
Lots of pop-ups [RESOLVED]


This topic is locked

#46 Trippster (Topic Starter, Member, 356 posts)
Here it is, I'm pretty sure it's still sitting tight.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
3 file(s) 228,330 bytes
0 dir(s) 11,941.16 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,941.14 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{979865C0-8385-F0C1-472E-63B48B96D6B5}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 226,592 bytes 221.28 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\USER.DAT: how to remove qoologic
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



  • 0



#47 Trippster (Topic Starter, Member, 356 posts)
Here's the new log.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
3 file(s) 228,330 bytes
0 dir(s) 11,937.09 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,937.08 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{979865C0-8385-F0C1-472E-63B48B96D6B5}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 226,592 bytes 221.28 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\USER.DAT: how to remove qoologic
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



  • 0

#48 Justin (I do a little bit of everything, Member, 2,353 posts)
Trippster,

Let's try deleting this from DOS. You might want to print this or write it down.

* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type the following. Make sure that you are spelling things right.

del C:\Windows\System\ohslb400.dll

Press Enter

Reboot into normal windows and post a new Findit9xME for me.
  • 0

#49 Trippster (Topic Starter, Member, 356 posts)
Still no luck finding the file to delete.

Here's what it looked like after I typed it.

C:Windows>del C:\Windows\System\ohslb400.dll

The gray is the prompt it provided, the green is what i typed in.

Edited by Trippster, 07 June 2005 - 12:47 PM.

  • 0

#50 Justin (I do a little bit of everything, Member, 2,353 posts)
Gah!

Ok, Replace on Reboot with dummy in Killbox:

C:\Windows\System\ohslb400.dll

Then post new findit9xME

Also make sure that you have hidden files showing.
  • 0

#51 Trippster (Topic Starter, Member, 356 posts)
It's still there lol... here's the new log.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
3 file(s) 228,330 bytes
0 dir(s) 11,891.61 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,891.59 MB free

---------------- User Agent ------------


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 226,592 bytes 221.28 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\USER.DAT: how to remove qoologic
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



  • 0

#52 Justin (I do a little bit of everything, Member, 2,353 posts)
Trippster!

Reboot into DOS.

Type the following:

cd system <click enter>
del ohslb400.dll <click enter>

Reboot and post new Findit9xME.
  • 0

#53 Trippster (Topic Starter, Member, 356 posts)
Still not finding the file :tazz: ;) stupid file lol
  • 0

#54 Justin (I do a little bit of everything, Member, 2,353 posts)
Trippster,

Make sure all files and folders are not hidden (gave you link in chat).

Search for the file manually and delete it.

Then reboot and post a new findit9xme.
  • 0

#55 Trippster (Topic Starter, Member, 356 posts)
It wouldn't delete, it says it's in use by Windows.

Edited by Trippster, 07 June 2005 - 04:58 PM.

  • 0



#56 Justin (I do a little bit of everything, Member, 2,353 posts)
Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip

Create a new folder called c:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into this new RKFiles folder.

Then,

1.
Reboot into Safe Mode
(Restart and press the F8 key a few times after the BIOS loads -- the first thing you see when the PC "comes alive" and does its "self test" -- before Windows loads.)

2.
Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait until it's finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
* Post the log for me.
  • 0

#57 Trippster (Topic Starter, Member, 356 posts)
Oh, here's a findit9xme log, looks like some new DLLs in it...


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

CWUSALGO DLL 226,592 05-10-05 5:14p CWUSALGO.DLL
RWOCURS DLL 226,592 05-10-05 5:14p RWOCURS.DLL
OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
NSLNET5 DLL 4,519 02-08-96 8:41a nslnet5.dll
6 file(s) 686,033 bytes
0 dir(s) 11,919.11 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,919.09 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{979865C0-8385-F0C1-472E-63B48B96D6B5}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
cwusalgo.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
rwocurs.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

3 items found: 3 files, 0 directories.
Total of file sizes: 679,776 bytes 663.84 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\USER.DAT: how to remove qoologic
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



  • 0

#58 Justin (I do a little bit of everything, Member, 2,353 posts)
Open Killbox,

Select Delete on reboot with these files:

C:\WINDOWS\SYSTEM\cwusalgo.dll
C:\WINDOWS\SYSTEM\rwocurs.dll
C:\WINDOWS\SYSTEM\ohslb400.dll

Then run the rkfiles in safe mode.

Post that log as well as a findit9xme log.
  • 0

#59 Trippster (Topic Starter, Member, 356 posts)
Phew, that was hard, couldn't use my mouse, it wouldn't work, but I figured it all out on the keyboard.

Here's the RK log, I'm doing findit9xme now.

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\locate.com: WAUPX!
C:\WINDOWS\SYSTEM\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
Finished
bye
  • 0

#60 Trippster (Topic Starter, Member, 356 posts)
New findit log

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

CQMPOBJ DLL 226,592 05-10-05 5:14p CQMPOBJ.DLL
VIHW9X DLL 226,592 05-10-05 5:14p Vihw9x.dll
DGNET DLL 226,592 05-10-05 5:14p dgnet.dll
OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
NSLNET5 DLL 4,519 02-08-96 8:41a nslnet5.dll
7 file(s) 912,625 bytes
0 dir(s) 11,993.27 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,993.25 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{979865C0-8385-F0C1-472E-63B48B96D6B5}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
cqmpobj.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
vihw9x.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
dgnet.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

4 items found: 4 files, 0 directories.
Total of file sizes: 906,368 bytes 885.13 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\USER.DAT: how to remove qoologic
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



  • 0
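The Findit9xME logs in this thread show one recurring pattern: differently named DLLs in C:\WINDOWS\SYSTEM that all share the same byte size (226,592), the same timestamp and the same Locate.com attribute flags, with new names appearing between one run and the next. The Python below is an added example, not code from the thread, from Findit9xME or from the Locate.com author: it parses the "Locate.com Results" section of such a log, groups files that share size, timestamp and attributes, and diffs two snapshots to list which paths appeared or disappeared. The sample log text is constructed to mirror the entries in posts #46 and #60; the column layout of a Locate.com line is assumed from those posts, and the attribute string is compared verbatim rather than interpreted.

```python
"""Triage helper for Findit9xME-style logs (added example, not from the thread).

Parses the "Locate.com Results" section, groups files sharing size,
timestamp and attribute flags, and diffs two log snapshots.  The column
layout of a Locate.com line is assumed from the thread's logs.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample input, modelled on the Locate.com sections in the thread.
LOG_BEFORE = r"""
------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

1 item found: 1 file, 0 directories.
"""

LOG_AFTER = r"""
------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
cqmpobj.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
vihw9x.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
dgnet.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

4 items found: 4 files, 0 directories.
"""

# A directory header line, e.g. "C:\WINDOWS\SYSTEM\"
DIR_RE = re.compile(r"^[A-Za-z]:\\.*\\$")
# An entry line: name, timestamp, 5-char attribute flags, byte size, size in K
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>[\d,]+)\s+[\d.]+ K$"
)


class Entry(NamedTuple):
    path: str       # full path as printed (directory + name)
    timestamp: str  # timestamp text, compared verbatim
    attrs: str      # Locate.com attribute flags, compared verbatim
    size: int       # size in bytes


def locate_section(text):
    """Yield the lines between the Locate.com header and its summary line."""
    inside = False
    for line in text.splitlines():
        if "Locate.com Results" in line:
            inside = True
            continue
        if not inside:
            continue
        if line.startswith("---") or re.match(r"^\d+ items? found:", line):
            break
        yield line


def parse_locate(text):
    """Parse the Locate.com section into {lower-cased path: Entry}."""
    entries, directory = {}, ""
    for line in locate_section(text):
        if DIR_RE.match(line):
            directory = line          # subsequent entries live here
            continue
        m = ENTRY_RE.match(line)
        if m:
            path = directory + m.group("name")
            entries[path.lower()] = Entry(
                path, m.group("ts"), m.group("attrs"),
                int(m.group("size").replace(",", "")),
            )
    return entries


def size_clusters(entries, min_count=2):
    """Group distinct files sharing size, timestamp and attributes.

    Several differently named files with identical size and timestamp in a
    system directory is the respawn pattern seen in the thread.  Returns
    {(size, timestamp, attrs): [file names]} for groups of >= min_count.
    """
    groups = defaultdict(list)
    for e in entries.values():
        groups[(e.size, e.timestamp, e.attrs)].append(e.path.rsplit("\\", 1)[-1])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def diff_snapshots(before, after):
    """Return (added, removed) full paths between two parsed logs."""
    added = sorted(after[k].path for k in after.keys() - before.keys())
    removed = sorted(before[k].path for k in before.keys() - after.keys())
    return added, removed


if __name__ == "__main__":
    before, after = parse_locate(LOG_BEFORE), parse_locate(LOG_AFTER)
    for key, names in size_clusters(after).items():
        print(f"cluster size={key[0]} ts={key[1]!r} attrs={key[2]}: {names}")
    added, removed = diff_snapshots(before, after)
    print("appeared since previous log:", added)
    print("gone since previous log:", removed)
```

Run against two consecutive logs from the thread, the cluster report points straight at the group of same-size DLLs, and the snapshot diff shows what the respawn added since the last deletion attempt; both are things to check before deciding which files a reboot-time deletion has to cover.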





