Hehe, stay calm, we're making progress (slow) but it's working, believe me. If you go postal, will you take pictures and send them to me? I won't tell. Anyway, here are the new instructions; remember to do this in safe mode.
Remove the following files the same way as you have been already. They're all in c:\winnt\system32 except for the last one.
kudcan.dll
q8860ilse8q60.dll
atmparse.dll
k480lelm1hqa.dll
mxdart.dll
hrr0059me.dll
j44o0eh3eh4.dll
hrj0051me.dll
d?dplay.exe
mkzay.dll
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe
Post a new output.txt. This will take a few more steps, but we'll get it.
-=jonnyrotten=-
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A
Directory of C:\WINNT\System32
12/30/2004 11:02 AM 225,959 rcutils.dll
12/30/2004 11:02 AM 223,091 p66slgj716o.dll
12/30/2004 10:37 AM 225,959 nbtlogon.dll
12/30/2004 10:10 AM 225,959 irnol5531.dll
12/30/2004 02:40 AM <DIR> dllcache
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/06/2003 02:34 PM <DIR> Microsoft
7 File(s) 1,740,122 bytes
2 Dir(s) 111,168,344,064 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A
Directory of C:\WINNT\System32
12/30/2004 02:40 AM <DIR> dllcache
12/27/2004 10:21 AM <DIR> vmss
12/27/2004 10:21 AM <DIR> wsxsvc
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/06/2003 02:25 PM 488 WindowsLogon.manifest
10/06/2003 02:25 PM 488 logonui.exe.manifest
10/06/2003 02:25 PM 749 nwc.cpl.manifest
10/06/2003 02:25 PM 749 ncpa.cpl.manifest
10/06/2003 02:25 PM 749 sapi.cpl.manifest
10/06/2003 02:25 PM 749 cdplayer.exe.manifest
10/06/2003 02:25 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
3 Dir(s) 111,168,335,872 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A
Directory of C:\WINNT\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A
Directory of C:\WINNT\System32
03/31/2003 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 111,168,331,776 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D533D09D-E5D3-40ED-97BD-26C23029ABEA}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irnol5531.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"kalvsys"="C:\\winnt\\system32\\kalvgvm32.exe"
"WeeqEE"="C:\\WINNT\\jhefoyts.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"winupdtl"="C:\\WINNT\\System32\\winupdtl.exe"
"Dvx"="C:\\WINNT\\System32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINNT\\System32\\vmss\\vmss.exe"
"zknszkl"="C:\\WINNT\\zknszkl.exe"
"CashBack"="C:\\Program Files\\CashBack\\bin\\cashback.exe"
"NaviSearch"="C:\\Program Files\\NaviSearch\\bin\\nls.exe"
"BullsEye Network"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"BCPC"="\"C:\\Program Files\\Bcpc\\bcpc.exe\""
"SurfSideKick 2"="C:\\Program Files\\SurfSideKick 2\\Ssk.exe"
"version"="C:\\WINNT\\System32\\ms1B.exe"
"secure"="C:\\WINNT\\System32\\secure.exe"
"180ax"="c:\\docume~1\\owner\\locals~1\\temp\\180ax.exe"
"fuf"="C:\\WINNT\\fuf.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
They're still here.... Wish I was in Waikiki: "mostly sunny today, a few windward and mauka showers, highs in the 80s". Easy now, Nitrox