HiJack This log (inqwire popups) [RESOLVED]


  • This topic is locked

#16 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Please download the Killbox.


Please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\jdvaprxy.dll
    C:\WINDOWS\SYSTEM\norspl.dll
    C:\WINDOWS\SYSTEM\Sunbhowseui.dll
    C:\WINDOWS\SYSTEM\spelete.dll
    C:\WINDOWS\SYSTEM\guard.tmp


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
  • Let the system reboot.
Can you please run Findit again and post the log.

Thanks,

:tazz:

Excal
  • 0


#17 newtoforum
    Member
  • Topic Starter
  • 32 posts
Thanks Excal. Did that, here is the current Findit Log:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

NJWRSZHT DLL 227,104 06-26-05 10:03p NJWRSZHT.DLL
SPELETE DLL 227,104 06-26-05 10:03p SPelete.dll
2 file(s) 454,208 bytes
0 dir(s) 20,697.84 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-02-05 2:45p vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,697.81 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
njwrszht.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Sat Jul 2 2005 2:45:40p A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 459,426 bytes 448.66 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE /Consumer"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"





Thanks a million. Also, I have the free version of Zone Alarm, and Norton Internet Security (which gives me a lot of trouble, it's buggy) along with Ad-Aware and Counterspy. Once I'm able to get my system cleared up, what do you suggest to help protect my computer while I'm online?

Thanks
newtoforum
  • 0
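Every FindIt log in this thread shows the same signature in C:\WINDOWS\SYSTEM: DLLs carrying the System and Read-only attributes (the "..S.R" column), all 227,104 bytes, all stamped 06-26-05 10:03p, and after each deletion round the same payload is back under a new random name while the size and timestamp never change. The script below is an added example, not part of the original thread and not code from the FindIt tool: it parses the Locate.com and User Agent sections of a FindIt log, groups System+Read-only DLLs by (size, timestamp), reports any GUID-shaped value under the User Agent\Post Platform key (the value the VX2 finder later prints as the "User Agent String"), and compares two rounds to list the files that came back under new names. The two embedded logs are abbreviated excerpts of the logs posted in this thread; the section-header detection and the column layout of the Locate.com lines are assumptions based on how those logs print.

```python
import re
from collections import defaultdict

# One line of the "Locate.com Results" section, e.g.
#   njwrszht.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
LOCATE_LINE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<stamp>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>[\d,]+)(?:\s|$)"
)
# A GUID-shaped value under ...\User Agent\Post Platform, as FindIt prints it.
POST_PLATFORM_GUID = re.compile(
    r'^"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"=""$'
)


def parse_findit(text):
    """Return (files, guids): Locate.com file entries and Post Platform GUIDs."""
    section, files, guids = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            section = line.strip("- ").lower()   # e.g. "locate.com results"
            continue
        if section == "locate.com results":
            m = LOCATE_LINE.match(line)
            if m:
                files.append({
                    "name": m.group("name").lower(),
                    "stamp": " ".join(m.group("stamp").split()),
                    "attrs": m.group("attrs"),
                    "size": int(m.group("size").replace(",", "")),
                })
        elif section == "user agent":
            m = POST_PLATFORM_GUID.match(line)
            if m:
                guids.append(m.group(1))
    return files, guids


def flagged(f):
    """System + Read-only DLL: the attribute combination on every renamed DLL here."""
    return f["name"].endswith(".dll") and "S" in f["attrs"] and "R" in f["attrs"]


def suspicious_clusters(files):
    """Group flagged DLLs by (size, timestamp); two or more identical-size,
    identical-stamp DLLs with unrelated names is the pattern to report."""
    groups = defaultdict(list)
    for f in files:
        if flagged(f):
            groups[(f["size"], f["stamp"])].append(f["name"])
    return {key: names for key, names in groups.items() if len(names) >= 2}


def respawned(before, after):
    """Names present only in the later log that share size and timestamp with a
    flagged DLL from the earlier log: the same payload under a new name."""
    prior_keys = {(f["size"], f["stamp"]) for f in before if flagged(f)}
    prior_names = {f["name"] for f in before}
    return [f["name"] for f in after
            if flagged(f) and (f["size"], f["stamp"]) in prior_keys
            and f["name"] not in prior_names]


# Abbreviated excerpts of the first two FindIt logs posted in this thread.
LOG_ROUND1 = r"""
---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
njwrszht.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Sat Jul 2 2005 2:45:40p A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
"""

LOG_ROUND2 = r"""
------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
safolder.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
jht.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
mpjtes40.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
szace.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Sat Jul 2 2005 10:56:14p A..H. 1,006 0.98 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
"""

if __name__ == "__main__":
    files1, guids1 = parse_findit(LOG_ROUND1)
    files2, _ = parse_findit(LOG_ROUND2)
    print("Post Platform GUIDs:", guids1)
    print("clusters:", suspicious_clusters(files1))
    print("respawned after round 1:", respawned(files1, files2))
```

Keying on (size, timestamp) rather than on file names is what makes the comparison useful across rounds: the names are fresh each time, but the bytes written are the same. The Post Platform GUID is reported, not interpreted; whether it belongs to this infection is exactly what the VX2 finder run later in the thread is asked to decide.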

#18 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hey newtoforum,


I will give you a whole list of free programs, including antivirus and firewalls, that are pretty good. I actually run these programs (well, one of each).



Please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\spelete.dll
    C:\WINDOWS\SYSTEM\njwrszht.dll
    C:\WINDOWS\SYSTEM\guard.tmp

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
  • Let the system reboot.
Can you please run Findit again and post the log.

Thanks,

:tazz:

Excal
  • 0

#19 newtoforum
    Member
  • Topic Starter
  • 32 posts
Done, here's the latest FindIt log:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

SAFOLDER DLL 227,104 06-26-05 10:03p SAFOLDER.DLL
JHT DLL 227,104 06-26-05 10:03p JHT.DLL
MPJTES40 DLL 227,104 06-26-05 10:03p MPJTES40.DLL
SZACE DLL 227,104 06-26-05 10:03p Szace.dll
SPELETE DLL 227,104 06-26-05 10:03p SPelete.dll
5 file(s) 1,135,520 bytes
0 dir(s) 20,662.47 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-02-05 10:56p vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,662.44 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
safolder.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
jht.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
mpjtes40.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
szace.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Sat Jul 2 2005 10:56:14p A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,140,738 bytes 1.09 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Let me know how it's going.
Thanks
  • 0

#20 newtoforum
    Member
  • Topic Starter
  • 32 posts
Hi Excal,
I'm also getting loadingwebsite.com popups. Any ideas?
  • 0

#21 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hi newtoforum,

I want to apologize to you on the length of time it has taken me to respond. I have been having issues with my internet connection that I hope are resolved now.

Sometimes it takes 3 or more tries to delete all the files of the l2m infection that you have, so please be patient. I know you want to get your computer clean, and this is my goal also :tazz: Let's try to finish up this l2m infection, then we will deal with that loadingwebsite.com bugger.

Please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\safolder.dll
    C:\WINDOWS\SYSTEM\jht.dll
    C:\WINDOWS\SYSTEM\mpjtes40.dll
    C:\WINDOWS\SYSTEM\szace.dll
    C:\WINDOWS\SYSTEM\spelete.dll
    C:\WINDOWS\SYSTEM\guard.tmp


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
  • Let the system reboot.

Edited by Excal, 06 July 2005 - 03:01 PM.

  • 0

#22 newtoforum
    Member
  • Topic Starter
  • 32 posts
Hi Excal,
Sorry I don't mean to be impatient.

I ran Killbox and deleted (or tried to) the files you listed.
Here is the current FindIt Log:


------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

CNRDS DLL 227,104 06-26-05 10:03p CNRDS.DLL
SPELETE DLL 227,104 06-26-05 10:03p SPelete.dll
2 file(s) 454,208 bytes
0 dir(s) 20,562.22 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-07-05 8:20a vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,562.19 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
cnrds.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Thu Jul 7 2005 8:20:00a A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 459,426 bytes 448.66 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


I say "try" to delete the files because that one is still there.
  • 0

#23 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Like I said, sometimes it takes a few tries to get these. This is one tough infection, so bear with me :tazz:

Please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\CNRDS.DLL
    C:\WINDOWS\SYSTEM\safolder.dll
    C:\WINDOWS\SYSTEM\jht.dll
    C:\WINDOWS\SYSTEM\mpjtes40.dll
    C:\WINDOWS\SYSTEM\szace.dll
    C:\WINDOWS\SYSTEM\spelete.dll
    C:\WINDOWS\SYSTEM\guard.tmp


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
  • Let the system reboot.

  • 0

#24 newtoforum
    Member
  • Topic Starter
  • 32 posts
Thanks Excal. Did all you advised, here is the latest FindIt Log:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

RNPILIB DLL 227,104 06-26-05 10:03p RNPILIB.DLL
SPELETE DLL 227,104 06-26-05 10:03p SPelete.dll
2 file(s) 454,208 bytes
0 dir(s) 20,500.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-07-05 11:03a vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,500.41 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
rnpilib.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Thu Jul 7 2005 11:03:38a A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 459,426 bytes 448.66 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
  • 0

#25 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hi,

Go ahead and run this one:

http://www.downloads...VX2Finder9x.exe


Post the results please.

Thanks,

:tazz:

Excal
  • 0


#26 newtoforum
    Member
  • Topic Starter
  • 32 posts
Hi Excal,
Done, results:


Log for VX2.BetterInternet File Finder

Files Found---


User Agent String---
{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}
  • 0

#27 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Oh boy, we have a very stubborn infection. Let's try to tackle this from a different angle.

Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

Also post another findit log for me please.

thanks,

:tazz:

Excal
  • 0

#28 newtoforum
    Member
  • Topic Starter
  • 32 posts
I'll say it's stubborn :tazz: When I went to download the program, I got the following message:

findqoologic is no longer available, use an alternative such as scanning with a
current updated version of Ewido While in safe mode please.
  • 0

#29 Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
lol, this is going to be the death of both of us! I have pulled out 2 patches of hair ;), so now I am ready to continue ;)

Ok, I know I told you not to reboot or shut the machine off, but we are going to have to for this to work.

Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. The log will be saved as C:\log.txt

Run find it and save the log

Reboot into normal mode and post both logs. Please don't reboot or turn off the computer until told to do so.

Thanks,

:tazz:

Excal
  • 0

#30 newtoforum
    Member
  • Topic Starter
  • 32 posts
Thanks Excal. Here are the results.


RKfiles:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\IEAccess2.dll: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\Unwash5.exe: UPX!
Finished
bye


FindIt:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

IXM32 DLL 227,104 06-26-05 10:03p IXM32.DLL
SJC DLL 227,104 06-26-05 10:03p SJC.DLL
HWINK DLL 227,104 06-26-05 10:03p HWINK.DLL
MGSYSTEM DLL 227,104 06-26-05 10:03p MGSYSTEM.DLL
LKFIL11N DLL 227,104 06-26-05 10:03p lkfil11n.DLL
SPELETE DLL 227,104 06-26-05 10:03p SPelete.dll
6 file(s) 1,362,624 bytes
0 dir(s) 20,468.03 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-09-05 8:59p vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,468.00 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ixm32.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
vsconfig.xml Sat Jul 9 2005 8:59:24p A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
sjc.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
hwink.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
mgsystem.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
lkfil11n.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
spelete.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,367,842 bytes 1.30 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Thanks as always.
  • 0
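The rkfiles.bat log above reports files in the system and Windows folders that carry the UPX packer signature (the "UPX!" tag after each path); as the log's own banner warns, a packed file is not necessarily malicious, so such a hit is a pointer for the helper, not a verdict. What follows is an added example, not the rkfiles script or any other code from this thread: it checks a file two ways, by walking the PE section table for the default UPX0/UPX1 section names (which a packer can rename) and by looking for the literal UPX! marker UPX writes into its pack header, then scans a folder and reports every reason per file. The folder and its contents are constructed in a temporary directory for the demo; the file names reuse those from the log purely as labels, and the bytes are synthetic minimal PE images built by the script, not the real files. The PE offsets used (e_lfanew at 0x3C, 20-byte COFF header, 40-byte section entries with an 8-byte name) are the standard PE layout.

```python
import os
import struct
import tempfile

UPX_MARKER = b"UPX!"                        # magic UPX writes into its pack header
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # default section names; can be renamed


def pe_section_names(data):
    """Section names from a PE image's section table; [] if not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size        # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data):
    """Reasons to call this file UPX-packed; an empty list means no indicator."""
    reasons = []
    hits = [n.decode() for n in pe_section_names(data) if n in UPX_SECTIONS]
    if hits:
        reasons.append("UPX section names: " + ",".join(hits))
    if UPX_MARKER in data:
        reasons.append("UPX! marker present")
    return reasons


def scan_folder(folder):
    """Map file name -> indicators for every file in folder that has any."""
    hits = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                reasons = upx_indicators(fh.read())
            if reasons:
                hits[name] = reasons
    return hits


def build_pe(section_names, tail=b""):
    """Constructed minimal PE image for the demo (valid headers, not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections + tail


def demo():
    """Write constructed samples into a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as folder:
        samples = {   # names borrowed from the log as labels only; bytes are synthetic
            "IEAccess2.dll": build_pe([b"UPX0", b"UPX1", b".rsrc"],
                                      b"\0" * 16 + b"UPX!" + b"\0" * 64),
            "Unwash5.exe": build_pe([b"UPX0", b"UPX1", b".rsrc"], b"UPX!" + b"\0" * 32),
            "hpztsb10.exe": build_pe([b".text", b".data", b".rsrc"]),
            "notes.txt": b"plain text, no packer signature",
        }
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return scan_folder(folder)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Reading the section table rather than grepping for "UPX0" avoids false hits on files that merely mention those strings in data, and the marker check catches a packed image whose sections were renamed; a file that triggers neither is simply not UPX-packed by this test, which says nothing about whether it is clean.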





