logo1_.exe, rundll16.exe and zts2.exe
Calypze
Stockholm, Sweden
Hello.
In my Windows folder there is a folder called logo1_.exe. It appears that there is a trojan that has this name.
I couldn't find any process with that name or a similar one. However, is this folder dangerous (I would guess so) and should I get rid of it? If so, how?
The folder is (according to Properties) 0 bytes in size and it refuses to let me open it, even if I use administrator rights.
There are also two similar folders in the Windows directory called zts2.exe and rundll16.exe. I can enter the first one without problems, but not the second; same problem as with logo1_.exe.
These are the strange folders I've found; probably there are more.
Please help me with this. Thanks in advance.
Comments
Welcome to Icrontic Malware Removal Forum.
My name is peku006 and I will be assisting you.
Please Click here to download HJTsetup.exe
* Save HJTsetup.exe to your desktop.
* Double click on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next(three times) in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Then you will need to click on install
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a log file button. It will scan and then notepad will open up
* Click file>save as and save it to your desktop
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back here to this thread and Paste the log in your next reply.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
If it is important, the installation didn't take place exactly as you described. Nevertheless, the program was installed without any problems. In any case, here is the log:
I'll need more information from you. Download Deckard's System Scanner (DSS) to your Desktop.
What DSS will do:
* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review.
* DSS automatically runs HijackThis 1.99.1 for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Please attach extra.txt to your post.
In any case, here is the content of main.txt:
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
  o Scan Options:
    + Scan Archives
    + Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
The forum refuses to let me post it in this post, so I'll have to attach the document. I hope you don't mind.
Not seeing anything Suspicious in your Logfiles.
Your comp looks clean.
You can delete these files (logo1_.exe., zts2.exe. and rundll16.exe., if present)
Did you try changing the ownership of the file ?
Make sure to change the ownership of the file and also select the option to change the ownership of everything inside that folder
take ownership of the file
I searched on Google and found some stuff: http://forums.spywareinfo.com/lofiversion/index.php/t96388.html
It appears that MWAV eScan creates those folders in some odd attempt to prevent the malware with the same name from taking root. Do you think this could be the case here as well?
I am not sure
Let us take a deeper look.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
(filepath)logo1_.exe.
Do the same for the following Files: zts2.exe ,and rundll16.exe
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html
You can delete these folders (logo1_.exe., zts2.exe. and rundll16.exe., if present)
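One way to carry out the "look at what it is, take ownership, then delete" steps from the two replies above, and to get file hashes for a Jotti/VirusTotal lookup, as an added example that is not code from the thread or from any of the tools it mentions. It assumes Windows PowerShell run from an elevated (Administrator) prompt; the $Pattern, $DoRemove and function names are mine, and the optional trailing dot in the pattern is an assumption drawn from how the names are written in the replies above (a trailing dot is one reason Explorer cannot open an entry: the normal Win32 path layer strips it, while the \\?\ prefix does not, which is why rd and del are called through cmd.exe with that prefix).

```powershell
# Added example, not code from the thread or from eScan/HijackThis/DSS.
# Run from an elevated PowerShell prompt. Nothing is removed while $DoRemove
# is $false; flip it only after reading the report.
$DoRemove = $false

# Names taken from the thread. The optional trailing dot is an assumption based
# on how the names are written in the replies above.
$Pattern = '^(logo1_|zts2|rundll16)\.exe\.?$'

function Get-EntryReport {
    param([System.IO.FileSystemInfo]$Entry)

    # Extended-length prefix: bypasses Win32 path normalisation so a trailing
    # dot (or space) in the name is addressed as stored on disk.
    $raw = '\\?\' + $Entry.FullName

    try   { $owner = (Get-Acl -LiteralPath $Entry.FullName -ErrorAction Stop).Owner }
    catch { $owner = "unreadable ($($_.Exception.Message))" }

    $report = [ordered]@{
        Name       = $Entry.Name
        Kind       = if ($Entry.PSIsContainer) { 'directory' } else { 'file' }
        Attributes = $Entry.Attributes
        Created    = $Entry.CreationTime
        Owner      = $owner
        RawPath    = $raw
    }

    if ($Entry.PSIsContainer) {
        # An empty, unopenable folder is consistent with a placeholder created
        # to block a file of the same name; a folder with content deserves a
        # closer look before deletion.
        try   { $report.Children = @(Get-ChildItem -LiteralPath $Entry.FullName -Force -ErrorAction Stop).Count }
        catch { $report.Children = 'cannot enumerate' }
    } else {
        # Hash real files so they can be looked up on Jotti/VirusTotal by hash
        # before (or instead of) uploading them.
        $report.Length = $Entry.Length
        try   { $report.SHA256 = (Get-FileHash -LiteralPath $Entry.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { $report.SHA256 = 'cannot read' }
    }
    [pscustomobject]$report
}

function Remove-EntryForcibly {
    param([System.IO.FileSystemInfo]$Entry)
    $raw = '\\?\' + $Entry.FullName

    # Take ownership and grant Administrators full control first (both tools
    # ship with Windows). For a name with a trailing dot these may not be able
    # to address the entry; the rd/del call with the \\?\ prefix below is the
    # documented fallback for such names.
    if ($Entry.PSIsContainer) {
        takeown.exe /F "$($Entry.FullName)" /A /R /D Y | Out-Null
        icacls.exe  "$($Entry.FullName)" /grant 'Administrators:F' /T /C | Out-Null
        cmd.exe /c rd /s /q "$raw"
    } else {
        takeown.exe /F "$($Entry.FullName)" /A | Out-Null
        icacls.exe  "$($Entry.FullName)" /grant 'Administrators:F' /C | Out-Null
        cmd.exe /c del /f /q "$raw"
    }

    # Re-enumerate rather than Test-Path: Test-Path would normalise the path
    # and strip a trailing dot, giving a false "removed".
    $still = Get-ChildItem -LiteralPath $env:windir -Force | Where-Object { $_.Name -eq $Entry.Name }
    if ($still) { Write-Warning "still present: $($Entry.FullName)" }
    else        { Write-Host    "removed: $($Entry.FullName)" }
}

# -Force includes hidden and system entries, which is how these usually hide.
$entries = Get-ChildItem -LiteralPath $env:windir -Force | Where-Object { $_.Name -match $Pattern }
if (-not $entries) { Write-Host "No matching entries under $env:windir"; return }

$entries | ForEach-Object { Get-EntryReport $_ } | Format-List

if ($DoRemove) { $entries | ForEach-Object { Remove-EntryForcibly $_ } }
```

Read the report first: an entry that is a directory with zero children, owned by SYSTEM or Administrators and carrying the Hidden/System attributes, matches the placeholder behaviour the thread attributes to eScan, while a real executable gets a SHA256 you can paste into VirusTotal's search before deciding to upload it. Only then set $DoRemove to $true and run again.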
So it is fine I guess. I mean, are the earlier logs ok?
And I have a general question about the Kaspersky Online Scanner: When I run it, should I run IE as an administrator or not (keep in mind that I have Vista)?
Sorry about the delay in responding
I'm not seeing anything malicious in your logs
Your comp looks clean. what says Kaspersky Online Virus Scanner if you run that?
Requirements and limitations:
When using this service for the first time, you have to run with Administrator privileges in order to install the product. Also, you will need to download and install files about 400 KB in size
Can I ask one more question before we consider this thread resolved? It's a rather dumb question, but better safe than sorry:
Does the "extended" database include the "standard" definitions for scanning? Or do I have to make another scan using the "standard" definitions to be able to find that stuff as well?
YES
I'm not sure whether I should start a new thread for this or continue in this one. I'm continuing here because this is still recent, and it is in part connected to this thread.
Today I made a scan with the Kaspersky Online Scanner. It detected dss.exe, the file you told me to download earlier, as being infected with IM-Worm.Win32.Sohanad.aw. It has never done so before. Do you think it is a false positive? Or could the file really be infected by that worm? I uploaded the file to Jotti as well, and there both Kaspersky and F-Secure detected it as that worm. What should I do?
About the worm, from Kaspersky: http://www.viruslist.com/en/viruses/encyclopedia?virusid=161634
Sorry about the delay in responding
Please do the following...
Please Print out these instructions or copy them to a NotePad file so they will be accessible
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Nice program btw. I didn't expect that Kaspersky would miss stuff that this would pick up.
If this is of any interest, the program's progress didn't work out exactly as in your post. When it found the first thing, a notice appeared immediately, asking me if I wanted to remove/cure it, and I selected "Yes to all", so that it would remove any other malware without prompting. As for the dss.exe file, I removed it after the Kaspersky scanner had finished, because I couldn't stand having a potential malware right in my face. Again, I don't know if this information is of any value, but I'm telling you just in case.
Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.
This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead
Would you also be interested in joining Short-Media (Team #93) in the Folding@Home Project? More information is available here