C:windows\system32\ DISPEXI.DLL\[Morphine]\[UPX]

Viruses and worms
1

I keep getting a notice for this. Avast isn’t being allowed to quarantine or delete it. It isn’t being picked up by my other programs (search and destroy, malwarebytes anti-malware) either. I have Windows XP with Avast 4.8 home and keep it updated.

Any ideas? thanks, Juno

2

Hi junofeb,

Here are manual removal instructions in case of dispexi.dll

dispexi.dll
We suggest you to remove dispexi.dll from your computer as soon as possible.
Dispexi.dll is Troj/Agent-GIH.
Related files:
%Temp%_vdmstmsnd_.dat
%Temp%\tmp<#>.bat
%Temp%\tmp<#>.tmp
%Temp%\dm<#>.exe
%Temp%\dm<#>h.exe
%System%\avicap32n.dll
%System%\dpnaddrm.dll
%System%\dispexi.dll
Read more: http://www.sophos.com/security/analyses/trojagentgih.html

or it could be part of, see whether you have these traces and then follow instructions below:
dmadmin_1.exe - Dangerous
dm<#>.exe
We suggest you to remove dm<#>.exe from your computer as soon as possible.
Dm<#>.exe is Troj/Agent-GIH.
Related files:
%Temp%_vdmstmsnd_.dat
%Temp%\tmp<#>.bat
%Temp%\tmp<#>.tmp
%Temp%\dm<#>.exe
%Temp%\dm<#>h.exe
%System%\avicap32n.dll
%System%\dpnaddrm.dll
%System%\dispexi.dll

Kill the process dm<#>.exe and remove dm<#>.exe from Windows startup.

Removal: dm<#>.exe is removed by RegRun.

dm<#>h.exe
We suggest you to remove dm<#>h.exe from your computer as soon as possible.
Dm<#>h.exe is Troj/Agent-GIH.
Related files:
%Temp%_vdmstmsnd_.dat
%Temp%\tmp<#>.bat
%Temp%\tmp<#>.tmp
%Temp%\dm<#>.exe
%Temp%\dm<#>h.exe
%System%\avicap32n.dll
%System%\dpnaddrm.dll
%System%\dispexi.dll

Kill the process dm<#>h.exe and remove dm<#>h.exe from Windows startup.

dmadmin_1.exe
Dmadmin_1.exe is W32.Killaut.A.
W32.Killaut.A is a worm that copies itself to local and removable drives.
It also disables system tools and certain antivirus-related processes.
Related files:
%UserProfile%\My Documents[CURRENT USER ACCOUNT].exe
%System%\debug_32.exe
%System%\MsMpEng.exe
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job
%Windir%\Tasks\dmadmin_1.exe
%Windir%\compmgmt.exe

Kill the process dmadmin_1.exe and remove dmadmin_1.exe from Windows startup,

polonus

3

how about the boot-time scan?

4

Thanks for the input.

boot log:

CmdLine - quick
aswBoot.exe /A:“" /L:“English” /RA:chest /KBD:2
CmdLine end
SafeBoot: 0
CreateKbThread
new CKbBuffer
CKbBuffer::Init
CKbBuffer::Init end
NtCreateEvent(g_hStopEvent)
dep_osBeginThread - KbThread
CreateKbThread end
NtInitializeRegistry
KbThread start
ReadRegistry
DATA=C:\Program Files\Alwil Software\Avast4\DATA
PROG=C:\Program Files\Alwil Software\Avast4
BUILD=1296
Microsoft Windows XP Service Pack 3
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
ReadRegistry end
CreateTemp
CreateTemp end
cmnbInit
SetFolders
SetFolders end
aswEnginDllMain(DLL_PROCESS_ATTACH)
InitLog
InitLog end
CmdLine - full
aswBoot.exe /A:"” /L:“English” /RA:chest /KBD:2
CmdLine end
Unschedule
61,00,75,00,74,00,6F,00,63,00,68,00,65,00,63,00,
6B,00,20,00,61,00,75,00,74,00,6F,00,63,00,68,00,
6B,00,20,00,2A,00,00,00,50,00,61,00,72,00,74,00,
69,00,7A,00,61,00,6E,00,00,00,61,00,73,00,77,00,
42,00,6F,00,6F,00,74,00,2E,00,65,00,78,00,65,00,
20,00,2F,00,41,00,3A,00,22,00,2A,00,22,00,20,00,
2F,00,4C,00,3A,00,22,00,45,00,6E,00,67,00,6C,00,
69,00,73,00,68,00,22,00,20,00,2F,00,52,00,41,00,
3A,00,63,00,68,00,65,00,73,00,74,00,20,00,2F,00,
4B,00,42,00,44,00,3A,00,32,00,00,00,00,00,
Unschedule end
LoadResources
LoadResources end
InitReport
InitReport end
NtSetEvent(g_hInitEvent) - 1
InitKeyboard
g_dwKbdNum: 2
s_dwKbdClassCnt: 2
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
GetKey
FreeMemory: 1923964928
avworkInitialize
FreeMemory: 1864880128
CKbBuffer::Wait
CKbBuffer::Get
CKbBuffer::Get end
CKbBuffer::Wait end
ProcessArea
avfilesScanAdd *MBR0
avfilesScanAdd *RAW:C:\ [Fs: 000700ff, NTFS; Dev: 07, 00000020]
avfilesScanAdd *RAW:D:\ [Fs: 000700ff, NTFS; Dev: 07, 00000020]
avfilesScanRealMulti begin
CKbBuffer::Get
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 2, 1, 0, 0
CKbBuffer::Get
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 2, 1, 0, 0
avfilesScanRealMulti finished
avworkClose
Checking deleted files:
MarkFileRemoval
MarkFileRemoval end
Going to disable files:
*RAW:C:\WINDOWS\system32\drivers\qulytsft.sys
Preparing for restart
TerminateKbThread
GetKey end
CloseKeyboard
CloseKeyboard end
KbThread stop
CKbBuffer::~CKbBuffer
CKbBuffer::~CKbBuffer end
aswEnginDllMain(DLL_PROCESS_DETACH)
cmnbFree
FreeResources
CloseReport
CloseLog

Something seemed to have happened from running the scan. When the warnings popped up again on reboot, I was able to relocate them to the chest, I wasn’t getting the pop-up saying that they could not be moved.
I couldn’t find them in my sys 32 folder anymore, so hopefully they’re gone. thanks, Juno

5

Check the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt that should report the scan stats including any detections. Though if there was a detection on the boot-time scan you should have been alerted and given options on what to do, see image.

6

this file C:\WINDOWS\system32\drivers\qulytsft.sys seems to be cleaned now (it was maybe a rootkit protecting the dll)… are you able to remove the dispexi.dll after the boot-time scan?