ok
ESET
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{6269E072-38BA-421A-A83F-5AA7068DEBD4}\RP226\A0018749.dll a variant of Win32/Kheagol.H trojan
C:\System Volume Information\_restore{6269E072-38BA-421A-A83F-5AA7068DEBD4}\RP226\A0018843.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{6269E072-38BA-421A-A83F-5AA7068DEBD4}\RP227\snapshot\MFEX-1.DAT a variant of Win32/Kheagol.H trojan
C:\System Volume Information\_restore{6269E072-38BA-421A-A83F-5AA7068DEBD4}\RP228\snapshot\MFEX-1.DAT a variant of Win32/Kheagol.H trojan
C:\WINDOWS\system32\t5ql.dll a variant of Win32/Kheagol.H trojan
C:\WINDOWS\system32\version.dll a variant of Win32/Kheagol.J trojan
Operating memory multiple threats
Everything seems ok this morning....
Very well then :)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
:Services
:Reg
:Files
C:\WINDOWS\system32\t5ql.dll
C:\WINDOWS\system32\version.dll
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- You will get a log that shows the results of the fix. Please post it.
=====================================================
Your computer is clean https://discussions.virtualdr.com/
1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Post resulting log.
2. Now we'll remove all the tools we used during our cleaning process.
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
3. Make sure Windows Updates are current.
4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!
5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.
7. Run Temporary File Cleaner (TFC) weekly.
8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.
9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
10. Run defrag at your convenience.
11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
12. Please, let me know, how your computer is doing.
ok... will do
As far as the clean up thing, I went and put all the downloaded programs and saved *.txt files on my desktop and put them in a folder on the desktop.
Hope that didn't screw anything up.
Note: when I booted up this morning I noticed an Internet Explorer icon on my desktop where there had not been one before. I went to the 'Display' dialogue and clicked on the 'Desktop' tab and there was not a choice to remove the Internet Explorer icon where there should have been. Also on the Screensaver tab at the bottom where the power settings are, the 'Energy' logo was missing.
I'll get on this stuff right now...
Here is the first OTL Log.... but I had a problem, I'll tell you at the end.
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\system32\t5ql.dll moved successfully.
C:\WINDOWS\system32\version.dll moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: All Users
User: Dave
->Temp folder emptied: 36764 bytes
->Temporary Internet Files folder emptied: 32474779 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1032 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 10596 bytes
->Temporary Internet Files folder emptied: 33170 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7817 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7454623 bytes
Total Files Cleaned = 38.00 mb
[EMPTYFLASH]
User: Administrator
->Flash cache emptied: 0 bytes
User: All Users
User: Dave
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: LocalService
User: NetworkService
Total Flash Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.24.1 log created on 06242011_124039
Files\Folders moved on Reboot...
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\958C2H7W\918[1].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\958C2H7W\918[2].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\4P9AIDCO\iepngfix[1].htc moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\4P9AIDCO\partner[1].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\4P9AIDCO\showthread[2].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
Registry entries deleted on Reboot...
When computer started back up I got at least 10 error messages for different files, from winlogon.exe to explorer.exe with this message...."This application failed to start because t5ql.dll was not found. Re-installing the application may fix this problem"
I noticed at the very top of this report that t5ql.dll had been moved. Is this relevant?
Do NOT run step 2 yet.
Restart computer and see if you'll get same errors again.
I have restarted a few times and it happens every time... Also the error msg appears when I attempt to open any program. However, after I click OK the prog seems to run ok.
have not run any more steps
Can you post EXACT error message(s) you're getting?
At least 10 times on bootup, from winlogon.exe to explorer.exe and all of my other programs on startup. Plus it happens anytime I open any other program.
"This application failed to start because t5ql.dll was not found. Re-installing the application may fix this problem"
I attached a picture of it.
Navigate to:
C:\_OTL\MovedFiles
Copy t5ql.dll file from there and paste it to C:\WINDOWS\system32 folder.
Restart computer.
Are the errors gone?
That did it ! :)
Very well, however I'm not very fond of that file.
I can't really find any info about it.
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\t5ql.dll
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
Any other issues?
Antivirus results
AhnLab-V3 - 2011.06.25.00 - 2011.06.24 - -
AntiVir - 7.11.10.104 - 2011.06.24 - -
Antiy-AVL - 2.0.3.7 - 2011.06.24 - Trojan/Win32.Agent.gen
Avast - 4.8.1351.0 - 2011.06.24 - Win32:Malware-gen
Avast5 - 5.0.677.0 - 2011.06.24 - Win32:Malware-gen
AVG - 10.0.0.1190 - 2011.06.24 - PSW.Agent.AMUH
BitDefender - 7.2 - 2011.06.25 - -
CAT-QuickHeal - 11.00 - 2011.06.24 - -
ClamAV - 0.97.0.0 - 2011.06.25 - PUA.Packed.ASPack
Commtouch - 5.3.2.6 - 2011.06.24 - -
Comodo - 9180 - 2011.06.25 - -
DrWeb - 5.0.2.03300 - 2011.06.25 - -
eSafe - 7.0.17.0 - 2011.06.23 - -
eTrust-Vet - 36.1.8405 - 2011.06.24 - -
F-Prot - 4.6.2.117 - 2011.06.24 - -
F-Secure - 9.0.16440.0 - 2011.06.24 - -
Fortinet - 4.2.257.0 - 2011.06.24 - -
GData - 22 - 2011.06.25 - Win32:Malware-gen
Ikarus - T3.1.1.104.0 - 2011.06.24 - Trojan-PWS.Win32.Agent
Jiangmin - 13.0.900 - 2011.06.24 - -
K7AntiVirus - 9.106.4840 - 2011.06.24 - Password-Stealer
Kaspersky - 9.0.0.837 - 2011.06.25 - Trojan-PSW.Win32.Agent.xez
McAfee - 5.400.0.1158 - 2011.06.25 - -
McAfee-GW-Edition - 2010.1D - 2011.06.24 - -
Microsoft - 1.7000 - 2011.06.24 - -
NOD32 - 6236 - 2011.06.25 - a variant of Win32/Kheagol.H
Norman - 6.07.10 - 2011.06.24 - -
nProtect - 2011-06-24.01 - 2011.06.24 - -
Panda - 10.0.3.5 - 2011.06.24 - Suspicious file
PCTools - 8.0.0.5 - 2011.06.23 - -
Prevx - 3.0 - 2011.06.25 - -
Rising - 23.63.04.01 - 2011.06.24 - -
Sophos - 4.66.0 - 2011.06.25 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.06.25 - -
Symantec - 20111.1.0.186 - 2011.06.25 - -
TheHacker - 6.7.0.1.239 - 2011.06.23 - Trojan/PSW.Agent.xez
TrendMicro - 9.200.0.1012 - 2011.06.24 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.06.25 - -
VBA32 - 3.12.16.3 - 2011.06.24 - TrojanPSW.Agent.xez
VIPRE - 9683 - 2011.06.25 - -
ViRobot - 2011.6.24.4531 - 2011.06.24 - -
VirusBuster - 14.0.94.0 - 2011.06.24 - Trojan.Kheagol!AxrLEkZrH0Y
File info:
MD5: 246e54d003ee721b7c4390b5a52c4d74
SHA1: 9e0e6ced4b59f9701ef2c0c643ab809f0e11ebf3
SHA256: 96fd23059ac715fb179feb68ada64fc7d6b44d27a1171a0d3b0e9a7f9eb36d5b
File size: 265292 bytes
Scan date: 2011-06-25 01:05:51 (UTC)
Additional information
ssdeep: 6144:S+jY5SU5YRIPki/tENvZW72p6xAnOUz0gO9P5TBlOYi0y:S+jySvRXi/WPK2+AOKdsP5T3OYdy
File size : 265292 bytes
First seen: 2011-06-25 01:05:51
Last seen : 2011-06-25 01:05:51
TrID:
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: ASPack v2.12
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x60001
timedatestamp....: 0x4DB9CAF7 (Thu Apr 28 20:15:51 2011)
machinetype......: 0x14c (I386)
[[ 6 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x56000, 0x39400, 8.00, 6003245f71d4019b706c1bf4ae15fdea
.rdata, 0x57000, 0x4000, 0x4000, 6.66, 1362f3b0da2432d6eab4d1538aba4f35
.data, 0x5B000, 0x3000, 0xA00, 7.76, ce1737aa1aec43251382a44268738fb8
.reloc, 0x5E000, 0x2000, 0x1800, 7.77, 6372c8536a46d4db1725482bb88f0086
.aspack, 0x60000, 0x2000, 0x1200, 5.74, 3d66167acab19483eaa8debecceac03c
.adata, 0x62000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
[[ 1 import(s) ]]
kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
[[ 1 export(s) ]]
ecsqxygtbcghyw
Symantec reputation:Suspicious.Insight
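As an added example (not part of this thread, and not code from OTL, VirusTotal or any other tool mentioned in it), the following Python script shows how a defender can read a report like the one above without uploading anything: it computes the MD5/SHA1/SHA256 a file would be looked up by, parses vendor rows in the "vendor - engine version - signature date - verdict" shape into a detection count, parses the PEInfo section table, and flags sections whose raw bytes have near-random entropy, which is what you expect from an ASPack-packed .text section (the 8.00 entropy above). The vendor rows embedded below are a constructed subset of the listing above; the section rows are copied from the report; a 7.0 bits-per-byte threshold is an assumed rule of thumb, not a value from the page.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: a subset of the vendor rows from the report, in the same
# "vendor - engine version - signature date - verdict" shape ("-" means no detection).
VENDOR_LINES = """\
AhnLab-V3 - 2011.06.25.00 - 2011.06.24 - -
AVG - 10.0.0.1190 - 2011.06.24 - PSW.Agent.AMUH
ClamAV - 0.97.0.0 - 2011.06.25 - PUA.Packed.ASPack
Kaspersky - 9.0.0.837 - 2011.06.25 - Trojan-PSW.Win32.Agent.xez
McAfee - 5.400.0.1158 - 2011.06.25 - -
NOD32 - 6236 - 2011.06.25 - a variant of Win32/Kheagol.H
"""

# Section table as printed in the PEInfo block: name, viradd, virsiz, rawdsiz, ntropy, md5
SECTION_LINES = """\
.text, 0x1000, 0x56000, 0x39400, 8.00, 6003245f71d4019b706c1bf4ae15fdea
.rdata, 0x57000, 0x4000, 0x4000, 6.66, 1362f3b0da2432d6eab4d1538aba4f35
.data, 0x5B000, 0x3000, 0xA00, 7.76, ce1737aa1aec43251382a44268738fb8
.reloc, 0x5E000, 0x2000, 0x1800, 7.77, 6372c8536a46d4db1725482bb88f0086
.aspack, 0x60000, 0x2000, 0x1200, 5.74, 3d66167acab19483eaa8debecceac03c
.adata, 0x62000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
"""


def file_hashes(data: bytes) -> dict:
    """Hashes a scanner report is keyed by; look these up instead of uploading the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_vendor_results(text: str) -> dict:
    """Map vendor name -> verdict string, or None when the vendor reported nothing."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The verdict may itself contain spaces ("a variant of ..."), so split at most 3 times.
        vendor, _engine, _sigdate, verdict = (p.strip() for p in line.split(" - ", 3))
        results[vendor] = None if verdict == "-" else verdict
    return results


def detection_ratio(results: dict) -> tuple:
    """(vendors that detected, vendors total), the 'x/y' figure of a multi-engine report."""
    detected = sum(1 for v in results.values() if v is not None)
    return detected, len(results)


def parse_sections(text: str) -> list:
    """Parse 'name, viradd, virsiz, rawdsiz, ntropy, md5' rows into dicts."""
    sections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, viradd, virsiz, rawdsiz, entropy, md5 = (p.strip() for p in line.split(","))
        sections.append({
            "name": name,
            "viradd": int(viradd, 16),
            "virsiz": int(virsiz, 16),
            "rawdsiz": int(rawdsiz, 16),
            "entropy": float(entropy),
            "md5": md5,
        })
    return sections


def suspicious_sections(sections: list, threshold: float = 7.0) -> list:
    """Names of sections that have raw bytes on disk and near-random content (packed/encrypted).
    The 7.0 bits-per-byte threshold is an assumed rule of thumb; plain x86 code is usually 5-6.5."""
    return [s["name"] for s in sections if s["rawdsiz"] > 0 and s["entropy"] >= threshold]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniformly random); the 'ntropy' column above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    results = parse_vendor_results(VENDOR_LINES)
    hits, total = detection_ratio(results)
    print(f"detections: {hits}/{total}")
    for name in suspicious_sections(parse_sections(SECTION_LINES)):
        print(f"high-entropy section: {name}")
```

Note that the .adata section's md5 (d41d8cd98f00b204e9800998ecf8427e) is the MD5 of empty input, which matches its raw size of 0; the hashing helper reproduces that value, a quick sanity check that the report's section hashes were computed over raw (on-disk) bytes.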