DLL Error On Boot


#1
upsman96 (Member, 15 posts)

Well, it looks like I have the same kind of problem that many have had.

My problem is this:

When I logged on today, I got an error message that read:

RUNDLL

An exception occurred while trying to run ""C:\WINDOWS\sys32\iseshare..dll",UMonitor

I clicked ok, and my computer seemed to be running alright, but then it rebooted on its own. So far my computer seems to be ok, but I would like to know what that error is. I looked up mugina through metacrawler and it linked it to some sort of virus. Also I've heard that UMonitor is a big problem... so any help would be appreciated.

Thanks in advance!

Mark

#2
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)

  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to your active partition (usually the C: drive).
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Regards,

Pieter

#3
upsman96 (Topic Starter, Member, 15 posts)

Thanks for the help! Here's the output file.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:15 AM 56 k4620ejoehoc0.dll
12/26/2004 10:11 AM 223,256 m6julg1916.dll
12/25/2004 11:53 PM 224,811 k0nola531d.dll
12/25/2004 11:14 PM 224,811 ag3api.dll
12/25/2004 01:00 AM 223,232 o0rola931d.dll
12/08/2004 03:49 PM 223,896 o4660ejseho60.dll
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
7 File(s) 1,128,766 bytes
2 Dir(s) 14,836,203,520 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:21 AM 892 vsconfig.xml
12/21/2004 07:30 PM 4,212 zllictbl.dat
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
03/13/2004 01:07 PM 4,212 imlictbl.dat
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
11 File(s) 22,741 bytes
1 Dir(s) 14,836,187,136 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:22 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 14,836,170,752 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:22 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 14,836,154,368 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1E03FCAB-9838-463E-9007-1587E2754387}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m6julg1916.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
ag3api.dll Sat Dec 25 2004 11:14:14p ..S.R 224,811 219.54 K
vsconfig.xml Sun Dec 26 2004 11:21:58a A..H. 892 0.87 K
zllictbl.dat Tue Dec 21 2004 7:30:48p ...H. 4,212 4.11 K
m6julg~1.dll Sun Dec 26 2004 10:11:40a ..S.R 223,256 218.02 K
o4660e~1.dll Wed Dec 8 2004 3:49:54p ..S.R 223,896 218.65 K
o0rola~1.dll Sat Dec 25 2004 1:00:18a ..S.R 223,232 218.00 K
k0nola~1.dll Sat Dec 25 2004 11:53:14p ..S.R 224,811 219.54 K
k4620e~1.dll Sun Dec 26 2004 11:15:38a ..S.R 56 0.05 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,125,166 bytes 1.07 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\seiuiu.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\xhlmlm.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\qwvovo.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"DXDllRegExe"="dxdllreg.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"saap"="c:\\docume~1\\atn4mxs\\locals~1\\temp\\is-km362.tmp\\180solutions\\saap.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SStb.exe"="SStb.exe"
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#4
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\qwvovo.exe
C:\WINDOWS\SYSTEM32\seiuiu.dll
C:\WINDOWS\SYSTEM32\xhlmlm.exe
C:\WINDOWS\SYSTEM32\iclzlz.dll
C:\WINDOWS\SYSTEM32\ag3api.dll
C:\WINDOWS\SYSTEM32\m6julg~1.dll
C:\WINDOWS\SYSTEM32\o4660e~1.dll
C:\WINDOWS\SYSTEM32\o0rola~1.dll
C:\WINDOWS\SYSTEM32\k0nola~1.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\system32\m6julg1916.dll

Save the text in bold below as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1E03FCAB-9838-463E-9007-1587E2754387}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DXDllRegExe"=-
"saap"=-
"SStb.exe"=-
"Narrator"=-


Then reboot once more and post a new HijackThis log.

Regards,

Pieter

Edited by Metallica, 27 December 2004 - 07:06 AM.


#5
upsman96 (Topic Starter, Member, 15 posts)

Here's the next output file.

Thanks again for the help....Mark


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:15 AM 56 k4620ejoehoc0.dll
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
2 File(s) 8,760 bytes
2 Dir(s) 14,842,560,512 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:19 AM 892 vsconfig.xml
12/21/2004 07:30 PM 4,212 zllictbl.dat
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
03/13/2004 01:07 PM 4,212 imlictbl.dat
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
11 File(s) 22,741 bytes
1 Dir(s) 14,842,544,128 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 14,842,527,744 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 14,842,511,360 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4620ejoehoc0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Mon Dec 27 2004 11:19:54a A..H. 892 0.87 K
zllictbl.dat Tue Dec 21 2004 7:30:48p ...H. 4,212 4.11 K
k4620e~1.dll Sun Dec 26 2004 11:15:38a ..S.R 56 0.05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 5,160 bytes 5.04 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\seiuiu.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\xhlmlm.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



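Posts #3 to #5 above show the pattern the helpers are chasing: a Winlogon\Notify package with a random name (ShellScrap) loading a DLL by absolute path from system32, a FixVX2.reg that deletes that key and the matching Run values, and a next output.txt in which the package is back under a new name (Hints) with a new DLL. The script below is an added example written for this page, not the Find It tool, Killbox, or anything the posters used: it parses the REGEDIT4 sections of such a log, flags Notify packages outside an assumed Windows XP baseline (KNOWN_NOTIFY), dry-runs a .reg fix against the export, and diffs two runs; the sample exports are constructed, trimmed excerpts of the ones posted.

```python
# Triage helper for the REGEDIT4 sections of a Find It NT-2K-XP output.txt as posted
# in this thread.  Written for this page; not part of Find It, Killbox or the posts.
import re

# Assumed baseline: the Winlogon\Notify packages shipped with Windows XP (all in the log).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key: {value_name: decoded_value}}; handles
    "string", dword:, hex(2): (REG_EXPAND_SZ bytes) and hex line continuation."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # re-join "...,\" continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif m and current is not None:
            name, raw = m.groups()
            val = raw
            if raw.startswith('"'):                    # REG_SZ with \\ and \" escapes
                val = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif raw.startswith("dword:"):
                val = int(raw[6:], 16)
            elif raw.startswith(("hex(2):", "hex:")):  # comma-separated byte list
                data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
                val = data.rstrip(b"\x00").decode("latin-1")
            keys[current][name] = val
    return keys

def notify_dlls(keys):
    """Map each Notify package to its DllName (value names are case-insensitive)."""
    out = {}
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY.lower() + "\\"):
            sub = key[len(NOTIFY) + 1:]
            out[sub] = next((v for n, v in values.items() if n.lower() == "dllname"), None)
    return out

def suspicious_notify(keys):
    """Flag packages outside the XP baseline or loading a DLL by absolute path."""
    flagged = {}
    for sub, dll in notify_dlls(keys).items():
        reasons = []
        if sub not in KNOWN_NOTIFY:
            reasons.append("unknown package name")
        if dll and (":" in dll or "\\" in dll):   # stock packages use bare file names
            reasons.append("absolute path")
        if reasons:
            flagged[sub] = (dll, reasons)
    return flagged

def apply_reg_fix(keys, fix_text):
    """Dry-run a fix .reg against a parsed export: "[-KEY]" removes a key tree,
    "name"=- removes one value.  Returns the surviving export."""
    result = {k: dict(v) for k, v in keys.items()}
    current = None
    for line in fix_text.splitlines():
        line = line.strip()
        if line.startswith("[-") and line.endswith("]"):
            doomed = line[2:-1].lower()
            for k in [k for k in result if k.lower() == doomed or k.lower().startswith(doomed + "\\")]:
                del result[k]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.endswith("=-") and current is not None:
            name = line[1:-3].lower()              # strip the quotes and '=-'
            target = next((k for k in result if k.lower() == current.lower()), None)
            for n in [n for n in result.get(target, {}) if n.lower() == name]:
                del result[target][n]
    return result

def compare_runs(before, after):
    """(removed, added) Notify packages between two runs.  One package vanishing while
    an unknown one appears with a fresh random DLL name is the re-seeding seen here."""
    b, a = notify_dlls(before), notify_dlls(after)
    return {k: b[k] for k in b.keys() - a.keys()}, {k: a[k] for k in a.keys() - b.keys()}

# Constructed samples: trimmed excerpts of the two exports and the fix posted above.
RUN1 = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="C:\\WINDOWS\\system32\\m6julg1916.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /install"
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"
'''
RUN2 = RUN1.replace("ShellScrap", "Hints").replace("m6julg1916.dll", "k4620ejoehoc0.dll")
FIX = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-
'''
```

Running compare_runs(parse_regedit4(RUN1), parse_regedit4(RUN2)) reports ShellScrap removed and Hints added, which is exactly the change between the first and second output.txt; suspicious_notify on the fixed first run is empty, so the fix was complete for what it could see and the reappearance is re-seeding, not a missed entry.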

#6
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)

Please reboot into safe mode and run the killbox once more and remove the following files using the same steps as you used the first time.

C:\WINDOWS\SYSTEM32\seiuiu.dll
C:\WINDOWS\SYSTEM32\xhlmlm.exe
C:\WINDOWS\SYSTEM32\iclzlz.dll
C:\WINDOWS\SYSTEM32\guard.tmp

Reboot normally and post new output.txt log.

-=jonnyrotten=- :tazz:

#7
upsman96 (Topic Starter, Member, 15 posts)

Here's the next file:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:15 AM 56 k4620ejoehoc0.dll
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
2 File(s) 8,760 bytes
2 Dir(s) 14,071,939,072 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 08:59 PM 892 vsconfig.xml
12/21/2004 07:30 PM 4,212 zllictbl.dat
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
03/13/2004 01:07 PM 4,212 imlictbl.dat
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
11 File(s) 22,741 bytes
1 Dir(s) 14,071,922,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 14,071,906,304 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 14,071,889,920 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4620ejoehoc0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Mon Dec 27 2004 8:59:02p A..H. 892 0.87 K
zllictbl.dat Tue Dec 21 2004 7:30:48p ...H. 4,212 4.11 K
k4620e~1.dll Sun Dec 26 2004 11:15:38a ..S.R 56 0.05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 5,160 bytes 5.04 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\seiuiu.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#8
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Use the killbox as instructed above to remove the following entries:

C:\WINDOWS\SYSTEM32\seiuiu.dll
C:\WINDOWS\SYSTEM32\iclzlz.dll
C:\WINDOWS\SYSTEM32\guard.tmp

Reboot and post new output.txt

-=jonnyrotten=- :tazz:

#9
upsman96 (Topic Starter, Member, 15 posts)

Here's the next posting:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:15 AM 56 k4620ejoehoc0.dll
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
2 File(s) 8,760 bytes
2 Dir(s) 15,103,033,344 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/28/2004 11:00 AM 892 vsconfig.xml
12/21/2004 07:30 PM 4,212 zllictbl.dat
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
03/13/2004 01:07 PM 4,212 imlictbl.dat
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
11 File(s) 22,741 bytes
1 Dir(s) 15,103,016,960 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 15,103,000,576 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 15,102,984,192 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4620ejoehoc0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Tue Dec 28 2004 11:00:24a A..H. 892 0.87 K
zllictbl.dat Tue Dec 21 2004 7:30:48p ...H. 4,212 4.11 K
k4620e~1.dll Sun Dec 26 2004 11:15:38a ..S.R 56 0.05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 5,160 bytes 5.04 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Thanks again,

Mark
  • 0

#10
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Are you running Service Pack 2 or 1?

Copy and paste this text into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

If running Service Pack 1 use this text:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]


If running Service Pack 2 use this text:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


Reboot and post new output.txt log.

-=jonnyrotten=- :tazz:
  • 0
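The FixVX2.reg above deletes the planted Notify\Hints key by hand. As an added example (not from this thread or the Find It tool), here is a Python parser for the "Keys Under Notify" section of output.txt: it decodes hex(2) DllName values, flags any notification package that is not one of the nine standard entries visible in these logs or whose DLL is given as a full path, and emits the same kind of `[-key]` removal .reg. The allow-list and the sample excerpt are constructed from this thread's logs.

```python
"""Flag suspicious Winlogon\\Notify packages in a Find.bat output.txt dump.

Added example for the thread above; the allow-list below is constructed
from the Notify subkeys that appear in these logs, not from any Microsoft
documentation.
"""
import re

# Subkey -> DLL it is expected to load (lower-cased, constructed from the log).
EXPECTED_NOTIFY_DLLS = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Constructed excerpt of an output.txt in the same layout as the thread's logs.
SAMPLE_OUTPUT = r"""Warning! This utility will find legitimate files in addition to malware.

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4620ejoehoc0.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

------------------ Locate.com Results ------------------
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def extract_section(output_txt, title):
    """Return the lines between the dashed header containing `title`
    and the next dashed header of a Find.bat output.txt."""
    body, inside = [], False
    for line in output_txt.splitlines():
        if line.startswith("---") and line.rstrip().endswith("-"):
            if inside:
                break
            inside = title in line
            continue
        if inside:
            body.append(line)
    return "\n".join(body)


def decode_reg_value(raw):
    """Decode the right-hand side of a REGEDIT4 line: a "quoted" REG_SZ
    (backslash escapes removed), a hex(2) REG_EXPAND_SZ byte list (NUL
    terminated), or a dword (returned as int). Anything else is returned as-is."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(2\):(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 dump.
    Lines ending in a backslash (long hex values) are re-joined first."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def suspicious_notify_packages(output_txt):
    """Return [(subkey, dllname, reason)] for Notify packages worth a look."""
    findings = []
    section = extract_section(output_txt, "Keys Under Notify")
    for key, values in parse_regedit4(section).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        sub = key[len(NOTIFY_PREFIX):]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        reasons = []
        if dll is None:
            reasons.append("no DllName value")
        else:
            expected = EXPECTED_NOTIFY_DLLS.get(sub.lower())
            if expected is None:
                reasons.append("subkey not in allow-list")
            elif dll.lower() != expected:
                reasons.append(f"expected {expected}")
            if "\\" in dll or ":" in dll:
                reasons.append("DllName is a full path")
        if reasons:
            findings.append((sub, dll, "; ".join(reasons)))
    return findings


def removal_reg(findings):
    """Build REGEDIT4 text that deletes each flagged subkey, in the same
    form as the FixVX2.reg in this thread (a leading '-' deletes the key)."""
    lines = ["REGEDIT4", ""]
    for sub, _dll, _reason in findings:
        lines += [f"[-{NOTIFY_PREFIX}{sub}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious_notify_packages(SAMPLE_OUTPUT)
    for sub, dll, why in found:
        print(f"{sub}: {dll} ({why})")
    print(removal_reg(found))
```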

#11
upsman96

upsman96

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I'm running Service Pack 2. I did as you indicated and here are the results.

Thanks again,

Mark


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/26/2004 11:15 AM 56 k4620ejoehoc0.dll
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
2 File(s) 8,760 bytes
2 Dir(s) 15,099,789,312 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/28/2004 06:04 PM 892 vsconfig.xml
12/21/2004 07:30 PM 4,212 zllictbl.dat
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
03/13/2004 01:07 PM 4,212 imlictbl.dat
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
11 File(s) 22,741 bytes
1 Dir(s) 15,099,772,928 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 15,099,756,544 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 15,099,740,160 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Tue Dec 28 2004 6:04:16p A..H. 892 0.87 K
zllictbl.dat Tue Dec 21 2004 7:30:48p ...H. 4,212 4.11 K
k4620e~1.dll Sun Dec 26 2004 11:15:38a ..S.R 56 0.05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 5,160 bytes 5.04 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#12
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
I know it may seem like we are just doing the same thing over and over, but it's helping, slowly. This should be nearing the end though. Use killbox to remove the following files as you have been doing. Note: make sure you are in safe mode when you remove these.

C:\WINDOWS\SYSTEM32\k4620ejoehoc0.dll
C:\WINDOWS\SYSTEM32\zllictbl.dat
C:\WINDOWS\SYSTEM32\imlictbl.dat
C:\WINDOWS\SYSTEM32\gpwywy.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe
C:\WINDOWS\SYSTEM32\iclzlz.dll

Reboot normally and post a new output.txt and a new HijackThis log.

-=jonnyrotten=- :tazz:
  • 0

#13
upsman96

upsman96

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Once again, I appreciate your help. Here's the output file. I'm getting a new dll error on boot. The detail is this:

DDE Server: fhkpkp.exe - Bad Image

The application or DLL C:\windows\system32\seiuiu.dll is not a valid windows image. Please check this against your installation diskette.



Output file:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
1 File(s) 8,704 bytes
2 Dir(s) 15,101,902,848 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/28/2004 10:39 PM 892 vsconfig.xml
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
9 File(s) 14,317 bytes
1 Dir(s) 15,101,886,464 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 15,101,870,080 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 15,101,853,696 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Tue Dec 28 2004 10:39:30p A..H. 892 0.87 K

1 item found: 1 file, 0 directories.
Total of file sizes: 892 bytes 0.87 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#14
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
OK, I believe the error is because Windows is trying to load a file we have removed. Don't worry, we will take care of that with the HijackThis log after we clean this one. The main thing I'm trying to get done right now is to remove this file:

C:\WINDOWS\SYSTEM32\iclzlz.dll

In order to remove that I believe we need to remove these ones:

C:\WINDOWS\SYSTEM32\gpwywy.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe

So I suggest try this:
Reboot into safe mode and delete the following files:

C:\WINDOWS\SYSTEM32\gpwywy.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe
C:\WINDOWS\SYSTEM32\iclzlz.dll

If you are not allowed to, right-click the file, uncheck the box next to "Read Only" and try again. If that does not work then use the killbox. Reboot and post a new output.txt.

If the file is still going to be stubborn I will need to get some backup. I've done quite a few of these logs lately, and none have had a file this hard to remove. Keep hanging in there, I'm not ready to give up. :tazz:

-=jonnyrotten=- ;)
  • 0

#15
upsman96

upsman96

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I'll hang in there as long as you guys continue to help. Thanks again. I deleted the files in safe mode as you asked and had to use killbox only on the iclzlz.dll file. After rebooting, the file was still there, so I deleted the file from Explorer with no problem. I rebooted and the file is still gone. Next I ran the cmd file and here are the results.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
1 File(s) 8,704 bytes
2 Dir(s) 15,099,723,776 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/28/2004 11:42 PM 892 vsconfig.xml
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
9 File(s) 14,317 bytes
1 Dir(s) 15,099,707,392 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 15,099,691,008 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7

Directory of C:\WINDOWS\System32

12/27/2004 11:00 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 15,099,674,624 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Tue Dec 28 2004 11:42:28p A..H. 892 0.87 K

1 item found: 1 file, 0 directories.
Total of file sizes: 892 bytes 0.87 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"