jonah

Rads01.Quadrogram

4 posts in this topic

Recently, I was infected with the CoolWebSearch virus, but with CWShredder running in safe mode, I believe I got rid of it. I think (although am not positive) that my current problems are unrelated.

 

Every time I reboot, the Rads01.Quadrogram keeps loading itself onto my system. I run Ad-aware 6.0 (with the latest build, I just updated it a half-hour ago), and it successfully identifies and supposedly removes all associated files, until I reboot again, and the Quadrogram comes back. (I've run Ad-aware using In-depth scanning and all the settings I've found recommended on the Lavasoft site.)

 

Please help!! I ran Ad-aware, rebooted, ran Ad-aware again, and then generated the following HijackThis Logfile:

 

Logfile of HijackThis v1.98.0

Scan saved at 9:59:47 AM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\NavNT\vptray.exe

C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxaco.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oxwe2.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe

O4 - HKLM\..\Run: [sdknb32.exe] C:\WINDOWS\system32\sdknb32.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)

O20 - AppInit_DLLs: C:\WINDOWS\System32\TAPI3152a.dll


You're still showing signs of CoolWebSearch - but first let's work on the Rads01.Quadrogram - which is also known as Peper. Its presence can hamper the effectiveness of some of the other removal tools.

 

It's also gotten more resistant, so let's hit it in Safe Mode. But, first, download Peperfix.exe from http://downloads.subratam.org/PeperFix.exe and save it to your Desktop.

 

Next make sure you have Ad-aware set up for a Full Scan:

 

Click on the Gear icon (second from the left) to access the preferences/settings window

  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL's
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
      • All of your hard drives

Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

 

We're not going to run Ad-aware yet, but when we do, after you click Start, on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose Use Custom Scanning Options.

 

OK, boot your computer into Safe Mode and:

  • Run PeperFix (make sure each program is closed when finished)
  • Run Ad-aware Full Scan
  • Run CWShredder
  • Run a HJT scan

Some of these items may be gone at this point, mark all that remain for removal:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxaco.dll/sp.html#37680

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

 

R3 - Default URLSearchHook is missing

 

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oxwe2.exe

 

O4 - HKLM\..\Run: [sdknb32.exe] C:\WINDOWS\system32\sdknb32.exe

 

O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe

 

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Still in Safe Mode, Open Windows Explorer and reconfigure it to Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the Files and Folders section.

Select: Display the contents of system folders.

 

Scroll down to the Hidden Files and Folders section.

Select: Show hidden files and folders, Ok the prompt

Uncheck: Hide file extensions for known file types

Uncheck: Hide protected operating system files

Ok the Prompt, click Apply

 

Click the Apply to all Folders button.

 

Find and delete (if still existing) these files:

 

C:\WINDOWS\System32\Oxwe2.exe

C:\WINDOWS\system32\sdknb32.exe

 

The location of ipskmon.exe wasn't revealed so you'll need to search for it - it will likely be in the C:\WINDOWS or C:\WINDOWS\System32 folders - if it still exists.

 

Reboot normally, run another HJT scan, and post it here for further review.

Edited by Fireflyer


Thanks for the help! Unfortunately, I followed all the steps and I still couldn't get rid of TAPI[something]a.dll (don't remember the filename). It told me (in safe mode) that I didn't have the permissions to delete it. Now that I look at the post again though, your reply is missing the direction to delete this file. Did you edit that out?

 

Anyway, here's my HJT file immediately after I rebooted after trying all your suggestions. Thanks again for your help!

 

Logfile of HijackThis v1.98.0

Scan saved at 11:53:12 PM, on 7/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\PROGRA~1\NavNT\vptray.exe

C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)

O20 - AppInit_DLLs: C:\WINDOWS\System32\MIMEFILT715b.dll


Yes, I edited my post - I wasn't sure if you'd seen it yet, and I had some doubts about that item. Next time though I'll just make a second post explaining the doubts, as I see now that editing it out can cause confusion.

 

A "super hidden" AppInit_DLL is a key ingredient in one of the CWS about:blank variants - they would not show up in the earlier HijackThis logs - seeing that one in your log made with the new 1.98 HJT, immediately attracted my attention.

 

Originally I felt that TAPI3152a.dll was bad because I couldn't find any info on it through extensive research - that's almost always an indication of something fishy. However, during more research, I discovered that TAPI is short for Telephony Application Programming Interface, an API for connecting a PC running Windows to telephone services. So I felt I needed to check with you to see if you had any Telephone related applications installed.

 

Since you couldn't delete the TAPI3152a.dll it should still be there. It's not, but another AppInit_DLL is now there. So, it appears to have changed names - that is again suspicious - legit files don't change names - and, I'm finding no info on it either, so that's even more suspicious.

 

The main CWS infection looks better - but there are still some lingering fragments. I also see the ipskmon.exe file still present which appears to be a Peper fragment - however, the main Peper signature is gone.

 

Download About:Buster Version 1.27 and unzip it to your desktop.

 

Boot into Safe Mode again, run a HJT scan and mark these:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

 

R3 - Default URLSearchHook is missing

 

O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe

 

O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked. Close HJT when done.

 

Still in Safe Mode, open Windows Explorer and make another try at finding and deleting ipskmon.exe.

 

Close Windows Explorer before proceeding. Stay in Safe Mode and:

  • Run Peperfix.
  • Run About:Buster - Start it, hit OK, Start, And OK again to start the scan. It will generate a log in the central window. Copy it to a text file for posting here.
  • Run Ad-aware.

Reboot normally, run another HJT scan, and post it here along with the About:Buster log. Let me know about any Telephone Applications and let's see if that AppInit_DLL is still there or changes names again.

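The checks Fireflyer applies by hand in this thread (a search page pointing at a res:// resource inside a local DLL, a Run entry with no directory such as ipskmon.exe, an orphaned browser button, and any AppInit_DLLs entry) can be automated over a HijackThis log. The script below is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs above, and the heuristics are the poster's reasoning restated as rules, not an official HJT ruleset.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe
O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\MIMEFILT715b.dll
"""

# Every HJT line starts with a section code (R0, O4, O20, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def analyze_line(line: str):
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and "= res://" in body:
        # Search/start page served from a resource inside a local DLL: the CWS pattern.
        return Finding(code, "IE search/start page points into a local DLL via res://", line)
    if code == "O4":
        # Run value: "[name] command args". An executable with no directory part
        # resolves through the search path, so its real location is unknown.
        cmd = body.split("] ", 1)[1] if "] " in body else body
        exe = cmd.strip().strip('"').split(" ")[0]
        if "\\" not in exe:
            return Finding(code, "autorun entry gives no directory; locate the file before judging it", line)
    if code == "O9" and "(no file)" in body:
        return Finding(code, "browser button references a file that no longer exists", line)
    if code == "O20":
        # AppInit_DLLs is loaded into every process that loads user32.dll; always verify.
        return Finding(code, "AppInit_DLLs entry loads into every GUI process; verify the DLL", line)
    return None


def analyze_log(text: str):
    """Run analyze_line over every line of a HijackThis log and collect findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```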