Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

GENERALLY SCREWED UP

Started by DR04 , Mar 06 2005 08:31 PM

  • Please log in to reply

#1
DR04
Posted 06 March 2005 - 08:31 PM

DR04

    Member

  • Member
  • PipPip
  • 57 posts
Tried to run the scans by the numbers, but Ad-Aware keeps giving me Explorer and Rundll32 'Illegal operation' errors. The scan finishes, but locks up during the delete phase unless I don't select the CoolWebSearch items that are found. No matter what other scans I run (Spybot and Norton Antivirus (NAV runs are negative for viruses), EVERYTHING keeps coming back with a vengeance. Here's a copy of my hijackthis log that I just ran:

Logfile of HijackThis v1.99.0
Scan saved at 9:26:11 PM, on 3/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RVQRIY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\LEHVEAYJ.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\APPLICATION DATA\OSUT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rvqriy.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Tbmt] C:\WINDOWS\Application Data\osut.exe
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\Program Files\PLUS!\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: tkftuy.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
  • 0

Advertisements

#2
Dragon
Posted 20 March 2005 - 06:38 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
hi wan welcoem to Geeks to Go. If you have already gotten your machine fixed please let us know. if not please follollow these directions as posted.

You May want to pring these direction out as you will need to be disconnected from the internet.

1.)Please Download LSPFix from http://www.downloads....org/lspfix.zip and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of [file]. Reboot.

2.)Click Here download the latest version of Hijack This (1.99.1). It's better able to catch the latest threats.
And post a fresh Hijack this log.

Thanks
  • 0

#3
DR04
Posted 26 March 2005 - 07:00 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Thanks for the reply. Sorry this took so long, but my PC 'blew up' when I was about to do what you suggested (my fault). Finally got that problem corrected and am back in the saddle.

Did as you suggested (downloaded and ran lspfix). Here were the files that were removed:

rnr20.dll
mswasp.dll
msafd.dll
rsvpsp.dll

The REPAIR SUMMARY window said:
1 NameSpace provider entries removed
0 NameSpace provider entries renumbered
9 Protocol entries removed
0 Protocol entries renumbered

Here is the HiJackThis v 1.99.1 log:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:07 AM, on 3/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\LEHVEAYJ.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\APPLICATION DATA\OSUT.EXE
C:\WINDOWS\SYSTEM\FAKKB.EXE
C:\WINDOWS\CALC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O2 - BHO: (no name) - {A368E0B8-7006-7EF0-7D21-7DC2BE571694} - C:\WINDOWS\SYSTEM\LFYGMYBO.DLL
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Tbmt] C:\WINDOWS\Application Data\osut.exe
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\Program Files\PLUS!\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: prup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Thanks in advance,
DR04
  • 0

#4
Dragon
Posted 26 March 2005 - 09:25 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
Download the free VX2 Cleaner here

*************************
Here is the fix

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

1. do the following
  • Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
  • Install the VX2 Cleaner
  • Start Ad-Aware SE build 1.05
  • Go to “Plug-ins”
  • Select the VX2 Cleaner plug-in and click “Run Plugin”
  • If your computer isn't infected, click "close"
  • If your computer is infected:
  • Select “Clean System”
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer
2. Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

4. Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

5. Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

6. Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

6. Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O2 - BHO: (no name) - {A368E0B8-7006-7EF0-7D21-7DC2BE571694} - C:\WINDOWS\SYSTEM\LFYGMYBO.DLL
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Tbmt] C:\WINDOWS\Application Data\osut.exe
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: prup.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


did you set these with Sbybot Search&Destroy? if not go ahead and let Hijack this fix these two entries too.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then delete the following files (if they exist):

C:\WINDOWS\DLMAX.DLL
C:\WINDOWS\SYSTEM\LFYGMYBO.DLL
C:\N20050308.EXE
C:\WINDOWS\isrvs
C:\windows\system\lehveayj.exe
C:\WINDOWS\FARMMEXT.exe
C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
C:\WINDOWS\miampr.exe
C:\WINDOWS\SYSTEM\nsvsvc
C:\WINDOWS\SYSTEM\PICSVR
C:\WINDOWS\wupdt.exe
C:\WINDOWS\Application Data\osut.exe
C:\WINDOWS\SYSTEM\fakkb.exe
prup.exe <--You may have to do a search for this it could be in C:\-C:\windows-or C:\windows\system32
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER


Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.
  • 0

#5
DR04
Posted 26 March 2005 - 09:23 PM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Did everything you said and then some. Here are the logs you requested:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
**********************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:19:50 PM, on 3/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\BROTHER\BRMFL03A\BRSTDVPT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\LEHVEAYJ.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSAGENT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PACKAGER.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: prup.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

What next?

Thanks,
DR04
  • 0

#6
Dragon
Posted 26 March 2005 - 09:28 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
ok, we have a look2me infection to take care of.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#7
DR04
Posted 27 March 2005 - 12:38 PM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Did as you suggested. However, when I double-clicked on l2mfix.bat, I got the following msg on the MS-DOS window that popped up:

Directory already exists
Syntax error

The notepad window that popped up said the following:

Not compatible with 9x or windows nt

Tried running when connected and not connected to the internet - same results. Am I doing something wrong (such as, not being in SAFE MODE), or is my PC even more screwed up than ever? Here's another HIJACKTHIS log that I just ran:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:35 PM, on 3/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\LEHVEAYJ.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\PACKAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: prup.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Thanks and Happy Easter,
DR04
  • 0

#8
Dragon
Posted 28 March 2005 - 08:15 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Edited by Efwis, 28 March 2005 - 08:17 AM.

  • 0

#9
DR04
Posted 28 March 2005 - 10:52 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

This could take some time to accomplish as I'll have do all this when I have some time to:

a) Run this without interruption

b) Make sure I can keep the rest of the household from using the PC (I assume that if applications are accessed, there is a good chance that additional files may get loaded/changed, too)

Unless you say differently, I'll remain connected to the internet during this whole process. May have to wait until this weekend, so please be patient with me.

Thanks,
DR04
  • 0

#10
Dragon
Posted 28 March 2005 - 10:55 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
if you must wait until this weekend I understand. hopefully I will have the rest of the fix to you within an hour of your response

adn dealing with your assumption, the files will change their name

Edited by Efwis, 28 March 2005 - 10:55 AM.

  • 0

Advertisements

#11
DR04
Posted 28 March 2005 - 03:04 PM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Roger all. I'll see what I can do about expediting the process.

Later,
DR04
  • 0

#12
fime
Posted 29 March 2005 - 10:32 AM

fime

    New Member

  • Member
  • Pip
  • 3 posts
:tazz: There must be a mistake!! I don't know what are you talking about, I've

already answered the reply that was sent to me. What I see is that you are

changing my name for "dr04" instead of "FIME" which is my real name. Otherwise

thank you again. ;)

Edited: Fime I sent you a PM on this issue. Thank you.

Edited by Efwis, 29 March 2005 - 10:43 AM.

  • 0

#13
DR04
Posted 02 April 2005 - 08:55 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Ran Findlt9xMe.bat. The log is below. I'll stand-by for your reply.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

VW4EN16 DLL 227,104 03-16-05 7:06a VW4EN16.DLL
OSETHK32 DLL 227,104 03-16-05 7:06a OSETHK32.DLL
IDM32 DLL 227,104 03-16-05 7:06a IDM32.DLL
OUECNV32 DLL 227,104 03-16-05 7:06a OUECNV32.DLL
MUMP3WAV DLL 227,104 03-16-05 7:06a mump3wav.dll
UHP10 DLL 227,104 03-16-05 7:06a uhp10.dll
VBHELPER DLL 227,104 03-16-05 7:06a VBHELPER.DLL
WOICORE DLL 227,104 03-16-05 7:06a WOICORE.DLL
CPTDLL DLL 227,104 03-16-05 7:06a CPTDLL.DLL
PSBDLG DLL 227,104 03-16-05 7:06a PSBDLG.DLL
FISRCH DLL 227,104 03-16-05 7:06a FISRCH.DLL
ID50_QC DLL 227,104 03-16-05 7:06a Id50_qc.dll
MXCPXL32 DLL 227,104 03-16-05 7:06a MXCPXL32.DLL
MZACM DLL 227,104 03-16-05 7:06a MZACM.DLL
MQC42ENU DLL 227,104 03-16-05 7:06a MQC42ENU.DLL
RVAUI DLL 227,104 03-16-05 7:06a RVAUI.DLL
MWAFD DLL 227,104 03-16-05 7:06a MWAFD.DLL
MZCRLREV DLL 227,104 03-16-05 7:06a mzcrlrev.dll
VGR DLL 227,104 03-16-05 7:06a VGR.DLL
NIS DLL 227,104 03-16-05 7:06a NIS.DLL
SKSCRAP DLL 227,104 03-16-05 7:06a SKSCRAP.DLL
SCLSTR DLL 227,104 03-16-05 7:06a SCLSTR.DLL
TED32 DLL 227,104 03-16-05 7:06a TED32.DLL
SREM0409 DLL 227,104 03-16-05 7:06a SREM0409.DLL
NOS DLL 227,104 03-16-05 7:06a NOS.DLL
MHSTDFMT DLL 227,104 03-16-05 7:06a MHSTDFMT.DLL
SHSTHUNK DLL 227,104 03-16-05 7:06a SHSTHUNK.DLL
MFYUV DLL 227,104 03-16-05 7:06a mfyuv.dll
BGMFUSB DLL 227,104 03-16-05 7:06a BgmfUSB.dll
MDAFD DLL 227,104 03-16-05 7:06a MDAFD.DLL
JOMP500 DLL 227,104 03-16-05 7:06a JOMP500.DLL
BANDFILE DLL 227,104 03-16-05 7:06a BANDFILE.DLL
AASTREAM DLL 227,104 03-16-05 7:06a AASTREAM.DLL
DXIMAN32 DLL 227,104 03-16-05 7:06a DXIMAN32.DLL
JFVALE DLL 227,104 03-16-05 7:06a JFVALE.DLL
IDDKCS32 DLL 227,104 03-16-05 7:06a IDDKCS32.DLL
POUSTAB DLL 227,104 03-16-05 7:06a POUSTAB.DLL
SXLWOA DLL 227,104 03-16-05 7:06a SXLWOA.DLL
CQRESRC DLL 227,104 03-16-05 7:06a CQRESRC.DLL
MRBRKR12 DLL 227,104 03-16-05 7:06a MRBRKR12.DLL
OJE2NLS DLL 227,104 03-16-05 7:06a OJE2NLS.DLL
VXODCTL DLL 227,104 03-16-05 7:06a VXODCTL.DLL
DXNDI DLL 227,104 03-16-05 7:06a DXNDI.DLL
IK509CLS DLL 227,104 03-16-05 7:06a IK509CLS.DLL
BXWEBINS DLL 227,104 03-16-05 7:06a BxWebIns.dll
AVDENC32 DLL 227,104 03-16-05 7:06a AVDENC32.DLL
ONECNV32 DLL 227,104 03-16-05 7:06a ONECNV32.DLL
TZBINF32 DLL 227,104 03-16-05 7:06a TZBINF32.DLL
WFLSOF32 DLL 227,104 03-16-05 7:06a Wflsof32.dll
MZAFD DLL 227,104 03-16-05 7:06a MZAFD.DLL
DYDXOF DLL 227,104 03-16-05 7:06a DYDXOF.DLL
ACFERROR DLL 227,104 03-16-05 7:06a acferror.dll
IDCTL DLL 227,104 03-16-05 7:06a idctl.dll
MCPCIC DLL 227,104 03-16-05 7:06a MCPCIC.DLL
SVLWOA DLL 227,104 03-16-05 7:06a SVLWOA.DLL
RUAUI DLL 227,104 03-15-05 3:33p RUAUI.DLL
LEME_ENC DLL 227,104 03-15-05 3:33p lEme_enc.dll
MMGSYS DLL 227,104 03-15-05 3:33p MMGSYS.DLL
MMMIXMGR DLL 227,104 03-15-05 3:33p MMMIXMGR.DLL
MKIMRT16 DLL 227,104 03-08-05 5:32p MKIMRT16.DLL
MFOSS DLL 227,104 03-08-05 5:32p MFOSS.DLL
QSSNAME DLL 227,104 03-08-05 5:32p QSSNAME.DLL
PIGFILT DLL 227,104 03-08-05 5:32p pigfilt.dll
REAUI DLL 227,104 03-08-05 5:32p REAUI.DLL
MZVCIRT DLL 227,104 03-08-05 5:32p mzvcirt.dll
NERSNL DLL 227,104 03-08-05 5:32p NERSNL.DLL
IPSENG DLL 227,104 03-08-05 2:31p IPSENG.DLL
AXRIP DLL 227,104 03-08-05 2:31p axrip.dll
RWSAPI16 DLL 222,568 02-01-05 2:54p RWSAPI16.DLL
CNHTMGR DLL 222,568 02-01-05 2:54p CNHTMGR.DLL
WCNNET16 DLL 222,568 02-01-05 2:54p WCNNET16.DLL
ILMUI DLL 222,568 02-01-05 2:54p ILMUI.DLL
NSMODE DLL 222,568 02-01-05 2:54p NSMODE.DLL
KDRNEL32 DLL 222,568 02-01-05 2:54p KDRNEL32.DLL
SOELL DLL 222,568 02-01-05 2:54p SOELL.DLL
OOBCINT DLL 222,568 02-01-05 2:54p OOBCINT.DLL
PKUSTAB DLL 222,568 02-01-05 2:54p PKUSTAB.DLL
FHNTEXT DLL 222,568 02-01-05 2:54p FHNTEXT.DLL
OZECNV32 DLL 222,568 02-01-05 2:54p OZECNV32.DLL
DEMIGR DLL 222,568 02-01-05 2:54p demigr.dll
VFAR2232 DLL 222,568 02-01-05 2:54p VFAR2232.DLL
WBLP32T DLL 222,568 02-01-05 2:54p WBLP32T.DLL
IJDKCS32 DLL 222,568 02-01-05 2:54p IJDKCS32.DLL
IDSENG DLL 222,568 02-01-05 2:54p IDSENG.DLL
SGNSAPI DLL 222,568 02-01-05 2:54p sgnsapi.dll
BHNDFILE DLL 222,568 02-01-05 2:54p BHNDFILE.DLL
IU509CLS DLL 222,568 02-01-05 2:54p IU509CLS.DLL
RWVPSP DLL 222,568 02-01-05 2:54p RWVPSP.DLL
TCPI DLL 222,568 02-01-05 2:54p TCPI.DLL
VKRSION DLL 222,568 02-01-05 2:54p VKRSION.DLL
FFPWPP DLL 222,568 02-01-05 2:54p FFPWPP.DLL
XHLPARSE DLL 222,568 02-01-05 2:54p xhlparse.dll
NSQTWK DLL 222,568 02-01-05 2:54p NSQTWK.DLL
MJSTDFMT DLL 222,568 02-01-05 2:54p MJSTDFMT.DLL
MFJINT35 DLL 222,568 02-01-05 2:54p mfjint35.dll
CSMMDLG DLL 222,568 02-01-05 2:54p CSMMDLG.DLL
PUTORERC DLL 222,568 02-01-05 2:54p PUTORERC.DLL
SMBAPI DLL 222,568 02-01-05 2:54p smbapi.dll
ESSMTP DLL 222,568 02-01-05 2:54p essmtp.dll
IZWDIAL DLL 222,568 02-01-05 2:54p izwdial.dll
MFLTUS40 DLL 222,568 02-01-05 2:54p MFLTUS40.DLL
GUU32 DLL 222,568 02-01-05 2:54p GUU32.DLL
NBRSES DLL 222,568 02-01-05 2:54p NBRSES.DLL
MVPP32 DLL 222,568 02-01-05 2:54p MVPP32.DLL
DOVOICED DLL 222,568 02-01-05 2:54p dovoiced.dll
MQCPXL32 DLL 222,568 02-01-05 2:54p MQCPXL32.DLL
DLMCLIEN DLL 222,568 02-01-05 2:54p dlmclien.dll
TKPELIB DLL 222,568 02-01-05 2:54p TKPELIB.DLL
RDCLTS3 DLL 222,568 02-01-05 2:54p RDCLTS3.DLL
JET DLL 222,568 02-01-05 2:54p JET.DLL
MEC40 DLL 222,568 02-01-05 2:54p MEC40.DLL
MWC40 DLL 222,568 02-01-05 2:54p MWC40.DLL
JPSD400 DLL 222,568 02-01-05 2:54p jpsd400.dll
JXDW500 DLL 222,568 02-01-05 2:54p JXDW500.DLL
WX5INF16 DLL 222,568 02-01-05 2:54p WX5INF16.DLL
NMRSIT DLL 222,568 02-01-05 2:54p NMRSIT.DLL
DKWAVED DLL 222,568 02-01-05 2:54p dkwaved.dll
RLCLTSCM DLL 222,568 02-01-05 2:54p RLCLTSCM.DLL
TREMBED DLL 222,568 02-01-05 2:54p tRembed.dll
COHTMGRX DLL 222,568 02-01-05 2:54p COHTMGRX.DLL
COAXFR DLL 222,568 02-01-05 2:54p COAXFR.DLL
DVVENUM DLL 222,568 02-01-05 2:54p DVVENUM.DLL
MALTUS40 DLL 222,568 02-01-05 2:54p MALTUS40.DLL
BZOWSEUI DLL 222,568 02-01-05 2:54p BZOWSEUI.DLL
ANMCMPRS DLL 222,568 02-01-05 2:54p ANMCMPRS.DLL
CLIMGX DLL 222,568 02-01-05 2:54p CLIMGX.DLL
ULP10 DLL 222,568 02-01-05 2:54p ulp10.dll
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
129 file(s) 29,082,660 bytes
0 dir(s) 9,563.75 MB free

------- Hidden Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 03-26-05 9:17p nsvsvc
FOLDER HTT 13,122 03-26-05 11:58a folder.htt
DESKTOP INI 266 03-26-05 11:58a desktop.ini
PROSETP GID 24,200 03-26-05 9:15a PROSETP.GID
PICSVR <DIR> 03-25-05 8:51p picsvr
VMSS <DIR> 03-06-05 6:30p vmss
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
VX0 NLS 8,192 11-01-04 7:47p VX0.NLS
6 file(s) 553,856 bytes
3 dir(s) 9,563.73 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{305938A1-9132-56EB-379D-BFFE055C0FC5}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vw4en16.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
osethk32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rwsapi16.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
cnhtmgr.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
wcnnet16.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
ilmui.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
nsmode.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
kdrnel32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
folder.htt Sat Mar 26 2005 11:58:40a ...H. 13,122 12.81 K
idm32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
soell.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
desktop.ini Sat Mar 26 2005 11:58:40a ...H. 266 0.26 K
ouecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oobcint.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
pkustab.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mump3wav.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
uhp10.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
fhntext.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
ozecnv32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
demigr.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
vfar2232.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
prosetp.gid Sat Mar 26 2005 9:15:36a A..H. 24,200 23.63 K
vbhelper.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
woicore.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
wblp32t.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
ijdkcs32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
idseng.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
sgnsapi.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
bhndfile.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
iu509cls.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
rwvpsp.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
tcpi.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
vkrsion.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
ffpwpp.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
xhlparse.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
nsqtwk.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mjstdfmt.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mfjint35.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
csmmdlg.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
putorerc.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
smbapi.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
essmtp.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
izwdial.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mfltus40.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
guu32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
nbrses.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mvpp32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
dovoiced.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mqcpxl32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
dlmclien.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
cptdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
psbdlg.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
fisrch.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tkpelib.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
rdclts3.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
jet.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mec40.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
mwc40.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
jpsd400.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
id50_qc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jxdw500.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
wx5inf16.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
nmrsit.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
dkwaved.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
rlcltscm.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
trembed.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
cohtmgrx.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
coaxfr.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
dvvenum.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
maltus40.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
bzowseui.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
anmcmprs.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
climgx.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
ipseng.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
mkimrt16.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mfoss.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
qssname.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
pigfilt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
reaui.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
axrip.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
ulp10.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
ruaui.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mzvcirt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
leme_enc.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmgsys.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmmixmgr.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mxcpxl32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nersnl.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mqc42enu.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rvaui.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mwafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzcrlrev.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vgr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nis.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
skscrap.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sclstr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ted32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
srem0409.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nos.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mhstdfmt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
shsthunk.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfyuv.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bgmfusb.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mdafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jomp500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bandfile.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
aastream.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dximan32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jfvale.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
iddkcs32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
poustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sxlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cqresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mrbrkr12.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oje2nls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vxodctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dxndi.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ik509cls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bxwebins.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
avdenc32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
onecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tzbinf32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
wflsof32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dydxof.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
acferror.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
idctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mcpcic.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
svlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K

130 items found: 130 files, 0 directories.
Total of file sizes: 28,612,172 bytes 27.29 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\hmrho.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\RWSAPI16.DLL: UMonitor
C:\WINDOWS\SYSTEM\CNHTMGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\WCNNET16.DLL: UMonitor
C:\WINDOWS\SYSTEM\MRCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\ILMUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\NSMODE.DLL: UMonitor
C:\WINDOWS\SYSTEM\KDRNEL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SOELL.DLL: UMonitor
C:\WINDOWS\SYSTEM\OOBCINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\PKUSTAB.DLL: UMonitor
C:\WINDOWS\SYSTEM\FHNTEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\OZECNV32.DLL: UMonitor
C:\WINDOWS\SYSTEM\demigr.dll: UMonitor
C:\WINDOWS\SYSTEM\VFAR2232.DLL: UMonitor
C:\WINDOWS\SYSTEM\WBLP32T.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJDKCS32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IDSENG.DLL: UMonitor
C:\WINDOWS\SYSTEM\sgnsapi.dll: UMonitor
C:\WINDOWS\SYSTEM\BHNDFILE.DLL: UMonitor
C:\WINDOWS\SYSTEM\IU509CLS.DLL: UMonitor
C:\WINDOWS\SYSTEM\RWVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\TCPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\VKRSION.DLL: UMonitor
C:\WINDOWS\SYSTEM\FFPWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\xhlparse.dll: UMonitor
C:\WINDOWS\SYSTEM\NSQTWK.DLL: UMonitor
C:\WINDOWS\SYSTEM\MJSTDFMT.DLL: UMonitor
C:\WINDOWS\SYSTEM\mfjint35.dll: UMonitor
C:\WINDOWS\SYSTEM\CSMMDLG.DLL: UMonitor
C:\WINDOWS\SYSTEM\PUTORERC.DLL: UMonitor
C:\WINDOWS\SYSTEM\smbapi.dll: UMonitor
C:\WINDOWS\SYSTEM\essmtp.dll: UMonitor
C:\WINDOWS\SYSTEM\izwdial.dll: UMonitor
C:\WINDOWS\SYSTEM\MFLTUS40.DLL: UMonitor
C:\WINDOWS\SYSTEM\GUU32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NBRSES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MVPP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\dovoiced.dll: UMonitor
C:\WINDOWS\SYSTEM\MQCPXL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\dlmclien.dll: UMonitor
C:\WINDOWS\SYSTEM\TKPELIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\RDCLTS3.DLL: UMonitor
C:\WINDOWS\SYSTEM\JET.DLL: UMonitor
C:\WINDOWS\SYSTEM\MEC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\jpsd400.dll: UMonitor
C:\WINDOWS\SYSTEM\JXDW500.DLL: UMonitor
C:\WINDOWS\SYSTEM\WX5INF16.DLL: UMonitor
C:\WINDOWS\SYSTEM\NMRSIT.DLL: UMonitor
C:\WINDOWS\SYSTEM\dkwaved.dll: UMonitor
C:\WINDOWS\SYSTEM\RLCLTSCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\tRembed.dll: UMonitor
C:\WINDOWS\SYSTEM\COHTMGRX.DLL: UMonitor
C:\WINDOWS\SYSTEM\COAXFR.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVVENUM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MALTUS40.DLL: UMonitor
C:\WINDOWS\SYSTEM\BZOWSEUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\ANMCMPRS.DLL: UMonitor
C:\WINDOWS\SYSTEM\CLIMGX.DLL: UMonitor
C:\WINDOWS\SYSTEM\ulp10.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"EnsoniqMixer"="C:\\WINDOWS\\starter.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"WildTangent CDA"="RUNDLL32.exe C:\\PROGRA~1\\WILDTA~1\\APPS\\CDA\\CDAENG~1.DLL,cdaEngineMain"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"lehveayj"="c:\\windows\\system\\lehveayj.exe"
"nsvcin"="C:\\N20050308.EXE"
"Nsv"="C:\\WINDOWS\\SYSTEM\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE"
"KavSvc"="C:\\WINDOWS\\miampr.exe"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


  • 0

#14
Dragon
Posted 02 April 2005 - 10:11 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
I am working on a fix for you right now, thanks
  • 0

#15
Dragon
Posted 02 April 2005 - 11:08 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
lease print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the [url=http://www.bleepingcomputer.com/files/killbox.php]Killbox.[/url

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\RWSAPI16.DLL

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


C:\WINDOWS\SYSTEM\CNHTMGR.DLL
C:\WINDOWS\SYSTEM\WCNNET16.DLL
C:\WINDOWS\SYSTEM\MRCO30.DLL
C:\WINDOWS\SYSTEM\ILMUI.DLL
C:\WINDOWS\SYSTEM\NSMODE.DLL
C:\WINDOWS\SYSTEM\KDRNEL32.DLL
C:\WINDOWS\SYSTEM\SOELL.DLL
C:\WINDOWS\SYSTEM\OOBCINT.DLL
C:\WINDOWS\SYSTEM\PKUSTAB.DLL
C:\WINDOWS\SYSTEM\FHNTEXT.DLL
C:\WINDOWS\SYSTEM\OZECNV32.DLL
C:\WINDOWS\SYSTEM\demigr.dll
C:\WINDOWS\SYSTEM\VFAR2232.DLL
C:\WINDOWS\SYSTEM\WBLP32T.DLL
C:\WINDOWS\SYSTEM\IJDKCS32.DLL
C:\WINDOWS\SYSTEM\IDSENG.DLL:
C:\WINDOWS\SYSTEM\sgnsapi.dll
C:\WINDOWS\SYSTEM\BHNDFILE.DLL
C:\WINDOWS\SYSTEM\IU509CLS.DLL
C:\WINDOWS\SYSTEM\RWVPSP.DLL
C:\WINDOWS\SYSTEM\TCPI.DLL
C:\WINDOWS\SYSTEM\VKRSION.DLL
C:\WINDOWS\SYSTEM\FFPWPP.DLL
C:\WINDOWS\SYSTEM\xhlparse.dll
C:\WINDOWS\SYSTEM\NSQTWK.DLL
C:\WINDOWS\SYSTEM\MJSTDFMT.DLL
C:\WINDOWS\SYSTEM\mfjint35.dll
C:\WINDOWS\SYSTEM\CSMMDLG.DLL
C:\WINDOWS\SYSTEM\PUTORERC.DLL
C:\WINDOWS\SYSTEM\smbapi.dll
C:\WINDOWS\SYSTEM\essmtp.dll
C:\WINDOWS\SYSTEM\izwdial.dll
C:\WINDOWS\SYSTEM\MFLTUS40.DLL
C:\WINDOWS\SYSTEM\GUU32.DLL
C:\WINDOWS\SYSTEM\NBRSES.DLL
C:\WINDOWS\SYSTEM\MVPP32.DLL
C:\WINDOWS\SYSTEM\dovoiced.dll
C:\WINDOWS\SYSTEM\MQCPXL32.DLL
C:\WINDOWS\SYSTEM\dlmclien.dll
C:\WINDOWS\SYSTEM\TKPELIB.DLL
C:\WINDOWS\SYSTEM\RDCLTS3.DLL
C:\WINDOWS\SYSTEM\MEC40.DLL
C:\WINDOWS\SYSTEM\MWC40.DLL
C:\WINDOWS\SYSTEM\jpsd400.dll
C:\WINDOWS\SYSTEM\JXDW500.DLL
C:\WINDOWS\SYSTEM\WX5INF16.DLL
C:\WINDOWS\SYSTEM\NMRSIT.DLL
C:\WINDOWS\SYSTEM\dkwaved.dll
C:\WINDOWS\SYSTEM\RLCLTSCM.DLL
C:\WINDOWS\SYSTEM\tRembed.dll
C:\WINDOWS\SYSTEM\COHTMGRX.DLL
C:\WINDOWS\SYSTEM\COAXFR.DLL
C:\WINDOWS\SYSTEM\DVVENUM.DLL
C:\WINDOWS\SYSTEM\MALTUS40.DLL
C:\WINDOWS\SYSTEM\BZOWSEUI.DLL
C:\WINDOWS\SYSTEM\ANMCMPRS.DLL
C:\WINDOWS\SYSTEM\CLIMGX.DLL
C:\WINDOWS\SYSTEM\ulp10.dll

Then post a fresh Hijack this log and a new Findit log
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP