[ScHwErV]

I dont think a few files got deleted correctly last time. Try these two again with killbox, but this time, from safe mode..

C:\WINDOWS\System32\bbocadn.exe
C:\WINDOWS\System32\vvnrzi.exe

After that, reboot.

ScHwErV

[Advertisements]

From Safe mode, I deleted the 2 files and rebooted. However, vvnrzi.exe is back!

I noticed in this strange new folder on my c: drive and guess what was in it:
C:\!Submit\vvnrzi.exe



p.s. I deleted the folder and content but the recycle bin wouldn't empty. I was successful in safe mode, but it still came back after I rebooted.

Edited by pegg, 03 May 2005 - 07:24 AM.

[pegg]

From Safe mode, I deleted the 2 files and rebooted. However, vvnrzi.exe is back!

I noticed in this strange new folder on my c: drive and guess what was in it:
C:\!Submit\vvnrzi.exe



p.s. I deleted the folder and content but the recycle bin wouldn't empty. I was successful in safe mode, but it still came back after I rebooted.

Edited by pegg, 03 May 2005 - 07:24 AM.

[pegg]

I think I may have killed it!! In Safe Mode, I noticed there were other .exe files that were newly created (since the infection) in my C:\WINDOWS\System32\ folder:

C:\WINDOWS\System32\slathe.exe
C:\WINDOWS\System32\netmod.exe
C:\WINDOWS\System32\htmdce.exe
C:\WINDOWS\System32\exdl.exe
C:\WINDOWS\System32\exdl3.exe
C:\WINDOWS\System32\exdl1.exe

I ran KillBox and deleted all above files plus the vvnrzi in the !Submit folder, rebooted and I don't see that vvnrzi.exe anymore...

My latest HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:26:04 AM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

[ScHwErV]

The !submit folder is put there by killbox in case something gets deleted that we need back. It is also there to have you submit those files so they can be checked in case there is a new virus that we have not had the chance to study yet.

Very strange that those files didnt show up anywhere in any of the logs that I asked for. Can I get you to run Ewido again in safe mode just to be sure?

ScHwErV

[pegg]

Oh wow - thank you for telling me about that !Submit folder!

Ok I ran ewido in safe mode: the scan got a few more files.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:51:59 AM, 5/3/2005
+ Report-Checksum: ADE16439

+ Date of database: 5/2/2005
+ Version of scan engine: v3.0

+ Duration: 44 min
+ Scanned Files: 81612
+ Speed: 30.63 Files/Second
+ Infected files: 7
+ Removed files: 6
+ Files put in quarantine: 3
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\peggy\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\peggy\Cookies\peggy@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\peggy\Cookies\peggy@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\HJ\hijackthis\backups\backup-20050503-101957-634-nntd.exe -> TrojanDownloader.Qoologoc.i -> Ignored
C:\WINDOWS\SYSTEM32\aaanr.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ppvqu.dat -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ttgpysi.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup


::Report End

[ScHwErV]

Click here to download FindQoologic-Narrator.

Save it to your Desktop then extract the files from the zip into their own folder called FindQoologic. Open the FindQoologic folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text opens, then post it in your next reply here.

ScHwErV

[pegg]

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\JJKAN.DLL
* qoologic C:\WINDOWS\JJKAN.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
Adobe Gamma Loader.exe.lnk
desktop.ini
Microsoft Office.lnk
Monitor Apache Servers.lnk

User Startup:
C:\Documents and Settings\peggy\Start Menu\Programs\Startup
.
..
desktop.ini
WinMySQLadmin.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ffqgymnx
<NO NAME> REG_SZ {a15d6a18-b9a0-4bd7-8f4c-5cc90dfa61d8}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 12:14
Operating System: Windows XP

[ScHwErV]

Lets killbox this file to be sure we are rid of the qoologic infection.

C:\WINDOWS\JJKAN.DLL

Then reboot and post a fresh HiJackThis log and let me know how things are running.

ScHwErV

[pegg]

Things are running fine. Thank you so much for all of your help - you have been a lifesaver!!

The latest log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:22 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

[ScHwErV]

Looks clean!

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  
• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

ScHwErV

[ScHwErV]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.