[Metallica]

Can you try something for me

Create a file called whatever.cpl (f.e. on your desktop)
Rightclick that file and choose "Open from Config screen"
Tell me if and at what point the file gets created.

Regards,

Pieter

[Advertisements]

Well, nothing happened. Opening the cpl with Control Panel didn't produce any results (it was a blank text file) and the Winup2date file did not get created.

Thanks.......

[vrtclsmile]

Well, nothing happened. Opening the cpl with Control Panel didn't produce any results (it was a blank text file) and the Winup2date file did not get created.

Thanks.......

[Metallica]

Well, nothing happened. Opening the cpl with Control Panel didn't produce any results (it was a blank text file) and the Winup2date file did not get created.

Thanks.......

OK. I will let you in on my line of thought here, cause it needs help.

We have established that it is not the opening of the Control panel itself that triggers it by looking at the regfile.
It is not the file-association for cpl either (we established in the experiment), so that would leave one of the files in the control panel which are usually just shortcuts + a thumbs.db file

Now te only way (that I know off to get rid of the thumbs.db file is to do it for all folders.

Click the Start button
Select Control Panel (or Settings, then Control Panel)
Select Folder Options
Click the View tab
Check Do not cache thumbnails
Click the Apply button
Click the OK button

Now you can search your computer for thumbs.db files and remove them:

Click the Start button
Click Search (or Find)
Click All files and folders
In the All or part of the file name box type Thumbs.db
Set the Look in pull-down menu to 'All Local Hard Drives' or just the one drive you wish to search
Click Search
A list of the files found appears in the right window
Go to the Edit tab at the top and click Select All
Hit the Delete key on your keyboard
If you're lucky, all the files will be deleted. If not (you may get a message like 'in use' or 'can't be found' or something like that), you will need to delete a group at a time until you find the one(s) that don't want to be deleted.

This has two disadvantages, since you will have to open the Control Panel and the file wil get created ... etc. and you may use the thumb.db files and that would make it a drastic move.

Conclusion: we either need to find a registry fix to stop the caching or we only delete the thumbs.db file in the Control panel folder and re-enable caching when we have done that. That should create a new thumbs.db file I (clean hopefully).

Let me know which you prefer and excuse my longwindedness.

Regards,

Pieter

[Metallica]

Disregard my last post for now.

Try this first.
Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip

Create a new folder called c:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into this new RKFiles folder.

1. Reboot into Safe Mode

2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finaly finished a text file will open.
* Save the contents of that text file.

Note: It should save by default to C:\Log.txt
* Find this log, right-click and rename it RKFiles_log.txt so you can post it for me later.

3. Reboot back to Normal Mode.

4. Post the log as well as a hijackthis log.

Regards,

Pieter

[vrtclsmile]

OK, here's the RKFiles log:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\ODBCJET.HLP: +0`3Spec2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\installer.exe: UPX!
C:\WINDOWS\installer.exe: UPX!
C:\WINDOWS\installer.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\icont.exe: UPX!
Finished
bye


..and the Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 5:04:27 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\REGPROT\REGPROT.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [RegProt] c:\program files\regprot\regprot.exe /start
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

[Metallica]

Excellent.

Now surf to http://www.kaspersky.com/scanforvirus
and upload these files:
C:\WINDOWS\installer.exe
C:\WINDOWS\icont.exe

Let me know the results.

Regards,

Pieter

[vrtclsmile]

Results for icont.exe:

Scanned file: icont.exe

icont.exe - infected by not-a-virus:AdWare.AdURL.c


Results for installer.exe

Scanned file: installer.exe

installer.exe - OK

[Metallica]

Good. Delete icont.exe please

Can you send me installer.exe ?
I don't really trust it.
Send it (preferably zipped) to:
pieterATwilderssecurity.org (replace AT with @)

Regards,

Pieter

[vrtclsmile]

Zipped file sent via my mindspring address.

Thanks!

[vrtclsmile]

Pieter -

Sorry, I misspelled your email address - I'll resend the file this afternoon.

[Metallica]

OK. No problem.

Hopefully it will tell me what our next move should be.

Regards,

Pieter

[vrtclsmile]

OK, zipped file sent to a carefully typed address this time - hope I got it right!



Thanks!

[Metallica]

I'll have a look when I get home. I can't access that mailbox from here.

Regards,

Pieter

[Metallica]

I got your file and boy do we have a winner

AntiVir  Found TR/Dldr.Qoologi.I.4 
Avast  Found Win32:Qoologic-B 
AVG Antivirus  Found nothing
BitDefender Found nothing
ClamAV  Found Trojan.Clicker.Small-60 
Dr.Web  Found Trojan.DownLoader.2181 
F-Prot Antivirus Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir  Found nothing
NOD32  Found Win32/TrojanDownloader.Qoologic.I 
Norman Virus Control Found nothing
VBA32  Found Embedded.Trojan-Downloader.Win32.Qoologic.i (probable variant)

This is the installer for the kavsvc variant of Qoologic trojan.

It calls itself: The Ad Behavior utility

Throw it as far away as you possibly can.
And thank you very much for your patience and coöoperation.

And thank you for cw6 for introducing you to me.

Further I'd like to thank the Academy

Regards,

[coachwife6]

Thanks vrt for following this through until the end. Second son will be forgiven now for infecting computer.

Thanks Pieter. Sorry I drug you into my nightmare. But you were the only one I knew who could put it to bed.