS.DLL
C:\WINDOWS\SYSTEM\UCL.DLL
C:\WINDOWS\SYSTEM\ail.dll


Do this next one last.

C:\WINDOWS\SYSTEM\Guard.tmp



Exit Killbox and restart your PC.

Ad-Aware Scan:

1. Download and install Ad-Aware SE version 1.05 from http://www.download....45...tag=button
If during the install it asks to remove any older versions, allow it to do so.
2. Click on the "Earth" icon (top right) and retrieve the latest definition file.
3. Close all other programs except for Ad-Aware.
4. Select 'Use custom scanning options' and click on the 'Customize' link to the right.
Quote:
A. Click on 'General' (on the top left) and make sure the following are checked and colored green:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)
B. Click on ‘Scanning’ (second from top on the left) and make sure the following are checked and colored green:
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file
· Click 'Select drives & folders to scan’ and select all of your hard drives.
C. Click on ‘Advanced’ (second from top on the left) and make sure the following are checked and colored green:
· Include additional object information
· Include environment information
· DESELECT Include negligible objects information -- Checkbox should be red with an 'X'
D. Click the ‘Tweak’ button (on the bottom left):
Expand ‘Scanning Engine’ and make sure the following are checked and colored green:
· Unload recognized processes & modules during scan
· Scan registry for all users instead of current user only
Expand ‘Cleaning Engine’ and make sure the following are checked and colored green:
· Let Windows remove files in use at next reboot
Expand ‘Log Files’ and make sure the following are checked and colored green:
· Include basic Ad-aware settings in log file
· Include additional Ad-aware settings in log file
E. Click 'Proceed' in the bottom-right corner to save your settings.

6. Click ‘Next’ to begin the scan. When the scan is complete, Click ‘Next’ again. Select the 'Critical Objects' tab and select all entries. This is easily done by right-clicking in the results and selecting 'Select all objects'
7. Reboot your computer

III. Ad-Aware VX2 Plug-in:

1. Download and install Ad-Aware VX2 Add-On from here:
http://www.lavasoft....x2cleaner.shtml

Note: Ad-Aware and Ad-Watch (if running) should be closed during the install.

2. Launch Ad-Aware and click on the 'Add-On' button on the lower left side.
3. Select the VX2 Cleaner under the Tools menu and click 'Run Tool'
4. If your computer is infected:
· Select "Clean System"
· Reboot your computer
· Re-scan your computer with Ad-Aware using the custom scanning options from before
· Remove any objects detected
· Re-scan your computer with Ad-Aware VX2 plug-in
· Reboot your computer again
· Run a second set of scans to make sure the files have been removed from your computer
· Close Ad-aware, reboot your system and go on to the next step below.

IV. Spybot Search and Destroy:

1a. Download and install Spybot Search and Destroy version 1.3.0 from this site: CastleCops Link/downloads-file-108.html

1b. Download and install the Spybot Search and Destroy DSO Exploit hot fix from here: http://www.majorgeek...wnload4392.html -- Please make sure Spybot is closed when you launch this. When you re-open, the version of Spybot will read 1.3.1TX.
2. Click the button to ‘Search for Updates’ and then "Download Updates" should any be available.
3. Close ALL windows except Spybot S&D. Now, click on the 'Search and Destroy' icon and then click the button ‘Check for Problems’
6. When Spybot is complete, it will be showing ‘RED’ entries ‘BLACK’ entries and ‘GREEN’ entries in the window. Put a check mark beside the RED entries ONLY.
7. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
8. Reboot your computer

V. Please run a virus scan from both of these online sites

http://housecall.ant...start_frame.asp
http://www.pandasoft...n_principal.htm
Post a fresh Hijackthis log.

Post back the qoologic log, findit and hijack this. :tazz:

#52 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Metallica jumped in and threw me a life jacket. This is what he suggested:

If not, have him use Disk Cleanup.
You can run it from either the Start / Programs / Accessories / System Tools / Disk Cleanup or directly run CLEANMGR.EXE

Select the drive you want to clean
From here you can delete:
Temporary Internet Files
Downloaded Program Files <= I think that's important here
The Recycle Bin
Temporary Files
Non-Critical Files



#53 vrtclsmile (Member, Topic Starter, 67 posts)
Thanks - I was going thru the long list last night and my system locked up while trying to run TrendMicro (which I've used before), at which point I just had to go to bed. I'm at work and will be home roughly 5:00 pm EDT, where I have both online scans to run and the three logs to run and post. I'll run Cleanmgr before I run the log programs, unless you say different, and post them afterward.

I bet it'll take a couple of hours to run both scans and the log programs.

:tazz:

#54 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Ask him if he can use TDS's Execution protection (I think that might not work in the trial version)

But if he can it should keep L2M out of the memory.

Something else a knowledgeable person could try:
http://www.diamondcs...u/processguard/

Regards,

Pieter


I've asked Pieter/Metallica to jump in here if he wants. He and admin are the two smartest guys I know.

#55 vrtclsmile (Member, Topic Starter, 67 posts)
I'm a bit leery, being on the begging side, to ask for more, but would you mind taking a look at the last few posts and telling me what my plan of attack is? I'm kind of getting confused about what I should do, in what order, to get the best results.

I REALLY appreciate this!

:tazz:


#56 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
OK. This is what Pieter/Metallica last said. So, please ignore previous instructions. Just do this.

Try deleting the files in DOS and if it comes back I will have a more thorough look tomorrow.


If that doesn't work, just hold off. He said he will be back tomorrow.

#57 vrtclsmile (Member, Topic Starter, 67 posts)
OK, I tried....

New logs:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: filemenu3=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract9=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
Finished

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
PKNMAP DLL 227,104 03-28-05 2:56p PKNMAP.DLL
DPLOADER DLL 227,104 03-28-05 2:56p DPLOADER.DLL
CAICONFG DLL 227,104 03-28-05 2:56p caiconfg.dll
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,509.28 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM

ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,509.25 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
pknmap.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
dploader.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
caiconfg.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.554: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: filemenu3=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract9=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.554: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"


Logfile of HijackThis v1.99.1
Scan saved at 6:56:07 PM, on 4/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


Save me! :tazz:

#58 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hi vrtclsmile,

Provided you have not rebooted since your last post, find a bootdisk.
If you don't have one you can download the one for Windows 98 here:
http://www.answersth...s_bootdisks.htm

Open a Notepad window and copy and paste the lines below into it:

path c:\windows\command
rem clear the hidden, read-only and system attributes so del can remove the files
attrib -h -r -s C:\WINDOWS\SYSTEM\ail.dll
attrib -h -r -s C:\WINDOWS\SYSTEM\PKNMAP.DLL
attrib -h -r -s C:\WINDOWS\SYSTEM\DPLOADER.DLL
attrib -h -r -s C:\WINDOWS\SYSTEM\caiconfg.dll
attrib -h -r -s C:\WINDOWS\unadbeh.exe
rem the four DLLs are in C:\WINDOWS\SYSTEM (see the Locate.com results), unadbeh.exe in C:\WINDOWS
del C:\WINDOWS\SYSTEM\ail.dll
del C:\WINDOWS\SYSTEM\PKNMAP.DLL
del C:\WINDOWS\SYSTEM\DPLOADER.DLL
del C:\WINDOWS\SYSTEM\caiconfg.dll
del C:\WINDOWS\unadbeh.exe


Save it as file name: "delall.bat" (not including the quotes). Save as file type: All files (*.*) and save it in C:

Put your boot disk into the drive and restart your system. After it has finished booting from the disk, type c: and press Enter, then type delall.bat and press Enter.

When prompted if you want to delete, type y.

When the batch file has finished its work, remove the disk and press Ctrl-Alt-Del to reboot your computer.

Post new logs when you are done.

Regards,

Pieter
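The four DLLs Pieter singles out share one size and one timestamp under random names, with the System attribute set. As an added example (not code from this thread, from FindIt or from Locate.com), a small Python parser for Locate.com-style lines that groups such files by identical size and timestamp; the sample lines are constructed from the listing above, and the msvcp70.dll line is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "Locate.com Results" section above;
# the values are taken from the thread, the msvcp70.dll line is made up for contrast.
SAMPLE = """\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
pknmap.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
dploader.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
caiconfg.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
msvcp70.dll Sat Jan 05 2002 4:40:00a ..... 487,424 476.00 K
"""

# name, "Www Mmm dd yyyy h:mm:ssp", five attribute flags, size with thousands separators
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>\d[\d,]*)"
)

def parse(text):
    """Return one dict per line that matches the Locate.com layout; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"name": m["name"].lower(), "stamp": m["stamp"],
                         "attrs": m["attrs"], "size": int(m["size"].replace(",", ""))})
    return rows

def suspicious_clusters(rows, min_members=2):
    """Group System/Hidden files by identical (size, timestamp).
    Several differently named files that are byte-identical in size and
    written in the same second is the pattern behind the four DLLs above."""
    groups = defaultdict(list)
    for r in rows:
        if "S" in r["attrs"] or "H" in r["attrs"]:
            groups[(r["size"], r["stamp"])].append(r["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}

if __name__ == "__main__":
    for (size, stamp), names in suspicious_clusters(parse(SAMPLE)).items():
        print(f"{len(names)} files of {size} bytes dated {stamp}: {', '.join(names)}")
```

A cluster flagged this way is a lead to verify, not a verdict; legitimate installers also drop same-sized files in one second, so check each name against the vendor before removing anything.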

#59 vrtclsmile (Member, Topic Starter, 67 posts)
Unfortunately, my system is so buggy now that there may have been a reboot when I get to it. Would you like me to post new logs, or try the fix first?

Thanks!

#60 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

vrtclsmile wrote:
> Unfortunately, my system is so buggy now that there may have been a reboot when I get to it. Would you like me to post new logs, or try the fix first?
>
> Thanks!

It may take a second run. Let's take our chances and try the fix. It's pretty easy to make a new "delall.bat" if necessary.

I will probably be in bed by the time you have a new log. (ain't timezones peachy?)

Regards,

Pieter

Edited by Metallica, 12 April 2005 - 01:54 PM.






