Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Umonitor dll error


  • Please log in to reply

#1
Sabres rock

Sabres rock

    Member

  • Member
  • PipPip
  • 22 posts
Hi -- I get a variable dll error followed by Umonitor. Ads are popping up like carzy. Your help is appreciated. Thankyou.

Logfile of HijackThis v1.98.2
Scan saved at 4:15:33 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ktiyii.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
F3 - REG:win.ini: load=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10F3BFA0-F9A2-4127-A07D-6957DB958D65}: NameServer = 172.16.0.2,172.16.0.3
  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You have a new variation of a VX2 infection, identified by these entries:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

This fix is still a work in progress, but seems to be working well.
1. Download VX2Finder here: http://www.geekstogo...=download&id=37
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.

2. Download this ZIP file: http://www.geekstogo...=download&id=36
and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.

3. Please download DllCompare from here: http://www.geekstogo...=download&id=38

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that completed click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Only if you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.

4. Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.
  • 0

#3
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
1. Vx2 Finder
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ModuleUsage
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{C6F11B0C-6A1D-4EF2-A33F-CBB1D583D743}

2. Find.bat log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/13/2004 02:06 PM 223,576 k044lahq1d4e.dll
12/13/2004 07:04 AM 223,232 k6620gjoe6oc0.dll
12/12/2004 07:50 PM 223,576 en8ql1l51.dll
09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
11/26/2001 10:56 AM <DIR> Microsoft
4 File(s) 670,473 bytes
2 Dir(s) 66,834,067,456 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
1 File(s) 89 bytes
1 Dir(s) 66,834,063,360 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/13/2004 02:23 PM 223,576 guard.tmp
05/27/1999 07:30 PM 208,896 SoftGuard6.ocx
2 File(s) 432,472 bytes
0 Dir(s) 66,834,063,360 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/13/2004 02:23 PM 223,576 guard.tmp
08/18/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 226,153 bytes
0 Dir(s) 66,834,063,360 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C6F11B0C-6A1D-4EF2-A33F-CBB1D583D743}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en8ql1l51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

-------------- Locate.com Results ---------------

3. Error received when pressing Run Locate.com. I copied the autoexec.nt file from the repair folder to systems32 folder. Do I need to now run the Run Locate.com “compare” and “make log?”

4. Yes, there is a Guard.tmp file visible in the System 32 folder.

Thank you.
  • 0

#4
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Finally we get a version with guard.tmp ;) This one we should be able to fix. :tazz:
  • 0

#5
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi again -- I hope you're right that we should be able to fix. The situation seems to be worsening -- arbitrary reboots, depleting memory, taking over IE, and, of course, those ubiquitous popups.

I've read the other posts related to this subject, and don't seem to have the files mentioned to find for deleting with Killbox. The only one in common with others is the guard.tmp, so I left everything as is until hearing from you. I did, however, go back to dll compare (after moving the autoexec.nt file to the system 32 folder), for "run locate" instructions. The log follows. Any help appreciated. I have absolutely no idea what to do next.

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\d6j02g~1.dll Wed Dec 15 2004 1:19:22p ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\g640lg~1.dll Wed Dec 15 2004 10:45:04a ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\j40sle~1.dll Wed Dec 15 2004 8:05:30a ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\k626lg~1.dll Wed Dec 15 2004 1:11:24p ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\k6620g~1.dll Mon Dec 13 2004 7:04:34a ..S.R 223,232 218.00 K
C:\WINDOWS\SYSTEM32\l4j80e~1.dll Wed Dec 15 2004 8:02:34a ..S.R 225,485 220.20 K
C:\WINDOWS\SYSTEM32\mhtime.dll Tue Dec 14 2004 3:43:34p ..S.R 225,485 220.20 K
C:\WINDOWS\SYSTEM32\mvj2l9~1.dll Tue Dec 14 2004 1:45:52p ..S.R 223,576 218.34 K
________________________________________________

1,307 items found: 1,307 files (8 H/S), 0 directories.
Total of file sizes: 266,063,389 bytes 253.73 M

Administrator Account = True

AppInit_DLLs value = NVDESK32.DLL (not hidden)
--------------------End log---------------------
  • 0

#6
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi -- Judging by the number of people who have posted the same dll error, I am guessing there was no easy fix? My situation continues to deteriorate, and now the computer is almost useless. I could live with the pop-ups, but the rebooting on its own is unmanagable. If you have a solution, please let me know. I saw an "admin" post to use killbox, and thought I might try that if I do not hear from the original respondent. Thanks --
  • 0

#7
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
New tools:
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
We'll get it! :tazz:
  • 0

#8
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thanks for writing and for your optimism. I would have replied sooner but my reboot-when-you-feel-like-it system took over. :tazz: Here's the log. I hope it's not as bad as it looks.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/20/2004 07:17 PM 223,583 lvr4099qe.dll
12/20/2004 07:09 PM 223,084 mv4ql9h51.dll
12/20/2004 05:43 PM 223,084 t48u0el9ehq.dll
12/20/2004 05:35 PM 223,084 hr6s05j7e.dll
12/20/2004 05:27 PM 224,638 h20q0cd5ef0.dll
12/20/2004 07:54 AM 224,638 aoi3d1ag.dll
12/20/2004 07:49 AM 222,966 hmpapml0.dll
12/20/2004 07:42 AM 222,966 CSDetres.dll
12/15/2004 10:45 AM 222,966 g640lghm164a.dll
12/15/2004 08:05 AM 222,966 j40sled71h0.dll
12/15/2004 08:02 AM 225,485 l4j80e1ueh.dll
12/14/2004 03:43 PM 225,485 mhtime.dll
12/14/2004 01:45 PM 223,576 mvj2l91o1.dll
09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
11/26/2001 10:56 AM <DIR> Microsoft
14 File(s) 2,908,610 bytes
2 Dir(s) 67,143,172,096 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
1 File(s) 89 bytes
1 Dir(s) 67,143,172,096 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

05/27/1999 07:30 PM 208,896 SoftGuard6.ocx
1 File(s) 208,896 bytes
0 Dir(s) 67,143,172,096 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

08/18/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 67,143,168,000 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C6F11B0C-6A1D-4EF2-A33F-CBB1D583D743}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t48u0el9ehq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
aoi3d1ag.dll Mon Dec 20 2004 7:54:52a ..S.R 224,638 219.37 K
csdetres.dll Mon Dec 20 2004 7:42:04a ..S.R 222,966 217.74 K
g640lg~1.dll Wed Dec 15 2004 10:45:04a ..S.R 222,966 217.74 K
h20q0c~1.dll Mon Dec 20 2004 5:27:52p ..S.R 224,638 219.37 K
hmpapml0.dll Mon Dec 20 2004 7:49:42a ..S.R 222,966 217.74 K
hr6s05~1.dll Mon Dec 20 2004 5:35:44p ..S.R 223,084 217.86 K
j40sle~1.dll Wed Dec 15 2004 8:05:30a ..S.R 222,966 217.74 K
l4j80e~1.dll Wed Dec 15 2004 8:02:34a ..S.R 225,485 220.20 K
lvr409~1.dll Mon Dec 20 2004 7:17:42p ..S.R 223,583 218.34 K
mhtime.dll Tue Dec 14 2004 3:43:34p ..S.R 225,485 220.20 K
mv4ql9~1.dll Mon Dec 20 2004 7:09:54p ..S.R 223,084 217.86 K
mvj2l9~1.dll Tue Dec 14 2004 1:45:52p ..S.R 223,576 218.34 K
t48u0e~1.dll Mon Dec 20 2004 5:43:50p ..S.R 223,084 217.86 K

13 items found: 13 files, 0 directories.
Total of file sizes: 2,908,521 bytes 2.77 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\lwapaa.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vrcycc.exe: .aspack
C:\WINDOWS\SYSTEM32\wbkqkk.dat: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HP SchedIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppschedindexer.exe"
"HP AutoIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppautoindexer.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
  • 0

#9
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Good morning. I'm still "infected." I see a couple people have used "killbox" to rid themselves of the virus. Might it work for me? My husband has threatened to uninstall all my software and reinstall Windows, et al. I'd like to avoid that and have about two days until he's home for vacation. :tazz: Any help in the interim appreciated.
  • 0

#10
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Because of the time that's lapsed could you please post a new find_it log?

We've been pretty successful at removing this new infection, and we should be able to help you too. :tazz:
  • 0

Advertisements


#11
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Here's the latest. Thanks again for your help.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/27/2004 10:20 AM 224,848 l64q0gh5e64.dll
12/25/2004 11:32 AM 223,200 g4jole131h.dll
12/20/2004 07:09 PM 223,084 mv4ql9h51.dll
12/20/2004 05:35 PM 223,084 hr6s05j7e.dll
12/20/2004 05:27 PM 224,638 h20q0cd5ef0.dll
12/20/2004 07:54 AM 224,638 aoi3d1ag.dll
12/20/2004 07:49 AM 222,966 hmpapml0.dll
12/20/2004 07:42 AM 222,966 CSDetres.dll
12/15/2004 10:45 AM 222,966 g640lghm164a.dll
12/15/2004 08:05 AM 222,966 j40sled71h0.dll
12/15/2004 08:02 AM 225,485 l4j80e1ueh.dll
12/14/2004 03:43 PM 225,485 mhtime.dll
12/14/2004 01:45 PM 223,576 mvj2l91o1.dll
09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
11/26/2001 10:56 AM <DIR> Microsoft
14 File(s) 2,909,991 bytes
2 Dir(s) 67,077,558,272 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
1 File(s) 89 bytes
1 Dir(s) 67,077,558,272 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/27/2004 10:59 AM 223,200 guard.tmp
05/27/1999 07:30 PM 208,896 SoftGuard6.ocx
2 File(s) 432,096 bytes
0 Dir(s) 67,077,558,272 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/27/2004 10:59 AM 223,200 guard.tmp
08/18/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 225,777 bytes
0 Dir(s) 67,077,554,176 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C6F11B0C-6A1D-4EF2-A33F-CBB1D583D743}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g4jole131h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
aoi3d1ag.dll Mon Dec 20 2004 7:54:52a ..S.R 224,638 219.37 K
csdetres.dll Mon Dec 20 2004 7:42:04a ..S.R 222,966 217.74 K
g4jole~1.dll Sat Dec 25 2004 11:32:18a ..S.R 223,200 217.97 K
g640lg~1.dll Wed Dec 15 2004 10:45:04a ..S.R 222,966 217.74 K
h20q0c~1.dll Mon Dec 20 2004 5:27:52p ..S.R 224,638 219.37 K
hmpapml0.dll Mon Dec 20 2004 7:49:42a ..S.R 222,966 217.74 K
hr6s05~1.dll Mon Dec 20 2004 5:35:44p ..S.R 223,084 217.86 K
j40sle~1.dll Wed Dec 15 2004 8:05:30a ..S.R 222,966 217.74 K
l4j80e~1.dll Wed Dec 15 2004 8:02:34a ..S.R 225,485 220.20 K
l64q0g~1.dll Mon Dec 27 2004 10:20:28a ..S.R 224,848 219.58 K
mhtime.dll Tue Dec 14 2004 3:43:34p ..S.R 225,485 220.20 K
mv4ql9~1.dll Mon Dec 20 2004 7:09:54p ..S.R 223,084 217.86 K
mvj2l9~1.dll Tue Dec 14 2004 1:45:52p ..S.R 223,576 218.34 K

13 items found: 13 files, 0 directories.
Total of file sizes: 2,909,902 bytes 2.77 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\lwapaa.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vrcycc.exe: .aspack
C:\WINDOWS\SYSTEM32\wbkqkk.dat: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HP SchedIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppschedindexer.exe"
"HP AutoIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppautoindexer.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
  • 0

#12
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\64q0gh5e64.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\g4jole131h.dll
    • C:\WINDOWS\System32\mv4ql9h51.dll
    • C:\WINDOWS\System32\hr6s05j7e.dll
    • C:\WINDOWS\System32\h20q0cd5ef0.dll
    • C:\WINDOWS\System32\aoi3d1ag.dll
    • C:\WINDOWS\System32\hmpapml0.dll
    • C:\WINDOWS\System32\CSDetres.dll
    • C:\WINDOWS\System32\g640lghm164a.dll
    • C:\WINDOWS\System32\j40sled71h0.dll
    • C:\WINDOWS\System32\l4j80e1ueh.dll
    • C:\WINDOWS\System32\mhtime.dll
    • C:\WINDOWS\System32\mvj2l91o1.dll
    • C:\WINDOWS\System32\lwapaa.exe
    • C:\WINDOWS\System32\vrcycc.exe
    • C:\WINDOWS\System32\wbkqkk.dat
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt.

  • 0

#13
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
New output.txt log follows. After following the Pocket Killbox instructions and rebooting on the last operation (after deleting guard.tmp file), I still received the dreaded thud and error message on reboot, "RUN DLL: An exception occured while trying to run c:\Windows\system32\KUDAGE.DLL",umonitor" and a pop-up almost immediately. :tazz: The good news: The list is shorter this time.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

12/27/2004 10:52 PM 56 m4po0e73eh.dll
12/27/2004 10:20 AM 224,848 l64q0gh5e64.dll
09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
11/26/2001 10:56 AM <DIR> Microsoft
3 File(s) 224,993 bytes
2 Dir(s) 67,080,970,240 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
1 File(s) 89 bytes
1 Dir(s) 67,080,970,240 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

05/27/1999 07:30 PM 208,896 SoftGuard6.ocx
1 File(s) 208,896 bytes
0 Dir(s) 67,080,970,240 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D4F4-3C57

Directory of C:\WINDOWS\System32

08/18/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 67,080,966,144 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C6F11B0C-6A1D-4EF2-A33F-CBB1D583D743}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l64q0gh5e64.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
l64q0g~1.dll Mon Dec 27 2004 10:20:28a ..S.R 224,848 219.58 K
m4po0e~1.dll Mon Dec 27 2004 10:52:08p ..S.R 56 0.05 K

2 items found: 2 files, 0 directories.
Total of file sizes: 224,904 bytes 219.63 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HP SchedIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppschedindexer.exe"
"HP AutoIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppautoindexer.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
  • 0

#14
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi again -- I don't see a smiley face with a hammer, or I'd use it. I'm wondering if there are more files I should delete after reviewing the last log? I've been reading the other messages and it appears there may be a few more stages to go through and solutions to try -- before I reduce my system to rubble and beg my husband for a new computer. Speaking of, said spouse still insists that we should wipe clean the Windows file and reinstall all, so any help to stave that process is appreciated. I am having the same problems -- popups, alien rebooting, and spinning hourglass loading who-knows-what onto my system. I thought I was an isolated user, but it appears many others now have the same problem. Any chance Symantec or similar software might become available soon?
  • 0

#15
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
This process takes several steps, so just take a breath. And tell your husband to stay away! ;) You don't want to wipe it clean - you'll miss a lot of programs, trust me.

I will look at it in a minute and get back with you. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP