regsvr.exe and q387.exe
in [Anti-Virus]
|
Prev: Decompression bomb?
Next: mrtstub.exe advice needed
From: N Cook on 30 Dec 2005 03:59 Very little about this set of rogue diallers / trojans / virii or whatever it would seem on the net so if any use placed here. Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports , and creating ever growing files comreads.dbg and comused.dbg First 2 lines of comreads reading (edited) Port opened, internal buffer = 0x007... to 0x00.. Overlapped Read -- 24 bytes 0x007... to 0x007... : Disabled those but could not track down where q387.exe was hiding. In Task Manager the name would blip up on Processes and disappear again every 10 seconds or so, the cursor dipping at same times and in other appls. Every now and then CMD.EXE (as upper case) would do the same in TM . I updated spybot search & destroy but it told me congratulations for having no immediate threats. Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has disappeared, apparently, since. That is distinct from cmd.exe (lower case) files which I left in place. Perhaps q387.exe has been converted so it can hide itself. previous net references to it have precise locations eg hidden in \countrydial.exe or as .... \Local Settings\Temp\q387.exe ....\WINDOWS\q387.exe Anyone know what q387 was doing ? Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in Processes, for the moment
From: David H. Lipman on 30 Dec 2005 09:36 From: "N Cook" <diverse(a)tcp.co.uk> | Very little about this set of rogue diallers / trojans / virii or whatever | it would seem on the net | so if any use placed here. | Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports | , and creating ever growing files comreads.dbg and comused.dbg | First 2 lines of comreads reading (edited) | Port opened, internal buffer = 0x007... to 0x00.. | Overlapped Read -- 24 bytes 0x007... to 0x007... : | | Disabled those but could not track down where q387.exe was hiding. | In Task Manager the name would blip up on Processes and disappear again | every 10 seconds or so, | the cursor dipping at same times and in other appls. | Every now and then CMD.EXE (as upper case) would do the same in TM . | | I updated spybot search & destroy but it told me congratulations for | having no immediate threats. | | Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has | disappeared, apparently, since. | That is distinct from cmd.exe (lower case) files which I left in place. | | Perhaps q387.exe has been converted so it can hide itself. | previous net references to it have precise locations | eg | hidden in \countrydial.exe | or as | ... \Local Settings\Temp\q387.exe | ...\WINDOWS\q387.exe | | Anyone know what q387 was doing ? | | Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in | Processes, for the moment | You are infected with at least one Trojan and the RBot/SDBot worm. Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe To use this utility, perform the following... Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS } Choose; Unzip Choose; Close Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS } NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files. C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS} This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC. You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode. When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm * * * Please report back your results * * * References: http://spl.haxial.net/viruses.html http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
From: N Cook on 31 Dec 2005 08:21 "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:EBbtf.2$yW1.0(a)trnddc05... > From: "N Cook" <diverse(a)tcp.co.uk> > > | Very little about this set of rogue diallers / trojans / virii or whatever > | it would seem on the net > | so if any use placed here. > | Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports > | , and creating ever growing files comreads.dbg and comused.dbg > | First 2 lines of comreads reading (edited) > | Port opened, internal buffer = 0x007... to 0x00.. > | Overlapped Read -- 24 bytes 0x007... to 0x007... : > | > | Disabled those but could not track down where q387.exe was hiding. > | In Task Manager the name would blip up on Processes and disappear again > | every 10 seconds or so, > | the cursor dipping at same times and in other appls. > | Every now and then CMD.EXE (as upper case) would do the same in TM . > | > | I updated spybot search & destroy but it told me congratulations for > | having no immediate threats. > | > | Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has > | disappeared, apparently, since. > | That is distinct from cmd.exe (lower case) files which I left in place. > | > | Perhaps q387.exe has been converted so it can hide itself. > | previous net references to it have precise locations > | eg > | hidden in \countrydial.exe > | or as > | ... \Local Settings\Temp\q387.exe > | ...\WINDOWS\q387.exe > | > | Anyone know what q387 was doing ? > | > | Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in > | Processes, for the moment > | > > You are infected with at least one Trojan and the RBot/SDBot worm. > > > > Download MULTI_AV.EXE from the URL -- > http://www.ik-cs.com/programs/virtools/Multi_AV.exe > > To use this utility, perform the following... > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS } > Choose; Unzip > Choose; Close > > Execute; C:\AV-CLS\StartMenu.BAT > { or Double-click on 'Start Menu' in C:\AV-CLS } > > NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your > FireWall to allow it to download the needed AV vendor related files. > > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS} > This will bring up the initial menu of choices and should be executed in Normal Mode. > This way all the components can be downloaded from each AV vendor's web site. > The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC. > > You can choose to go to each menu item and just download the needed files or you can > download the files and perform a scan in Normal Mode. Once you have downloaded the files > needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key > during boot] and re-run the menu again and choose which scanner you want to run in Safe > Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode. > > When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help > file. http://www.ik-cs.com/multi-av.htm > > > * * * Please report back your results * * * > > References: > http://spl.haxial.net/viruses.html > http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html > > -- > Dave > http://www.claymania.com/removal-trojan-adware.html > http://www.ik-cs.com/got-a-virus.htm > > Unzipped ok into C:\AV-CLS\ with 21 files but whether on or off line would not start, returning "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)" despite double-clicking on its label Running C:\AV-CLS\kix32 C:\AV-CLS\menu.kix opens but fails to find material also Windows 2000 if relevant
From: David H. Lipman on 31 Dec 2005 09:45 From: "N Cook" <diverse(a)tcp.co.uk> | Unzipped ok into | C:\AV-CLS\ | with 21 files | but whether on or off line would not start, | returning | "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)" | despite double-clicking on its label | | Running | C:\AV-CLS\kix32 C:\AV-CLS\menu.kix | opens but fails to find material also | | Windows 2000 if relevant | I don't uderstand the problem you are having. If all 21 files are in the folder C:\AV-CLS the it should all work. Verify that C:\AV-CLS does indeed have 21 files. Open a Command Prompt. Type the following commands... cd\av-cls kix32 menu.kix Any error messages displayed ? If yes, what are they ? -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
From: N Cook on 31 Dec 2005 12:12
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:CQwtf.743$0c.490(a)trnddc07... > From: "N Cook" <diverse(a)tcp.co.uk> > > > | Unzipped ok into > | C:\AV-CLS\ > | with 21 files > | but whether on or off line would not start, > | returning > | "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)" > | despite double-clicking on its label > | > | Running > | C:\AV-CLS\kix32 C:\AV-CLS\menu.kix > | opens but fails to find material also > | > | Windows 2000 if relevant > | > > I don't uderstand the problem you are having. > > If all 21 files are in the folder C:\AV-CLS the it should all work. > > Verify that C:\AV-CLS does indeed have 21 files. > > Open a Command Prompt. > > Type the following commands... > > cd\av-cls > kix32 menu.kix > > Any error messages displayed ? > If yes, what are they ? > > > -- > Dave > http://www.claymania.com/removal-trojan-adware.html > http://www.ik-cs.com/got-a-virus.htm > > I went into command prompt to start about 5 hours ago, before seeing your latest post . Took about 5 hours to scan C: starting with "DOS" command. C:\AV-CLS\kix32 C:\AV-CLS\menu.kix selected McAfee , scanned WINNT and then remainder of C: after ******** Q_Z_Q(+incrementing number) is my renaming of suspect files to temporarily, if necessary, nullify ...... is my edits Virus Scan Results ---------------------------------------------------------------------------- ---- C:\WINNT\adsldpbf.dll\adsldpbf.dll ... Found the Downloader-ASC trojan !!! The file or process has been deleted. C:\WINNT\alt.exe ... Found the Generic AdClicker.c trojan !!! The file or process has been deleted. C:\WINNT\Q_Z_Q2alex6.exe\Q_Z_Q2alex6.exe ... Found potentially unwanted program Dialer-Generic.c. The file or process has been deleted. C:\WINNT\Q_Z_Q2alt.exe ... Found the Generic AdClicker.c trojan !!! The file or process has been deleted. C:\WINNT\Q_Z_Qalt.exe ... Found the Generic AdClicker.c trojan !!! The file or process has been deleted. C:\WINNT\Q_Z_Qgcac.exe\Q_Z_Qgcac.exe ... Found the Generic Downloader.k trojan !!! The file or process has been deleted. C:\WINNT\q461042.dll\q461042.dll ... Found the Generic Downloader.t trojan !!! The file or process has been deleted. Scanning C:\WINNT\*.* C:\WINNT\Downloaded Program Files\dai.exe ... Found potentially unwanted program Dialer-gen. The file or process has been deleted. Summary report on C:\WINNT\*.* File(s) Total files: ........... 21833 Clean: ................. 21812 Possibly Infected: ..... 9 Cleaned: ............... 0 Deleted: ............... 14 Non-critical Error(s): 1 *********************** C:\Documents and Settings\Administrator\Application Data\Q_Z_Qsgrunt\Q_Z_QIE4321.exe\Q_Z_QIE4321.exe ... Found the QLowZones-15 trojan !!! The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temp\whatever (1).exe .... Found the W32/Aliz(a)MM virus !!! The file or process has been deleted. Deleted 50 or so numbered repeats up to C:\Documents and Settings\Administrator\Local Settings\Temp\whatever (9).exe .... Found the W32/Aliz(a)MM virus !!! The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temp\whatever.exe ... Found the W32/Aliz(a)MM virus !!! The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4L.....MN\299[1].exe\299[1].exe ... Found potentially unwanted program Dialer-188. The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4.....CTMN\w[1].exe\w[1].exe ... Found the Generic Downloader.k trojan !!! The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4.....818N\alex6[1].exe\alex6[1].exe ... Found potentially unwanted program Dialer-Generic.c. The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G.....AD0T\dai[1].exe ... Found potentially unwanted program Dialer-gen. The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G.....AD0T\w[1].exe\w[1].exe ... Found the Generic Downloader.k trojan !!! The file or process has been deleted. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\U.....6HAW\archive[1].jar\A.CLASS ... Found the Exploit-ByteVerify trojan !!! C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\U.....HAW\archive[1].jar\BEYOND.CLASS ... Found the Exploit-ByteVerify trojan !!! C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\U.....6HAW\archive[1].jar\BLACKBOX.CLASS ... Found the Exploit-ByteVerify trojan !!! |