regsvr.exe and q387.exe

  • Thread starter Thread starter N Cook
  • Start date Start date
N

N Cook

Very little about this set of rogue diallers / trojans / virii or whatever
it would seem on the net
so if any use placed here.
Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
, and creating ever growing files comreads.dbg and comused.dbg
First 2 lines of comreads reading (edited)
Port opened, internal buffer = 0x007... to 0x00..
Overlapped Read -- 24 bytes 0x007... to 0x007... :

Disabled those but could not track down where q387.exe was hiding.
In Task Manager the name would blip up on Processes and disappear again
every 10 seconds or so,
the cursor dipping at same times and in other appls.
Every now and then CMD.EXE (as upper case) would do the same in TM .

I updated spybot search & destroy but it told me congratulations for
having no immediate threats.

Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
disappeared, apparently, since.
That is distinct from cmd.exe (lower case) files which I left in place.

Perhaps q387.exe has been converted so it can hide itself.
previous net references to it have precise locations
eg
hidden in \countrydial.exe
or as
.... \Local Settings\Temp\q387.exe
....\WINDOWS\q387.exe

Anyone know what q387 was doing ?

Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
Processes, for the moment
 
From: "N Cook" <[email protected]>

| Very little about this set of rogue diallers / trojans / virii or whatever
| it would seem on the net
| so if any use placed here.
| Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
| , and creating ever growing files comreads.dbg and comused.dbg
| First 2 lines of comreads reading (edited)
| Port opened, internal buffer = 0x007... to 0x00..
| Overlapped Read -- 24 bytes 0x007... to 0x007... :
|
| Disabled those but could not track down where q387.exe was hiding.
| In Task Manager the name would blip up on Processes and disappear again
| every 10 seconds or so,
| the cursor dipping at same times and in other appls.
| Every now and then CMD.EXE (as upper case) would do the same in TM .
|
| I updated spybot search & destroy but it told me congratulations for
| having no immediate threats.
|
| Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
| disappeared, apparently, since.
| That is distinct from cmd.exe (lower case) files which I left in place.
|
| Perhaps q387.exe has been converted so it can hide itself.
| previous net references to it have precise locations
| eg
| hidden in \countrydial.exe
| or as
| ... \Local Settings\Temp\q387.exe
| ...\WINDOWS\q387.exe
|
| Anyone know what q387 was doing ?
|
| Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
| Processes, for the moment
|

You are infected with at least one Trojan and the RBot/SDBot worm.



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

References:
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
 
David H. Lipman said:
From: "N Cook" <[email protected]>

| Very little about this set of rogue diallers / trojans / virii or whatever
| it would seem on the net
| so if any use placed here.
| Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
| , and creating ever growing files comreads.dbg and comused.dbg
| First 2 lines of comreads reading (edited)
| Port opened, internal buffer = 0x007... to 0x00..
| Overlapped Read -- 24 bytes 0x007... to 0x007... :
|
| Disabled those but could not track down where q387.exe was hiding.
| In Task Manager the name would blip up on Processes and disappear again
| every 10 seconds or so,
| the cursor dipping at same times and in other appls.
| Every now and then CMD.EXE (as upper case) would do the same in TM .
|
| I updated spybot search & destroy but it told me congratulations for
| having no immediate threats.
|
| Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
| disappeared, apparently, since.
| That is distinct from cmd.exe (lower case) files which I left in place.
|
| Perhaps q387.exe has been converted so it can hide itself.
| previous net references to it have precise locations
| eg
| hidden in \countrydial.exe
| or as
| ... \Local Settings\Temp\q387.exe
| ...\WINDOWS\q387.exe
|
| Anyone know what q387 was doing ?
|
| Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
| Processes, for the moment
|

You are infected with at least one Trojan and the RBot/SDBot worm.



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

References:
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
Click to expand...

I've downloaded the multi_av but before trying it I
thought i'd do a bit more dective work

on IE startup this file alt.exe seems to emerge and
send a 1KB file to
http://musah.info/st3d/uprav.php

which URL would seem to be connected with Dlstwoyle Trojan
 
David H. Lipman said:
From: "N Cook" <[email protected]>

| Very little about this set of rogue diallers / trojans / virii or whatever
| it would seem on the net
| so if any use placed here.
| Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
| , and creating ever growing files comreads.dbg and comused.dbg
| First 2 lines of comreads reading (edited)
| Port opened, internal buffer = 0x007... to 0x00..
| Overlapped Read -- 24 bytes 0x007... to 0x007... :
|
| Disabled those but could not track down where q387.exe was hiding.
| In Task Manager the name would blip up on Processes and disappear again
| every 10 seconds or so,
| the cursor dipping at same times and in other appls.
| Every now and then CMD.EXE (as upper case) would do the same in TM .
|
| I updated spybot search & destroy but it told me congratulations for
| having no immediate threats.
|
| Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
| disappeared, apparently, since.
| That is distinct from cmd.exe (lower case) files which I left in place.
|
| Perhaps q387.exe has been converted so it can hide itself.
| previous net references to it have precise locations
| eg
| hidden in \countrydial.exe
| or as
| ... \Local Settings\Temp\q387.exe
| ...\WINDOWS\q387.exe
|
| Anyone know what q387 was doing ?
|
| Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
| Processes, for the moment
|

You are infected with at least one Trojan and the RBot/SDBot worm.



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

References:
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
Click to expand...

Unzipped ok into
C:\AV-CLS\
with 21 files
but whether on or off line would not start,
returning
"Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)"
despite double-clicking on its label

Running
C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
opens but fails to find material also

Windows 2000 if relevant
 
From: "N Cook" <[email protected]>


| Unzipped ok into
| C:\AV-CLS\
| with 21 files
| but whether on or off line would not start,
| returning
| "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)"
| despite double-clicking on its label
|
| Running
| C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
| opens but fails to find material also
|
| Windows 2000 if relevant
|

I don't uderstand the problem you are having.

If all 21 files are in the folder C:\AV-CLS the it should all work.

Verify that C:\AV-CLS does indeed have 21 files.

Open a Command Prompt.

Type the following commands...

cd\av-cls
kix32 menu.kix

Any error messages displayed ?
If yes, what are they ?
 
David H. Lipman said:
From: "N Cook" <[email protected]>


| Unzipped ok into
| C:\AV-CLS\
| with 21 files
| but whether on or off line would not start,
| returning
| "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)"
| despite double-clicking on its label
|
| Running
| C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
| opens but fails to find material also
|
| Windows 2000 if relevant
|

I don't uderstand the problem you are having.

If all 21 files are in the folder C:\AV-CLS the it should all work.

Verify that C:\AV-CLS does indeed have 21 files.

Open a Command Prompt.

Type the following commands...

cd\av-cls
kix32 menu.kix

Any error messages displayed ?
If yes, what are they ?
Click to expand...

I went into command prompt to start
about 5 hours ago, before seeing your latest post . Took about 5 hours to
scan C:

starting with "DOS" command.
C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
selected McAfee , scanned WINNT and then remainder of C: after ********
Q_Z_Q(+incrementing number) is my renaming of suspect files to temporarily,
if necessary, nullify

...... is my edits

Virus Scan Results
----------------------------------------------------------------------------
----
C:\WINNT\adsldpbf.dll\adsldpbf.dll ... Found the Downloader-ASC trojan !!!
The file or process has been deleted.
C:\WINNT\alt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINNT\Q_Z_Q2alex6.exe\Q_Z_Q2alex6.exe ... Found potentially unwanted
program Dialer-Generic.c.
The file or process has been deleted.
C:\WINNT\Q_Z_Q2alt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINNT\Q_Z_Qalt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINNT\Q_Z_Qgcac.exe\Q_Z_Qgcac.exe ... Found the Generic Downloader.k
trojan !!!
The file or process has been deleted.
C:\WINNT\q461042.dll\q461042.dll ... Found the Generic Downloader.t trojan
!!!
The file or process has been deleted.
Scanning C:\WINNT\*.*
C:\WINNT\Downloaded Program Files\dai.exe ... Found potentially unwanted
program Dialer-gen.
The file or process has been deleted.

Summary report on C:\WINNT\*.*
File(s)
Total files: ........... 21833
Clean: ................. 21812
Possibly Infected: ..... 9
Cleaned: ............... 0
Deleted: ............... 14
Non-critical Error(s): 1

***********************

C:\Documents and Settings\Administrator\Application

Data\Q_Z_Qsgrunt\Q_Z_QIE4321.exe\Q_Z_QIE4321.exe ... Found the QLowZones-15
trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temp\whatever (1).exe
.... Found the W32/Aliz@MM

virus !!!
The file or process has been deleted.

Deleted 50 or so numbered repeats up to

C:\Documents and Settings\Administrator\Local Settings\Temp\whatever (9).exe
.... Found the W32/Aliz@MM

virus !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temp\whatever.exe ...
Found the W32/Aliz@MM

virus !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\4L.....MN\299[1].exe\299[1].exe ... Found potentially
unwanted program Dialer-188.
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\4.....CTMN\w[1].exe\w[1].exe ... Found the Generic
Downloader.k trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\4.....818N\alex6[1].exe\alex6[1].exe ... Found potentially
unwanted program

Dialer-Generic.c.
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\G.....AD0T\dai[1].exe ... Found potentially unwanted
program Dialer-gen.
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\G.....AD0T\w[1].exe\w[1].exe ... Found the Generic
Downloader.k trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\U.....6HAW\archive[1].jar\A.CLASS ... Found the
Exploit-ByteVerify trojan !!!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\U.....HAW\archive[1].jar\BEYOND.CLASS ... Found the
Exploit-ByteVerify trojan !!!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet

Files\Content.IE5\U.....6HAW\archive[1].jar\BLACKBOX.CLASS ... Found the
Exploit-ByteVerify trojan !!!
 
David H. Lipman said:
From: "N Cook" <[email protected]>


| Unzipped ok into
| C:\AV-CLS\
| with 21 files
| but whether on or off line would not start,
| returning
| "Cannot find the file C:\AV-CLS\StartMenu.bat (or one of its components)"
| despite double-clicking on its label
|
| Running
| C:\AV-CLS\kix32 C:\AV-CLS\menu.kix
| opens but fails to find material also
|
| Windows 2000 if relevant
|

I don't uderstand the problem you are having.

If all 21 files are in the folder C:\AV-CLS the it should all work.

Verify that C:\AV-CLS does indeed have 21 files.

Open a Command Prompt.

Type the following commands...

cd\av-cls
kix32 menu.kix

Any error messages displayed ?
If yes, what are they ?
Click to expand...

I first typed h for help
Acrobat (4 if relevant ) opened
and 5 times I closed the "There was an error opening the
doc. The file does not exist " box
before it returned to menu.
 
From: "N Cook" <[email protected]>

| I first typed h for help
| Acrobat (4 if relevant ) opened
| and 5 times I closed the "There was an error opening the
| doc. The file does not exist " box
| before it returned to menu.
|

Just double click on; "C:\AV-CLS\Multi AV Command Line Scanner.PDF"

If you ar using NT4, you should delete Acrobat v4.x, reboot the PC and install Acrobat v7.x
http://www.adobe.com/products/acrobat/readstep2.html

The log snippet shows there are Java Script Trojans as .CLASS files in Java Jars.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\Content.IE5...

Please logon as'administrator' and dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

W32/Aliz@MM -- http://vil.nai.com/vil/content/v_99260.htm

This is an old worm that exploits and old vulner ability.

You need to have win2K SP4 and the post SP4 Update RollOut installed on teh PC as well as
IE6 SP1 and all Critical updates installed on your PC.

You also show adware with the Trojans and Virus found on the computer.

You'll need to scan with McAfee in Normal Mode and in Safe Mode and use another scanner such
as Sophos and/or Kaspersky and Normal and safe Modes.

Then we can go on from there...
 
Back
Top