New Malware help


jlo
April 17th, 2005, 08:23 AM
Hi All,

I have been using Nod32 for around a year and am very happy with it. I however ran the Escan free antivirus tool (uses the Kaspersky engine) and found this on my computer.

File C:\WINDOWS\system\vbpc.dll infected by "Trojan.Win32.Agent.cs" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system\vbpc.dll infected by "Trojan.Win32.Agent.cs" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.



Both files are dll files and you can see the location. The VBPC file was only detected by KAV engine (Checked at Jotti scanner) but the other one was detected by more av scanners but not Nod32.

I am sending the files to nod (password protected) with a link to this forum as I would like to know what to do. I do a lot of internet banking on my computer so would like to know how much my computer is compromised!

Many Thanks

Jlo

jlo
April 17th, 2005, 08:24 AM
Could someone move this post to the Nod32 group. Posted it in the wrong place. Sorry.

Jlo

Happy Bytes
April 17th, 2005, 08:35 AM
The word "Trojan" in the name is not so dangerous as it looks.
It's Spyware. No Keylogger, no backdoor - 'only' spyware downloaders.

So there is normally no risk for your online banking data. Kaspersky calls the spyware downloaders also "Trojan". And this Agent exists in numerous different versions. Please send it and we'll include it.

8^) HB.

jlo
April 17th, 2005, 08:44 AM
Thanks Happy Bytes.

I have just sent them in with a link to this thread.

BTW can I just delete these dll files or will it mess up Windows XP? Should I run a HijackThis log?

Cheers

Jlo

dvk01
April 17th, 2005, 05:07 PM
req.dll won't just delete as it is installed with a hook to winlogon in XP.
C:\WINDOWS\system\vbpc.dll should delete easily but I've included it in the killbox fix for easy use.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

now run killbox and paste The FIRST ONE of these lines into the box, select delete on reboot then press the red X button, say yes to the prompt but no to reboot now

then continue to paste the lines in in turn and follow the above procedure every time. If it says file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply

C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.exe
C:\WINDOWS\system32\req.dat
C:\WINDOWS\system\vbpc.dll

Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything

then reboot

when it reboots

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll

and any entries relating to C:\WINDOWS\system\vbpc.dll

reboot again

if you don't have hijackthis already then

go to here (http://www.thespykiller.co.uk/downloads.htm) and download 'Hijack This!' double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis

jlo
April 18th, 2005, 03:01 PM
Thanks very much for your help.

I did as instructed with the killbox exe.

I have now rebooted. Could you just check through my HijackThis log and tell me exactly what to fix.

Many Thanks

Logfile of HijackThis v1.99.1
Scan saved at 19:59:50, on 18/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\vbpc.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://62.3.133.38/UK/24_3d_view_my_car_pop.jsp?noreloadredir
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: vbpc - C:\WINDOWS\system\vbpc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

dvk01
April 18th, 2005, 03:28 PM
just these need fixing
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\vbpc.dll
O20 - Winlogon Notify: vbpc - C:\WINDOWS\system\vbpc.dll

but by the looks of it you have the new pest there that won't straight delete and the only way to fix that is to boot up using the windows cd & get into the recovery console and delete it using the dos commands no other way has been found yet

please zip that file and send it to samples@nod32.com with a note referring to this thread

I'm sure someone here can explain a bit better than me about using the recovery console in xp but the basics are here
http://www.wown.com/j_helmig/wxprcons.htm

but once you have booted to RC then at the c: prompt type del "C:\WINDOWS\system\vbpc.dll" and say yes to prompts

if you haven't got a full XP cd then you will have to download the floppy set up from M$ as described
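
The two lines dvk01 picks out above (an O2 BHO and an O20 Winlogon Notify entry pointing at the same DLL) are the pattern a helper scans a HijackThis log for. The script below is an added example, not part of this thread or of HijackThis; it parses O2 and O20 lines from a constructed sample made of lines copied from the logs posted here, flags the ones matching that pattern, and marks O20 hits as needing the file removed outside Windows first, which is the point dvk01 makes about the Recovery Console. The "lives in the Windows directory" and "(no name)" heuristics are my assumptions for triage, not a rule from the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the HijackThis logs in this
# thread plus the two req.dll lines dvk01 asked to be fixed. Not a complete log.
SAMPLE_LOG = [
    r"Logfile of HijackThis v1.99.1",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\vbpc.dll",
    r"O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O20 - Winlogon Notify: vbpc - C:\WINDOWS\system\vbpc.dll",
    r"O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe",
]

# HijackThis 1.99.1 line shapes for the two entry types discussed in the thread.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str                   # the log line exactly as logged (what you tick to "fix")
    kind: str                   # "BHO" or "WinlogonNotify"
    name: str
    path: str
    reason: str
    needs_offline_removal: bool  # True when the DLL is loaded by winlogon.exe itself


def in_windows_dir(path: str) -> bool:
    # Heuristic (assumption): a browser helper dropped straight into C:\WINDOWS,
    # C:\WINDOWS\system or system32 rather than under Program Files is suspicious.
    p = path.lower().replace("/", "\\")
    return p.startswith("c:\\windows\\")


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            reasons = []
            if name == "(no name)":
                reasons.append("BHO has no registered name")
            if in_windows_dir(path):
                reasons.append("BHO DLL lives in the Windows directory")
            if reasons:
                findings.append(Finding(line, "BHO", name, path, "; ".join(reasons), False))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # HijackThis only lists Winlogon Notify packages it does not recognise, so
            # every O20 line deserves review. The DLL is mapped into winlogon.exe before
            # the shell starts, which is why the file has to go via the Recovery Console
            # or a delete-on-reboot before the registry entry can be fixed.
            findings.append(Finding(line, "WinlogonNotify", m.group("name"), m.group("path"),
                                    "unrecognised Winlogon Notify package", True))
    return findings


def lines_to_fix(lines) -> List[str]:
    """The log lines to tick in HijackThis, in log order."""
    return [f.line for f in triage(lines)]


def companion_entries(lines) -> dict:
    """Group findings by DLL path so a BHO and a Winlogon Notify entry pointing at the
    same file are treated as one infection (vbpc.dll and req.dll each appear twice)."""
    by_path: dict = {}
    for f in triage(lines):
        by_path.setdefault(f.path.lower(), []).append(f.kind)
    return by_path


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "  (remove the file outside Windows first)" if f.needs_offline_removal else ""
        print(f"{f.kind:15} {f.path}  <- {f.reason}{flag}")
```

Run as a script it prints the four lines a helper would ask to be fixed and leaves the Adobe BHO alone; the `companion_entries` grouping shows why dvk01 treats the O2 and O20 lines for one DLL as a single pest.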

jlo
April 18th, 2005, 04:18 PM
Thanks again for your post.

I tried fixing with HijackThis but it keeps coming back :(

I sent the files to Nod32 yesterday with a link. I would really appreciate an analysis on those files just for my peace of mind so I know what this malware or spyware is doing on my computer.

I think if I have to go to recovery and dos to sort it out I will need to get a friend in to help as it's too technical for me.

Cheers

Jlo

dvk01
April 18th, 2005, 04:21 PM
You can't delete these from inside windows as they are attached to winlogon which starts before all the other windows processes & I'm afraid the RC is the only way

It's a good idea to get a friend in to help though

jlo
April 18th, 2005, 05:07 PM
Thanks again.

I have sent the file to KAV as well to ask them if they can give me an analysis of what the file does.

Will report back with any replies.

Guess I will have to get the old windows XP home disk out!!!

Cheers

Jlo

Happy Bytes
April 18th, 2005, 05:41 PM
{QUOTE-> I tried fixing with HijackThis but it keeps coming back :(
<-QUOTE}

Did somebody tell this poor guy that he has to CLOSE all Internet Instances - OTHERWISE THIS COMES BACK ALL THE TIME!

That means if you have a browser window still open during fixing this IT WILL NOT WORK!

dvk01
April 18th, 2005, 05:47 PM
Mike when you look inside the files you see the protection this pest has inbuilt to it, that's why it needs RC to delete it and only then can you fix the reg entries with HJt

Happy Bytes
April 18th, 2005, 05:51 PM
I dont have the files here yet :(

dvk01
April 18th, 2005, 05:58 PM
I sent them to you on 14th to your personal email address

webjava.zip it's the same file they are using semi random file names it's a new vundo version virtumonde adware pest

Happy Bytes
April 18th, 2005, 06:06 PM
hm... let me check... do you mean this one?

dvk01
April 18th, 2005, 06:28 PM
well I don't read cyrillic but that is the right name and it was 368k when it left here but with IE overheads I suppose 486 would be right

dvk01
April 18th, 2005, 06:33 PM
Mike I've sent you a new email with 2 slightly different versions and the req.dat file as well
the file name is aardvak.zip

Happy Bytes
April 18th, 2005, 06:38 PM
Ok, but I'll take a look at it tomorrow, it's already past midnight.

jlo
April 18th, 2005, 06:42 PM
Hi,

I have sent in my files again and asked them to be forwarded to Happy Bytes and linked this thread.

Hi,

Please forward this on to HappyBytes as requested at http://www.wilderssecurity.com/showthread.php?t=75902

Many Thanks

Jlo
The zip file is 'help.zip' and password 'infected'

Many Thanks

Jlo

jlo
April 19th, 2005, 03:03 AM
Nod32 now detects this trojan but can't do anything with it as we expected.

Time Module Object Name Virus Action User Info
19/04/2005 07:57:18 AMON file C:\WINDOWS\system\vbpc.dll Win32/Agent.CS trojan NT AUTHORITY\SYSTEM


Unfortunately as soon as my computer fires up this is the message I get. I can't quarantine or delete it!

Is there any chance of a tool being made to help me rid this virus or is the only way to use the Windows XP disk and dos commands?

If so I would very much appreciate it if someone could give me step by step instructions on how to do this.

Also if anyone could tell me what the virus does I would much appreciate it.

Cheers

Jlo

PS Until I sort it I will have to keep Amon deactivated.

dvk01
April 19th, 2005, 07:04 AM
The only way to remove it is to use the windows CD and boot to a dos prompt

It is NOT fixable from inside windows

jlo
April 19th, 2005, 12:26 PM
Thanks for all the help so far. You are a life line!

Well Ok this is as far as I got.

Managed to change my bios setting to boot from CD disk.

Put in my Home edition XP disk

Booted up in to windows recovery console as per instruction but get to the screen where it says 'which installation do you want to log on to'

Click 1 as suggested in the instruction and then you need to put in the administrator password. Now I am the administrator and know the password but it does not accept what I put in? It just says incorrect password 3 times and then reboots.

I went on to load up windows and checked I am still the administrator and my password works to log on to the computer but not through dos.

Any ideas?

Cheers

Jlo

jlo
April 19th, 2005, 02:30 PM
Success. Many Thanks to all. To get past the administrator password I just had to click the space bar.

That nasty agent trojan has gone.

I rescanned with KAV and now I just have this one which I think is adware


File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.

and is not detected by Nod.

Could you also have a look at my HijackThis log and advise whether just to delete the file?

Many Thanks

Jlo

jlo
April 19th, 2005, 02:30 PM
Logfile of HijackThis v1.99.1
Scan saved at 19:30:38, on 19/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\DOCUME~1\JAMESL~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\JAMESL~1\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://62.3.133.38/UK/24_3d_view_my_car_pop.jsp?noreloadredir
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{156246A4-1F5C-41A9-9A05-CAF87970BCD3}: NameServer = 212.74.114.129 212.74.114.193
O17 - HKLM\System\CS1\Services\Tcpip\..\{156246A4-1F5C-41A9-9A05-CAF87970BCD3}: NameServer = 212.74.114.129 212.74.114.193
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

dvk01
April 19th, 2005, 03:22 PM
Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

now run killbox and paste The FIRST ONE of these lines into the box, select delete on reboot then press the red X button, say yes to the prompt but no to reboot now

then continue to paste the lines in in turn and follow the above procedure every time. If it says file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply

C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.exe
C:\WINDOWS\system32\req.dat

Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything

then reboot

jlo
April 19th, 2005, 05:10 PM
DVK01 you are a star.

All malware gone now. thanks so much to you and this forum.

It was a shame it got through NOd32 but nod got the update out quickly and at least I managed to get rid of this malware with your help.

Many Thanks again.

Jlo

dvk01
April 20th, 2005, 02:34 AM
This has affected lots of people and prevention is better than cure with it, as it is with all these infections that must get on through unknown holes in IE/Windows

Turn off system restore by following instructions here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

and pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place

jlo
April 20th, 2005, 03:14 AM
Thanks.

Yes I already did the system restore thing and I am running XP service pack 2 and only downloaded the latest updates a few days ago. Maybe I got infected before the update??

Anyway thanks for your help.

Do you think the Microsoft spybeta thing would have stopped the infection in the first place?

I downloaded it after the infection and it detected nothing but I know it is set to watch for suspicious operations.

At least all NOd32 users are protected from that particular nasty now!

Best Wishes

Jlo

jlo
April 20th, 2005, 03:18 AM
Just checked windows update again and it says 'no priority updates available'

I was also surprised that AdawareSE and Spybot did not detect anything.

As you said, I think one needs multilayered defence as well as keeping up to date with updates.

Best wishes

Jlo

dvk01
April 20th, 2005, 03:25 AM
The Microsoft Antispyware, if it's set properly, will warn of attempts to change or add a BHO so should have warned you

This is a new baddie though and has only been around for about a week although the scum who make it are very well known. And each version they make gets harder to remove

Eset (Nod) have now started to include a lot more adware detection into their databases so hopefully in the future you will be much more protected as Nod should automatically block/warn about such downloads and hopefully their heuristics can be tweaked to detect these pests a bit more easily

dvk01
April 20th, 2005, 06:03 AM
Stephanos G

I have removed your post and put it in privacy software as it has absolutely nothing to do with NOD32 support issues

Thanks

BuddieinEK
April 25th, 2005, 07:44 PM
I have been having similar problems, and would appreciate some advice.

the file 'req.dll' has been appearing on my system over the last two weeks... ... since my last windows update!!!

I am using killbox to delete it before it can do any damage (what a great programme).

I notice that an application file called '1' also appears on the c:\ drive at the same time as 'req.dll' appears in the windows\system32 directory.

'1' can be deleted without any difficulty.

Adaware, Spybot, SpywareBlaster, Norton AV, Sygate all fail to detect any change/virus or stop it being placed on my system.

BHO Demon warns me that changes are being attempted, which alerts me to the file being recreated.

Problem is, despite repeated attempts, the file comes back when I have been online for a while... on various sites.

Any idea on how to increase my security and stop req.dll from reappearing?

Thanks

Marcos
April 26th, 2005, 01:15 AM
Hi BuddieinEK,
Please send a log from Hijackthis (http://216.180.233.162/~merijn/files/HijackThis.exe) to support@eset.com with a link to this thread. Are you using NOD32 beta 2.50.7? Maybe you could try carrying out an in-depth scan using the on-demand scanner first...

BuddieinEK
April 26th, 2005, 01:27 PM
{QUOTE-> Hi BuddieinEK,
Please send a log from Hijackthis (http://216.180.233.162/~merijn/files/HijackThis.exe) to support@eset.com with a link to this thread. Are you using NOD32 beta 2.50.7? Maybe you could try carrying out an in-depth scan using the on-demand scanner first... <-QUOTE}

Thank you Marcos,

I have sent the log as you suggested.

I found the req.dll file in a new hiding place today!!!

A folder called !Submit had been created on the hard drive which contained only one file... ... no prizes for guessing which one!!!

dvk01
April 26th, 2005, 01:34 PM
!submit is the folder killbox uses to make backup copies

as Nod already have copies of that file just delete anything inside the !submit folder

if req.dll keeps appearing try this

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

now run killbox and paste The FIRST ONE of these lines into the box, select delete on reboot then press the red X button, say yes to the prompt but no to reboot now

then continue to paste the lines in in turn and follow the above procedure every time. If it says file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply

C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.exe
C:\WINDOWS\system32\req.dat

Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything

then reboot

when it reboots

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll


there might be more on your log but the Eset mods will soon advise you on that

brianp
May 5th, 2005, 02:59 PM
{QUOTE-> req.dll won't just delete as it is installed with a hook to winlogon in XP.
C:\WINDOWS\system\vbpc.dll should delete easily but I've included it in the killbox fix for easy use.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

now run killbox and paste The FIRST ONE of these lines into the box, select delete on reboot then press the red X button, say yes to the prompt but no to reboot now

then continue to paste the lines in in turn and follow the above procedure every time. If it says file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply

C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.exe
C:\WINDOWS\system32\req.dat
C:\WINDOWS\system\vbpc.dll

Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything

then reboot

when it reboots

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll

and any entries relating to C:\WINDOWS\system\vbpc.dll

reboot again

if you don't have hijackthis already then

go to here (http://www.thespykiller.co.uk/downloads.htm) and download 'Hijack This!' double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis <-QUOTE}

I have a trojan Norton has identified as Download.trojan. It is lurking in C:\WINDOWS\system32\req.dll

I have downloaded "Killbox" and "Hijack This".
"Hijack This" ran accidentally before I ran "Killbox". However it showed me that I don't have this line:-

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll

but I do have:-

O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\req.dll

I can't see any entries relating to C:\WINDOWS\system\vbpc.dll

Should I delete:-

O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\req.dll

and consider myself fortunate there are no entries relating to C:\WINDOWS\system\vbpc.dll ???


Hope you can help,

Brian :-\

jlo
May 5th, 2005, 03:07 PM
Hi,

Don't worry about the VBPC.dll. I was infected with 2 things and you obviously just have the one.

In the end I had to use the Windows XP recovery tool, boot up from the disk and delete the file from dos (which a friend helped me do)

I am sure DVK01 will be around soon to help as he was a great help to me.

Kind Regards

Jlo

dvk01
May 5th, 2005, 03:26 PM
Brian look at post 35 and use that as the guide to what to fix. If the numbers are different then fix the bho with the req.dll file name

brianp
May 5th, 2005, 05:41 PM
Hi jlo and dvk01,

You guys are great! Norton scan is clear now.

Thanks for your sound advice. I can't believe how quick you both responded to my request for help. Brilliant!

jlo
May 5th, 2005, 06:11 PM
No problem, although the thanks should go to DVK01 as he came up with the solution to my original malware problem which helped with yours.

Thanks DVK01


Cheers

Jlo