Trojans running wild [RESOLVED]


This topic is locked

#1
feltfeeler

    Member

  • Member
  • 33 posts
Hi, I have many embedded Trojans doing their things. I've run HJT, AVG, STOPzilla, AdAware and Spybot S&D, to name a few. These guys are tricky! Please let me know what I need to do for you to help. Thanks!
  • 0

#2
John_L

    Visiting Staff

  • Member
  • 1,398 posts
Hi feltfeeler and welcome to Geeks To Go :tazz:

We have been very busy these last few days; do you still require our help?
  • 0

#3
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
Hi, John, I certainly do still need your help. If you could indulge me, in addition to my trojan/virus problems, the power supply just went out on the computer in question. I'll need a couple of days to get a new one, then I can post lots of details for you. Thanks!
  • 0

#4
John_L

    Visiting Staff

  • Member
  • 1,398 posts
Hi feltfeeler ;)

Bad power supply, sorry to hear that. Sure, get that taken care of; when you return, please download a copy of HijackThis for us and we will see what we can come up with regarding those trojans.

Hijack This

*Important*: HijackThis! needs to be installed in its own folder, as it creates backups that you may need later (create a folder in "My Documents", for example...). This tool can be dangerous when handled improperly, so PLEASE DON'T FIX ANYTHING WITH IT YET!! and wait for instructions. Run HijackThis!, then click on "Do a system scan and save a logfile". Save the log, then copy/paste it here so we can have a look.

See you when you get back :tazz:
  • 0

#5
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
Hi, John, the new power supply is *gasp* working like a charm, so here goes

I get weird things requesting access to the Internet through Zone Alarm, which I've been denying lately since I've had these problems. I can get you some of those if you'd like, but for now, here's my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:36 PM, on 7/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\XL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\RFA\RFAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\XDRHZK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\OSAKA.EXE
C:\WINDOWS\TEMP\MSHTML2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [XtreamLok License Manager] C:\WINDOWS\SYSTEM\xl.exe start
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [rfagent] "C:\PROGRAM FILES\RFA\rfagent.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [xdrhzk] c:\windows\system\xdrhzk.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Taskbar Display Controls.lnk = C:\WINDOWS\RUNDLL.EXE
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\Plus!\SYSAGENT.EXE
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Configuration Utility.lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .display_pdf_file: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...dia/zoomviewer/
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#6
John_L

    Visiting Staff

  • Member
  • 1,398 posts
Hi Feltfeeler :tazz:

Been a couple of days since I made it back here, sorry for the delay.

Ok, download L2MFix from Here and save the file to your Desktop; double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into your next post here. Do a new scan with HijackThis!, and post the new log as well.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#7
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
Delay not a problem, John. Thanks for your help.

I downloaded L2Mfix, hit L2Mfix.bat, and a Notepad file opened saying "Not compatible with 9x or windows nt." I'm running Windows98SE...no need to berate me for that--I've already learned my lesson, but that's what I'm stuck with.

Unless the gremlins have overtaken L2Mfix, it's back to the drawing board.
  • 0

#8
John_L

    Visiting Staff

  • Member
  • 1,398 posts
Hi feltfeeler ;)

Hmm, my bad, I thought that fix worked with all versions of Windows; guess I was wrong about that :tazz:

Well then we will just have to do this a different way and see where that gets us.

I need some files analyzed please.

C:\OSAKA.EXE<---This file
C:\WINDOWS\TEMP\MSHTML2.EXE<---This file
C:\WINDOWS\CERES.DLL<---This file
C:\WINDOWS\RUNDLL.EXE<---This file

They can be analyzed here.

Jotti On-line Scan

Have them scanned: hit Browse, locate the files and hit Submit.

Post back the results please.

Also download this tool and run it.

Ccleaner

Install it, and let it put shortcuts to your Recycle Bin for convenience. Open it, and click on the Options button, and then on the Advanced button; untick the box next to Only delete files in Windows Temp folders older than 48 hours, then click "Ok". Click on "Run Cleaner" and let it do its thing (getting rid of all Temp, temp internet files, cookies, etc..).

When this is done, please reboot and send a new log along with the Jotti results. ;)
  • 0

#9
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
Hi, John, for the two below...

C:\OSAKA.EXE<---This file
C:\WINDOWS\TEMP\MSHTML2.EXE<---This file

I get this message:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Here are the results for the other two:

File: ceres.dll
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 8c26b138f19d7a75803c414b47bf351d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Adware.Abetint
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Bettinet.Av.DLL
ClamAV Found nothing
Dr.Web Found not a virus Adware.BetterInternet
F-Prot Antivirus Found nothing
Fortinet Found Adware/Abetterintrnt
Kaspersky Anti-Virus Found not-a-virus:AdWare.BetterInternet.d
NOD32 Found Win32/Adware.BetterInternet application
Norman Virus Control Found W32/BetterInternet.K
UNA Found nothing
VBA32 Found AdWare.BetterInternet


File: rundll.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f13f99bec79c20e24bf29a420661344c
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Here is the new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:09:40 AM, on 7/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\XL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\RFA\RFAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [XtreamLok License Manager] C:\WINDOWS\SYSTEM\xl.exe start
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [rfagent] "C:\PROGRAM FILES\RFA\rfagent.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Ara] C:\Program Files\ione\oulb.exe
O4 - Startup: Taskbar Display Controls.lnk = C:\WINDOWS\RUNDLL.EXE
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\Plus!\SYSAGENT.EXE
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Configuration Utility.lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .display_pdf_file: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...dia/zoomviewer/
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0
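The two HijackThis logs in this thread (posts #5 and #9) differ in only a handful of lines, and picking those out by eye is where mistakes happen. The following is an added example, not code from this thread and not part of HijackThis: it parses a log into its header, running-process list and numbered entries, flags modules loaded from a drive root or a TEMP directory (a triage heuristic assumed by this example, not a HijackThis rule), and diffs two scans of the same machine. LOG_A and LOG_B are constructed excerpts of the 7/13/05 and 7/18/05 logs posted above, trimmed to the lines that actually change.

```python
"""Parse HijackThis logs and diff two scans of the same machine (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the first log posted in this thread (7/13/05).
LOG_A = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:18:36 PM, on 7/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\XDRHZK.EXE
C:\OSAKA.EXE
C:\WINDOWS\TEMP\MSHTML2.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [xdrhzk] c:\windows\system\xdrhzk.exe
"""

# Constructed excerpt of the second log (7/18/05), after CCleaner and a reboot.
LOG_B = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:09:40 AM, on 7/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Ara] C:\Program Files\ione\oulb.exe
"""

# HijackThis entries start with a section code: R0, R1, F1, O2, O4, O16, ...
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - ")
# The launched module inside an O4 value: optional quotes, then a path ending in .exe/.dll
O4_PATH_RE = re.compile(r'\] "?([^"]+?\.(?:exe|dll))', re.I)


@dataclass
class HjtLog:
    header: list = field(default_factory=list)
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)


def parse_hjt(text):
    """Split a log into header lines, running processes and numbered entries."""
    log, section = HjtLog(), "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if ENTRY_RE.match(line):
            section = "entries"
            log.entries.append(line)
        elif section == "processes":
            log.processes.append(line)
        elif section == "header":
            log.header.append(line)
    return log


def unusual_location(path):
    """Heuristic (assumption of this example): the module sits directly in a
    drive root, or anywhere under a TEMP directory."""
    p = path.upper()
    return bool(re.match(r"^[A-Z]:\\[^\\]+$", p)) or "\\TEMP\\" in p


def flag_unusual(log):
    """Running processes and O4 autoruns whose module is in an unusual place."""
    flagged = [("process", p) for p in log.processes if unusual_location(p)]
    for entry in log.entries:
        if entry.startswith("O4 "):
            m = O4_PATH_RE.search(entry)
            if m and unusual_location(m.group(1)):
                flagged.append(("autorun", entry))
    return flagged


def diff_logs(old, new):
    """What appeared and what disappeared between two scans (Win9x paths are
    case-insensitive, so comparison is done on upper-cased keys)."""
    def keyed(items):
        return {s.upper(): s for s in items}
    po, pn = keyed(old.processes), keyed(new.processes)
    eo, en = keyed(old.entries), keyed(new.entries)
    return {
        "processes_added": sorted(pn[k] for k in pn.keys() - po.keys()),
        "processes_removed": sorted(po[k] for k in po.keys() - pn.keys()),
        "entries_added": sorted(en[k] for k in en.keys() - eo.keys()),
        "entries_removed": sorted(eo[k] for k in eo.keys() - en.keys()),
    }


if __name__ == "__main__":
    first, second = parse_hjt(LOG_A), parse_hjt(LOG_B)
    print("unusual in first scan:", flag_unusual(first))
    for key, value in diff_logs(first, second).items():
        print(key, value)
```

Run against the excerpts, the diff reports the new `O4 - HKCU\..\Run: [Ara] C:\Program Files\ione\oulb.exe` autorun and the removed `[xdrhzk]` entry, which is exactly what the helpers in the thread keyed on; the location heuristic flags `C:\OSAKA.EXE` and `C:\WINDOWS\TEMP\MSHTML2.EXE` in the first scan and nothing in the second.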

#10
tj416

    Visiting Staff

  • Member
  • 323 posts
Hi feltfeeler,

John_L asked me to help you out.

Go to Add/Remove Programs and uninstall (if present):
ione

You are running HijackThis on your Desktop. Please move it to its own folder. To create a folder:
  • Go to My Documents.
  • Right-click and select New> Folder.
  • Name the folder as "HijackThis".
  • Move HijackThis into this folder.
Then, open HijackThis, run a scan and check these items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O4 - HKCU\..\Run: [Ara] C:\Program Files\ione\oulb.exe


Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then, reboot in Safe mode. To reboot in Safe mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Then, delete this folder (if present):
C:\Program Files\ione

Then, reboot (in the normal mode).

Then, download and run FindIt 9x-ME:
  • Download FindIt 9x-ME.zip.
  • Unzip the contents of FindIt 9x-ME.zip to a convenient location.
  • Navigate to the FindIt9xME folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Then, post a fresh HijackThis log along with the FindIt log.
  • 0

#11
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
Hi, tj416,

Thanks for helping me out! Here's the stuff:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

OULB EXE 82,432 07-20-05 2:54p oulb.exe
CXM DLL 405,504 07-14-05 12:54p CXM.DLL
DYNIM DLL 405,504 07-14-05 12:54p DYNIM.DLL
MFIIPLM5 DLL 405,504 07-14-05 12:54p MFIIPLM5.dll
RYAPH DLL 405,504 07-14-05 12:54p RYAPH.DLL
SLELLWP DLL 405,504 06-17-05 9:59a SLELLWP.DLL
JVEGLIB DLL 405,504 06-17-05 9:59a JVEGLIB.DLL
RDASIG DLL 405,504 06-17-05 9:59a RDASIG.DLL
WFV8DMOE DLL 405,504 06-17-05 9:59a wfv8dmoe.dll
MNCUIA32 DLL 405,504 06-17-05 9:59a MNCUIA32.DLL
MYPI32X DLL 405,504 06-17-05 9:59a mYpi32x.dll
VYPODBC DLL 405,504 06-17-05 9:59a VYPODBC.DLL
ODCCLI32 DLL 405,504 06-17-05 9:59a odccli32.dll
IFRNONCE DLL 405,504 06-17-05 9:59a IFRNONCE.DLL
NWDLL DLL 405,504 06-17-05 9:59a NWDLL.DLL
WBNMM DLL 405,504 06-17-05 9:59a WBNMM.DLL
MAR2C DLL 405,504 06-17-05 9:59a MAR2C.DLL
MZXML4 DLL 405,504 06-17-05 9:59a mzxml4.dll
CSWMDM DLL 405,504 06-17-05 9:59a CSWMDM.dll
IML15 DLL 405,504 06-17-05 9:59a iml15.dll
IISTS19X DLL 405,504 06-17-05 9:59a Iists19x.dll
IWL15 DLL 405,504 06-17-05 9:59a iwl15.dll
ER DLL 405,504 06-17-05 9:59a ER.DLL
ISS DLL 405,504 06-17-05 9:59a ISS.DLL
LTPSD11N DLL 405,504 06-17-05 9:59a ltpsd11n.dll
WON32S16 DLL 405,504 06-17-05 9:59a WON32S16.DLL
LZPSD11N DLL 405,504 06-17-05 9:59a lzpsd11n.dll
SSORTS DLL 405,504 06-17-05 9:59a Ssorts.dll
SHGS195 DLL 405,504 06-17-05 9:59a shgs195.dll
CPRAL DLL 405,504 06-17-05 9:59a cpral.dll
SOSINV DLL 405,504 06-17-05 9:59a SOSINV.DLL
MIACM32 DLL 405,504 06-17-05 9:59a MIACM32.DLL
DSAO35 DLL 405,504 06-17-05 9:59a DSAO35.DLL
OVMREG DLL 405,504 06-17-05 9:59a OVMREG.DLL
MKISIP DLL 405,504 06-17-05 9:59a mkisip.dll
MVI DLL 405,504 06-17-05 9:59a MVI.DLL
MJC30 DLL 405,504 06-17-05 9:59a MJC30.DLL
ICSIDE~1 DLL 405,504 06-17-05 9:59a Icside your Computer.dll
HFINK DLL 405,504 06-17-05 9:59a HFINK.DLL
LACARC DLL 405,504 06-17-05 9:59a LACARC.DLL
SQD401LC DLL 405,504 06-17-05 9:59a SQD401LC.DLL
PCMAPI16 DLL 405,504 06-17-05 9:59a PCMAPI16.DLL
HMDCI DLL 405,504 06-17-05 9:59a HMDCI.DLL
ALVIEW32 DLL 405,504 06-17-05 9:59a ALVIEW32.DLL
ZJCOMM DLL 405,504 06-17-05 9:59a zjcomm.dll
MVCD30 DLL 405,504 06-17-05 9:59a MVCD30.DLL
MMAPSSPC DLL 405,504 06-17-05 9:59a MMAPSSPC.DLL
STCDLL DLL 405,504 06-17-05 9:59a STCDLL.DLL
BWRV200 DLL 405,504 06-17-05 9:59a BWRV200.DLL
MXIIPLM5 DLL 405,504 06-17-05 9:59a MXIIPLM5.dll
FWXIG DLL 405,504 06-17-05 9:59a FWXIG.DLL
SUDOCVW DLL 405,504 06-17-05 9:59a SUDOCVW.DLL
SEP DLL 405,504 06-17-05 9:59a SEP.DLL
53 file(s) 21,168,640 bytes
0 dir(s) 9,675.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

OULB EXE 82,432 07-20-05 2:54p oulb.exe
ZLLICTBL DAT 4,212 04-27-05 5:40p zllictbl.dat
FOLDER HTT 13,122 10-23-00 4:13p folder.htt
DESKTOP INI 266 10-23-00 4:13p desktop.ini
4 file(s) 100,032 bytes
0 dir(s) 9,675.42 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9BF5D519-491D-3877-F6C0-E70424F2552C}"=""


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="starter.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"XtreamLok License Manager"="C:\\WINDOWS\\SYSTEM\\xl.exe start"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"LoadQM"="loadqm.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickFinder Scheduler"="C:\\COREL\\OFFICE7\\SHARED\\QFINDER7\\QFSCHED.EXE"
"rfagent"="\"C:\\PROGRAM FILES\\RFA\\rfagent.exe\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"



Logfile of HijackThis v1.99.1
Scan saved at 3:24:18 PM, on 7/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\OULB.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\XL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\RFA\RFAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [XtreamLok License Manager] C:\WINDOWS\SYSTEM\xl.exe start
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [rfagent] "C:\PROGRAM FILES\RFA\rfagent.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Taskbar Display Controls.lnk = C:\WINDOWS\RUNDLL.EXE
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\Plus!\SYSAGENT.EXE
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Configuration Utility.lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .display_pdf_file: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...dia/zoomviewer/
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#12
tj416

    Visiting Staff

  • Member
  • 323 posts
Hi feltfeeler,

Download and run Killbox:
  • Download the Killbox.
  • Extract the contents of Killbox.zip to your Desktop.
  • Double-click Killbox.exe to run it.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Copy the file paths below to the clipboard by highlighting all of them and pressing Ctrl+C:
    • C:\WINDOWS\SYSTEM\oulb.exe
      C:\WINDOWS\SYSTEM\CXM.DLL
      C:\WINDOWS\SYSTEM\DYNIM.DLL
      C:\WINDOWS\SYSTEM\MFIIPLM5.dll
      C:\WINDOWS\SYSTEM\RYAPH.DLL
      C:\WINDOWS\SYSTEM\SLELLWP.DLL
      C:\WINDOWS\SYSTEM\JVEGLIB.DLL
      C:\WINDOWS\SYSTEM\RDASIG.DLL
      C:\WINDOWS\SYSTEM\wfv8dmoe.dll
      C:\WINDOWS\SYSTEM\MNCUIA32.DLL
      C:\WINDOWS\SYSTEM\mYpi32x.dll
      C:\WINDOWS\SYSTEM\VYPODBC.DLL
      C:\WINDOWS\SYSTEM\odccli32.dll
      C:\WINDOWS\SYSTEM\IFRNONCE.DLL
      C:\WINDOWS\SYSTEM\NWDLL.DLL
      C:\WINDOWS\SYSTEM\WBNMM.DLL
      C:\WINDOWS\SYSTEM\MAR2C.DLL
      C:\WINDOWS\SYSTEM\mzxml4.dll
      C:\WINDOWS\SYSTEM\CSWMDM.dll
      C:\WINDOWS\SYSTEM\iml15.dll
      C:\WINDOWS\SYSTEM\Iists19x.dll
      C:\WINDOWS\SYSTEM\iwl15.dll
      C:\WINDOWS\SYSTEM\ER.DLL
      C:\WINDOWS\SYSTEM\ISS.DLL
      C:\WINDOWS\SYSTEM\ltpsd11n.dll
      C:\WINDOWS\SYSTEM\WON32S16.DLL
      C:\WINDOWS\SYSTEM\lzpsd11n.dll
      C:\WINDOWS\SYSTEM\Ssorts.dll
      C:\WINDOWS\SYSTEM\shgs195.dll
      C:\WINDOWS\SYSTEM\cpral.dll
      C:\WINDOWS\SYSTEM\SOSINV.DLL
      C:\WINDOWS\SYSTEM\MIACM32.DLL
      C:\WINDOWS\SYSTEM\DSAO35.DLL
      C:\WINDOWS\SYSTEM\OVMREG.DLL
      C:\WINDOWS\SYSTEM\mkisip.dll
      C:\WINDOWS\SYSTEM\MVI.DLL
      C:\WINDOWS\SYSTEM\MJC30.DLL
      C:\WINDOWS\SYSTEM\Icside your Computer.dll
      C:\WINDOWS\SYSTEM\HFINK.DLL
      C:\WINDOWS\SYSTEM\LACARC.DLL
      C:\WINDOWS\SYSTEM\SQD401LC.DLL
      C:\WINDOWS\SYSTEM\PCMAPI16.DLL
      C:\WINDOWS\SYSTEM\HMDCI.DLL
      C:\WINDOWS\SYSTEM\ALVIEW32.DLL
      C:\WINDOWS\SYSTEM\zjcomm.dll
      C:\WINDOWS\SYSTEM\MVCD30.DLL
      C:\WINDOWS\SYSTEM\MMAPSSPC.DLL
      C:\WINDOWS\SYSTEM\STCDLL.DLL
      C:\WINDOWS\SYSTEM\BWRV200.DLL
      C:\WINDOWS\SYSTEM\MXIIPLM5.dll
      C:\WINDOWS\SYSTEM\FWXIG.DLL
      C:\WINDOWS\SYSTEM\SUDOCVW.DLL
      C:\WINDOWS\SYSTEM\SEP.DLL
  • Return to Killbox, go to File > Paste from Clipboard.
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt.
  • Double-click on find.bat and post the new output.txt.

Edited by tj416, 23 July 2005 - 07:29 PM.


#13
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
tj416, just so you know, when I rebooted, Zone Alarm once again told me oulb.exe was trying to access the Internet, which I denied. Here's the file:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

MOTAL DLL 405,504 07-22-05 1:10p MOTAL.DLL
RER20 DLL 405,504 07-22-05 1:10p RER20.DLL
MMOSS DLL 405,504 07-14-05 12:54p MMOSS.DLL
LORASP DLL 405,504 07-14-05 12:54p lorasp.dll
4 file(s) 1,622,016 bytes
0 dir(s) 9,681.38 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

ZLLICTBL DAT 4,212 04-27-05 5:40p zllictbl.dat
FOLDER HTT 13,122 10-23-00 4:13p folder.htt
DESKTOP INI 266 10-23-00 4:13p desktop.ini
3 file(s) 17,600 bytes
0 dir(s) 9,681.36 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9BF5D519-491D-3877-F6C0-E70424F2552C}"=""


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="starter.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"XtreamLok License Manager"="C:\\WINDOWS\\SYSTEM\\xl.exe start"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"LoadQM"="loadqm.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickFinder Scheduler"="C:\\COREL\\OFFICE7\\SHARED\\QFINDER7\\QFSCHED.EXE"
"rfagent"="\"C:\\PROGRAM FILES\\RFA\\rfagent.exe\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"


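The find.bat listings above are what the helper reads to pick the next Killbox batch: the four DLLs in post #13 share one exact byte size (405,504), and oulb.exe shows up again in the "Hidden Files" section after it was supposedly deleted. The script below is an added example, not the thread's own find.bat or anything the posters ran; it parses the DIR-style sections in the posted format and applies the same two triage heuristics (identical-size clusters, and executables hidden in the system directory). The sample input is constructed from the thread's listings, and the section names are assumed to match the headings find.bat prints.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the find.bat layout posted in the thread (two DIR-style
# sections); file names, sizes and timestamps are copied from those listings.
SAMPLE_OUTPUT = """\
------- System Files in System Directory -------

 Volume in drive C has no label
 Volume Serial Number is 1F76-1704
 Directory of C:\\WINDOWS\\SYSTEM

OULB     EXE        82,432  07-26-05 10:22a oulb.exe
MOTAL    DLL       405,504  07-22-05  1:10p MOTAL.DLL
UJP10    DLL       405,504  07-22-05  1:10p ujp10.dll
         3 file(s)        893,440 bytes
         0 dir(s)     9,651.88 MB free

------- Hidden Files in System Directory -------

 Volume in drive C has no label
 Directory of C:\\WINDOWS\\SYSTEM

OULB     EXE        82,432  07-26-05 10:22a oulb.exe
ZLLICTBL DAT         4,212  04-27-05  5:40p zllictbl.dat
FOLDER   HTT        13,122  10-23-00  4:13p folder.htt
DESKTOP  INI           266  10-23-00  4:13p desktop.ini
         4 file(s)        100,032 bytes
"""

# Section banner: dashes, a title, dashes.
SECTION_RE = re.compile(r"^-+\s*(.+?)\s*-+\s*$")
# One DIR entry as the Windows 9x DIR prints it: 8.3 name, extension, byte count
# with thousands separators, MM-DD-YY date, 12-hour time, then the long name.
# Summary lines ("3 file(s) ... bytes") have no date field and do not match.
ENTRY_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+([\d,]+)\s+(\d\d-\d\d-\d\d)\s+(\d{1,2}:\d\d[ap])\s+(\S.*?)\s*$"
)

# Section headings assumed to be what find.bat prints (taken from the thread).
SYSTEM_SECTION = "System Files in System Directory"
HIDDEN_SECTION = "Hidden Files in System Directory"
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".sys")


@dataclass
class Entry:
    size: int
    date: str
    time: str
    name: str


def parse_listing(text):
    """Split find.bat output into its banner-delimited sections and parse DIR entries."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        entry = ENTRY_RE.match(line) if current else None
        if entry:
            sections[current].append(Entry(
                size=int(entry.group(3).replace(",", "")),
                date=entry.group(4), time=entry.group(5), name=entry.group(6)))
    return dict(sections)


def same_size_clusters(entries, min_count=2):
    """Group entries by exact byte size; return sizes shared by at least min_count files.
    Randomly named droppers written from one template tend to share a size."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e.size].append(e.name)
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


def hidden_executables(sections):
    """Executable-type files carrying the hidden attribute in the system directory."""
    return [e.name for e in sections.get(HIDDEN_SECTION, [])
            if e.name.lower().endswith(EXEC_EXT)]


def triage(text):
    """Run both heuristics over one find.bat output and return the findings."""
    sections = parse_listing(text)
    return {
        "size_clusters": same_size_clusters(sections.get(SYSTEM_SECTION, [])),
        "hidden_executables": hidden_executables(sections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Both heuristics only shortlist candidates, as the utility's own warning says it also lists legitimate files; a size cluster of two is weak on its own, and the value here is in seeing the same names recur across successive runs, as oulb.exe does between posts #13 and #15.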
#14
tj416

    Visiting Staff

  • Member
  • 323 posts
Hi feltfeeler,

Download and run Killbox:
  • Double-click Killbox.exe to run it.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Copy the file paths below to the clipboard by highlighting all of them and pressing Ctrl+C:
    • C:\WINDOWS\SYSTEM\MOTAL.DLL
      C:\WINDOWS\SYSTEM\RER20.DLL
      C:\WINDOWS\SYSTEM\MMOSS.DLL
      C:\WINDOWS\SYSTEM\lorasp.dll
  • Return to Killbox, go to File > Paste from Clipboard.
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt.
  • Double-click on find.bat and post the new output.txt.


#15
feltfeeler

    Member

  • Topic Starter
  • Member
  • 33 posts
Hi, tj416,

Here's the latest:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

OULB EXE 82,432 07-26-05 10:22a oulb.exe
MOTAL DLL 405,504 07-22-05 1:10p MOTAL.DLL
UJP10 DLL 405,504 07-22-05 1:10p ujp10.dll
3 file(s) 893,440 bytes
0 dir(s) 9,651.88 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

OULB EXE 82,432 07-26-05 10:22a oulb.exe
ZLLICTBL DAT 4,212 04-27-05 5:40p zllictbl.dat
FOLDER HTT 13,122 10-23-00 4:13p folder.htt
DESKTOP INI 266 10-23-00 4:13p desktop.ini
4 file(s) 100,032 bytes
0 dir(s) 9,651.86 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9BF5D519-491D-3877-F6C0-E70424F2552C}"=""


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="starter.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"XtreamLok License Manager"="C:\\WINDOWS\\SYSTEM\\xl.exe start"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"LoadQM"="loadqm.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickFinder Scheduler"="C:\\COREL\\OFFICE7\\SHARED\\QFINDER7\\QFSCHED.EXE"
"rfagent"="\"C:\\PROGRAM FILES\\RFA\\rfagent.exe\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"