Microsoft Visual C++ run time error

This topic is locked

#16 wassupsergio (Member, Topic Starter, 30 posts)
Logfile of HijackThis v1.99.1
Scan saved at 10:18:21 PM, on 4/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\WINNT\system32\picsvr\picsvr.exe
C:\WINNT\system32\rprlna.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#17 don77 (Malware Expert, Retired Staff, 18,526 posts)
Please do me a favor:
Go to Add/Remove Programs and search for DelfinMedia Viewer.
If found, please remove it.
Your computer should ask to restart; if it doesn't, please do so.

Next,

Please open HJT > click on the Config button > Misc. Tools > Open Process manager > highlight:
nsvsvc.exe
picsvr.exe
rprlna.exe
> click Kill process.
Next click the scan button and put a check mark next to the following, close all open windows, and click "Fix Checked":

O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe

Reboot to safe mode (by tapping the F8 key on start up), make sure you can view all hidden folders/files (View Hidden Folders), then search for and delete the following in BOLD:

C:\WINNT\system32\nsvsvc\nsvsvc.exe <-- Delete the folder this is sitting in (not the system32 folder, the nsvsvc folder)
C:\WINNT\system32\picsvr\picsvr.exe <-- Delete the folder this is sitting in (not the system32 folder, the picsvr folder)

C:\WINNT\system32\rprlna.exe

Restart your computer.
This is important, please:
Please download and install Ad-Aware.
Check Here on how to set up and use it; please make sure you update it first.

Run a scan with Ad-Aware and have it fix all it finds.
Restart your computer, restart HJT and post back a fresh log please.

Also,
Please download
Silent Runners
Please create a folder for it, then double click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to this thread please.

#18 wassupsergio (Member, Topic Starter, 30 posts)
"Silent Runners.vbs", revision 34, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"WinVNC" = ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper" ["RealVNC Ltd."]
"SO5 Integrator Pass Two" = "C:\WINNT\SOINTGR.EXE" [null data]
"KavSvc" = "C:\WINNT\system32\rprlna.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
4911568c-8b89-464b-ba0f-c9a98d4150a3\(Default) = (no title provided)
\StubPath = "C:\WINNT\system32\cncqoxd.exe" [null data]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express Access"
\StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0AA29C7D-2CCF-4838-B777-EAA058F34ADF}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\recss.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssbezier.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


Startup items in "lopezs" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"dkdc.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"


HOSTS file
----------

C:\WINNT\system32\Drivers\Etc\HOSTS

maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DefWatch, DefWatch, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe" ["Symantec Corporation"]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe" ["Symantec Corporation"]
Time Service, TimeServ, "C:\WINNT\system32\timeserv.exe" [MS]
VNC Server, winvnc, ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service" ["RealVNC Ltd."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
-----------------------------------------------------------------------------------------------
This is the other log.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:29 PM, on 4/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rprlna.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
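Added example, not code from this thread or from HijackThis itself: a small Python triage helper that does what the replies above do by eye, diffing two HijackThis logs to report which entries disappeared after a fix and which O4 Run entries survived with their executable still listed under "Running processes". The sample logs are constructed excerpts of the 4/7 and 4/11 logs posted in this thread; the function names and the name-mismatch heuristic (a Run value name such as [KavSvc] that has nothing to do with the executable rprlna.exe it launches) are assumptions of this example, not an HJT feature.

```python
import re

# Constructed sample input: abbreviated excerpts of the 4/7 and 4/11 HijackThis
# logs posted in this thread (lines not needed for the comparison are omitted).
LOG_BEFORE = r"""
Running processes:
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\WINNT\system32\picsvr\picsvr.exe
C:\WINNT\system32\rprlna.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""
LOG_AFTER = r"""
Running processes:
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\rprlna.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # "O4 - <body>", "O20 - <body>", ...
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_log(text):
    """Return (lower-cased running process paths, set of (section, body) entries)."""
    procs, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False              # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.add(line.lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.add((m.group(1), m.group(2)))
    return procs, entries


def run_target(cmd):
    """Executable named by an O4 command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def name_mismatch(name, target):
    """Heuristic (this example's own): a Run value name unrelated to the executable's
    base name, as with [KavSvc] -> rprlna.exe, deserves a closer look. Expect false
    positives for legitimate entries such as [Synchronization Manager] -> mobsync.exe."""
    base = target.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    n = name.lower().replace(" ", "")
    return not (base in n or n in base)


def triage(before, after):
    """Diff two HJT logs; flag surviving O4 entries whose target is still running."""
    _, old_entries = parse_log(before)
    new_procs, new_entries = parse_log(after)
    report = {
        "removed": sorted(body for _, body in old_entries - new_entries),
        "added": sorted(body for _, body in new_entries - old_entries),
        "active_run": [],                 # (value name, target, name_mismatch?)
    }
    for section, body in sorted(old_entries & new_entries, key=lambda e: e[1]):
        m = RUN_RE.match(body) if section == "O4" else None
        if m and run_target(m.group("cmd")).lower() in new_procs:
            target = run_target(m.group("cmd"))
            report["active_run"].append((m.group("name"), target,
                                         name_mismatch(m.group("name"), target)))
    return report
```

On the sample above, the two nsvsvc/picsvr Run entries show up as removed, while [KavSvc] survives with rprlna.exe still running and its name flagged as unrelated to the executable, which is exactly the entry the next replies keep chasing.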

#19 don77 (Malware Expert, Retired Staff, 18,526 posts)
Ok, let's see if we can get this now.
Please open HJT > click on the Config button > Misc. Tools > Open Process manager > highlight:
rprlna.exe
dkdc.exe
> click Kill process.
Next click the scan button and put a check mark next to the following, close all open windows, and click "Fix Checked":

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe

Reboot to safe mode (by tapping the F8 key on start up), make sure you can view all hidden folders/files (View Hidden Folders), then search for and delete the following in BOLD:

C:\WINNT\system32\rprlna.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkdc.exe

Restart your computer.

If you couldn't find the above 2 files, please proceed with this:
Download Pocket Killbox from Here. Paste the full file path (C:\WINNT\system32\rprlna.exe) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes".

Do the same for C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkdc.exe

Post a new log when you have rebooted.
Let us know how you make out.

#20 wassupsergio (Member, Topic Starter, 30 posts)
Issue is that I can't have the Killbox destroy on reboot, and then when I click on "would you like to restart now" the system doesn't allow me.

#21 wassupsergio (Member, Topic Starter, 30 posts)
Logfile of HijackThis v1.99.1
Scan saved at 6:29:04 PM, on 4/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rprlna.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Sorry, the rprlna.exe is still showing up. I rebooted, used Kill process, then used Killbox and killed it, but it keeps on showing up.

#22 don77 (Malware Expert, Retired Staff, 18,526 posts)
Try running Killbox from safe mode, following the above instructions for Killbox again.
Let us know how you make out.

#23 wassupsergio (Member, Topic Starter, 30 posts)
Already did that, tried both; here is the log anyway after doing that.
Logfile of HijackThis v1.99.1
Scan saved at 6:12:29 PM, on 4/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LiveChatNow! Enterprise Edition\LiveChatNow.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#24 don77 (Malware Expert, Retired Staff, 18,526 posts)
Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here in this thread.

#25 wassupsergio (Member, Topic Starter, 30 posts)
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\UNADBEH.EXE

* ad-beh C:\WINNT\System32\NKNQA.DLL
* ad-beh C:\WINNT\System32\PIPBGES.DLL
* ad-beh C:\WINNT\System32\CNCQOXD.EXE
* ad-beh C:\WINNT\System32\RPRLNA.EXE
* ad-beh C:\WINNT\System32\QAQYV.DAT
* ad-beh C:\WINNT\System32\WMCONFIG.CPL
* ad-beh C:\WINNT\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\DKDC.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
dkdc.exe

User Startup:
C:\Documents and Settings\lopezs\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 20:37
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
"4911568c-8b89-464b-ba0f-c9a98d4150a3\(Default)" = ""
\StubPath = "C:\WINNT\system32\cncqoxd.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access"
\StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]

#26 don77 (Malware Expert, Retired Staff, 18,526 posts)
Ok, please print out these instructions or save to notebook so you have them available.

1. Please download the Killbox.
2. Unzip it to the desktop but do NOT run it yet.
3. Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
4. Once in Safe Mode, please run Killbox.
5. Click "Replace on Reboot" and check the "Use Dummy" box.
6. Paste the following into the top "Full Path of File to Delete" box.
   • C:\WINDOWS\System32\ rprlna.exe
7. Click the red-and-white "Delete File".
8. Click "Yes" at the Replace on Reboot prompt.
9. Click "No" at the Pending Operations prompt.
10. Repeat steps 5-9 above for these files:
   • C:\WINNT\AOAVK.DLL
   • C:\WINNT\AOAVK.DLL
   • C:\WINNT\UNADBEH.EXE
   • C:\WINNT\System32\NKNQA.DLL
   • C:\WINNT\System32\PIPBGES.DLL
   • C:\WINNT\System32\CNCQOXD.EXE
   • C:\WINNT\System32\RPRLNA.EXE
   • C:\WINNT\System32\QAQYV.DAT
   • C:\WINNT\System32\WMCONFIG.CPL
   • C:\WINNT\UNADBEH.EXE
   • C:\WINNT\system32\cncqoxd.exe
11. Click "Replace on Reboot" and check the "Use Dummy" box.
12. Paste the following into the top "Full Path of File to Delete" box: C:\docume~1\alluse~1\startm~1\programs\startup\DKDC.EXE
13. Click the red-and-white "Delete File" button.
14. Click "Yes" at the Replace on Reboot prompt.
15. Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
16. When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

#27 wassupsergio (Member, Topic Starter, 30 posts)
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\UNADBEH.EXE

* ad-beh C:\WINNT\System32\NKNQA.DLL
* ad-beh C:\WINNT\System32\PIPBGES.DLL
* ad-beh C:\WINNT\System32\CNCQOXD.EXE
* ad-beh C:\WINNT\System32\RPRLNA.EXE
* ad-beh C:\WINNT\System32\QAQYV.DAT
* ad-beh C:\WINNT\System32\WMCONFIG.CPL
* ad-beh C:\WINNT\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\DKDC.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
dkdc.exe

User Startup:
C:\Documents and Settings\lopezs\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 22:43
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
"4911568c-8b89-464b-ba0f-c9a98d4150a3\(Default)" = ""
\StubPath = "C:\WINNT\system32\cncqoxd.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access"
\StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]

#28 don77 (Malware Expert, Retired Staff, 18,526 posts)
Sorry, I edited my reply above; please run through it again.

#29 wassupsergio (Member, Topic Starter, 30 posts)
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\UNADBEH.EXE

* ad-beh C:\WINNT\System32\NKNQA.DLL
* ad-beh C:\WINNT\System32\PIPBGES.DLL
* ad-beh C:\WINNT\System32\CNCQOXD.EXE
* ad-beh C:\WINNT\System32\RPRLNA.EXE
* ad-beh C:\WINNT\System32\QAQYV.DAT
* ad-beh C:\WINNT\System32\WMCONFIG.CPL
* ad-beh C:\WINNT\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\DKDC.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
dkdc.exe

User Startup:
C:\Documents and Settings\lopezs\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 23:46
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
"4911568c-8b89-464b-ba0f-c9a98d4150a3\(Default)" = ""
\StubPath = "C:\WINNT\system32\cncqoxd.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access"
\StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]

#30 don77 (Malware Expert, Retired Staff, 18,526 posts)
Did you try to kill the files using killbox?