Lots of pop-ups[RESOLVED]


  • This topic is locked

#61 Justin (I do a little bit of everything; Member, 2,353 posts)
Killbox the following with delete on reboot:

C:\WINDOWS\SYSTEM\cqmpobj.dll
C:\WINDOWS\SYSTEM\vihw9x.dll
C:\WINDOWS\SYSTEM\dgnet.dll
C:\WINDOWS\SYSTEM\ohslb400.dll

Then post a new findit log.


#62 Trippster (Member; Topic Starter, 356 posts)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
NSLNET5 DLL 4,519 02-08-96 8:41a nslnet5.dll
4 file(s) 232,849 bytes
0 dir(s) 11,943.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,943.42 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{979865C0-8385-F0C1-472E-63B48B96D6B5}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ohslb400.dll Tue May 10 2005 5:14:00p ..S.R 226,592 221.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 226,592 bytes 221.28 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\USER.DAT: how to remove qoologic
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#63 Justin
Killbox the following with delete on reboot:

C:\WINDOWS\SYSTEM\ohslb400.dll

Post 1 more findit log, and then we'll call it quits for the night, and I'll ask around for more advice.

#64 Trippster
I did it, and the ohslb400.dll is still showing in the log, so I won't post it; there weren't any other .dlls showing, though. So take your time, no rush, just make a post when you find a different solution.

#65 Justin
Trippster,

Boot into DOS and type the following at the prompt:


attrib -r -h -s C:\WINDOWS\SYSTEM\ohslb400.dll
<click enter>

del C:\WINDOWS\SYSTEM\ohslb400.dll
<click enter>

#66 Trippster
Well, I guess it found the file. Was I just supposed to reboot by Alt+Ctrl+Del after I did those two commands? Because that's what I did, lol. Oh, and on start-up my toolbar was a tiny bit messed up: there were 2 Quick Launch bars and one bar that was blank. Anyways...

Here's the new findit.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
NSLNET5 DLL 4,519 02-08-96 8:41a nslnet5.dll
3 file(s) 6,257 bytes
0 dir(s) 11,950.69 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3939-1903
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
FOLDER HTT 13,122 10-12-04 6:08p folder.htt
DESKTOP INI 266 10-12-04 6:08p desktop.ini
4 file(s) 15,126 bytes
0 dir(s) 11,950.67 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{979865C0-8385-F0C1-472E-63B48B96D6B5}"=""


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: Find_Qoologic2
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipgic2.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zipp
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip.zip
C:\WINDOWS\USER.DAT: filemenu4C:\WINDOWS\Desktop\Find_Qoologic2.zip
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.663: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.663: TROJ_QOOLOGIC.A
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"a-winpoet-service"="\"C:\\Program Files\\Verizon Online\\WinPoET\\winpppoverethernet.exe\""
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


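To confirm that a deletion like the one above actually worked, here is an added example (not code from the thread or from the findit tool) that parses the "System Files in System Directory" listing of the findit logs posted before and after the DOS delete, checks each listing against its own file-count footer, and reads the attribute flags off the Locate.com line that explained why a plain delete had failed. The sample log text is copied from this thread; the regular expressions are my assumptions about the dir and Locate.com output formats.

```python
import re
# Constructed excerpts of the "System Files in System Directory" section of the
# findit logs posted before (post #62) and after (post #66) the DOS delete.
BEFORE = """\
Directory of C:\\WINDOWS\\SYSTEM

OHSLB400 DLL 226,592 05-10-05 5:14p OHSLB400.DLL
KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
NSLNET5 DLL 4,519 02-08-96 8:41a nslnet5.dll
4 file(s) 232,849 bytes
0 dir(s) 11,943.44 MB free
"""
AFTER = """\
Directory of C:\\WINDOWS\\SYSTEM

KGYGAAVL SYS 1,682 11-24-04 3:00a KGyGaAvL.sys
D55526~1 SYS 56 11-24-04 3:00a D55526893A.sys
NSLNET5 DLL 4,519 02-08-96 8:41a nslnet5.dll
3 file(s) 6,257 bytes
0 dir(s) 11,950.69 MB free
"""

# One DOS "dir" entry: 8.3 name, extension, size, date, time, long name (assumed layout).
ENTRY = re.compile(r"^(\S+)\s+(\S+)\s+([\d,]+)\s+\d\d-\d\d-\d\d\s+\d{1,2}:\d\d[ap]\s+(\S+)$")
# Locate.com line: name, weekday/month/day/year/time, attribute flags, size (assumed layout).
LOCATE = re.compile(r"^\S+\s+\w{3} \w{3} \d+ \d{4} [\d:]+[ap]\s+([.A-Z]+)\s+")

def parse_section(text):
    """Map each long file name (lower-cased) to its size in bytes."""
    files = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            files[m.group(4).lower()] = int(m.group(3).replace(",", ""))
    return files

def summary_consistent(text):
    """Check the 'N file(s) X bytes' footer against the parsed entries."""
    files = parse_section(text)
    m = re.search(r"(\d+) file\(s\) ([\d,]+) bytes", text)
    return (m is not None and int(m.group(1)) == len(files)
            and int(m.group(2).replace(",", "")) == sum(files.values()))

def removed_files(before, after):
    """Names present in the first listing but gone from the second."""
    return sorted(set(parse_section(before)) - set(parse_section(after)))

def protective_attributes(locate_line):
    """Attribute letters from a Locate.com result (e.g. '..S.R' -> R, S).
    System, hidden and read-only flags each block a plain DOS 'del', which
    is why the thread clears them with 'attrib -r -h -s' first."""
    m = LOCATE.match(locate_line.strip())
    return sorted(set(m.group(1)) - {"."}) if m else []
```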

#67 Justin
Awesome!

Post a new HiJackThis log for me to look at.

Also let me know of any problems you see.

#68 Trippster
Here you go. Yeah, no pop-ups yet; I'll wait like 2 hrs before I see if it's resolved.


Logfile of HijackThis v1.99.1
Scan saved at 7:34:45 PM, on 6/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\PC\LUKE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....007/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab

#69 Justin
Trippster,

I don't see anything obvious in your log. Play around and let me know how things go.

#70 Trippster
I think everything is A-OK.

I'll find you in chat sometime if something else comes up.

Thanks for your 2-3 weeks of time; I'm surprised you stuck with me. I still can't believe that pesky little .dll file caused so much havoc. Well, I hope you know how to get rid of it now if someone else gets that.


#71 Justin
Trippster,

Thank you for sticking with me, and not reformatting. That file must have been hidden and archived or something. I appreciate your patience in getting this solved.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

Feel free to PM me or find me in chat if something comes up.

Edited by Jfcap, 08 June 2005 - 07:03 PM.


#72 Justin
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.