problems after trojan

  1. #1 cabal

    problems after trojan

    On a Win98 system, I got a trojan, download.small.en, after downloading a program from the 'net. AVG diagnosed and killed it, but since then this system is acting very weird. It gets annoying popup windows, loses the toolbar, and the desktop icons do nothing after it has been on for about an hour. I have to push reset to get it back, and then it is fine for another hour or so.
    This kills me because I run Spybot and Ad-Aware and have SpywareBlaster installed. Every time I run one of these now it finds problems and fixes them; I've run them both a few times today and it still happens. I also have the Google Toolbar and Panicware's Pop-Up Stopper installed. I've run HijackThis and bhodmn, but they don't show anything unusual.
    Anyone seen anything like this?
    "You've been livin' on the razor's edge, since you began to shave...
    Make sure you live, you're a long time dead, cradle to the grave"-Motorhead

  2. #2 NooNoo
    Yes, look in the HijackThis log for netpal games or a variant thereof.

    Look in C:\ for an installerupdater.exe.
    Delete the Java applets in the Internet cache.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  3. #3 cabal
    Thanks, NooNoo. I'll try this tomorrow morning.

  4. #4 cabal
    I looked in the HijackThis log but didn't see any entries for either of the items you mentioned. I got curious and installed ZoneAlarm on this system. I noticed that rundll32.exe wanted to access the Internet; when I let it, I got the popup ads, and if I blocked it, the system works fine. It's been running all day without a problem. Does this mean something has corrupted this DLL?

  5. #5 rgharper
    Quote Originally Posted by cabal:
    I looked in the HijackThis log but didn't see any entries for either of the items you mentioned. I got curious and installed ZoneAlarm on this system. I noticed that rundll32.exe wanted to access the Internet; when I let it, I got the popup ads, and if I blocked it, the system works fine. It's been running all day without a problem. Does this mean something has corrupted this DLL?
    Nope, it means you have an adware or spyware DLL on your system. Rundll32 allows a DLL file to run as an executable file, so it's getting blamed for the problem, but it's not the real culprit. The DLL that's calling it is to blame.
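An added example, not code from anyone in this thread, that does mechanically what rgharper describes: it reads HijackThis O4 entries, separates the host binary Windows actually launches from the module that does the work, and flags every rundll32 launch whose DLL is not on an allow-list. The sample lines are constructed from the LoadPowerProfile and AVG entries quoted later in this thread plus one hypothetical adware entry (the WebHelper name and fakeadware.dll are made up); KNOWN_GOOD is an assumed allow-list, not something HijackThis provides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two LoadPowerProfile entries and the AVG entry quoted
# in the thread, plus one hypothetical adware entry ("WebHelper" and
# fakeadware.dll are made up for this example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [WebHelper] rundll32.exe "C:\PROGRAM FILES\WEB HELPER\fakeadware.dll",DllMain
"""

# Assumed allow-list of DLLs that rundll32 legitimately loads at startup on this box.
KNOWN_GOOD = {"powrprof.dll"}

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# rundll32 arguments: <dll>,<entry point> [args]; the DLL path may be quoted.
RUNDLL_ARGS_RE = re.compile(r'^(?P<dll>"[^"]*"|[^,\s]+)\s*,\s*(?P<entry>\S*)')


@dataclass
class Launch:
    key: str
    name: str
    host: str            # the binary Windows actually starts
    dll: Optional[str]   # the module rundll32 is told to load, if any
    entry: Optional[str]
    suspicious: bool


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _split_command(cmd: str):
    """Return (program, rest); a quoted program may contain spaces."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line: str) -> Optional[Launch]:
    """Parse one O4 line; rundll32 launches get their DLL pulled out and checked."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    host, rest = _split_command(m.group("cmd"))
    dll = entry = None
    suspicious = False
    if _basename(host) in ("rundll32.exe", "rundll32"):
        a = RUNDLL_ARGS_RE.match(rest)
        if a:
            dll = a.group("dll").strip('"')
            entry = a.group("entry") or None
            suspicious = _basename(dll) not in KNOWN_GOOD
        else:
            suspicious = True   # rundll32 with arguments we cannot parse: look at it
    return Launch(m.group("key"), m.group("name"), host, dll, entry, suspicious)


def analyse(log_text: str) -> List[Launch]:
    return [l for l in (parse_o4(x) for x in log_text.splitlines()) if l]


def flagged_dlls(launches: List[Launch]) -> List[str]:
    """DLLs that rundll32 is asked to load and that are not on the allow-list."""
    return [l.dll for l in launches if l.suspicious and l.dll]


if __name__ == "__main__":
    for l in analyse(SAMPLE_LOG):
        tag = "CHECK" if l.suspicious else "ok   "
        print(f"{tag} {l.key} [{l.name}] host={l.host} dll={l.dll} entry={l.entry}")
```

On a real log the allow-list is where the work is: powrprof.dll is the normal Win98 power-scheme loader, and the question is what else rundll32 is being handed. Note that in this thread the offending DLL never appeared in the HijackThis log at all, so this catches only what the log lists.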

  6. #6 NooNoo
    It will show up in the HijackThis log; it's a question of finding the little bugga...

  7. #7 cabal
    Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:03:58 PM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SIMAILPROXYSERVER.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISPAMFILTERENGINE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SIMAIN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\MSAGENT\AGENTSVR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UTILITIES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windrivers.com
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SISERVICE.exe] "C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

    Since I told ZoneAlarm not to allow rundll32 to access the 'net, I get an error message that says "rundll32 has caused an invalid page fault in mrtcp.cpy.dll".
    Something strange is running on this system.

  8. #8 NooNoo
    Go into Safe Mode and go on a search-and-destroy mission in both the registry and the system files for mrtcp.cpy.dll. Turn off System Restore, otherwise it will be back.
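An added example, not NooNoo's or cabal's code, of the registry half of that search run offline against a REGEDIT4 export (the format regedit /e writes on Windows 98). The point it adds over a plain text search: values stored as hex(...) byte lists hold the file name as bytes, not as readable text, so a scanner has to decode them too (as ANSI for REGEDIT4, and as UTF-16LE for "Windows Registry Editor Version 5.00" exports). The export fragment is constructed; the NetHelper and Hypothetical entries are made up for the example, and the thread does not say where mrtcp.cpy.dll was actually referenced.

```python
import re
from typing import List, Optional, Tuple

# Constructed REGEDIT4 export fragment (the format regedit /e writes on Windows 98).
# The NetHelper and Hypothetical entries are made up for this example; the thread
# does not say where mrtcp.cpy.dll was referenced. Backslashes inside string
# values are doubled, as regedit writes them, and the hex(2) value is the ANSI
# bytes of C:\WINDOWS\SYSTEM\mrtcp.cpy.dll split over a continuation line.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NetHelper"="rundll32.exe C:\\WINDOWS\\SYSTEM\\MRTCP.CPY.DLL,Start"

[HKEY_LOCAL_MACHINE\Software\Example\Hypothetical]
"Path"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,59,53,54,45,4d,5c,6d,72,74,\
  63,70,2e,63,70,79,2e,64,6c,6c,00
"Unrelated"="C:\\WINDOWS\\SYSTEM\\powrprof.dll"
"Flag"=dword:00000001
"""

# "<name>"=<data>  or  @=<data> for a key's default value
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')
HEX_RE = re.compile(r'^hex(?:\([0-9a-fA-F]+\))?:(?P<bytes>.*)$')

Hit = Tuple[str, str, str]   # (key, value name, how the value was stored)


def _logical_lines(text: str) -> List[str]:
    """Join regedit continuation lines (trailing backslash, indented follow-on)."""
    out: List[str] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        piece = raw.strip() if pending is not None else raw.rstrip()
        if piece.endswith("\\"):
            pending = (pending or "") + piece[:-1]
            continue
        out.append((pending or "") + piece)
        pending = None
    return out


def _decode(data: str) -> Tuple[str, List[str]]:
    """Return (storage kind, candidate text decodings of the value data)."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash
        return "string", [re.sub(r"\\(.)", r"\1", data[1:-1])]
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        # REGEDIT4 stores hex(2)/hex(7) strings as ANSI; Version 5.00 exports use UTF-16LE.
        return "hex", [raw.decode("latin-1"), raw.decode("utf-16-le", errors="ignore")]
    return "other", []   # dword: and friends cannot hold a file name


def find_references(reg_text: str, filename: str) -> List[Hit]:
    """Every value whose decoded data mentions filename, case-insensitively."""
    needle = filename.lower()
    hits: List[Hit] = []
    key = ""
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        kind, texts = _decode(m.group("data"))
        if any(needle in t.lower() for t in texts):
            hits.append((key, m.group("name").strip('"'), kind))
    return hits


if __name__ == "__main__":
    for key, name, kind in find_references(SAMPLE_REG, "mrtcp.cpy.dll"):
        print(f"{kind:6} [{key}] {name}")
```

The key and value name in each hit are what you would then go and remove or repair in regedit; the file-system half of the search is separate. Short 8.3 aliases (the PROGRA~1 style visible in the log above) are not expanded here, so a path written that way needs a second pass with the short name.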

  9. #9 cabal
    Thanks, NooNoo. I had to reboot with a floppy to remove that file; in Safe Mode it said it was in use. One very annoying and stubborn piece of spyware to get rid of.

  10. #10 NooNoo
