AndyManchesta
Hi Stuart

I was just looking for your previous post but it now says "Message Unavailable" using the http address to access this newsgroup. This happens a lot on here so I'm not sure what the motives behind that are. I used Mozilla Thunderbird and was able to read the messages and can see the CLSID has now changed on your machine, so the infection had regenerated.

There aren't really any problems in your log except for the BHO entry. Vundo isn't being called from Winlogon this time so it's looking better than your last logs. The O10 is showing "Broken internet connection" but this is just a bug in HijackThis. The LSP is valid, so it "Should Not" be fixed using HijackThis, as fixing it will cause internet connection problems.
If you do ever have connection problems in the future then go to Start, Run, type cmd and press Enter, then copy and paste this:

netsh winsock reset

and press Enter again to rebuild the LSP chain.
The ProxyOverride on yours looks like this:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

But it should look like this:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>

Setting the value of 'ProxyOverride' to equal '<local>' will stop internal addresses from going through the proxy. You can easily change this by opening an IE browser window and going to "Tools" then "Internet Options". Next go to the "Connections" tab and press "LAN Settings", then uncheck "Bypass Proxy Server For Local Addresses" and that will remove that line, then press OK.

I don't want to fix that line using HijackThis as it may be genuine and required for you, but I wanted to let you know how to change this if it's something you do not need.
Check this entry with HijackThis:

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstqo.dll (file missing)

Close all open browser windows except HijackThis and press "Fix Checked".
These are all optional fixes and it's up to you if you want to remove them. They will be automatically downloaded again next time you use the games if they are required.

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
I believe Vundo can store backups in the folder it infected with the dll, but they are written backwards to make it easier for the infection to regenerate.

Next enable hidden files and folders (go to Start Menu and Search, then Tools on the top bar, choose Folder Options, then go to the View tab). Make sure that 'Show hidden files and folders' is enabled, 'Display the contents of system folders' is checked and 'Hide extensions for known file types' is not checked, then press Apply.

You should set this back later by opening the same page and pressing 'Restore Defaults' then pressing Apply.

Check for these files and delete them if any exist (go into system32 and look for them):
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\oqtss.tmp1
C:\WINDOWS\system32\oqtss.tmp2
Then run an antivirus scan here:

ActiveScan
http://www.pandasoftware.com/products/activescan.htm
Let us know if you have more problems with this. I'd like to get Vundo myself to run some tests on it but it's difficult to know where it's coming from. I helped someone remove it and was given a link to a codec bundle which they thought infected them, but I didn't get any problems by installing the codec bundle on my test PC, so if you know the site that may have given you the infection then please email it to me.

Regards
Andy
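As an added example (my own code, not part of Andy's post and not HijackThis's own logic), here is a small Python triage script that applies the two checks described above to HijackThis-style log lines: it flags a ProxyOverride value other than `<local>`, and for each O2 BHO entry it derives the reversed-name backup files Vundo is said to leave beside the dll (sstqo.dll giving oqtss.bak1, oqtss.bak2, and so on). The R1 and O2 line formats are assumed from the lines quoted in the post, and the suffix list is taken from the file list in the post; the sample log is a static string built from those same lines, not a scan of any machine.

```python
import re
from pathlib import PureWindowsPath

# Sample lines copied from the HijackThis log quoted in the post above
# (a constructed static string, not a live scan of any machine).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstqo.dll (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
"""

# The only ProxyOverride value the post treats as correct.
EXPECTED_PROXY_OVERRIDE = "<local>"

# Backup-file suffixes taken from the list of files the post asks to delete
# (oqtss.bak1 ... oqtss.tmp2 next to sstqo.dll). Assumed to be the full set.
BACKUP_SUFFIXES = (".bak1", ".bak2", ".ini", ".ini2", ".tmp", ".tmp1", ".tmp2")

# Line formats inferred from the quoted R1 and O2 entries (an assumption).
R1_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyOverride = (?P<value>.*)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?: \(file missing\))?$"
)


def proxy_override_value(log_text):
    """Return the ProxyOverride value from the R1 line, or None if absent."""
    for line in log_text.splitlines():
        m = R1_RE.match(line.strip())
        if m:
            return m.group("value").strip()
    return None


def proxy_override_ok(value):
    """True only for the exact '<local>' setting the post recommends."""
    return value == EXPECTED_PROXY_OVERRIDE


def bho_entries(log_text):
    """Parse O2 BHO lines into dicts with name, clsid, path and missing flag."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
                "missing": line.rstrip().endswith("(file missing)"),
            })
    return entries


def vundo_backup_candidates(dll_path):
    """Reverse the dll's base name and pair it with each backup suffix in the
    same folder: sstqo.dll -> oqtss.bak1, oqtss.bak2, ... oqtss.tmp2."""
    p = PureWindowsPath(dll_path)
    reversed_stem = p.stem[::-1]
    return [str(p.parent / (reversed_stem + suffix)) for suffix in BACKUP_SUFFIXES]


def triage(log_text):
    """Produce the review notes a helper would write for these log lines."""
    findings = []
    value = proxy_override_value(log_text)
    if value is not None and not proxy_override_ok(value):
        findings.append(
            f"ProxyOverride is {value!r}; expected {EXPECTED_PROXY_OVERRIDE!r}"
        )
    for bho in bho_entries(log_text):
        state = "file missing" if bho["missing"] else "file present"
        findings.append(f"BHO {bho['clsid']} -> {bho['path']} ({state})")
        # A missing BHO dll is exactly the case where the reversed-name
        # backups matter: they are what lets the infection come back.
        for candidate in vundo_backup_candidates(bho["path"]):
            findings.append(f"  look for: {candidate}")
    return findings


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

The script only reports; it never deletes anything. On the sample log it produces nine notes: the ProxyOverride mismatch, the BHO entry, and the seven oqtss.* paths to look for in system32, which is the same list the post gives by hand.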