VX2, Twain Tech, and IEPLUGIN

Discussion in 'Malware Help (A Specialist Will Reply)' started by netzach, Apr 8, 2005.

  1. netzach

    netzach Private E-2

    Got one that's driving me crazy. W2K system, and no matter how carefully I get rid of everything in safe mode and disconnected from the net, I get these three malware programs on reboot.

    VX2.ABetterInternet shows up in C:\Winnt\susp.exe

    Twain Tech shows up in C:\Winnt\twaintech.dll

    IEPlugin shows up in C:\Winnt\wupdt.exe

    Yes, I've read the FAQs and followed 'em to the letter. Got a HJT log if and when you're ready for it.

    Can anybody help?

    Thanx in advance..... Guy
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. netzach

    netzach Private E-2

    OK, HJT log file is attached

    Sophos, Symantec Ghost, and Ericom are trusted entities. I was suspicious of a file named bandobjs.dll in the Lotus directory structure, so I renamed it (shows on O9 as file missing).

    Thanx again for any help you can offer!

    Best regards, Guy.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please update to Hijack This 1.99.1 and attach a new log using the new version.

    Also, I notice you're running Sophos Anti-Virus & McAfee. Pick one and uninstall the other, because running 2 will cause conflicts on your machine.
     
  5. netzach

    netzach Private E-2

    OK - McAfee is history, HJT 1.99.1 is installed and log is attached. Sorry it took me so long to get back to you on this one.

    Best regards, Guy.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    (If you need this leave it, if not have HJT fix it)

    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll (file missing)

    O16 - DPF: {BEAD5FAF-941E-4054-9950-9104E8CE0602} (PtConnector421 Class) - http://208.179.2.14/ericom/WebConnect4.21/ActiveX/ptermX.CAB
    O16 - DPF: {C1ECC9B2-75B2-4490-8040-B8A107F45DC2} (PtConnector422 Class) - http://208.179.2.14/ericom/WebConnect4.22/ActiveX/ptermX.CAB

    Are you familiar with these entries? If so, leave them.

    Make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner

    Reboot after doing the above. Your log is fairly clean; what problems are you currently having?
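The entries listed above follow the fixed HijackThis line format (a section code such as R0, O3, O9 or O16, then the entry body). The following added example, which is not part of the thread or of HijackThis itself, parses lines in that format and applies the same review checks the expert makes here: registered entries whose target file is gone, a changed start page, a proxy override, and an ActiveX CAB served from a bare IP address. The sample log is constructed from the lines quoted in the post.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the HijackThis entry lines quoted in the post above.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\\lotus\\organize\\bandobjs.dll (file missing)
O16 - DPF: {BEAD5FAF-941E-4054-9950-9104E8CE0602} (PtConnector421 Class) - http://208.179.2.14/ericom/WebConnect4.21/ActiveX/ptermX.CAB
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Entry:
    kind: str
    body: str
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Parse HJT-style lines into Entry objects; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries

def triage(entries):
    """Attach review flags mirroring the checks made in the thread."""
    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            e.flags.append("orphan")          # still registered, target file is gone
        if e.kind == "R0" and "Start Page" in e.body:
            e.flags.append("startpage")       # browser start page was changed
        if e.kind == "R1" and "ProxyOverride" in e.body:
            e.flags.append("proxy")           # keep only if the proxy bypass is wanted
        if e.kind == "O16":
            for url in URL_RE.findall(e.body):
                if IPV4_RE.match(urlparse(url).hostname or ""):
                    e.flags.append("raw-ip-activex")  # CAB downloaded from a bare IP
    return entries

def flagged(entries, flag):
    """Return the entries carrying a given flag, for the reviewer to confirm or clear."""
    return [e for e in entries if flag in e.flags]

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.kind, e.flags, e.body[:60])
```

A flag is a prompt to verify, not a verdict: the thread's O16 entries turn out to be a legitimate terminal emulator, which is exactly why the expert asks "are you familiar with these entries?" before fixing them.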
     
  7. netzach

    netzach Private E-2

    The two "O16" lines are valid - they belong to a terminal emulation application, and are necessary to access an OpenVMS box. The lines with IP addresses are the current DNS settings, but I'm not sure why they're in there.

    The second "O9" line is for a Lotus Organizer application that the user claims is necessary - but I was quite suspicious of it, as (1) he got it off of Kazaa, and (2) one of the anti-Virus scanners picked it up as infected. I changed the name of the DLL file, that's why it's showing up in the HJT log as "(file missing)".

    The answer to your question about what problem I'm having is in the title - no matter what I do, VX2, Twain Tech, and IEPLUGIN all keep showing up as soon as I reboot.

    VX2.ABetterInternet shows up in C:\Winnt\susp.exe

    Twain Tech shows up in C:\Winnt\twaintech.dll

    IEPlugin shows up in C:\Winnt\wupdt.exe

    BTW, thanks for all your help on this so far.


    Best regards, Guy.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those entries are only ActiveX controls; removing them will NOT hurt anything. However, if you know them, leave them!

    It says (file missing); have HJT fix it.

    First, manually remove these files!

    Now:
    Download and install Microsoft® Windows AntiSpyware; during the install make sure you get any updates!

    Please make sure ALL Browser Windows are Closed!

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode.

    After removing all found infections from MA, proceed with the next step.

    Download Generic Detection Tool - NT/2000/XP

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  9. netzach

    netzach Private E-2

    Been there, done that. When the system reboots, our three friends are back again.

    Roger! WillCo! :cool:

    It will take me a day or so to get back to the client, however.


    Best regards, Guy.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Get me the Generic Detection Log.

    What version of MA are you running?

    This should be your updates:
    Microsoft AntiSpyware Version: 1.0.509

    Spyware Definitions 5707
     
  11. netzach

    netzach Private E-2

    M$AS reports version 1.0.501, but claims this is up-to-date. Ran the update just a few minutes ago. Spyware defs are, indeed, 5707.

    GDL is attached.


    Best regards, Guy.

     

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to make you aware before I request you to remove this. There is a file named archlib.dll hidden within your system folder. This is part of the Keycorder Keylogger, are you familiar with this program being installed?

    Also, go here and download MSAS, this is the updated version.

    Microsoft® Windows AntiSpyware
     
  13. netzach

    netzach Private E-2

    Don't think it's part of anything legit.

    Best regards, Guy.


     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Some users install keyloggers and some get infected with them; I just wanted to make sure you didn't install it before I had you remove it. Did you install and update the new version of MSAS? If so, what were the scan results?

    First, look in Add/Remove Programs for anything referring to Keycorder Keylogger, you may or may not see this.

    Now:

    Locate PocketKillbox

    Now, Copy and Paste C:\WINNT\System32\archlib.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After you reboot, post a fresh HJT log.
     
  15. netzach

    netzach Private E-2

    I did install the new MSAS, but results were the same. Los Tres Amigos (VX2, Twaintech and IEPLUGIN) still showed up after reboot.

    Nothing showed up

    Now I get an error message on reboot: "Schedule daemon.exe Unable To Locate DLL" followed by all known paths.

    Attached.

    BTW, something interesting occurred. Remember those lines that had DNS addresses in them? I had HJT zap 'em. Afterwards, I couldn't browse - couldn't find the servers. Went to my IP settings, and no addresses were listed in the DNS section! So I dutifully put them back in, and this HJT log shows that funny line with DNS addresses again. Funny, no?

    Best regards, Guy.
     

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's take care of a few things first.

    Look in Add/Remove Programs for SpyKiller as this is on the list of rogue antispyware programs.

    For more information click the link below:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm


    Post me the results from MSAS so I can see what exactly it's finding.

    Also, the O17 entries must be required if you lost internet access after removing them so leave them if everything is ok.
     
  17. netzach

    netzach Private E-2

    Couldn't find Spykiller in the Add/Remove list, but I had HJT zap the startup line. Wasn't aware MSAS had a logging function. Here's the closest I could come:


     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox

    Now, Copy and Paste c:\winnt\wupdt.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste c:\winnt\twaintec.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After the reboot, see if problems remain!
     
  19. netzach

    netzach Private E-2

    No joy - the little buggers are still there.

    Best regards, Guy.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run killbox and select delete on reboot? Did you click no for the first one and then reboot after the second one? Any problems during this?

    Do you see the files after Killbox removes them?
     
  21. netzach

    netzach Private E-2

    Yes, yes, no, and yes. I'm quite convinced there's something that looks for them during startup - and if they're not found, downloads and installs them.

    Just can't figure out what it is. Could it be the popup-stopper? Aquarium screen saver? What?!?

    Pardon the frustration, and thanks for all the help!

    Best regards, Guy.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following removal tool:
    After doing the above, proceed to the next step!

    Click Start > Run > type in the below:

    regsvr32 /u c:\winnt\twaintec.dll

    After you do this, reboot into Safe Mode and delete this file manually.

    Reboot into normal mode, see if those baddies are there now!
     
  23. netzach

    netzach Private E-2

    I'm assuming I was supposed to run it after downloading it, right? Right or wrong, I did it. It found a couple of things. Reported that it had zapped 'em.

    Reported that twaintec.dll wasn't an executable, wasn't registered.

    Zapped it - but alas, no joy. The three amigos still show up after reboot. One curiosity: the files we're talking about (wupdt.exe, twaintec.dll, and suspd.exe) all show up zero-length in C:\WINNT. Can't get rid of 'em either as they are in use by another process.

    Best regards, Guy.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder. Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
