CWS, VX2, Qoolaid serious problems removing
4 replies to this topic

#1 jdbaker82
Posted 30 December 2004 - 03:25 PM

Ok, so I found out I have the latest VX2 infection, along with some Qoolaid trojan, and for the life of me I cannot seem to kill this infection. I will post my SilentRunner, HijackThis, and DllCompare logs as well as a partial log from Qoologic Find (which does not seem to finish running). I also tried to run FindIt, which also seemed to never finish, so I could not generate a log from that either.

1. I have already booted into safe mode and deleted all temp files etc.
2. I attempted to kill the following with KillBox in normal AND safe mode:

C:\WINNTOLD\System32\Guard.tmp
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll

3. I attempted to run Ad-Aware's add-on tool VX2 Cleaner in normal and safe mode, but it just stalls at "cleaning system"....
4. I've updated and run SB S&D as well as Ad-Aware, but the things just keep coming back.
5. Tried running Trojan Remover, and it only finds C:\WINNTOLD\system32\viyrrv.exe in the registry and says it is going to rename it.
6. Ran CWShredder in safe and normal mode, and it seems to remove 3 things that just come back.

My dll compare log which seems clean now:

.l* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

1,030 items found: 1,030 files, 0 directories.
Total of file sizes: 179,465,749 bytes 171.15 M

Administrator Account = True

--------------------End log---------------------



My Silentrunner log:

"Silent Runners.vbs", revision 28, launched at: 06:05
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
\StubPath = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------



----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.


And when I tried to run Qoologic it never seemed to finish, and I managed to find this in Win.txt:

C:\WINNTOLD\system32\lygool.dll updates.qoologic.com
C:\WINNTOLD\system32\iozbbi.dll updates.qoologic.com
C:\WINNTOLD\system32\lzpwwl.ex$ updates.qoologic.com (which I think Trojan Remover renamed to .ex$)
C:\WINNTOLD\system32\lzpwwl.exe updates.qoologic.com
C:\WINNTOLD\system32\viyrre.exe .aspack
C:\WINNTOLD\system32\waqbbw.dat .aspack
C:\WINNTOLD\system32\trjscan.trb .aspack
C:\WINNTOLD\system32\trupd.trb .aspack
C:\WINNTOLD\system32\vyrbv.txt.exe .aspack
C:\WINNTOLD\system32\installer.exe .aspack

and finally my HijackThis log, which seems to be clean now:

Logfile of HijackThis v1.99.0
Scan saved at 6:11:01 AM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\Documents and Settings\Thom\Desktop\DllCompare.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe


Any advice or help would be GREATLY appreciated, as I am stumped and do not know what to do next.

Edited by jdbaker82, 30 December 2004 - 03:28 PM.


#2 jdbaker82
Posted 30 December 2004 - 04:13 PM

Bump please.

#3 jdbaker82
Posted 30 December 2004 - 05:08 PM

Bumppy !

#4 jdbaker82
Posted 30 December 2004 - 06:20 PM

Any mods on this forum? :thumbsup:

#5 Grinler

Lawrence Abrams

  • Admin

Posted 27 January 2005 - 02:50 PM

This was missed because most logs are found by an unanswered search, and as you answered it yourself, it didn't show. Are you still having probs?
