UMonitor Problem


#1 pedrossi (Member, 57 posts)
I am really relieved to have found somewhere where I can maybe get help for this problem.
For weeks now, every time I turn on my computer, the message appears:

RUNDLL
An exception occurred while trying to run "C:\windows\system32\wcjcdlg.dll", UMonitor


-------------------------------------------------------------------------------------
Some other symptoms that may or may not be related to this virus/worm:

I believe a program in my computer is controlling all my internet activity. When I go to an internet website that is invalid (such as www.askdjasd.com), this appears in my IE's address bar: http://69.20.62.53/d...rl=askdjasd.com
I am not an expert with computers but I think that means a program in my computer is forcing all outgoing info to go through the IP 69.20.62.53 which is probably a server and through the file dns.php before returning to my PC.
I also believe this because I cannot use any other browser other than Internet Explorer to connect to the internet. If I try to use Netscape or Firefox, it always says "Connection Refused". I believe this dns.php file is responsible for this.

I cannot visit any sites ending in certain domains, such as any sites ending in .tk. I believe this is because somewhere in the dns.php file in the above IP, there is some code that only allows certain known domains to be allowed to go through it, and .tk isn't a well-known domain extension.

My computer has been slowing down during startup and regular use.

I cannot run Disk Cleanup. It says it is analyzing but it never finishes. It stays at 0%. I think maybe this virus disabled it in fear that Disk Cleanup will delete it?

I get Memory Read Errors sometimes when doing random operations on my computer.

The UMonitor problem mentioned above.

I get constant error messages when trying to install programs:
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
[ Close ] [ Ignore ]


Constant Internet Failing, even though the same cable internet works when connected to another computer.

Computer "Blacks Out". I turn it on in the afternoon, use it for about 20 minutes, leave to eat a cookie or something and when I come back the screen is black but the computer seems to be running, the lights on it are on, but no matter what I do (move mouse, press keyboard keys, press reset button) it won't respond. I have to cut power to it to get it working again.

------------------------------------------------------------------------------------------

I read other posts on this forum, and to save time, I downloaded Find It and ran find.bat

This message came up:
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
[ Close ] [ Ignore ]

I clicked Ignore to proceed with the scanning, and after a while a log file came up, which I will post on another post.
Please help me solve this problem, it is very frustrating and I don't know what to do anymore. Thank you very much for providing this help for free out of your own time, I am really glad I found you guys. Thanks again!

#2 pedrossi (Topic Starter, 57 posts)
This is the log named output.txt after running find.bat.
Thanks again!




Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

12/31/2004 08:11 PM 570,501 sin.dat
12/31/2004 07:09 PM 222,362 gp2ml3f11.dll
12/31/2004 04:15 PM 222,362 j8p0li7m18.dll
12/31/2004 01:44 PM 222,362 fp4o03h3e.dll
12/31/2004 01:41 PM 222,362 i260lcjm1foa.dll
12/30/2004 11:20 PM 226,092 g6402ghmg64a2.dll
12/30/2004 08:31 PM 222,362 lv0o09d3e.dll
12/30/2004 07:34 PM 224,777 rNsdlg.dll
12/30/2004 03:47 PM <DIR> dllcache
12/30/2004 09:51 AM 225,151 m4po0e73eh.dll
12/29/2004 08:48 AM 224,869 l2r00c9mef.dll
12/28/2004 05:22 PM 224,777 fpj8031ue.dll
12/28/2004 05:12 PM 226,167 o0rola931d.dll
12/22/2004 11:41 AM 223,060 j40sled71h0.dll
12/22/2004 11:18 AM 225,901 f42mlef11h2.dll
12/22/2004 11:04 AM 223,121 m628lgfu1628.dll
12/22/2004 10:10 AM 225,620 fp4803hue.dll
12/21/2004 10:57 PM 223,232 q4nule591h.dll
12/21/2004 09:59 AM 223,232 mpvcrt40.dll
12/21/2004 09:57 AM 224,419 mvp0l97m1.dll
12/21/2004 09:38 AM 223,232 mvvcrt40.dll
12/21/2004 09:38 AM 224,419 kt8ml7l11.dll
12/20/2004 09:15 PM 224,403 enpml1711.dll
12/20/2004 06:43 PM 223,232 hrj0051me.dll
12/20/2004 02:16 PM 223,232 tOpi.dll
12/05/2004 10:26 PM 833 Y%zI¬%^zŸI?Ÿ<YIŸSSISzŸ?I^Ÿ??.,I®œ"œ
11/26/2004 01:09 AM 476 ?z%%,Y?s%zIY~?z~%^
10/02/2004 03:16 PM 13,824 Thumbs.db
09/27/2004 08:33 AM 380,928 w?nspool.exe
08/29/2004 08:24 AM 512 Elq0h.z89
08/26/2004 08:30 PM 253,962 HubG73V4.exe
08/26/2004 08:30 PM 253,962 Vaa7UQXb.exe
08/26/2004 08:30 PM 253,962 UywcVn.exe
08/26/2004 08:30 PM 253,962 NtuN.exe
08/26/2004 08:30 PM 253,962 IkxNu62.exe
08/26/2004 08:30 PM 253,962 OjqN9Y44.exe
08/26/2004 08:30 PM 499,722 RkmsYifG.exe
08/26/2004 08:30 PM 499,722 Oval63H.exe
08/26/2004 08:30 PM 499,722 Xzgx9W5.exe
08/14/2004 03:18 PM 32 {DB5AB100-AAEE-4678-99CD-CDBEEF37CB0B}.dat
08/14/2004 03:17 PM 32 {1EE6031A-59BC-4885-A183-7219B04AC9FD}.dat
08/06/2004 08:48 PM 1,868,042 1-VtaehCottiN.dat
04/29/2004 07:04 PM <DIR> Microsoft
01/20/2004 11:06 AM 29,347 nis.exe
01/20/2004 11:06 AM 15,360 nis.dll
43 File(s) 11,053,571 bytes
2 Dir(s) 6,812,397,568 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

12/31/2004 08:11 PM 570,501 sin.dat
12/30/2004 03:47 PM <DIR> dllcache
12/05/2004 10:26 PM 833 Y%zI¬%^zŸI?Ÿ<YIŸSSISzŸ?I^Ÿ??.,I®œ"œ
11/26/2004 01:09 AM 476 ?z%%,Y?s%zIY~?z~%^
10/02/2004 03:16 PM 13,824 Thumbs.db
09/27/2004 08:33 AM 380,928 w?nspool.exe
09/19/2004 09:10 AM 22,528 cleaner12.exe
08/29/2004 08:24 AM 512 Elq0h.z89
08/26/2004 08:30 PM 253,962 HubG73V4.exe
08/26/2004 08:30 PM 253,962 Vaa7UQXb.exe
08/26/2004 08:30 PM 253,962 UywcVn.exe
08/26/2004 08:30 PM 253,962 NtuN.exe
08/26/2004 08:30 PM 253,962 IkxNu62.exe
08/26/2004 08:30 PM 253,962 OjqN9Y44.exe
08/26/2004 08:30 PM 499,722 RkmsYifG.exe
08/26/2004 08:30 PM 499,722 Oval63H.exe
08/26/2004 08:30 PM 499,722 Xzgx9W5.exe
08/14/2004 03:18 PM 32 {DB5AB100-AAEE-4678-99CD-CDBEEF37CB0B}.dat
08/14/2004 03:17 PM 32 {1EE6031A-59BC-4885-A183-7219B04AC9FD}.dat
08/06/2004 08:48 PM 1,868,042 1-VtaehCottiN.dat
05/02/2004 04:44 PM 2,052 log0.txt
05/02/2004 04:44 PM 299,627 log.bak.txt
05/02/2004 04:44 PM 10,330 log1.txt
05/02/2004 04:44 PM 10,533 fiz0
05/02/2004 03:33 PM 10,444 log2.txt
05/02/2004 01:41 PM 10,401 log3.txt
05/01/2004 06:58 PM 10,363 log4.txt
05/01/2004 04:18 PM 30,064 fiz1
05/01/2004 01:56 PM 30,055 fiz2
04/30/2004 07:59 PM 30,192 fiz3
04/30/2004 07:35 PM 3,130,856 kyf.dat
01/20/2004 07:15 PM 488 logonui.exe.manifest
01/20/2004 07:15 PM 488 WindowsLogon.manifest
01/20/2004 07:15 PM 749 cdplayer.exe.manifest
01/20/2004 07:15 PM 749 sapi.cpl.manifest
01/20/2004 07:15 PM 749 nwc.cpl.manifest
01/20/2004 07:15 PM 749 ncpa.cpl.manifest
01/20/2004 07:15 PM 749 wuaucpl.cpl.manifest
01/20/2004 11:06 AM 15,360 nis.dll
01/20/2004 11:06 AM 29,347 nis.exe
39 File(s) 9,504,991 bytes
1 Dir(s) 6,812,266,496 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

12/31/2004 08:02 PM 222,362 guard.tmp
1 File(s) 222,362 bytes
0 Dir(s) 6,812,200,960 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

12/31/2004 08:02 PM 222,362 guard.tmp
09/27/2004 07:28 PM 7,168 telnet.exe.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0015.TMP
08/03/2004 11:56 PM 1,236,480 ~GLH001a.TMP
08/29/2002 01:00 PM 2,577 CONFIG.TMP
5 File(s) 2,705,067 bytes
0 Dir(s) 6,812,131,328 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0288C6F7-371D-43D6-BB52-0BBAC8EBAB77}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nis]
"DllName"="nis.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NittoCheatV-1]
"DllName"="NittoCheatV-1.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0o09d3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\gclqlz.dll: updates.qoologic.com
C:\WINDOWS\system32\phlalm.exe: updates.qoologic.com
C:\WINDOWS\system32\zeiniu.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\GUPM.exe: .aspack
C:\WINDOWS\system32\in10b6s.dll: .aspack
C:\WINDOWS\system32\qpwkwy.dat: .aspack
C:\WINDOWS\system32\thin-75-1-x-x.exe: .aspack
C:\WINDOWS\system32\thinInstall.exe: .aspack
C:\WINDOWS\system32\thinInstGUPM44.dll: 'aspack
C:\WINDOWS\system32\ywvgvo.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yhkikp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Narrator"="C:\\WINDOWS\\System32\\ywvgvo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"kalvsys"="C:\\windows\\system32\\kalvwug32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
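The "Keys Under Notify" section above is a plain REGEDIT4 export, and it is the most telling part of the FindIt log: the ShellCompatibility key points Winlogon at a full path to one of the random-named 222 KB DLLs in System32, and NittoCheatV-1 registers the same WLE* event handlers as the nis entry. Below is an added Python example (not from the thread and not part of the FindIt tool) that parses such an export, decodes the hex(2) form in which REGEDIT4 writes REG_EXPAND_SZ values such as DllName, and reports any Notify DLL that carries an explicit path or is not in a known-good set. The known-good set (the stock XP Notify DLLs plus the Intel graphics driver's igfxsrvc.dll) and the trimmed sample export are assumptions constructed for the example.

```python
from __future__ import annotations

import re

# Constructed excerpt of the REGEDIT4 "Keys Under Notify" dump shown above;
# only five of the subkeys are reproduced, enough to exercise each code path.
NOTIFY_EXPORT = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NittoCheatV-1]
"DllName"="NittoCheatV-1.dll"
"Logon"="WLELogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0o09d3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"StartShell"="SchedStartShell"
'''

# Assumption: DLLs that legitimately register Winlogon notification packages
# on a stock Windows XP SP1 box, plus the Intel graphics driver's igfxsrvc.dll.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll",
}


def _decode_reg_string(raw: str) -> str:
    """Turn a REGEDIT4 value body into text: hex(2)/hex byte lists are
    comma-separated bytes with a trailing NUL, quoted strings use \\ and \"."""
    raw = raw.strip()
    low = raw.lower()
    if low.startswith("hex(2):") or low.startswith("hex:"):
        payload = raw.split(":", 1)[1]
        data = bytes(int(h, 16) for h in payload.split(",") if h.strip())
        return data.rstrip(b"\x00").decode("latin-1")  # REGEDIT4 is ANSI
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # dword: and anything else is left as written


def parse_notify_export(text: str) -> dict[str, dict[str, str]]:
    """Map each [key path] to its values; value names are lower-cased so
    DllName and DLLName (both appear in the real dump) collapse together."""
    # REGEDIT4 wraps long hex lists with a trailing backslash; rejoin them.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip().strip('"').lower()] = _decode_reg_string(value)
    return keys


def audit_notify(keys: dict[str, dict[str, str]]) -> list[dict]:
    """Report Notify subkeys whose DLL has an explicit path (stock entries
    use bare names resolved from System32) or is outside the known set."""
    findings = []
    for path, values in keys.items():
        dll = values.get("dllname")
        if dll is None:
            continue  # the parent Notify key has no DllName of its own
        subkey = path.rsplit("\\", 1)[-1]
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\" in dll:
            reasons.append("explicit path")
        if base not in KNOWN_NOTIFY_DLLS:
            reasons.append("dll not in known-good set")
        if reasons:
            findings.append({"subkey": subkey, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_notify(parse_notify_export(NOTIFY_EXPORT)):
        print(f"{f['subkey']}: {f['dll']} ({', '.join(f['reasons'])})")
```

On the full dump above the same rules would also surface the nis entry (nis.dll is not a stock Notify package, whatever its origin); the point of the explicit-path check is that Winlogon loads whatever DllName says, as SYSTEM, before any user logs on, which is why a delete-on-reboot tool and a .reg key removal are needed rather than a plain delete.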



#3 pedrossi (Topic Starter, 57 posts)
I kept reading more and I decided to go ahead and download HijackThis, so here's the log, I hope it helps:


Logfile of HijackThis v1.99.0
Scan saved at 9:29:49 PM, on 12/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nis.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ywvgvo.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Pedro\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.c...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Pedro\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4arcade.c...rch/redir.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.c...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ydgoomyzc...ri4vb82M0.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Pedro\Application Data\Mozilla\Profiles\default\vhzqasn6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pedro\Application Data\Mozilla\Profiles\default\vhzqasn6.slt\prefs.js)
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll/300
O8 - Extra context menu item: Get all flash - C:\Program Files\Super Flash Player Manager\source.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.dot.tk
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.c...TTT/lotrttt.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...84f880889783bc3
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.c...ds/iaieplay.dll
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch....tp_le/setup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar....r2/winhot32.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelpe...alHelperNew.cab
O18 - Filter: text/html - {1E0D73EC-9E1C-4661-827E-D118CBAB27BF} - C:\WINDOWS\System32\lnmpp.dll
O18 - Filter: text/plain - {1E0D73EC-9E1C-4661-827E-D118CBAB27BF} - C:\WINDOWS\System32\lnmpp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
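Reading a HijackThis log by hand is what the helpers in this thread do. The following is an added Python example (not part of the thread and not HijackThis itself) that does the mechanical part of that triage on a constructed excerpt of the log above: it dedupes the O10 LSP entries (HijackThis prints one line per protocol chain the DLL is hooked into), lists every O15 trusted-zone addition, names the O18 MIME filter DLL, flags O23 services with no vendor string, notices that the hosts file has been relocated, and correlates the O1 hosts entries with the R1 ProxyOverride list (the two domains the hosts file maps to 81.211.105.x are exactly the two exempted from the proxy). The default hosts-file path is an assumption about a stock Windows XP install.

```python
from __future__ import annotations

import re

# Constructed excerpt of the HijackThis log posted above; the real log has
# many more lines, these are enough to exercise every rule in triage().
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O18 - Filter: text/html - {1E0D73EC-9E1C-4661-827E-D118CBAB27BF} - C:\WINDOWS\System32\lnmpp.dll
O18 - Filter: text/plain - {1E0D73EC-9E1C-4661-827E-D118CBAB27BF} - C:\WINDOWS\System32\lnmpp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

# Assumption: where a stock Windows XP install keeps its hosts file.
DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"

# Every HijackThis line is "<section code> - <body>".
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Split a log into (section code, body) pairs, skipping header lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (code, reason, detail) findings for the persistence and
    traffic-interception points a helper would act on first."""
    findings = []
    seen_lsp: set[str] = set()
    hosts_domains: set[str] = set()
    proxy_override: set[str] = set()
    for code, body in entries:
        if code == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            path = body.split(": ", 1)[1].lower()
            if path not in seen_lsp:  # one line per hooked protocol chain
                seen_lsp.add(path)
                findings.append((code, "winsock LSP", path))
        elif code == "O15":
            # Trusted Zone entries drop IE's security level for that site.
            findings.append((code, "IE trusted zone", body))
        elif code == "O18" and body.startswith("Filter: "):
            # A text/html MIME filter sees every page IE renders.
            mime, _, rest = body[len("Filter: "):].partition(" - ")
            dll = rest.rsplit(" - ", 1)[-1]
            findings.append((code, f"MIME filter for {mime}", dll))
        elif code == "O23" and " - Unknown - " in body:
            findings.append((code, "service with no vendor", body.rsplit(" - ", 1)[-1]))
        elif code == "O1" and body.startswith("Hosts file is located at: "):
            loc = body.split(": ", 1)[1]
            if loc.lower() != DEFAULT_HOSTS:
                findings.append((code, "hosts file relocated", loc))
        elif code == "O1" and body.startswith("Hosts: "):
            hosts_domains.add(body.split()[-1].lower())
        elif code == "R1" and ",ProxyOverride = " in body:
            for pat in body.split("= ", 1)[1].split(";"):
                proxy_override.add(pat.strip("*").lower())
    # A hosts override that is also exempted from the proxy is deliberate.
    for d in sorted(hosts_domains & proxy_override):
        findings.append(("O1/R1", "hosts override bypasses proxy", d))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_hjt(HJT_SAMPLE)):
        print(f"{code:5} {reason:32} {detail}")
```

The O10 dedupe matters in practice: the log above shows eight O10 lines but only two DLLs, and LSPfix (recommended in the next post) removes a DLL from the Winsock catalog once, for all the chains it is wired into.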

#4 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Download and unzip:
http://www.downloads...org/KillBox.zip
Run KillBox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it asks whether to reboot now, say No and continue to paste the lines into the box in turn, following the above procedure each time; after the last line has been pasted, let it reboot.

C:\WINDOWS\system32\gp2ml3f11.dll
C:\WINDOWS\system32\j8p0li7m18.dll
C:\WINDOWS\system32\fp4o03h3e.dll
C:\WINDOWS\system32\i260lcjm1foa.dll
C:\WINDOWS\system32\g6402ghmg64a2.dll
C:\WINDOWS\system32\lv0o09d3e.dll
C:\WINDOWS\system32\rNsdlg.dll
C:\WINDOWS\system32\m4po0e73eh.dll
C:\WINDOWS\system32\l2r00c9mef.dll
C:\WINDOWS\system32\fpj8031ue.dll
C:\WINDOWS\system32\o0rola931d.dll
C:\WINDOWS\system32\j40sled71h0.dll
C:\WINDOWS\system32\f42mlef11h2.dll
C:\WINDOWS\system32\m628lgfu1628.dll
C:\WINDOWS\system32\fp4803hue.dll
C:\WINDOWS\system32\q4nule591h.dll
C:\WINDOWS\system32\mpvcrt40.dll
C:\WINDOWS\system32\mvp0l97m1.dll
C:\WINDOWS\system32\mvvcrt40.dll
C:\WINDOWS\system32\kt8ml7l11.dll
C:\WINDOWS\system32\enpml1711.dll
C:\WINDOWS\system32\hrj0051me.dll
C:\WINDOWS\system32\tOpi.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\gclqlz.dll
C:\WINDOWS\system32\phlalm.exe
C:\WINDOWS\system32\zeiniu.dll
C:\WINDOWS\system32\GUPM.exe
C:\WINDOWS\system32\in10b6s.dll
C:\WINDOWS\system32\qpwkwy.dat
C:\WINDOWS\system32\ywvgvo.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yhkikp.exe <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0288C6F7-371D-43D6-BB52-0BBAC8EBAB77}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-
"kalvsys"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"kalvsys"=-


Download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of aklsp.dll and calsp.dll but nothing else, and move them to the "Remove" pane.
Then click Finish.

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Then reboot once more and post a new HijackThis log.

Regards,

Pieter

#5 pedrossi (Topic Starter, 57 posts)
Hi again,

Thank you very much for taking time to help me with this!
Here's the next HijackThis log:


Logfile of HijackThis v1.99.0
Scan saved at 9:53:34 AM, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nis.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pedro\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ydgoomyzc...ri4vb82M0.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Pedro\Application Data\Mozilla\Profiles\default\vhzqasn6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pedro\Application Data\Mozilla\Profiles\default\vhzqasn6.slt\prefs.js)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Thanks again!

#6 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Excellent.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ydgoomyzc...ri4vb82M0.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Pedro\Application Data\Mozilla\Profiles\default\vhzqasn6.slt\prefs.js)

And delete:
C:\windows\system32\kalvwug32.exe

Regards,

Pieter
  • 0

#7 pedrossi (Member, Topic Starter, 57 posts)
I did everything you told me to do, but when I went to delete C:\windows\system32\kalvwug32.exe, the file isn't there. Maybe it's because back when I ran Ad-Aware it got deleted?
I made sure that hidden folders and files are being displayed, but it still didn't show.
I rebooted just in case, checked HiJackThis and they're not there anymore.
I still got the UMonitor error and can't go to www.dot.tk, I still got that IP link showing in the address bar (http://69.20.62.53/dns.php?url=dot.tk). There haven't been any pop ups yet since I booted but maybe they're just waiting till I post then they'll pop up :tazz:
Thanks again for the help, is there anything else I can do besides formatting?
  • 0

#8 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Can you post a new FindIt log?

We may have missed something.

Regards,

Pieter
  • 0

#9 pedrossi (Member, Topic Starter, 57 posts)
Here's the new FindIt Log:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

01/02/2005 10:08 AM 413,087 sin.dat
01/02/2005 09:37 AM <DIR> dllcache
01/01/2005 05:13 PM 224,123 jt8o07l3e.dll
01/01/2005 04:59 PM 224,735 o4480ehueh480.dll
01/01/2005 04:19 PM 224,123 u0ru0a99ed.dll
12/31/2004 09:58 PM 222,362 cqrpol.dll
12/21/2004 09:38 AM 224,419 kt8ml7l11.dll
12/05/2004 10:26 PM 833 Y%zI¬%^zŸI?Ÿ<YIŸSSISzŸ?I^Ÿ??.,I®œ"œ
11/26/2004 01:09 AM 476 ?z%%,Y?s%zIY~?z~%^
10/02/2004 03:16 PM 13,824 Thumbs.db
09/27/2004 08:33 AM 380,928 w?nspool.exe
08/29/2004 08:24 AM 512 Elq0h.z89
08/26/2004 08:30 PM 253,962 HubG73V4.exe
08/26/2004 08:30 PM 253,962 Vaa7UQXb.exe
08/26/2004 08:30 PM 253,962 UywcVn.exe
08/26/2004 08:30 PM 253,962 NtuN.exe
08/26/2004 08:30 PM 253,962 IkxNu62.exe
08/26/2004 08:30 PM 253,962 OjqN9Y44.exe
08/14/2004 03:18 PM 32 {DB5AB100-AAEE-4678-99CD-CDBEEF37CB0B}.dat
08/14/2004 03:17 PM 32 {1EE6031A-59BC-4885-A183-7219B04AC9FD}.dat
08/06/2004 08:48 PM 1,868,042 1-VtaehCottiN.dat
04/29/2004 07:04 PM <DIR> Microsoft
01/20/2004 11:06 AM 15,360 nis.dll
01/20/2004 11:06 AM 29,347 nis.exe
22 File(s) 5,366,007 bytes
2 Dir(s) 8,523,755,520 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

01/02/2005 10:08 AM 413,087 sin.dat
01/02/2005 09:37 AM <DIR> dllcache
12/05/2004 10:26 PM 833 Y%zI¬%^zŸI?Ÿ<YIŸSSISzŸ?I^Ÿ??.,I®œ"œ
11/26/2004 01:09 AM 476 ?z%%,Y?s%zIY~?z~%^
10/02/2004 03:16 PM 13,824 Thumbs.db
09/27/2004 08:33 AM 380,928 w?nspool.exe
09/19/2004 09:10 AM 22,528 cleaner12.exe
08/29/2004 08:24 AM 512 Elq0h.z89
08/26/2004 08:30 PM 253,962 HubG73V4.exe
08/26/2004 08:30 PM 253,962 Vaa7UQXb.exe
08/26/2004 08:30 PM 253,962 UywcVn.exe
08/26/2004 08:30 PM 253,962 NtuN.exe
08/26/2004 08:30 PM 253,962 IkxNu62.exe
08/26/2004 08:30 PM 253,962 OjqN9Y44.exe
08/14/2004 03:18 PM 32 {DB5AB100-AAEE-4678-99CD-CDBEEF37CB0B}.dat
08/14/2004 03:17 PM 32 {1EE6031A-59BC-4885-A183-7219B04AC9FD}.dat
08/06/2004 08:48 PM 1,868,042 1-VtaehCottiN.dat
05/02/2004 04:44 PM 10,330 log1.txt
05/02/2004 04:44 PM 10,533 fiz0
05/02/2004 03:33 PM 10,444 log2.txt
05/02/2004 01:41 PM 10,401 log3.txt
05/01/2004 06:58 PM 10,363 log4.txt
05/01/2004 04:18 PM 30,064 fiz1
05/01/2004 01:56 PM 30,055 fiz2
04/30/2004 07:59 PM 30,192 fiz3
04/30/2004 07:35 PM 3,130,856 kyf.dat
01/20/2004 07:15 PM 488 logonui.exe.manifest
01/20/2004 07:15 PM 488 WindowsLogon.manifest
01/20/2004 07:15 PM 749 wuaucpl.cpl.manifest
01/20/2004 07:15 PM 749 nwc.cpl.manifest
01/20/2004 07:15 PM 749 ncpa.cpl.manifest
01/20/2004 07:15 PM 749 cdplayer.exe.manifest
01/20/2004 07:15 PM 749 sapi.cpl.manifest
01/20/2004 11:06 AM 15,360 nis.dll
01/20/2004 11:06 AM 29,347 nis.exe
34 File(s) 7,546,732 bytes
1 Dir(s) 8,523,624,448 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

01/02/2005 09:39 AM 224,123 guard.tmp
1 File(s) 224,123 bytes
0 Dir(s) 8,523,558,912 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is 0CBD-64B6

Directory of C:\WINDOWS\System32

01/02/2005 09:39 AM 224,123 guard.tmp
09/27/2004 07:28 PM 7,168 telnet.exe.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0015.TMP
08/03/2004 11:56 PM 1,236,480 ~GLH001a.TMP
08/29/2002 01:00 PM 2,577 CONFIG.TMP
5 File(s) 2,706,828 bytes
0 Dir(s) 8,523,489,280 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0288C6F7-371D-43D6-BB52-0BBAC8EBAB77}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u0ru0a99ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nis]
"DllName"="nis.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NittoCheatV-1]
"DllName"="NittoCheatV-1.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\thinInstGUPM44.dll: 'aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"AlcxMonitor"="ALCXMNTR.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"kalvsys"="C:\\windows\\system32\\kalvwug32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Thanks again for helping!
  • 0
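A listing like the one above is easier to triage by size than by name: several differently named files with exactly the same byte count are often one dropped component written out under random names (in the log, guard.tmp shares its 224,123-byte size with two of the .dll files, and six .exe files share 253,962 bytes). The following Python script is an added example, not part of FindIt or of the thread; it parses `dir`-style lines, groups files by exact size and reports sizes shared by more than one name. The sample listing is constructed from a handful of lines in the shape of the log above, and the clusters it returns are leads for manual review, not verdicts.

```python
"""
Size-cluster triage for a Windows `dir`-style listing such as FindIt output.
Added example (not part of FindIt or the thread): groups file entries by exact
byte size and reports sizes shared by several differently named files.
"""
import re
from collections import defaultdict

# Matches entries like: 08/26/2004 08:30 PM 253,962 HubG73V4.exe
# <DIR> entries and the trailing "n File(s)" summary lines do not match.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)

# Constructed sample: a subset of lines in the shape of the FindIt listing.
SAMPLE_LISTING = """\
01/02/2005 10:08 AM 413,087 sin.dat
01/02/2005 09:37 AM <DIR> dllcache
01/01/2005 05:13 PM 224,123 jt8o07l3e.dll
01/01/2005 04:59 PM 224,735 o4480ehueh480.dll
01/01/2005 04:19 PM 224,123 u0ru0a99ed.dll
08/26/2004 08:30 PM 253,962 HubG73V4.exe
08/26/2004 08:30 PM 253,962 Vaa7UQXb.exe
08/26/2004 08:30 PM 253,962 UywcVn.exe
10/02/2004 03:16 PM 13,824 Thumbs.db
01/02/2005 09:39 AM 224,123 guard.tmp
01/20/2004 11:06 AM 15,360 nis.dll
22 File(s) 5,366,007 bytes
"""


def parse_listing(text):
    """Return a list of (date, time, size_bytes, name) for file entries only."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue  # directory entry, blank line or summary line
        date, time, size, name = m.groups()
        entries.append((date, time, int(size.replace(",", "")), name))
    return entries


def size_clusters(entries, min_members=2):
    """Map byte size -> sorted distinct file names, keeping only sizes that
    at least `min_members` different names share."""
    by_size = defaultdict(set)
    for _date, _time, size, name in entries:
        by_size[size].add(name)
    return {size: sorted(names) for size, names in by_size.items()
            if len(names) >= min_members}


def report(text):
    """Human-readable lines, largest clusters first."""
    clusters = size_clusters(parse_listing(text))
    lines = []
    for size in sorted(clusters, key=lambda s: -len(clusters[s])):
        lines.append(f"{size:>10,d} bytes x{len(clusters[size])}: "
                     + ", ".join(clusters[size]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Run it on a saved FindIt log by reading the file into `report()`; the Hidden Files section of a real log can be fed in as well, since the line format is the same.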

#10 pedrossi (Member, Topic Starter, 57 posts)
I thought I'd also post a HiJackThis log as well, in case you need it...

Logfile of HijackThis v1.99.0
Scan saved at 10:20:32 AM, on 1/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nis.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Pedro\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.c...ODQ6NTo5&Terms=
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: strings.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Thanks!
  • 0

#11 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Run Killbox and paste each of these lines into the box, select Delete on reboot, then press the red X button. When it says reboot now, say No and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\jt8o07l3e.dll
C:\WINDOWS\System32\o4480ehueh480.dll
C:\WINDOWS\System32\cqrpol.dll
C:\WINDOWS\System32\kt8ml7l11.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\u0ru0a99ed.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0288C6F7-371D-43D6-BB52-0BBAC8EBAB77}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]


In HijackThis Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.c...ODQ6NTo5&Terms=

O4 - Global Startup: strings.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Download and run: http://www.downloads...g/VX2Finder.exe

Use the Restore Policy Button.
Reboot when prompted to.

Now we need to find the name of your Recycle Bin. This depends on your file system.
First set hidden files/folders to show as follows:
Double Click on My Computer.
Click on Tools > Folder Options... in the menus.
Click on the View tab.
Select Show hidden files and folders under Hidden files and folders.
Click Apply to all folders.
Click the OK button.

Now in the C:\ directory you should see a (transparent) folder that is either called Recycler or Recycled. Adapt the part below to match yours.

Check the name of your folder first (it depends on your filesystem) and then go to Start > Run and type "Cmd" without quotes and hit Ok

At the prompt, type the following and hit Enter after each line:
Type: cd\ [enter]
Type: attrib -s -h recycled [enter] or attrib -s -h recycler [enter]
Type: del recycled [enter] or del recycler [enter]

Reboot and let us know if it's fixed.

Regards,

Pieter
  • 0
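The FixVX2.reg above removes one Winlogon Notify package, and the reason it stood out in the FindIt log is visible in the export itself: every stock package names a bare module (crypt32.dll, cscdll.dll, wlnotify.dll), while "Internet Settings" points at a full path to a randomly named DLL in system32. The following Python script is an added example, not from the thread or from any tool named in it; it parses a REGEDIT4 export of the Notify key, decodes both the quoted and the hex(2) (REG_EXPAND_SZ) forms of DllName, and reports packages that are either full paths or not in an assumed known-good baseline. The baseline and the sample export are constructed for the example, and a flagged package is a lead for review, not a verdict.

```python
"""
Baseline review of Winlogon Notify packages in a REGEDIT4 export, such as the
"Keys Under Notify" section of a FindIt log. Added example, not from the
thread or from any tool it names.
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline of stock notify DLLs for a Windows XP SP1 machine; this is
# an assumption made for the example, not a list taken from the thread.
KNOWN_GOOD_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "igfxsrvc.dll",
}

# Constructed sample in the shape of the FindIt "Keys Under Notify" section.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u0ru0a99ed.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nis]
"DllName"="nis.dll"
"Logon"="WLELogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
'''


def decode_reg_value(raw):
    """Decode the right-hand side of a single-line REGEDIT4 value.
    "quoted" strings have \\ and \" unescaped; hex(2): byte lists are the
    REG_EXPAND_SZ form, ANSI text ending in a NUL. Other types (dword:) are
    returned as written. Multi-line hex continuations are not handled."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw


def parse_notify_packages(export_text):
    """Return {package_name: dll_name_or_None} for each subkey under Notify.
    The value name is matched case-insensitively ("DllName" vs "DLLName")."""
    packages = {}
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith(NOTIFY_KEY + "\\"):
                current = key[len(NOTIFY_KEY) + 1:]
                packages[current] = None
            else:
                current = None  # the Notify key itself or an unrelated key
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if name.strip('"').lower() == "dllname":
                packages[current] = decode_reg_value(raw)
    return packages


def review_notify_packages(packages, known_good=KNOWN_GOOD_DLLS):
    """Return (package, dll, reason) for packages outside the baseline.
    Packages with no DllName (e.g. ShellCompatibility) are skipped."""
    findings = []
    for pkg, dll in packages.items():
        if dll is None:
            continue
        if "\\" in dll or "/" in dll:
            findings.append((pkg, dll, "DllName is a full path, not a bare module"))
        elif dll.lower() not in known_good:
            findings.append((pkg, dll, "DLL not in known-good baseline"))
    return findings


if __name__ == "__main__":
    for pkg, dll, reason in review_notify_packages(parse_notify_packages(SAMPLE_EXPORT)):
        print(f"[review] Notify\\{pkg}: {dll} ({reason})")
```

Feed it the Notify section of a real FindIt log (or the output of a registry export of that key) and compare the findings with the fix you are about to apply; the FixVX2.reg above deletes exactly one such package with the `[-key]` syntax, which is the right scope for a removal once a finding has been confirmed.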

#12 pedrossi (Member, Topic Starter, 57 posts)
:thumbsup:
Thank you!! I did what you told me and it worked! I didn't get the UMonitor error and no pop ups up to now. I can use Firefox and Netscape now, but one problem still remains: I can't go to .tk sites :-| http://www.dot.tk shows up as Page Cannot Be Displayed. I've tried many things but it's been like this for months, and most of my friends use .tk for their sites! Is there anything I can try to fix it? If not, it's ok I'm happy enough that my spyware was fixed thanks to you :tazz:

Thanks for taking the time to help me, but I learned a lesson from this and I wanna take some steps to protect my PC. I downloaded Spybot Search & Destroy and Spyware, scanned my PC and removed some more ads. I enabled my Windows Firewall, and enabled Windows Updates. Right now, I'm installing Service Pack 2. I also kept all those programs I had to download and threw them in a folder. I keep WinPatrol always running and downloaded SpywareBlaster and I'm now protected against a bunch of sites and ActiveX's. Is there anything else I can do to protect my PC from future problems in terms of Settings I can put in or Programs I can download? I'll also be more careful what sites I go to, that's for sure.

Thank you again very much Pieter for helping me, you guys are wonderful and saved my PC from formatting ;)
  • 0

#13 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I think you have quite some bases covered on prevention. Check my site (link in my signature) for more information.

I have been Googling for not being able to reach .tk sites, but that didn't give me any usable results. Let me know if that behavior survives SP2 and we will see if we can come up with a solution.

Regards,

Pieter
  • 0

#14 pedrossi (Member, Topic Starter, 57 posts)
Hey,
Thanks again for everything.

Yesterday my dad got a new laptop at work and came to my house to show it to me, it's powered by that Centrino technology, and it picked up the signal from my internet router. So he was connected to the internet, and I tried to go to www.dot.tk on his laptop but I couldn't, so I'm almost 100% sure it MUST be something to do with the ISP or the Network. I talked to my friend, and he said that he called his ISP's 1-800 number and they fixed it for him over the phone, so I'm gonna try that, I think you should too.

I'll go to your site and see what else I can do to protect my PC. Thanks again! :tazz:

Pedro
  • 0

#15 pedrossi (Member, Topic Starter, 57 posts)
:tazz: Hmm I clicked on the link on your signature and it says "Page Cannot Be Displayed"... Are you sure your site is up?


Pedro
  • 0