From: N Cook on
Very little about this set of rogue diallers / trojans / virii or whatever
it would seem on the net
so if any use placed here.
Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
, and creating ever growing files comreads.dbg and comused.dbg
First 2 lines of comreads reading (edited)
Port opened, internal buffer = 0x007... to 0x00..
Overlapped Read -- 24 bytes 0x007... to 0x007... :

Disabled those but could not track down where q387.exe was hiding.
In Task Manager the name would blip up on Processes and disappear again
every 10 seconds or so,
the cursor dipping at same times and in other appls.
Every now and then CMD.EXE (as upper case) would do the same in TM .

I updated spybot search & destroy but it told me congratulations for
having no immediate threats.

Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
disappeared, apparently, since.
That is distinct from cmd.exe (lower case) files which I left in place.

Perhaps q387.exe has been converted so it can hide itself.
previous net references to it have precise locations
eg
hidden in \countrydial.exe
or as
.... \Local Settings\Temp\q387.exe
....\WINDOWS\q387.exe

Anyone know what q387 was doing ?

Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
Processes, for the moment





From: David H. Lipman on
From: "N Cook" <diverse(a)tcp.co.uk>

| Very little about this set of rogue diallers / trojans / virii or whatever
| it would seem on the net
| so if any use placed here.
| Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
| , and creating ever growing files comreads.dbg and comused.dbg
| First 2 lines of comreads reading (edited)
| Port opened, internal buffer = 0x007... to 0x00..
| Overlapped Read -- 24 bytes 0x007... to 0x007... :
|
| Disabled those but could not track down where q387.exe was hiding.
| In Task Manager the name would blip up on Processes and disappear again
| every 10 seconds or so,
| the cursor dipping at same times and in other appls.
| Every now and then CMD.EXE (as upper case) would do the same in TM .
|
| I updated spybot search & destroy but it told me congratulations for
| having no immediate threats.
|
| Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
| disappeared, apparently, since.
| That is distinct from cmd.exe (lower case) files which I left in place.
|
| Perhaps q387.exe has been converted so it can hide itself.
| previous net references to it have precise locations
| eg
| hidden in \countrydial.exe
| or as
| ... \Local Settings\Temp\q387.exe
| ...\WINDOWS\q387.exe
|
| Anyone know what q387 was doing ?
|
| Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
| Processes, for the moment
|

You are infected with at least one Trojan and the RBot/SDBot worm.



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

References:
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: N Cook on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:EBbtf.2$yW1.0(a)trnddc05...
> From: "N Cook" <diverse(a)tcp.co.uk>
>
> | Very little about this set of rogue diallers / trojans / virii or
whatever
> | it would seem on the net
> | so if any use placed here.
> | Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading
ports
> | , and creating ever growing files comreads.dbg and comused.dbg
> | First 2 lines of comreads reading (edited)
> | Port opened, internal buffer = 0x007... to 0x00..
> | Overlapped Read -- 24 bytes 0x007... to 0x007... :
> |
> | Disabled those but could not track down where q387.exe was hiding.
> | In Task Manager the name would blip up on Processes and disappear again
> | every 10 seconds or so,
> | the cursor dipping at same times and in other appls.
> | Every now and then CMD.EXE (as upper case) would do the same in TM .
> |
> | I updated spybot search & destroy but it told me congratulations for
> | having no immediate threats.
> |
> | Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
> | disappeared, apparently, since.
> | That is distinct from cmd.exe (lower case) files which I left in place.
> |
> | Perhaps q387.exe has been converted so it can hide itself.
> | previous net references to it have precise locations
> | eg
> | hidden in \countrydial.exe
> | or as
> | ... \Local Settings\Temp\q387.exe
> | ...\WINDOWS\q387.exe
> |
> | Anyone know what q387 was doing ?
> |
> | Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
> | Processes, for the moment
> |
>
> You are infected with at least one Trojan and the RBot/SDBot worm.
>
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
Normal Mode.
> This way all the components can be downloaded from each AV vendor's web
site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
or you can
> download the files and perform a scan in Normal Mode. Once you have
downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
>
> * * * Please report back your results * * *
>
> References:
> http://spl.haxial.net/viruses.html
> http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Unzipped ok into
C:\AV-CLS\
with 21 files
but whether on or off line would not start,
returning
"Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)"
despite double-clicking on its label

Running
C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
opens but fails to find material also

Windows 2000 if relevant






From: David H. Lipman on
From: "N Cook" <diverse(a)tcp.co.uk>


| Unzipped ok into
| C:\AV-CLS\
| with 21 files
| but whether on or off line would not start,
| returning
| "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)"
| despite double-clicking on its label
|
| Running
| C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
| opens but fails to find material also
|
| Windows 2000 if relevant
|

I don't uderstand the problem you are having.

If all 21 files are in the folder C:\AV-CLS the it should all work.

Verify that C:\AV-CLS does indeed have 21 files.

Open a Command Prompt.

Type the following commands...

cd\av-cls
kix32 menu.kix

Any error messages displayed ?
If yes, what are they ?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: N Cook on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:CQwtf.743$0c.490(a)trnddc07...
> From: "N Cook" <diverse(a)tcp.co.uk>
>
>
> | Unzipped ok into
> | C:\AV-CLS\
> | with 21 files
> | but whether on or off line would not start,
> | returning
> | "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its
components)"
> | despite double-clicking on its label
> |
> | Running
> | C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
> | opens but fails to find material also
> |
> | Windows 2000 if relevant
> |
>
> I don't uderstand the problem you are having.
>
> If all 21 files are in the folder C:\AV-CLS the it should all work.
>
> Verify that C:\AV-CLS does indeed have 21 files.
>
> Open a Command Prompt.
>
> Type the following commands...
>
> cd\av-cls
> kix32 menu.kix
>
> Any error messages displayed ?
> If yes, what are they ?
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

I went into command prompt to start
about 5 hours ago, before seeing your latest post . Took about 5 hours to
scan C:

starting with "DOS" command.
C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
selected McAfee , scanned WINNT and then remainder of C: after ********
Q_Z_Q(+incrementing number) is my renaming of suspect files to temporarily,
if necessary, nullify

...... is my edits

Virus Scan Results
----------------------------------------------------------------------------
----
C:\WINNT\adsldpbf.dll\adsldpbf.dll ... Found the Downloader-ASC trojan !!!
The file or process has been deleted.
C:\WINNT\alt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINNT\Q_Z_Q2alex6.exe\Q_Z_Q2alex6.exe ... Found potentially unwanted
program Dialer-Generic.c.
The file or process has been deleted.
C:\WINNT\Q_Z_Q2alt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINNT\Q_Z_Qalt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINNT\Q_Z_Qgcac.exe\Q_Z_Qgcac.exe ... Found the Generic Downloader.k
trojan !!!
The file or process has been deleted.
C:\WINNT\q461042.dll\q461042.dll ... Found the Generic Downloader.t trojan
!!!
The file or process has been deleted.
Scanning C:\WINNT\*.*
C:\WINNT\Downloaded Program Files\dai.exe ... Found potentially unwanted
program Dialer-gen.
The file or process has been deleted.

Summary report on C:\WINNT\*.*
File(s)
Total files: ........... 21833
Clean: ................. 21812
Possibly Infected: ..... 9
Cleaned: ............... 0
Deleted: ............... 14
Non-critical Error(s): 1

***********************

C:\Documents and Settings\Administrator\Application

Data\Q_Z_Qsgrunt\Q_Z_QIE4321.exe\Q_Z_QIE4321.exe ... Found the QLowZones-15
trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temp\whatever (1).exe
.... Found the W32/Aliz(a)MM

virus !!!
The file or process has been deleted.

Deleted 50 or so numbered repeats up to

C:\Documents and Settings\Administrator\Local Settings\Temp\whatever (9).exe
.... Found the W32/Aliz(a)MM

virus !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temp\whatever.exe ...
Found the W32/Aliz(a)MM

virus !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\4L.....MN\299[1].exe\299[1].exe ... Found potentially
unwanted program Dialer-188.
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\4.....CTMN\w[1].exe\w[1].exe ... Found the Generic
Downloader.k trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\4.....818N\alex6[1].exe\alex6[1].exe ... Found potentially
unwanted program

Dialer-Generic.c.
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\G.....AD0T\dai[1].exe ... Found potentially unwanted
program Dialer-gen.
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\G.....AD0T\w[1].exe\w[1].exe ... Found the Generic
Downloader.k trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\U.....6HAW\archive[1].jar\A.CLASS ... Found the
Exploit-ByteVerify trojan !!!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\U.....HAW\archive[1].jar\BEYOND.CLASS ... Found the
Exploit-ByteVerify trojan !!!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\U.....6HAW\archive[1].jar\BLACKBOX.CLASS ... Found the
Exploit-ByteVerify trojan !!!





 |  Next  |  Last
Pages: 1 2
Prev: Decompression bomb?
Next: mrtstub.exe advice needed