Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Found you from Dell

Post by snowman » September 23rd, 2005, 2:44 pm

I saw a post on a Dell forum and here I am.
snowman
Active Member
 
Posts: 7
Joined: September 23rd, 2005, 1:36 pm
Location: Milwaukee

I want pop tops not popups

Post by snowman » September 23rd, 2005, 2:55 pm

I have spent 3 days on this problem so far. Check out this log and please help if you can.

Logfile of HijackThis v1.99.1
Scan saved at 1:46:54 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\nrpn\osoa.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\comarm.exe
C:\WINDOWS\system32\comarm.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - HKCU\..\Run: [comarm] C:\WINDOWS\system32\comarm.exe
O4 - HKCU\..\RunOnce: [comarm] C:\WINDOWS\system32\comarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/ ... chat42.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/ ... snUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\Software\..\Telephony: DomainName = overview.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = overview.com
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\wavcore.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3RldmUA\command.exe
O23 - Service: CWShredder Service - Trend Micro Incorporated - C:\hjt\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
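The log above is the kind a volunteer helper reads line by line. The script below is an added example for this thread (it is not HijackThis code and not a tool the helpers used): it parses a HijackThis 1.99-style log and pulls out the entries that deserve a second look, using a subset of the posted log as constructed sample input. The rules are this example's own assumptions about what is worth checking, not a verdict that any entry is malicious; the small `SYSTEM32_RUN_OK` allowlist is likewise an assumption. One detail it surfaces mechanically: the `cmdService` binary sits in a directory named `c3RldmUA`, which is valid base64 for the bytes `steve` followed by a NUL, and `steve` is the profile name that appears later in the thread.

```python
"""Triage a HijackThis 1.99 log for the entries a helper reads first.

Added example for this thread; it is not HijackThis code and not a tool
the helpers used. The sample lines are copied from the log posted above.
The rules encode what deserves a second look, not a verdict: a proxy,
a DNS suffix or a Winlogon package can all be legitimate on a managed PC.
"""
import base64
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_ENTRY = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<target>.*)$")

# system32 executables that commonly and legitimately sit in Run keys (assumed allowlist).
SYSTEM32_RUN_OK = {"rundll32.exe", "ctfmon.exe", "userinit.exe"}

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - HKCU\..\Run: [comarm] C:\WINDOWS\system32\comarm.exe
O4 - HKCU\..\RunOnce: [comarm] C:\WINDOWS\system32\comarm.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\wavcore.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3RldmUA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
"""


def basename(path):
    """Last component of a Windows path, lower-cased, surrounding quotes stripped."""
    return re.split(r"\\+", path.strip('"'))[-1].lower()


def decodes_as_base64(token):
    """Printable bytes if a path component is valid base64 for printable text, else None.
    The posted log has a service in a directory named c3RldmUA, which decodes to
    b'steve' plus a NUL byte; 'steve' is the profile name seen later in the thread."""
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True).rstrip(b"\x00")
    except ValueError:
        return None
    return raw if raw and all(32 <= b < 127 for b in raw) else None


def triage(log_text):
    """Return the list of Findings for one log, in log order."""
    findings = []
    run_targets = set()  # targets seen under Run, to catch RunOnce duplicates
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body, reasons = m.group("sec"), m.group("body"), []
        if sec == "R1" and "ProxyServer" in body:
            reasons.append("proxy server configured; confirm it is the expected one")
        elif sec == "O2":
            reasons.append("browser helper object loads into every IE process; verify the vendor")
        elif sec == "O4" and (o4 := O4_ENTRY.match(body)):
            target = o4.group("target").strip('"')
            if o4.group("hive") == "HKCU":
                reasons.append("per-user (HKCU) autostart, writable without admin rights")
            if "\\system32\\" in target.lower() and basename(target) not in SYSTEM32_RUN_OK:
                reasons.append("non-standard binary started from system32")
            if o4.group("key") == "Run":
                run_targets.add(target.lower())
            elif target.lower() in run_targets:
                reasons.append("RunOnce duplicates a Run entry for the same file")
        elif sec == "O17":
            reasons.append("DNS domain suffix set in the registry; confirm it matches the network")
        elif sec == "O20":
            reasons.append("Winlogon notification DLL; loaded into winlogon.exe at every logon")
        elif sec == "O23":
            path = body.rsplit(" - ", 1)[-1]
            if "Unknown owner" in body:
                reasons.append("service binary carries no vendor information")
            if "(file missing)" in body:
                reasons.append("service points at a file that no longer exists")
            for part in path.split("\\"):
                decoded = decodes_as_base64(part)
                if decoded:
                    reasons.append("directory name %r decodes to %r" % (part, decoded))
        if reasons:
            findings.append(Finding(sec, "; ".join(reasons), raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports nine lines and stays quiet about the ewido service and the HKLM Microsoft AntiSpyware entry; the point is to make the helper's reading order explicit, not to replace it.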

Re: I want pop tops not popups

Post by Perculator » September 24th, 2005, 2:55 am

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

L2MFIX Log

Post by snowman » September 24th, 2005, 11:44 am

Here is the log you requested.
I also included a log from EWIDO that may have some useful info.
Thanks for the help


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0803767C-585D-A8EF-3229-2631462E7882}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{584EF118-3DFB-4BC5-AA94-84BC067F45E2}"=""
"{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\IVSUTIL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\InprocServer32]
@="C:\\WINDOWS\\system32\\RNGSVC.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aamrccsp.dll Tue Sep 20 2005 10:04:56p A.... 45,056 44.00 K
aeroles.dll Thu Sep 22 2005 12:01:42p ..S.R 417,792 408.00 K
atmtd.dll Tue Sep 20 2005 11:39:14a A.... 687,592 671.48 K
cdusapi.dll Thu Sep 22 2005 12:51:02p ..S.R 417,792 408.00 K
dkocx.dll Tue Sep 20 2005 2:16:40p ..S.R 417,792 408.00 K
eoaed.dll Sat Sep 24 2005 8:17:04a A.... 10,240 10.00 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gwfspi~1.dll Wed Aug 3 2005 10:33:38a A.... 23,304 22.76 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
iusads.dll Thu Sep 22 2005 8:33:54a ..S.R 417,792 408.00 K
ivsutil.dll Thu Sep 22 2005 11:14:34a ..S.R 417,792 408.00 K
kodir.dll Thu Sep 22 2005 9:02:28a ..S.R 417,792 408.00 K
kudla.dll Thu Sep 22 2005 9:58:44a ..S.R 417,792 408.00 K
kydlt.dll Tue Sep 20 2005 8:47:46p ..S.R 417,792 408.00 K
legitc~1.dll Mon Aug 29 2005 1:27:12p A.... 520,968 508.76 K
lhtga11n.dll Thu Sep 22 2005 10:47:44a ..S.R 417,792 408.00 K
lwkrn11n.dll Thu Sep 22 2005 10:07:36p ..S.R 417,792 408.00 K
lyrt.dll Fri Sep 23 2005 11:19:42a ..S.R 417,792 408.00 K
mctime.dll Thu Sep 22 2005 8:50:00a ..S.R 417,792 408.00 K
msegco~1.dll Tue Sep 20 2005 12:12:54p A.... 22 0.02 K
mutask.dll Tue Sep 20 2005 1:17:28p ..S.R 417,792 408.00 K
ncmarta.dll Thu Sep 22 2005 9:32:12a ..S.R 417,792 408.00 K
ofengl32.dll Thu Sep 22 2005 2:16:50p ..S.R 417,792 408.00 K
qkdit.dll Thu Sep 22 2005 12:06:32p ..S.R 417,792 408.00 K
rccdll.dll Thu Sep 22 2005 10:43:16a ..S.R 417,792 408.00 K
repairs.dll Fri Sep 23 2005 8:28:46a A.... 83,456 81.50 K
rngsvc.dll Thu Sep 22 2005 12:13:48p ..S.R 417,792 408.00 K
rxpsnd.dll Tue Sep 20 2005 9:47:18p ..S.R 417,792 408.00 K
tzbyuv.dll Fri Sep 23 2005 8:13:34a ..S.R 417,792 408.00 K
uqandlg.dll Thu Sep 22 2005 9:13:06a ..S.R 417,792 408.00 K
vzmdbg.dll Thu Sep 22 2005 2:33:04p ..S.R 417,792 408.00 K
wavcore.dll Fri Sep 23 2005 8:01:32a ..S.R 417,792 408.00 K
woecedit.dll Tue Sep 20 2005 1:47:48p ..S.R 417,792 408.00 K
zrpfldr.dll Tue Sep 20 2005 8:13:16a ..S.R 417,792 408.00 K
__dele~1.dll Sat Sep 24 2005 8:17:04a A.... 46,080 45.00 K

36 items found: 36 files (25 H/S), 0 directories.
Total of file sizes: 12,201,622 bytes 11.63 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Sep 20 2005 12:36:32p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is D4FB-D427

Directory of C:\WINDOWS\System32

09/23/2005 11:19 AM 417,792 lyrt.dll
09/23/2005 08:13 AM 417,792 TZBYUV.DLL
09/23/2005 08:01 AM 417,792 wavcore.dll
09/22/2005 10:07 PM 417,792 Lwkrn11n.dll
09/22/2005 10:07 PM <DIR> DLLCACHE
09/22/2005 02:33 PM 417,792 vzmdbg.dll
09/22/2005 02:16 PM 417,792 ofengl32.dll
09/22/2005 12:51 PM 417,792 CDUSAPI.DLL
09/22/2005 12:13 PM 417,792 RNGSVC.DLL
09/22/2005 12:06 PM 417,792 QKDIT.DLL
09/22/2005 12:01 PM 417,792 aeroles.dll
09/22/2005 11:14 AM 417,792 IVSUTIL.DLL
09/22/2005 10:47 AM 417,792 lhtga11n.dll
09/22/2005 10:43 AM 417,792 RCCDLL.DLL
09/22/2005 09:58 AM 417,792 KUDLA.DLL
09/22/2005 09:32 AM 417,792 NCMARTA.DLL
09/22/2005 09:13 AM 417,792 UQANDLG.DLL
09/22/2005 09:02 AM 417,792 KODIR.DLL
09/22/2005 08:49 AM 417,792 MCTIME.DLL
09/22/2005 08:33 AM 417,792 IUSADS.DLL
09/20/2005 09:47 PM 417,792 RXPSND.DLL
09/20/2005 08:47 PM 417,792 KYDLT.DLL
09/20/2005 02:16 PM 417,792 DKOCX.DLL
09/20/2005 01:47 PM 417,792 WOECEDIT.DLL
09/20/2005 01:17 PM 417,792 MUTASK.DLL
09/20/2005 12:36 PM 417,792 guard.tmp
09/20/2005 08:13 AM 417,792 zrpfldr.dll
09/08/2005 08:46 AM 401,408 n?tepad.exe
12/30/2002 04:54 AM <DIR> Microsoft
27 File(s) 11,264,000 bytes
2 Dir(s) 10,536,701,952 bytes free



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:06:23 AM, 9/24/2005
+ Report-Checksum: B0A8ACFC

+ Scan result:

[2020] C:\WINDOWS\system32\fksfdsf.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
[280] C:\WINDOWS\system32\fksfdsf.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[292] C:\WINDOWS\system32\fksfdsf.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[476] C:\WINDOWS\system32\fksfdsf.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[644] C:\WINDOWS\system32\fksfdsf.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[684] C:\WINDOWS\system32\fksfdsf.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F266E9F2-3297-4096-853A-4EAF60.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092652.exe -> TrojanSpy.VB.eh : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092653.dll -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092654.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092655.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092659.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092663.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP385\A0092664.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\wbkwq.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup


::Report End
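L2MFix (a Look2Me removal tool) prints every recently changed DLL in system32 and warns that "Files Found are not all bad files". What separates the suspect group in the listing above is that those files share one size (417,792 bytes) and the same S and R attribute flags, and that the load points L2MFix dumps alongside them (the two CLSID InprocServer32 values) and the HijackThis O20 Winlogon Notify line all point into that same group, as does guard.tmp. The script below is an added example for this thread, not part of L2MFix: it clusters a "Files Found" listing by (size, attributes) and cross-references the largest cluster against the registry load points, using a subset of the posted logs as constructed sample input.

```python
"""Isolate the same-size, same-attribute DLL cluster in an L2MFix "Files Found" listing.

Added example for this thread, not part of L2MFix. The sample data below is
a subset of the L2MFix log and HijackThis O20 line posted in the thread.
"""
import re
from collections import defaultdict

# One L2MFix file line: name, weekday, month, day, year, time, attribute flags, size, size in K/M.
FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \w{3}\s+\d{1,2} \d{4} [\d:]+[ap]\s+"
    r"(?P<attr>[A-Z.]{5})\s+(?P<size>[\d,]+)\s+[\d.]+ [KM]$"
)
# Load points: CLSID InprocServer32 values from the .reg dump and HijackThis O20 lines.
LOAD_POINT = re.compile(r'InprocServer32\]\s*@="([^"]+)"|Winlogon Notify: \S+ - (\S+)')

SAMPLE_LISTING = r"""
C:\WINDOWS\SYSTEM32\
aamrccsp.dll Tue Sep 20 2005 10:04:56p A.... 45,056 44.00 K
aeroles.dll Thu Sep 22 2005 12:01:42p ..S.R 417,792 408.00 K
cdusapi.dll Thu Sep 22 2005 12:51:02p ..S.R 417,792 408.00 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
ivsutil.dll Thu Sep 22 2005 11:14:34a ..S.R 417,792 408.00 K
kodir.dll Thu Sep 22 2005 9:02:28a ..S.R 417,792 408.00 K
msegco~1.dll Tue Sep 20 2005 12:12:54p A.... 22 0.02 K
rngsvc.dll Thu Sep 22 2005 12:13:48p ..S.R 417,792 408.00 K
wavcore.dll Fri Sep 23 2005 8:01:32a ..S.R 417,792 408.00 K
zrpfldr.dll Tue Sep 20 2005 8:13:16a ..S.R 417,792 408.00 K
guard.tmp Tue Sep 20 2005 12:36:32p ..S.R 417,792 408.00 K
"""

SAMPLE_REGISTRY = r"""
[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\IVSUTIL.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\InprocServer32]
@="C:\\WINDOWS\\system32\\RNGSVC.DLL"
"ThreadingModel"="Apartment"

O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\wavcore.dll
"""


def parse_listing(text):
    """Yield (name, attr, size_in_bytes) for each file line; header and summary lines are skipped."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            yield m.group("name").lower(), m.group("attr"), int(m.group("size").replace(",", ""))


def clusters(text, min_members=3):
    """Group files by (size, attr); return groups with at least min_members, largest first."""
    groups = defaultdict(list)
    for name, attr, size in parse_listing(text):
        groups[(size, attr)].append(name)
    return sorted(((k, sorted(v)) for k, v in groups.items() if len(v) >= min_members),
                  key=lambda kv: -len(kv[1]))


def load_points(text):
    """Lower-cased basenames of DLLs the registry dump / HJT line say get loaded."""
    names = set()
    for inproc, notify in LOAD_POINT.findall(text):
        names.add(re.split(r"\\+", inproc or notify)[-1].lower())
    return names


def report(listing, registry):
    """Largest cluster, split into members referenced by a load point and the rest."""
    found = clusters(listing)
    if not found:
        return None
    (size, attr), members = found[0]
    loaded = load_points(registry)
    return {"size": size, "attr": attr, "members": members,
            "loaded": [n for n in members if n in loaded],
            "unreferenced": [n for n in members if n not in loaded]}


if __name__ == "__main__":
    r = report(SAMPLE_LISTING, SAMPLE_REGISTRY)
    print(f"{len(r['members'])} files of {r['size']} bytes with attributes {r['attr']}")
    print("referenced by a load point:", ", ".join(r["loaded"]))
    print("same cluster, no load point yet:", ", ".join(r["unreferenced"]))
```

The unreferenced members matter as much as the referenced ones: on the sample they include guard.tmp and five DLLs that nothing in the dumped keys loads, which is why the helper asks for the full find log before choosing what to remove rather than deleting only the two CLSID targets and the Notify DLL.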

Post by Perculator » September 25th, 2005, 2:49 pm

Please post a fresh HijackThis log too.

2 Things Left

Post by snowman » September 25th, 2005, 4:19 pm

I think I have killed off most of the problems, but I still have 2 reports still happening.

MS Antispy is still reporting Apropos Media in the registry. It keeps coming back even after it is cleaned.
HKLM\Software\Aprps is the reg key indicated.

Also EWIDO reports this.
Cleaned it and it keeps coming back.

I am also including the latest HJT and L2MFix logs.

Please advise if I need to do something else.

Thanks
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:56:50 PM, 9/25/2005
+ Report-Checksum: F2B48C70

+ Scan result:

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP386\A0093668.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP386\A0093669.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup


::Report End

These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0803767C-585D-A8EF-3229-2631462E7882}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{584EF118-3DFB-4BC5-AA94-84BC067F45E2}"=""
"{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\IVSUTIL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}\InprocServer32]
@="C:\\WINDOWS\\system32\\RNGSVC.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aamrccsp.dll Tue Sep 20 2005 10:04:56p A.... 45,056 44.00 K
aeroles.dll Thu Sep 22 2005 12:01:42p ..S.R 417,792 408.00 K
atmtd.dll Tue Sep 20 2005 11:39:14a A.... 687,592 671.48 K
browseui.dll Sat Jul 2 2005 9:11:28p A.... 1,019,904 996.00 K
cdfview.dll Sat Jul 2 2005 9:11:28p A.... 151,040 147.50 K
cdusapi.dll Thu Sep 22 2005 12:51:02p ..S.R 417,792 408.00 K
dkocx.dll Tue Sep 20 2005 2:16:40p ..S.R 417,792 408.00 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gwfspi~1.dll Wed Aug 3 2005 10:33:38a A.... 23,304 22.76 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
icm32.dll Tue Jun 28 2005 8:46:00p A.... 254,976 249.00 K
iepeers.dll Sat Jul 2 2005 9:11:28p A.... 251,392 245.50 K
inseng.dll Sat Jul 2 2005 9:11:28p A.... 96,256 94.00 K
iusads.dll Thu Sep 22 2005 8:33:54a ..S.R 417,792 408.00 K
ivsutil.dll Thu Sep 22 2005 11:14:34a ..S.R 417,792 408.00 K
kodir.dll Thu Sep 22 2005 9:02:28a ..S.R 417,792 408.00 K
kudla.dll Thu Sep 22 2005 9:58:44a ..S.R 417,792 408.00 K
kydlt.dll Tue Sep 20 2005 8:47:46p ..S.R 417,792 408.00 K
legitc~1.dll Mon Aug 29 2005 1:27:12p A.... 520,968 508.76 K
lhtga11n.dll Thu Sep 22 2005 10:47:44a ..S.R 417,792 408.00 K
lwkrn11n.dll Thu Sep 22 2005 10:07:36p ..S.R 417,792 408.00 K
lyrt.dll Fri Sep 23 2005 11:19:42a ..S.R 417,792 408.00 K
mctime.dll Thu Sep 22 2005 8:50:00a ..S.R 417,792 408.00 K
mscms.dll Tue Jun 28 2005 8:46:00p A.... 74,240 72.50 K
mshtml.dll Tue Jul 19 2005 9:00:30p A.... 3,014,144 2.87 M
mshtmled.dll Sat Jul 2 2005 9:11:30p A.... 448,512 438.00 K
msrating.dll Sat Jul 2 2005 9:11:30p A.... 146,432 143.00 K
mutask.dll Tue Sep 20 2005 1:17:28p ..S.R 417,792 408.00 K
ncmarta.dll Thu Sep 22 2005 9:32:12a ..S.R 417,792 408.00 K
ofengl32.dll Thu Sep 22 2005 2:16:50p ..S.R 417,792 408.00 K
pngfilt.dll Sat Jul 2 2005 9:11:30p A.... 39,424 38.50 K
qkdit.dll Thu Sep 22 2005 12:06:32p ..S.R 417,792 408.00 K
rccdll.dll Thu Sep 22 2005 10:43:16a ..S.R 417,792 408.00 K
repairs.dll Fri Sep 23 2005 8:28:46a A.... 83,456 81.50 K
rngsvc.dll Thu Sep 22 2005 12:13:48p ..S.R 417,792 408.00 K
rxpsnd.dll Tue Sep 20 2005 9:47:18p ..S.R 417,792 408.00 K
shdocvw.dll Sat Jul 2 2005 9:11:30p A.... 1,483,776 1.41 M
shlwapi.dll Sat Jul 2 2005 9:11:30p A.... 473,600 462.50 K
tapisrv.dll Fri Jul 8 2005 11:27:56a A.... 249,344 243.50 K
tzbyuv.dll Fri Sep 23 2005 8:13:34a ..S.R 417,792 408.00 K
umpnpmgr.dll Wed Jun 29 2005 9:02:40p A.... 118,272 115.50 K
uqandlg.dll Thu Sep 22 2005 9:13:06a ..S.R 417,792 408.00 K
urlmon.dll Sat Jul 2 2005 9:11:30p A.... 607,744 593.50 K
vzmdbg.dll Thu Sep 22 2005 2:33:04p ..S.R 417,792 408.00 K
wavcore.dll Fri Sep 23 2005 8:01:32a ..S.R 417,792 408.00 K
wininet.dll Sat Jul 2 2005 9:11:30p A.... 658,432 643.00 K
woecedit.dll Tue Sep 20 2005 1:47:48p ..S.R 417,792 408.00 K
zrpfldr.dll Tue Sep 20 2005 8:13:16a ..S.R 417,792 408.00 K

49 items found: 49 files (25 H/S), 0 directories.
Total of file sizes: 21,232,768 bytes 20.25 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Sep 20 2005 12:36:32p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is D4FB-D427

Directory of C:\WINDOWS\System32

09/23/2005 11:19 AM 417,792 lyrt.dll
09/23/2005 08:13 AM 417,792 TZBYUV.DLL
09/23/2005 08:01 AM 417,792 wavcore.dll
09/22/2005 10:07 PM 417,792 Lwkrn11n.dll
09/22/2005 10:07 PM <DIR> DLLCACHE
09/22/2005 02:33 PM 417,792 vzmdbg.dll
09/22/2005 02:16 PM 417,792 ofengl32.dll
09/22/2005 12:51 PM 417,792 CDUSAPI.DLL
09/22/2005 12:13 PM 417,792 RNGSVC.DLL
09/22/2005 12:06 PM 417,792 QKDIT.DLL
09/22/2005 12:01 PM 417,792 aeroles.dll
09/22/2005 11:14 AM 417,792 IVSUTIL.DLL
09/22/2005 10:47 AM 417,792 lhtga11n.dll
09/22/2005 10:43 AM 417,792 RCCDLL.DLL
09/22/2005 09:58 AM 417,792 KUDLA.DLL
09/22/2005 09:32 AM 417,792 NCMARTA.DLL
09/22/2005 09:13 AM 417,792 UQANDLG.DLL
09/22/2005 09:02 AM 417,792 KODIR.DLL
09/22/2005 08:49 AM 417,792 MCTIME.DLL
09/22/2005 08:33 AM 417,792 IUSADS.DLL
09/20/2005 09:47 PM 417,792 RXPSND.DLL
09/20/2005 08:47 PM 417,792 KYDLT.DLL
09/20/2005 02:16 PM 417,792 DKOCX.DLL
09/20/2005 01:47 PM 417,792 WOECEDIT.DLL
09/20/2005 01:17 PM 417,792 MUTASK.DLL
09/20/2005 12:36 PM 417,792 guard.tmp
09/20/2005 08:13 AM 417,792 zrpfldr.dll
09/08/2005 08:46 AM 401,408 n?tepad.exe
12/30/2002 04:54 AM <DIR> Microsoft
27 File(s) 11,264,000 bytes
2 Dir(s) 10,305,011,712 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 2:59:51 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/ ... chat42.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/ ... snUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\Software\..\Telephony: DomainName = overview.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = overview.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
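With a fresh log in hand, the useful comparison is against the first one: which entries the cleanup removed, whether anything new appeared, and which entries survived. The script below is an added example for this thread (not a HijackThis feature); the two samples are constructed subsets of the first log and of the fresh one above. Survivors are split out again into the ones that are registry settings rather than binaries (R1, O6, O17) or that point at a file which no longer exists, because those are the lines a helper reads next. Nothing here says the survivors are malicious: a proxy, an IE restrictions policy and a DNS suffix can all be normal on a managed PC, which is why they are flagged for confirmation rather than removal.

```python
"""Diff two HijackThis logs: what the cleanup removed, what appeared, what survived.

Added example for this thread, not a HijackThis feature. BEFORE and AFTER are
subsets of the first and the fresh HijackThis logs posted in the thread.
"""
import re

HJT_LINE = re.compile(r"^([RO]\d+) - ")
SETTINGS_SECTIONS = {"R1", "O6", "O17"}  # registry settings HJT reports rather than executables

BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - HKCU\..\Run: [comarm] C:\WINDOWS\system32\comarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\wavcore.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3RldmUA\command.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
"""


def entries(log_text):
    """The R/O lines of a log as a list of (section, line), in log order."""
    out = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), line.strip()))
    return out


def diff_logs(before, after):
    """Three lists of (section, line): removed since `before`, added in `after`, present in both."""
    old, new = entries(before), entries(after)
    old_set, new_set = set(old), set(new)
    removed = [e for e in old if e not in new_set]
    added = [e for e in new if e not in old_set]
    persisting = [e for e in new if e in old_set]
    return removed, added, persisting


def still_worth_attention(persisting):
    """Survivors that are settings, or that reference a file HJT could not find."""
    return [e for e in persisting
            if e[0] in SETTINGS_SECTIONS or "(file missing)" in e[1] or "(no file)" in e[1]]


if __name__ == "__main__":
    removed, added, persisting = diff_logs(BEFORE, AFTER)
    for title, group in (("removed", removed), ("added", added),
                         ("survived, confirm or fix", still_worth_attention(persisting))):
        print(f"== {title} ({len(group)})")
        for _, line in group:
            print("  ", line)
```

On the sample the diff confirms the BHO, both per-user Run entries, the Winlogon Notify DLL and the cmdService service are gone, that nothing new appeared, and that the proxy setting, the IE restrictions policy, the domain suffix and the VNC service with its missing binary are the four items left to account for.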

Post by Perculator » September 26th, 2005, 5:18 am

Download Track qoo
Save it somewhere you will remember like the Desktop

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post.

trackqoo log

Post by snowman » September 26th, 2005, 9:26 pm

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- EditPlus
{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}
C:\Program Files\EditPlus 2\eppshell.dll

Subkey --- mtxmgxmn
{c2806b30-d55c-45ce-a3d0-55b8f45937da}
C:\WINDOWS\system32\eoaed.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
==============================
C:\Documents and Settings\steve\Start Menu\Programs\Startup

DESKTOP.INI
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
cpl_moh.cpl
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
NWC.CPL Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

Re: trackqoo log

Unread postby Perculator » September 29th, 2005, 4:01 pm

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you've carried out the advice.


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!



Please run Notepad and paste the following text into a new file:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mtxmgxmn]

[-HKEY_CLASSES_ROOT\CLSID\{c2806b30-d55c-45ce-a3d0-55b8f45937da}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.



Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\system32\eoaed.dll
C:\WINDOWS\SYSTEM32\cpl_moh.cpl



For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.


While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


Now, in Safe Mode, perform a full scan with ewido and save the complete log it makes, including the header.


Reboot back to windows normal mode


Download trackQ and extract the file inside, also to the desktop. Double-left-click Track qoo 1.vbs (this script is by Mosiac1).
http://forums.subratam.org/index.php?ac ... t&id=39295


Download FindQoologic.zip save it to your Desktop.
http://forums.net-integration.net/index ... &id=134981
Extract (unzip) the files inside Preferably here to C:\
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, then post it in your reply.



Now post the Qoologic log, the ewido log, the l2m log and a new HijackThis log.
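The fix above was built by hand from the Track qoo report: a context-menu handler with a random-looking subkey name (mtxmgxmn) loading a DLL nobody recognises (eoaed.dll), plus the one .cpl in system32 with no company name (cpl_moh.cpl). The script below is an added example, not a tool from this thread or from the helpers' toolkit. It parses those two report sections, applies the same triage rule, and generates the REGEDIT4 removal file and the Killbox delete list. The allow-list KNOWN_HANDLER_DLLS and the no-vowels heuristic in looks_random are assumptions for the example, and the sample report is a constructed excerpt of the log posted above.

```python
"""Triage a Track qoo report and generate the removal artefacts.

Added example, not a tool from this thread: it applies the helper's rule
(an unrecognised context-menu handler DLL, a random-looking subkey name,
a .cpl with no company name) and emits the REGEDIT4 fix and Killbox list.
KNOWN_HANDLER_DLLS is an assumption; extend it for the machine at hand.
"""
import re

# Constructed sample: the relevant parts of the Track qoo output posted above.
SAMPLE_REPORT = r"""
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- EditPlus
{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}
C:\Program Files\EditPlus 2\eppshell.dll

Subkey --- mtxmgxmn
{c2806b30-d55c-45ce-a3d0-55b8f45937da}
C:\WINDOWS\system32\eoaed.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\WINDOWS\SYSTEM32 cpl files

access.cpl Microsoft Corporation
cpl_moh.cpl
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Windows built-ins plus the two third-party tools visible in the log (assumption).
KNOWN_HANDLER_DLLS = {"shell32.dll", "cscui.dll", "eppshell.dll", "wzshlstb.dll"}


def parse_context_menu_handlers(report):
    """Return [{'name', 'clsid', 'dll'}] for each 'Subkey ---' block."""
    lines = [ln.strip() for ln in report.splitlines()]
    handlers = []
    for i, ln in enumerate(lines):
        if not ln.startswith("Subkey ---"):
            continue
        name = ln[len("Subkey ---"):].strip()
        block = []                      # lines up to the next blank line
        for b in lines[i + 1:]:
            if not b:
                break
            block.append(b)
        # Some blocks name the subkey by CLSID and give a description instead.
        clsid = name if GUID_RE.match(name) else next((b for b in block if GUID_RE.match(b)), None)
        dll = next((b for b in block if PATH_RE.match(b)), None)
        if clsid and dll:
            handlers.append({"name": name, "clsid": clsid, "dll": dll})
    return handlers


def parse_cpl_listing(report):
    """Return {filename: company} from the 'SYSTEM32 cpl files' section."""
    cpls, in_section = {}, False
    for ln in report.splitlines():
        ln = ln.strip()
        if ln.lower().endswith("cpl files"):
            in_section = True
        elif in_section and ln.startswith("="):
            in_section = False
        elif in_section and ln:
            parts = ln.split(None, 1)           # "name.cpl [Company Name]"
            if parts[0].lower().endswith(".cpl"):
                cpls[parts[0]] = parts[1] if len(parts) > 1 else ""
    return cpls


def looks_random(name):
    """Generated names like 'mtxmgxmn' tend to contain no vowels at all."""
    letters = [c for c in name.lower() if c.isalpha()]
    return bool(letters) and not any(c in "aeiouy" for c in letters)


def suspicious_handlers(handlers):
    """Handlers loading a DLL outside the allow-list, or with a random-looking name."""
    flagged = []
    for h in handlers:
        base = h["dll"].rsplit("\\", 1)[-1].lower()
        random_name = not GUID_RE.match(h["name"]) and looks_random(h["name"])
        if base not in KNOWN_HANDLER_DLLS or random_name:
            flagged.append(h)
    return flagged


def suspicious_cpls(cpls):
    """Control-panel applets in system32 with no company name deserve a look."""
    return sorted(name for name, company in cpls.items() if not company)


def build_fix_reg(bad_handlers):
    """REGEDIT4 text that unregisters each flagged handler and its CLSID."""
    out = ["REGEDIT4", ""]
    for h in bad_handlers:
        out.append("[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\" + h["name"] + "]")
        out.append("")
        out.append("[-HKEY_CLASSES_ROOT\\CLSID\\" + h["clsid"] + "]")
        out.append("")
    return "\n".join(out)


def build_delete_list(bad_handlers, bad_cpls, system32="C:\\WINDOWS\\SYSTEM32"):
    """Full paths to paste into Killbox with 'Delete on Reboot' ticked."""
    return [h["dll"] for h in bad_handlers] + [system32 + "\\" + c for c in bad_cpls]


if __name__ == "__main__":
    bad = suspicious_handlers(parse_context_menu_handlers(SAMPLE_REPORT))
    cpls = suspicious_cpls(parse_cpl_listing(SAMPLE_REPORT))
    print(build_fix_reg(bad))
    print("\n".join(build_delete_list(bad, cpls)))
```

On the sample this prints exactly the two `[-...]` lines from the fix.reg above and the two Killbox paths. On a real report, widen KNOWN_HANDLER_DLLS to what is legitimately installed before trusting the flags: the allow-list will also flag any benign third-party handler it has never seen, so review the output before merging anything into the registry.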

Can't locate findQooLogic.Zip

Unread postby snowman » September 29th, 2005, 9:30 pm

I was unable to find QooLogic.Zip at this link.

http://forums.net-integration.net/index ... &id=134981

I did some searching and they all seem to point here. I will proceed with the other steps.

Here are the logs

Unread postby snowman » September 30th, 2005, 12:35 am

Logfile of HijackThis v1.99.1
Scan saved at 11:23:34 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-36.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/ ... chat42.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/ ... snUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\Software\..\Telephony: DomainName = overview.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = overview.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)


TrackQ

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- EditPlus
{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}
C:\Program Files\EditPlus 2\eppshell.dll

Subkey --- mtxmgxmn
{c2806b30-d55c-45ce-a3d0-55b8f45937da}
C:\WINDOWS\system32\eoaed.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
==============================
C:\Documents and Settings\steve\Start Menu\Programs\Startup

DESKTOP.INI
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
NWC.CPL Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:16:18 PM, 9/29/2005
+ Report-Checksum: B8DA4855

+ Scan result:

C:\Documents and Settings\steve\Cookies\steve@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\steve\Cookies\steve@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\steve\Cookies\steve@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\steve\Cookies\steve@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup


::Report End

L2MFix==========================================

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 592 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1560 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aeroles.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aeroles.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CDUSAPI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CDUSAPI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DKOCX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DKOCX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IUSADS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IUSADS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IVSUTIL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IVSUTIL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KODIR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KODIR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KUDLA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KUDLA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KYDLT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KYDLT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhtga11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhtga11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lwkrn11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lwkrn11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lyrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lyrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MCTIME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MCTIME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MUTASK.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MUTASK.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NCMARTA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NCMARTA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ofengl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ofengl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\QKDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\QKDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCDLL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCDLL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RNGSVC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RNGSVC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RXPSND.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RXPSND.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TZBYUV.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TZBYUV.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UQANDLG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UQANDLG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vzmdbg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vzmdbg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wavcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wavcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WOECEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WOECEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zrpfldr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zrpfldr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\aeroles.dll
Successfully Deleted: C:\WINDOWS\system32\aeroles.dll
deleting: C:\WINDOWS\system32\aeroles.dll
Successfully Deleted: C:\WINDOWS\system32\aeroles.dll
deleting: C:\WINDOWS\system32\CDUSAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\CDUSAPI.DLL
deleting: C:\WINDOWS\system32\CDUSAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\CDUSAPI.DLL
deleting: C:\WINDOWS\system32\DKOCX.DLL
Successfully Deleted: C:\WINDOWS\system32\DKOCX.DLL
deleting: C:\WINDOWS\system32\DKOCX.DLL
Successfully Deleted: C:\WINDOWS\system32\DKOCX.DLL
deleting: C:\WINDOWS\system32\IUSADS.DLL
Successfully Deleted: C:\WINDOWS\system32\IUSADS.DLL
deleting: C:\WINDOWS\system32\IUSADS.DLL
Successfully Deleted: C:\WINDOWS\system32\IUSADS.DLL
deleting: C:\WINDOWS\system32\IVSUTIL.DLL
Successfully Deleted: C:\WINDOWS\system32\IVSUTIL.DLL
deleting: C:\WINDOWS\system32\IVSUTIL.DLL
Successfully Deleted: C:\WINDOWS\system32\IVSUTIL.DLL
deleting: C:\WINDOWS\system32\KODIR.DLL
Successfully Deleted: C:\WINDOWS\system32\KODIR.DLL
deleting: C:\WINDOWS\system32\KODIR.DLL
Successfully Deleted: C:\WINDOWS\system32\KODIR.DLL
deleting: C:\WINDOWS\system32\KUDLA.DLL
Successfully Deleted: C:\WINDOWS\system32\KUDLA.DLL
deleting: C:\WINDOWS\system32\KUDLA.DLL
Successfully Deleted: C:\WINDOWS\system32\KUDLA.DLL
deleting: C:\WINDOWS\system32\KYDLT.DLL
Successfully Deleted: C:\WINDOWS\system32\KYDLT.DLL
deleting: C:\WINDOWS\system32\KYDLT.DLL
Successfully Deleted: C:\WINDOWS\system32\KYDLT.DLL
deleting: C:\WINDOWS\system32\lhtga11n.dll
Successfully Deleted: C:\WINDOWS\system32\lhtga11n.dll
deleting: C:\WINDOWS\system32\lhtga11n.dll
Successfully Deleted: C:\WINDOWS\system32\lhtga11n.dll
deleting: C:\WINDOWS\system32\Lwkrn11n.dll
Successfully Deleted: C:\WINDOWS\system32\Lwkrn11n.dll
deleting: C:\WINDOWS\system32\Lwkrn11n.dll
Successfully Deleted: C:\WINDOWS\system32\Lwkrn11n.dll
deleting: C:\WINDOWS\system32\lyrt.dll
Successfully Deleted: C:\WINDOWS\system32\lyrt.dll
deleting: C:\WINDOWS\system32\lyrt.dll
Successfully Deleted: C:\WINDOWS\system32\lyrt.dll
deleting: C:\WINDOWS\system32\MCTIME.DLL
Successfully Deleted: C:\WINDOWS\system32\MCTIME.DLL
deleting: C:\WINDOWS\system32\MCTIME.DLL
Successfully Deleted: C:\WINDOWS\system32\MCTIME.DLL
deleting: C:\WINDOWS\system32\MUTASK.DLL
Successfully Deleted: C:\WINDOWS\system32\MUTASK.DLL
deleting: C:\WINDOWS\system32\MUTASK.DLL
Successfully Deleted: C:\WINDOWS\system32\MUTASK.DLL
deleting: C:\WINDOWS\system32\NCMARTA.DLL
Successfully Deleted: C:\WINDOWS\system32\NCMARTA.DLL
deleting: C:\WINDOWS\system32\NCMARTA.DLL
Successfully Deleted: C:\WINDOWS\system32\NCMARTA.DLL
deleting: C:\WINDOWS\system32\ofengl32.dll
Successfully Deleted: C:\WINDOWS\system32\ofengl32.dll
deleting: C:\WINDOWS\system32\ofengl32.dll
Successfully Deleted: C:\WINDOWS\system32\ofengl32.dll
deleting: C:\WINDOWS\system32\QKDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\QKDIT.DLL
deleting: C:\WINDOWS\system32\QKDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\QKDIT.DLL
deleting: C:\WINDOWS\system32\RCCDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\RCCDLL.DLL
deleting: C:\WINDOWS\system32\RCCDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\RCCDLL.DLL
deleting: C:\WINDOWS\system32\RNGSVC.DLL
Successfully Deleted: C:\WINDOWS\system32\RNGSVC.DLL
deleting: C:\WINDOWS\system32\RNGSVC.DLL
Successfully Deleted: C:\WINDOWS\system32\RNGSVC.DLL
deleting: C:\WINDOWS\system32\RXPSND.DLL
Successfully Deleted: C:\WINDOWS\system32\RXPSND.DLL
deleting: C:\WINDOWS\system32\RXPSND.DLL
Successfully Deleted: C:\WINDOWS\system32\RXPSND.DLL
deleting: C:\WINDOWS\system32\TZBYUV.DLL
Successfully Deleted: C:\WINDOWS\system32\TZBYUV.DLL
deleting: C:\WINDOWS\system32\TZBYUV.DLL
Successfully Deleted: C:\WINDOWS\system32\TZBYUV.DLL
deleting: C:\WINDOWS\system32\UQANDLG.DLL
Successfully Deleted: C:\WINDOWS\system32\UQANDLG.DLL
deleting: C:\WINDOWS\system32\UQANDLG.DLL
Successfully Deleted: C:\WINDOWS\system32\UQANDLG.DLL
deleting: C:\WINDOWS\system32\vzmdbg.dll
Successfully Deleted: C:\WINDOWS\system32\vzmdbg.dll
deleting: C:\WINDOWS\system32\vzmdbg.dll
Successfully Deleted: C:\WINDOWS\system32\vzmdbg.dll
deleting: C:\WINDOWS\system32\wavcore.dll
Successfully Deleted: C:\WINDOWS\system32\wavcore.dll
deleting: C:\WINDOWS\system32\wavcore.dll
Successfully Deleted: C:\WINDOWS\system32\wavcore.dll
deleting: C:\WINDOWS\system32\WOECEDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\WOECEDIT.DLL
deleting: C:\WINDOWS\system32\WOECEDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\WOECEDIT.DLL
deleting: C:\WINDOWS\system32\zrpfldr.dll
Successfully Deleted: C:\WINDOWS\system32\zrpfldr.dll
deleting: C:\WINDOWS\system32\zrpfldr.dll
Successfully Deleted: C:\WINDOWS\system32\zrpfldr.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: aeroles.dll (188 bytes security) (deflated 48%)
adding: CDUSAPI.DLL (188 bytes security) (deflated 48%)
adding: DKOCX.DLL (188 bytes security) (deflated 48%)
adding: IUSADS.DLL (188 bytes security) (deflated 48%)
adding: IVSUTIL.DLL (188 bytes security) (deflated 48%)
adding: KODIR.DLL (188 bytes security) (deflated 48%)
adding: KUDLA.DLL (188 bytes security) (deflated 48%)
adding: KYDLT.DLL (188 bytes security) (deflated 48%)
adding: lhtga11n.dll (188 bytes security) (deflated 48%)
adding: Lwkrn11n.dll (188 bytes security) (deflated 48%)
adding: lyrt.dll (188 bytes security) (deflated 48%)
adding: MCTIME.DLL (188 bytes security) (deflated 48%)
adding: MUTASK.DLL (188 bytes security) (deflated 48%)
adding: NCMARTA.DLL (188 bytes security) (deflated 48%)
adding: ofengl32.dll (188 bytes security) (deflated 48%)
adding: QKDIT.DLL (188 bytes security) (deflated 48%)
adding: RCCDLL.DLL (188 bytes security) (deflated 48%)
adding: RNGSVC.DLL (188 bytes security) (deflated 48%)
adding: RXPSND.DLL (188 bytes security) (deflated 48%)
adding: TZBYUV.DLL (188 bytes security) (deflated 48%)
adding: UQANDLG.DLL (188 bytes security) (deflated 48%)
adding: vzmdbg.dll (188 bytes security) (deflated 48%)
adding: wavcore.dll (188 bytes security) (deflated 48%)
adding: WOECEDIT.DLL (188 bytes security) (deflated 48%)
adding: zrpfldr.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 36%)
adding: DD-GUI2.ini (188 bytes security) (deflated 73%)
adding: asdf.txt (188 bytes security) (deflated 64%)
adding: Debug.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 91%)
adding: test.txt (188 bytes security) (deflated 89%)
adding: test2.txt (188 bytes security) (deflated 14%)
adding: test3.txt (188 bytes security) (deflated 14%)
adding: test5.txt (188 bytes security) (deflated 14%)
adding: xfind.txt (188 bytes security) (deflated 86%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: aeroles.dll
deleting local copy: aeroles.dll
deleting local copy: CDUSAPI.DLL
deleting local copy: CDUSAPI.DLL
deleting local copy: DKOCX.DLL
deleting local copy: DKOCX.DLL
deleting local copy: IUSADS.DLL
deleting local copy: IUSADS.DLL
deleting local copy: IVSUTIL.DLL
deleting local copy: IVSUTIL.DLL
deleting local copy: KODIR.DLL
deleting local copy: KODIR.DLL
deleting local copy: KUDLA.DLL
deleting local copy: KUDLA.DLL
deleting local copy: KYDLT.DLL
deleting local copy: KYDLT.DLL
deleting local copy: lhtga11n.dll
deleting local copy: lhtga11n.dll
deleting local copy: Lwkrn11n.dll
deleting local copy: Lwkrn11n.dll
deleting local copy: lyrt.dll
deleting local copy: lyrt.dll
deleting local copy: MCTIME.DLL
deleting local copy: MCTIME.DLL
deleting local copy: MUTASK.DLL
deleting local copy: MUTASK.DLL
deleting local copy: NCMARTA.DLL
deleting local copy: NCMARTA.DLL
deleting local copy: ofengl32.dll
deleting local copy: ofengl32.dll
deleting local copy: QKDIT.DLL
deleting local copy: QKDIT.DLL
deleting local copy: RCCDLL.DLL
deleting local copy: RCCDLL.DLL
deleting local copy: RNGSVC.DLL
deleting local copy: RNGSVC.DLL
deleting local copy: RXPSND.DLL
deleting local copy: RXPSND.DLL
deleting local copy: TZBYUV.DLL
deleting local copy: TZBYUV.DLL
deleting local copy: UQANDLG.DLL
deleting local copy: UQANDLG.DLL
deleting local copy: vzmdbg.dll
deleting local copy: vzmdbg.dll
deleting local copy: wavcore.dll
deleting local copy: wavcore.dll
deleting local copy: WOECEDIT.DLL
deleting local copy: WOECEDIT.DLL
deleting local copy: zrpfldr.dll
deleting local copy: zrpfldr.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aeroles.dll
C:\WINDOWS\system32\aeroles.dll
C:\WINDOWS\system32\CDUSAPI.DLL
C:\WINDOWS\system32\CDUSAPI.DLL
C:\WINDOWS\system32\DKOCX.DLL
C:\WINDOWS\system32\DKOCX.DLL
C:\WINDOWS\system32\IUSADS.DLL
C:\WINDOWS\system32\IUSADS.DLL
C:\WINDOWS\system32\IVSUTIL.DLL
C:\WINDOWS\system32\IVSUTIL.DLL
C:\WINDOWS\system32\KODIR.DLL
C:\WINDOWS\system32\KODIR.DLL
C:\WINDOWS\system32\KUDLA.DLL
C:\WINDOWS\system32\KUDLA.DLL
C:\WINDOWS\system32\KYDLT.DLL
C:\WINDOWS\system32\KYDLT.DLL
C:\WINDOWS\system32\lhtga11n.dll
C:\WINDOWS\system32\lhtga11n.dll
C:\WINDOWS\system32\Lwkrn11n.dll
C:\WINDOWS\system32\Lwkrn11n.dll
C:\WINDOWS\system32\lyrt.dll
C:\WINDOWS\system32\lyrt.dll
C:\WINDOWS\system32\MCTIME.DLL
C:\WINDOWS\system32\MCTIME.DLL
C:\WINDOWS\system32\MUTASK.DLL
C:\WINDOWS\system32\MUTASK.DLL
C:\WINDOWS\system32\NCMARTA.DLL
C:\WINDOWS\system32\NCMARTA.DLL
C:\WINDOWS\system32\ofengl32.dll
C:\WINDOWS\system32\ofengl32.dll
C:\WINDOWS\system32\QKDIT.DLL
C:\WINDOWS\system32\QKDIT.DLL
C:\WINDOWS\system32\RCCDLL.DLL
C:\WINDOWS\system32\RCCDLL.DLL
C:\WINDOWS\system32\RNGSVC.DLL
C:\WINDOWS\system32\RNGSVC.DLL
C:\WINDOWS\system32\RXPSND.DLL
C:\WINDOWS\system32\RXPSND.DLL
C:\WINDOWS\system32\TZBYUV.DLL
C:\WINDOWS\system32\TZBYUV.DLL
C:\WINDOWS\system32\UQANDLG.DLL
C:\WINDOWS\system32\UQANDLG.DLL
C:\WINDOWS\system32\vzmdbg.dll
C:\WINDOWS\system32\vzmdbg.dll
C:\WINDOWS\system32\wavcore.dll
C:\WINDOWS\system32\wavcore.dll
C:\WINDOWS\system32\WOECEDIT.DLL
C:\WINDOWS\system32\WOECEDIT.DLL
C:\WINDOWS\system32\zrpfldr.dll
C:\WINDOWS\system32\zrpfldr.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{584EF118-3DFB-4BC5-AA94-84BC067F45E2}"=-
"{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}]
[-HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

snowman
Active Member
 
Posts: 7
Joined: September 23rd, 2005, 1:36 pm
Location: Milwaukee

Unread postby Perculator » October 4th, 2005, 3:45 pm

I will examine your log and post back tomorrow.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby Perculator » October 7th, 2005, 3:18 am

Please run Notepad and paste the following text into a new file:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mtxmgxmn]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.



Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\WINDOWS\system32\eoaed.dll

For this file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

After the restart:

Make and post a fresh HijackThis log, please.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands
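The post above removes a randomly named context-menu handler by hand and then deletes its DLL. As an added, read-only check that is not part of the thread, this PowerShell script (assumed to run on a current Windows host, not the XP machine in the thread) lists every HKCR\*\shellex\ContextMenuHandlers entry, resolves each one to its CLSID and InprocServer32 DLL, and reports handlers whose DLL is missing or carries no valid Authenticode signature, which is how an entry like mtxmgxmn stands out next to the legitimate ones.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Audits shell context-menu handlers without changing anything.
# Assumption: run in an elevated PowerShell session on a current Windows host.
$HandlerRoot = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers'

function Get-ContextMenuHandlerReport {
    param([string]$Root = $HandlerRoot)

    # -LiteralPath is required: the '*' in the key path is not a wildcard here.
    Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName

        # A handler's default value normally holds the CLSID; some handlers are
        # instead named by the CLSID itself and leave the default value empty.
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        $clsid = $props.'(default)'
        if ([string]::IsNullOrWhiteSpace($clsid)) { $clsid = $name }

        # Resolve the CLSID to the DLL that Explorer would load for it.
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $server = Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue
        $dll = $server.'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

        # Classify: no server key at all, DLL on disk missing, or signature status.
        if (-not $dllPath) {
            $status = 'NoInprocServer32'
        }
        elseif (-not (Test-Path -LiteralPath $dllPath)) {
            $status = 'MissingFile'
        }
        else {
            $status = (Get-AuthenticodeSignature -FilePath $dllPath).Status
        }

        [pscustomobject]@{
            Handler   = $name
            CLSID     = $clsid
            Dll       = $dllPath
            Signature = $status
        }
    }
}

# Unsigned or missing DLLs sort ahead of 'Valid' so suspects are at the top.
Get-ContextMenuHandlerReport |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Handler |
    Format-Table -AutoSize
```

The same lookup (key name, DllName value, file on disk, signature) applies to the Winlogon\Notify subkeys shown in the log earlier in this thread, where the legitimate entries all point at wlnotify.dll or wzcdlg.dll in system32.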

Unread postby NonSuch » October 23rd, 2005, 3:33 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California