Trojans running wild [RESOLVED]

This topic is locked

#16
tj416
    Visiting Staff
  • Member
  • 323 posts
Hi feltfeeler,

Run Killbox:
  • Double-click Killbox.exe to run it.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Copy the file paths below to the clipboard by highlighting all of them and pressing Ctrl+C:

    C:\WINDOWS\SYSTEM\oulb.exe
    C:\WINDOWS\SYSTEM\MOTAL.DLL
    C:\WINDOWS\SYSTEM\ujp10.dll

  • Return to Killbox, go to File > Paste from Clipboard.
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt.
  • Double-click on find.bat and post the new output.txt.

  • 0

#17
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj416,

I don't know if it matters, but the killbox session didn't go quite as you described, since I wasn't doing the "Replace on reboot" and "Use dummy" operations. But here's what's left. It's possible I botched this operation, sorry.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

OULB EXE 82,432 07-27-05 2:56p oulb.exe
FDXDLL32 DLL 405,504 07-22-05 1:10p FDXDLL32.DLL
2 file(s) 487,936 bytes
0 dir(s) 9,651.73 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1F76-1704
Directory of C:\WINDOWS\SYSTEM

OULB EXE 82,432 07-27-05 2:56p oulb.exe
ZLLICTBL DAT 4,212 04-27-05 5:40p zllictbl.dat
FOLDER HTT 13,122 10-23-00 4:13p folder.htt
DESKTOP INI 266 10-23-00 4:13p desktop.ini
4 file(s) 100,032 bytes
0 dir(s) 9,651.72 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9BF5D519-491D-3877-F6C0-E70424F2552C}"=""


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="starter.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"XtreamLok License Manager"="C:\\WINDOWS\\SYSTEM\\xl.exe start"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"LoadQM"="loadqm.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickFinder Scheduler"="C:\\COREL\\OFFICE7\\SHARED\\QFINDER7\\QFSCHED.EXE"
"rfagent"="\"C:\\PROGRAM FILES\\RFA\\rfagent.exe\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"



  • 0
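As an added example (not code from this thread or from find.bat), here is a small parser for the REGEDIT4 Run-key export shown in the log above, plus a triage helper that lists the entries worth verifying first: bare file names, which Windows resolves through the PATH search order, and programs launched from the system directory. The heuristics and the abbreviated sample are my own; a hit means "check this file", not "malware", and legitimate Windows 98 entries such as the Ensoniq mixer will be listed too.

```python
import re
from collections import namedtuple

# Run-key export as it appears in the posted find.bat output (abbreviated).
RUN_KEY_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="starter.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"LoadQM"="loadqm.exe"
"rfagent"="\"C:\\PROGRAM FILES\\RFA\\rfagent.exe\""
'''

# A REGEDIT4 string value: "name"="data", with \" and \\ escapes inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RunEntry = namedtuple('RunEntry', 'name exe args')


def unescape(text):
    # Undo REGEDIT4 escaping: a backslash protects the next character.
    return re.sub(r'\\(.)', r'\1', text)


def split_command(cmd):
    """Separate the program from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def parse_run_key(export):
    entries = []
    for line in export.splitlines():
        match = VALUE_RE.match(line.strip())
        if match:
            exe, args = split_command(unescape(match.group(2)))
            entries.append(RunEntry(unescape(match.group(1)), exe, args))
    return entries


def triage(entries):
    """Entries to verify first; a hit means 'check this file', not 'malware'."""
    flagged = []
    for e in entries:
        if '\\' not in e.exe:
            flagged.append((e.name, 'bare file name, resolved via PATH search'))
        elif e.exe.upper().startswith('C:\\WINDOWS\\SYSTEM\\'):
            flagged.append((e.name, 'launched from the system directory'))
    return flagged
```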

#18
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj416,

Sorry to reply to my reply, but MAYDAY MAYDAY MAYDAY!!! I'm posting from my laptop because my infected computer now will no longer boot to Windows 98. It has said, variously, the generic "error reading drive C," and, when I can coax it to go further, it says, "While initializing device VDK Windows protection error. You need to restart your computer."

Sometimes it hangs in the middle of the error message. Yikes! I'm assuming I've messed things up.

It won't boot into safe mode the few times I tried. I figured (oh please, oh please, oh please) you may have a solution. Otherwise, it looks like desktop off the balcony :tazz:

Thanks for your continuing assistance, BTW!!
  • 0

#19
tj416
    Visiting Staff
  • Member
  • 323 posts
Hi feltfeeler,

Sorry it took me so long to get back to you. I was on holiday. Please post a fresh HijackThis log and I will be happy to take a look at it.
  • 0

#20
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj, no problem. I'm on vacation right now, too, and will return around Labor Day and post a new log if I'm able to. But so far, I can't boot to ANY windows screen.

Thanks! feltfeeler
  • 0

#21
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj,

I'm unable to boot my afflicted computer to Windows. I get the error message I described in my second-to-last post. Sometimes I get half an error message, or a couple of letters of an error message.

I think I've got serious registry problems, but when I run scanreg, it hangs.

I've tried using a boot disk, but that just gives me a DOS prompt from which I'm unable to fix anything. Every floppy program I try tells me it needs to be run in Windows. No CD I put in will autorun.

Unfortunately, I'm not geek enough to figure this one out. I think I may need a DOS-based solution, but I don't have the foggiest what it might be. If you've got any ideas, I'm all ears.

I'm feeling quite depressed about going backwards. :tazz: Thanks again for your help.
  • 0

#22
tj416
    Visiting Staff
  • Member
  • 323 posts
Hi feltfeeler,

Try following the instructions mentioned here: http://www.howtodoth...spx?Article=114
  • 0

#23
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj,

In my hundred hours of trying things, I've come across the very page you recommended, and done what he mentioned, but...nothing. The scanreg screen appears, but it goes through the scan in a nanosecond, so I know it's not really doing anything. Neither scanreg/fix nor scanreg/restore is good for anything.

Isn't this a common problem? Don't the, ahem, geniuses at Microsloth have any DOS-based diagnostics?

Thanks again!
  • 0

#24
tj416
    Visiting Staff
  • Member
  • 323 posts
Hi feltfeeler,

In the link I posted, they mentioned this method. Did you try it?

If your computer will not boot up at all, hopefully you have made a good emergency boot disk. You can always make a Windows startup disk by creating one from another computer running Windows 98 or Me. Perform the following if your computer won't boot up at all.

FIRST...... Put your boot floppy disk in the floppy drive and turn on the PC. On some computers, you may have to access the BIOS and select the boot priority to your A: drive. Save any changes and select "Start Computer without CDROM support" and press Enter. Once you are at the A prompt, type dir c: and press Enter.

If your programs and other files are present, try restoring your system Registry by following the steps below. This may repair Windows, the Config.sys and autoexec.bat files to where the PC may boot up normally. When the files are present, it's a good indication of a good hard drive.

SECOND...... To correct the problem of your computer not booting up, type in "fdisk /mbr" and press Enter to restore your master boot record. Type "Scandisk C:" to check the hard drive for errors that have occurred. You can also type "Sys C:" to hopefully restore files needed to boot up your computer.


  • 0

#25
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj,

I did try that, but it didn't work for me.
  • 0

#26
tj416
    Visiting Staff
  • Member
  • 323 posts
Hi feltfeeler,

Boot the computer with a Windows 98 Startup Diskette. At the prompt type the following and press Enter after each line:

C:
cd windows
cd command
Scanreg /Restore

Select an early date when the computer was functional and press Enter. Restart the computer.

If the above does not resolve the issue, at the prompt type the following pressing Enter after each line:

C:
cd windows
cd command
Scanreg /Fix

Once completed, restart the computer.
  • 0

#27
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, tj,

I've tried these several times. I get the scanreg screen to appear, and the hard-drive light goes on for a few seconds, then the computer seems to hang. Finally, I get the C prompt to reappear at the top of the scanreg blue screen, and it's all over.

So it seems the computer is TRYING to scan, but can't quite manage.
  • 0

#28
peterm
    Trusted Tech
  • Technician
  • 3,173 posts
do we still need a hand here?
  • 0

#29
feltfeeler
    Member
  • Topic Starter
  • Member
  • 33 posts
Hi, peterm,

Why, yes, we do. The good news is, I've gotten the computer to boot...Scandisk found a bad sector, and rewrote it somewhere else, I presume, and fixed THAT problem.

Now, though, I have a new challenge. With all the trojans running wild, my Netgear software has disabled itself, so I can no longer access the Internet from the afflicted computer. I've uninstalled the program, and reinstalled the program from CD, and reinstalled the program using a new, current driver, and read up on the problem on the Netgear website, and gotten nowhere.

I'm stymied because Windows refuses to install the driver and gives me a 1f6 error. I believe 1f6 is the default error code for, "Sorry, I'm a crappy OS and even though everything was fine before, going forward it will not be."

Clearly, this is a Windows 98SE mess-up. If you or anybody else can help me with THIS, I can get back to trojan hunting.

Now it's official: I hate Bill Gates as much as anybody.

And I'd like to apologize for being such a pain, and continuing to take one step forward and two back. But please realize I greatly appreciate all your help, and have already sung your praises to anyone who will listen.
  • 0

#30
peterm
    Trusted Tech
  • Technician
  • 3,173 posts
Sorry, I need to ask an admin about this. Now that you have the computer running it is still a malware problem, and I can't reply to malware.
I asked if you needed help as this was posted in the background as help needed to get the computer going.
I am not buck passing, but a lot of problems that may look like they are tech related are malware.

Edited by peterm, 21 September 2005 - 01:51 AM.

  • 0
