Rads01.Quadrogram

3 replies to this topic

#1 jonah

jonah

    Member

  • New Member
  • 2 posts

Posted 09 July 2004 - 10:09 AM

Recently, I was infected with the CoolWebSearch virus, but with CWShredder running in safe mode, I believe I got rid of it. I think (although am not positive) that my current problems are unrelated.

Every time I reboot, the Rads01.Quadrogram keeps loading itself onto my system. I run Ad-aware 6.0 (with the latest build; I just updated it a half-hour ago), and it successfully identifies and supposedly removes all associated files, until I reboot again and the Quadrogram comes back. (I've run Ad-aware using In-depth scanning and all the settings I've found recommended on the Lavasoft site.)

Please help!! I ran Ad-aware, rebooted, ran Ad-aware again, and then generated the following HijackThis Logfile:

Logfile of HijackThis v1.98.0
Scan saved at 9:59:47 AM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxaco.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oxwe2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [sdknb32.exe] C:\WINDOWS\system32\sdknb32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\TAPI3152a.dll

#2 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 11 July 2004 - 06:56 PM

You're still showing signs of CoolWebSearch - but first let's work on the Rads01.Quadrogram - which is also known as Peper. Its presence can hamper the effectiveness of some of the other removal tools.

It's also gotten more resistant, so let's hit it in Safe Mode. But, first, download Peperfix.exe from http://downloads.sub...rg/PeperFix.exe and save it to your Desktop.

Next make sure you have Ad-aware set up for a Full Scan:

Click on the Gear icon (second from the left) to access the preferences/settings window
  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
      • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

We're not going to run Ad-aware yet, but when we do, after you click Start, on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose Use Custom Scanning Options.

OK, boot your computer into Safe Mode and:
  • Run PeperFix (make sure each program is closed when finished)
  • Run Ad-aware Full Scan
  • Run CWShredder
  • Run a HJT scan
Some of these items may be gone at this point, mark all that remain for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxaco.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oxwe2.exe

O4 - HKLM\..\Run: [sdknb32.exe] C:\WINDOWS\system32\sdknb32.exe

O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Still in Safe Mode, Open Windows Explorer and reconfigure it to Enable Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the Files and Folders section.
Select: Display the contents of system folders.

Scroll down to the Hidden Files and Folders section.
Select: Show hidden files and folders, Ok the prompt
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files
Ok the Prompt, click Apply

Click the Apply to all Folders button.

Find and delete (if still existing) these files:

C:\WINDOWS\System32\Oxwe2.exe
C:\WINDOWS\system32\sdknb32.exe

The location of ipskmon.exe wasn't revealed so you'll need to search for it - it will likely be in the C:\WINDOWS or C:\WINDOWS\System32 folders - if it still exists.

Reboot normally, run another HJT scan, and post it here for further review.

Edited by Fireflyer, 13 July 2004 - 12:44 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.
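The entries Fireflyer marks above fall into a few recognisable shapes: IE search settings redirected to a local DLL via res://, a Run value with a random-looking name, a Run value that names a bare executable with no path (so the file's location is not revealed), a toolbar button whose file is gone, and a non-empty AppInit_DLLs value. The following is an added example, not code from the thread or from any of the tools it names: a small Python triage pass that parses HijackThis-style log lines and flags those shapes. The sample lines are constructed from the log posted above; the name heuristic (`RANDOM_NAME_RE`) is an assumption of this example, not a HijackThis rule, and the benign lines are included to show they are left alone.

```python
import re

# Constructed sample: entry lines in the shape of the HijackThis 1.98 log posted above
# (paths and CLSIDs are the ones from that log; the benign lines are there to show
# that the heuristics leave them alone).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oxwe2.exe
O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\TAPI3152a.dll
"""

# "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic (this example's assumption, not a HijackThis rule): a Run value name made
# only of letters and digits with at least two digits, like 2LRX2W83X2T3MQ, looks
# machine-generated rather than vendor-chosen.
RANDOM_NAME_RE = re.compile(r"^(?=(?:.*\d){2})[A-Za-z0-9]+$")


def triage(log_text):
    """Return a list of (line, reason) for the log entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = None
        if line[:2] in ("R0", "R1") and "= res://" in line:
            reason = "IE search/start page is served from a local DLL via res://"
        elif line.startswith("R3") and "is missing" in line:
            reason = "default URLSearchHook has been removed"
        elif line.startswith("O4"):
            m = O4_RE.match(line)
            if m and "\\" not in m.group("cmd"):
                reason = "Run entry names a bare executable with no path"
            elif m and RANDOM_NAME_RE.match(m.group("name")):
                reason = "Run entry has a random-looking value name"
        elif line.startswith("O9") and "(no file)" in line:
            reason = "toolbar button points at a file that no longer exists"
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reason = "AppInit_DLLs loads this DLL into every process that loads user32.dll"
        if reason:
            findings.append((line, reason))
    return findings


def flagged_lines(log_text):
    """Just the flagged lines, in log order."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run on the constructed sample, the six entries Fireflyer marked come back flagged and the Yahoo start page, the Symantec vptray entry and the AIM button do not. A pass like this only orders the review; as the thread itself shows with sdknb32.exe (a plausible-looking name in system32), the final call still rests on checking each file.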

#3 jonah

jonah

    Member

  • New Member
  • 2 posts

Posted 13 July 2004 - 11:59 PM

Thanks for the help! Unfortunately, I followed all the steps and I still couldn't get rid of TAPI[something]a.dll (don't remember the filename). It told me (in safe mode) that I didn't have the permissions to delete it. Now that I look at the post again though, your reply is missing the direction to delete this file. Did you edit that out?

Anyway, here's my HJT file immediately after I rebooted after trying all your suggestions. Thanks again for your help!

Logfile of HijackThis v1.98.0
Scan saved at 11:53:12 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\MIMEFILT715b.dll

#4 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 14 July 2004 - 11:56 AM

Yes, I edited my post - I wasn't sure if you'd seen it yet, and I had some doubts about that item. Next time though I'll just make a second post explaining the doubts, as I see now that editing it out can cause confusion.

A "super hidden" AppInit_DLL is a key ingredient in one of the CWS about:blank variants - they would not show up in the earlier HijackThis logs - seeing that one in your log made with the new 1.98 HJT immediately attracted my attention.

Originally I felt that TAPI3152a.dll was bad because I couldn't find any info on it through extensive research - that's almost always an indication of something fishy. However, during more research, I discovered that TAPI is short for Telephony Application Programming Interface, an API for connecting a PC running Windows to telephone services. So I felt I needed to check with you to see if you had any Telephone related applications installed.

Since you couldn't delete the TAPI3152a.dll, it should still be there. It's not, but another AppInit_DLL is now there. So, it appears to have changed names - that is again suspicious - legit files don't change names - and, I'm finding no info on it either, so that's even more suspicious.

The main CWS infection looks better - but there are still some lingering fragments. I also see the ipskmon.exe file still present which appears to be a Peper fragment - however, the main Peper signature is gone.

Download About:Buster Version 1.27 and unzip it to your desktop.

Boot into Safe Mode again, run a HJT scan and mark these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxaco.dll/sp.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe

O9 - Extra button: (no name) - {DD2EC124-1CBB-4206-B30D-CD7FB3144339} - (no file) (HKCU)


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked. Close HJT when done.

Still in Safe Mode, open Windows Explorer and make another try at finding and deleting ipskmon.exe.

Close Windows Explorer before proceeding. Stay in Safe Mode and:
  • Run Peperfix.
  • Run About:Buster - Start it, hit OK, Start, And OK again to start the scan. It will generate a log in the central window. Copy it to a text file for posting here.
  • Run Ad-aware.
Reboot normally, run another HJT scan, and post it here along with the About:Buster log. Let me know about any Telephone Applications and let's see if that AppInit_DLL is still there or changes names again.
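Fireflyer's reasoning in this post comes from comparing the two logs by hand: the AppInit_DLLs entry changed from TAPI3152a.dll to MIMEFILT715b.dll between reboots, which a legitimate component does not do, while the ipskmon.exe Run entry survived the first round of cleaning. The following is an added example, not code from the thread or from HijackThis: a Python comparison of the persistence-related lines (O4 Run values and O20 AppInit_DLLs) from a "before" and an "after" log, reporting what vanished, what appeared and what persisted. The two log excerpts are constructed from the logs posted in this thread; the "renamed" flag is this example's heuristic (one AppInit DLL gone, a different one present), not a HijackThis feature.

```python
import re

# Constructed excerpts: the persistence-related lines from the two logs posted in this
# thread, before and after the first round of cleaning.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oxwe2.exe
O4 - HKLM\..\Run: [sdknb32.exe] C:\WINDOWS\system32\sdknb32.exe
O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\TAPI3152a.dll
"""
AFTER_LOG = r"""
O4 - HKCU\..\Run: [ao49RkMsg] ipskmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\MIMEFILT715b.dll
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>\S.*)$")
O4_RE = re.compile(r"^O4 - .*\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _lines(log_text):
    return [l.strip() for l in log_text.splitlines() if l.strip()]


def appinit_dlls(log_text):
    """Set of DLL paths listed on O20 (AppInit_DLLs) lines."""
    out = set()
    for line in _lines(log_text):
        m = APPINIT_RE.match(line)
        if m:
            out.add(m.group("dll").strip())
    return out


def run_entries(log_text):
    """Set of (value name, command) pairs from O4 Run lines."""
    out = set()
    for line in _lines(log_text):
        m = O4_RE.match(line)
        if m:
            out.add((m.group("name"), m.group("cmd")))
    return out


def compare_logs(before, after):
    """Diff the persistence entries of two logs taken on either side of a cleanup."""
    b_dll, a_dll = appinit_dlls(before), appinit_dlls(after)
    b_run, a_run = run_entries(before), run_entries(after)
    return {
        "appinit_removed": sorted(b_dll - a_dll),
        "appinit_added": sorted(a_dll - b_dll),
        # Heuristic of this example: an AppInit DLL disappeared and a different one
        # took its place; a legitimate component does not change names between reboots.
        "appinit_renamed": bool(b_dll - a_dll) and bool(a_dll - b_dll),
        "run_removed": sorted(b_run - a_run),
        "run_persisting": sorted(b_run & a_run),
    }


if __name__ == "__main__":
    for key, value in compare_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key}: {value}")
```

On the constructed excerpts the result matches the conclusion drawn in the post: the Oxwe2.exe and sdknb32.exe Run entries are gone, the ipskmon.exe entry persists, and the AppInit DLL slot is now occupied by a different unknown file, which is the "changed names" pattern that makes it worth a second look rather than a sign that the earlier file was cleaned.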
