Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

UMonitor


  • Please log in to reply

#1
dcdog

dcdog

    New Member

  • Member
  • Pip
  • 2 posts
I keep getting dll errors everytime I reboot, and they all point to UMonitor can anyone help? Here is my log

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
ShellServiceObjectDelayLoad


Guardian Key--- is called:

User Agent String---
{8E705A9F-7F57-46FD-BBB9-C9F9765F9980}

Logfile of HijackThis v1.98.2
Scan saved at 4:29:43 PM, on 12/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Dave\Desktop\VX2Finder(126).exe
C:\Documents and Settings\Dave\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.dpmr.kde....tivexviewer.cab
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0

#3
dcdog

dcdog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Here's my log after running FindIt

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is AC4C-FD94

Directory of C:\WINDOWS\System32

12/21/2004 12:06 AM 222,481 odengl32.dll
12/20/2004 08:19 PM 225,941 enrol1931.dll
12/19/2004 12:04 AM <DIR> DLLCACHE
12/18/2004 11:18 PM 225,965 en28l1fu1.dll
12/18/2004 11:16 AM 222,902 mv8ol9l31.dll
12/16/2004 03:51 PM 224,089 k6440ghqe64e0.dll
11/29/2004 07:23 PM 225,228 u6rulg9916.dll
11/29/2004 06:51 PM 224,692 mv8ul9l91.dll
06/04/2003 05:58 AM <DIR> Microsoft
7 File(s) 1,571,298 bytes
2 Dir(s) 50,035,286,016 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is AC4C-FD94

Directory of C:\WINDOWS\System32

12/19/2004 12:04 AM <DIR> DLLCACHE
09/03/2002 01:33 PM 488 logonui.exe.manifest
09/03/2002 01:33 PM 488 WindowsLogon.manifest
09/03/2002 01:33 PM 749 nwc.cpl.manifest
09/03/2002 01:33 PM 749 sapi.cpl.manifest
09/03/2002 01:33 PM 749 ncpa.cpl.manifest
09/03/2002 01:33 PM 749 wuaucpl.cpl.manifest
09/03/2002 01:33 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 50,035,281,920 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is AC4C-FD94

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is AC4C-FD94

Directory of C:\WINDOWS\System32

08/29/2002 05:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 50,035,277,824 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8E705A9F-7F57-46FD-BBB9-C9F9765F9980}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\odengl32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
en28l1~1.dll Sat Dec 18 2004 11:18:28p ..S.R 225,965 220.67 K
enrol1~1.dll Mon Dec 20 2004 8:19:30p ..S.R 225,941 220.64 K
k6440g~1.dll Thu Dec 16 2004 3:51:26p ..S.R 224,089 218.84 K
mv8ol9~1.dll Sat Dec 18 2004 11:16:52a ..S.R 222,902 217.68 K
mv8ul9~1.dll Mon Nov 29 2004 6:51:16p ..S.R 224,692 219.43 K
odengl32.dll Tue Dec 21 2004 12:06:02a ..S.R 222,481 217.27 K
u6rulg~1.dll Mon Nov 29 2004 7:23:36p ..S.R 225,228 219.95 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,571,298 bytes 1.50 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxtorOneTouch"="C:\\PROGRA~1\\Maxtor\\OneTouch\\Utils\\OneTouch.exe"
"kalvsys"="C:\\windows\\system32\\kalvghj32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\odengl32.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\enrol1931.dll
    • C:\WINDOWS\System32\en28l1fu1.dll
    • C:\WINDOWS\System32\mv8ol9l31.dll
    • C:\WINDOWS\System32\k6440ghqe64e0.dll
    • C:\WINDOWS\System32\u6rulg9916.dll
    • C:\WINDOWS\System32\mv8ul9l91.dll
    • C:\WINDOWS\System32\ntdll.dll
    • C:\WINDOWS\System32\kalvghj32.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP