
Hijack nightmare, Rundll issues


#1 Geekgirl (Member, 16 posts)
This is my third attempt at trying to post this as it seems that “something” keeps crashing my system preventing me from posting! So, I’ll copy and paste from a word document and try to beat this thing.

I have several issues that I need help on

1. Hijackers – I have tried for three days now (10 hours just today) looking at posts, trying all sorts of things to rid myself of these pests. I have downloaded and run the following programs before, during and after Safe Mode only to have the hijackers return. I have manually edited the registry to delete any occurrences of these things only to have them return. I also have an external hard drive that these programs have been run on.

Norton Antivirus – nothing detected
Spy Bot – cleaned and fixed issues
Ad-Aware 6.0 – fixed issues
Ad-Watch3.0 – blocked attempted registry edits
PC Bug Doctor – fixed issues
CW Shredder – nothing detected
WinsockxpFix – fixed issues
Spyware Blaster – currently running – nothing detected
Trojan Guard Gold Version – active and useless!
HijackThis – see log below
FindIt – see log below

I have already downloaded KillBox and am awaiting your advice!


2. Rundll error messages. On reboot I receive different rundll error messages that change only in the last segment; i.e. C:\WINDOWS\system32\?????.dll. Where ???? appears, I have had the following appear after “system32\”: rputils, MEXEX, pcapi, uziplat and czpbk32.

3. Coincidentally, my Palm M100 is inoperable. Is this related?

4. If your website is correct, then I am also infected with variant Apropos (no pun intended!) and will attempt the fix while I await your response to this!

5. I am unable to open the FireFox web browser, only Explorer. Is it possible one of these hijackers has locked this shut?

Thank you sooooooo much for your assistance – I am just about ready to do a clean re-install. Do you think that would do it?


HIJACKTHIS LOG FILE:

Find.bat is running from: C:\Documents and Settings\Renee\Desktop\Find It NT-2K-XP
Logfile of HijackThis v1.99.0
Scan saved at 8:10:33 PM, on 01/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kykipf.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Renee\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5....m/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5....v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communitie...UC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



FindIt Log File:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/02/2005 05:23 PM 223,870 nudll.dll
01/02/2005 05:19 PM 223,870 o6nslg5716.dll
01/02/2005 05:17 PM 223,553 enl6l13s1.dll
01/02/2005 04:56 PM 223,870 jtjo0713e.dll
01/02/2005 04:54 PM 223,777 g4220efoeh2c0.dll
01/02/2005 04:44 PM 223,730 jtpm0771e.dll
01/02/2005 01:29 PM 224,302 uxbui.dll
01/02/2005 01:05 PM 223,046 vqrcodec.dll
01/02/2005 10:09 AM 223,803 jtns0757e.dll
01/02/2005 10:02 AM 223,046 cmmpatui.dll
01/02/2005 10:00 AM 223,046 j4p0le7m1h.dll
01/02/2005 09:36 AM 223,046 enn0l15m1.dll
01/02/2005 09:29 AM 223,046 m4rm0e91eh.dll
01/02/2005 12:08 AM 223,046 f8l0li3m18.dll
01/01/2005 10:35 PM <DIR> DLLCACHE
01/01/2005 10:15 PM 224,636 q0rqla951d.dll
01/01/2005 09:12 PM 223,047 p8p6li7s18.dll
12/30/2004 09:04 AM 225,291 lnpcd12n.dll
12/30/2004 09:04 AM 225,712 dn2401fqe.dll
12/30/2004 08:46 AM 225,302 t4r80e9ueh.dll
12/30/2004 08:30 AM 225,959 ennql1551.dll
12/29/2004 08:28 PM 225,677 mv62l9jo1.dll
12/29/2004 07:37 PM 223,232 wyauserv.dll
09/23/2002 01:44 PM <DIR> Microsoft
01/05/2002 03:40 AM 487,424 msvcp70.dll
23 File(s) 5,415,331 bytes
2 Dir(s) 8,943,292,416 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/01/2005 10:35 PM <DIR> DLLCACHE
08/31/2001 10:48 AM 488 logonui.exe.manifest
08/31/2001 10:48 AM 488 WindowsLogon.manifest
08/31/2001 10:48 AM 749 nwc.cpl.manifest
08/31/2001 10:48 AM 749 sapi.cpl.manifest
08/31/2001 10:48 AM 749 ncpa.cpl.manifest
08/31/2001 10:48 AM 749 wuaucpl.cpl.manifest
08/31/2001 10:48 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 8,943,226,880 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

08/12/2004 09:40 PM 0 _r_a_p_.tmp
08/11/2004 12:45 AM 5,550,080 setb5.tmp
08/29/2002 05:41 AM 221,696 _000046_.tmp
02/01/2002 04:00 PM 45,056 qdc6EDF.tmp
02/01/2002 04:00 PM 15,449 csh4D18.tmp
5 File(s) 5,832,281 bytes
0 Dir(s) 8,943,091,712 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{10800918-E1C0-4BDB-AE85-A5F9CCCCB850}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjo0713e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cmmpatui.dll Sun Jan 2 2005 10:02:46a ..S.R 223,046 217.82 K
dn2401~1.dll Thu Dec 30 2004 9:04:08a ..S.R 225,712 220.42 K
enl6l1~1.dll Sun Jan 2 2005 5:17:42p ..S.R 223,553 218.31 K
enn0l1~1.dll Sun Jan 2 2005 9:36:04a ..S.R 223,046 217.82 K
ennql1~1.dll Thu Dec 30 2004 8:30:38a ..S.R 225,959 220.66 K
f8l0li~1.dll Sun Jan 2 2005 12:08:06a ..S.R 223,046 217.82 K
g4220e~1.dll Sun Jan 2 2005 4:54:04p ..S.R 223,777 218.53 K
j4p0le~1.dll Sun Jan 2 2005 10:00:44a ..S.R 223,046 217.82 K
jtjo07~1.dll Sun Jan 2 2005 4:56:40p ..S.R 223,870 218.62 K
jtns07~1.dll Sun Jan 2 2005 10:09:22a ..S.R 223,803 218.55 K
jtpm07~1.dll Sun Jan 2 2005 4:44:16p ..S.R 223,730 218.48 K
lnpcd12n.dll Thu Dec 30 2004 9:04:08a ..S.R 225,291 220.01 K
m4rm0e~1.dll Sun Jan 2 2005 9:29:28a ..S.R 223,046 217.82 K
mv62l9~1.dll Wed Dec 29 2004 8:28:56p ..S.R 225,677 220.39 K
nudll.dll Sun Jan 2 2005 5:23:14p ..S.R 223,870 218.62 K
o6nslg~1.dll Sun Jan 2 2005 5:19:50p ..S.R 223,870 218.62 K
p8p6li~1.dll Sat Jan 1 2005 9:12:24p ..S.R 223,047 217.82 K
q0rqla~1.dll Sat Jan 1 2005 10:15:06p ..S.R 224,636 219.37 K
t4r80e~1.dll Thu Dec 30 2004 8:46:48a ..S.R 225,302 220.02 K
uxbui.dll Sun Jan 2 2005 1:29:32p ..S.R 224,302 219.04 K
vqrcodec.dll Sun Jan 2 2005 1:05:08p ..S.R 223,046 217.82 K
wyauserv.dll Wed Dec 29 2004 7:37:34p ..S.R 223,232 218.00 K

22 items found: 22 files, 0 directories.
Total of file sizes: 4,927,907 bytes 4.70 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\izinus.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\lglqzi.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\lplamx.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vyvgoq.exe: .aspack
C:\WINDOWS\SYSTEM32\wqwkyg.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kykipf.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Narrator"="C:\\WINDOWS\\system32\\vyvgoq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"





************************

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
MCD
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{10800918-E1C0-4BDB-AE85-A5F9CCCCB850}

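An added note, not part of the thread: the decisive line in the FindIt log above is the Winlogon\Notify subkey OemStartMenuData, whose DllName is a full path to one of the freshly written system32 DLLs (jtjo0713e.dll). Winlogon loads every DLL registered under Notify into winlogon.exe at startup, running as SYSTEM before the shell or any scanner starts, so a DLL hooked there gets a chance to rewrite the Run key and drop fresh copies on every boot, which matches the "fixed, then it comes back" pattern reported for Spybot, Ad-Aware and the manual registry edits. The Python below is example code written for this page, not a tool from the thread: it parses a REGEDIT4 export of that key, decodes the hex(2) DllName values the log shows, and flags subkeys whose DLL is given as an explicit path or is not a stock XP notification package. The stock list is an assumption assembled from the legitimate entries visible in the log.

```python
import re

# Constructed sample: a REGEDIT4 export of HKLM\...\Winlogon\Notify, trimmed to four
# subkeys copied from the FindIt log above. OemStartMenuData is the VX2 hook; the
# other three are stock Windows XP notification packages.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjo0713e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed allowlist: the notification packages that ship with Windows XP and appear
# in the log. Anything else registered under Notify deserves a look.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


def decode_reg_value(raw):
    """Turn one REGEDIT4 value body into a str, int or bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # quoted REG_SZ: .reg files escape backslash and double quote
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ, ANSI in REGEDIT4
            return data.rstrip(b"\x00").decode("latin-1")
        return data  # plain REG_BINARY
    return raw


def parse_regedit4(text):
    """Return {key path: {value name: decoded value}} for a REGEDIT4 export."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        # regedit wraps long hex values with a trailing backslash; rejoin them
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip().strip('"')] = decode_reg_value(raw)
    return keys


def suspicious_notify_entries(keys):
    """Flag Notify subkeys whose DLL is not a stock package or is given as an
    explicit path (stock entries are bare names that winlogon resolves from system32)."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        subkey = key[len(NOTIFY_KEY) + 1:]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            continue
        reasons = []
        if "\\" in dll or "/" in dll:
            reasons.append("explicit path instead of a bare system32 name")
        if dll.replace("/", "\\").split("\\")[-1].lower() not in STOCK_NOTIFY_DLLS:
            reasons.append("not a stock XP notification package")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in suspicious_notify_entries(parse_regedit4(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} ({'; '.join(reasons)})")
```

Run against the sample it reports only OemStartMenuData. The same parser works on the "Keys Under Notify" section of a FindIt log pasted into a file, and on a regedit export of the key taken from the live machine, which is the quicker check before the next reboot.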

#2 LineOFire (Malware Expert, Retired Staff, 235 posts)
You are well prepared. :tazz:

I can answer your questions after your logs are cleaner. Please delete the Find It NT-2K-XP directory you have. We are going to download another one.

Download FindIt NT-2K-XP from here:

http://lineofire.gee...It NT-2K-XP.zip

Unzip the contents. Navigate to the FindIt NT-2K-XP directory and double-click on FindVX2.bat. It will produce a log file named FindVX2.txt. Please post the contents of that log into your next post.

#3 Geekgirl (Topic Starter, Member, 16 posts)
Hello and THANK YOU sooooooooooo much for your assistance! I have never seen anything so insidious as this! The download for Find Vx2 you referred me to had a bit more to it than the one I had. Thanks for that link. Below is what it turned up. Also I notice there is a file that keeps pinning itself to my start up file even after I take it off "vyvgog.exe" any idea what that is? When I do a search on the hard drive it doesn't even appear!

By the way - at least I was able to successfully get rid of Apropos! Thanks! :tazz:




---------------- FindVX2 NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Home Edition 5.1 Service Pack 2 (Build 2600)

********* Date/Time ********

Monday, January 03, 2005 (01/03/2005)
8:44 AM, Eastern Standard Time

*********** Path ***********

FindVX2.bat is running from: C:\Documents and Settings\Renee\Desktop\Find It NT-2K-XP\FindIt NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/03/2005 08:37 AM 224,480 fnntext.dll
01/03/2005 08:37 AM 224,797 jtjo0713e.dll
01/03/2005 08:35 AM 224,480 j0j60a1sed.dll
01/03/2005 08:29 AM 224,422 m2nq0c55ef.dll
01/03/2005 08:21 AM 225,480 j0j6la1s1d.dll
01/02/2005 11:30 PM 225,212 j24olch31f4.dll
01/02/2005 07:41 PM 225,704 n4l8le3u1h.dll
01/02/2005 07:16 PM 225,532 o266lcjs1fo6.dll
01/02/2005 05:17 PM 223,553 enl6l13s1.dll
01/02/2005 04:54 PM 223,777 g4220efoeh2c0.dll
01/02/2005 04:44 PM 223,730 jtpm0771e.dll
01/02/2005 01:29 PM 224,302 uxbui.dll
01/02/2005 01:05 PM 223,046 vqrcodec.dll
01/02/2005 10:09 AM 223,803 jtns0757e.dll
01/02/2005 10:02 AM 223,046 cmmpatui.dll
01/02/2005 10:00 AM 223,046 j4p0le7m1h.dll
01/02/2005 09:36 AM 223,046 enn0l15m1.dll
01/02/2005 09:29 AM 223,046 m4rm0e91eh.dll
01/02/2005 12:08 AM 223,046 f8l0li3m18.dll
01/01/2005 10:35 PM <DIR> DLLCACHE
01/01/2005 10:15 PM 224,636 q0rqla951d.dll
01/01/2005 09:12 PM 223,047 p8p6li7s18.dll
12/30/2004 09:04 AM 225,291 lnpcd12n.dll
12/30/2004 09:04 AM 225,712 dn2401fqe.dll
12/30/2004 08:46 AM 225,302 t4r80e9ueh.dll
12/30/2004 08:30 AM 225,959 ennql1551.dll
12/29/2004 08:28 PM 225,677 mv62l9jo1.dll
12/29/2004 07:37 PM 223,232 wyauserv.dll
09/23/2002 01:44 PM <DIR> Microsoft
01/05/2002 03:40 AM 487,424 msvcp70.dll
28 File(s) 6,543,828 bytes
2 Dir(s) 8,945,459,200 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/01/2005 10:35 PM <DIR> DLLCACHE
08/31/2001 10:48 AM 488 logonui.exe.manifest
08/31/2001 10:48 AM 488 WindowsLogon.manifest
08/31/2001 10:48 AM 749 nwc.cpl.manifest
08/31/2001 10:48 AM 749 sapi.cpl.manifest
08/31/2001 10:48 AM 749 ncpa.cpl.manifest
08/31/2001 10:48 AM 749 wuaucpl.cpl.manifest
08/31/2001 10:48 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 8,945,393,664 bytes free

--------------- Files Named "Guard" --------------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32


-------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

08/12/2004 09:40 PM 0 _r_a_p_.tmp
08/11/2004 12:45 AM 5,550,080 setb5.tmp
08/29/2002 05:41 AM 221,696 _000046_.tmp
02/01/2002 04:00 PM 45,056 qdc6EDF.tmp
02/01/2002 04:00 PM 15,449 csh4D18.tmp
5 File(s) 5,832,281 bytes
0 Dir(s) 8,945,197,056 bytes free

------------------- User Agent -------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{10800918-E1C0-4BDB-AE85-A5F9CCCCB850}"=""

--------------- Keys Under Notify ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j0j60a1sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------ Shell Extensions Approved -----------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B78C33AC-AB4A-4AAD-906C-09D98DC6F7A6}"=""

--------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
cmmpatui.dll Sun Jan 2 2005 10:02:46a ..S.R 223,046 217.82 K
dn2401~1.dll Thu Dec 30 2004 9:04:08a ..S.R 225,712 220.42 K
enl6l1~1.dll Sun Jan 2 2005 5:17:42p ..S.R 223,553 218.31 K
enn0l1~1.dll Sun Jan 2 2005 9:36:04a ..S.R 223,046 217.82 K
ennql1~1.dll Thu Dec 30 2004 8:30:38a ..S.R 225,959 220.66 K
f8l0li~1.dll Sun Jan 2 2005 12:08:06a ..S.R 223,046 217.82 K
fnntext.dll Mon Jan 3 2005 8:37:40a ..S.R 224,480 219.22 K
g4220e~1.dll Sun Jan 2 2005 4:54:04p ..S.R 223,777 218.53 K
j0j60a~1.dll Mon Jan 3 2005 8:35:10a ..S.R 224,480 219.22 K
j0j6la~1.dll Mon Jan 3 2005 8:21:24a ..S.R 225,480 220.20 K
j24olc~1.dll Sun Jan 2 2005 11:30:24p ..S.R 225,212 219.93 K
j4p0le~1.dll Sun Jan 2 2005 10:00:44a ..S.R 223,046 217.82 K
jtjo07~1.dll Mon Jan 3 2005 8:37:40a ..S.R 224,797 219.53 K
jtns07~1.dll Sun Jan 2 2005 10:09:22a ..S.R 223,803 218.55 K
jtpm07~1.dll Sun Jan 2 2005 4:44:16p ..S.R 223,730 218.48 K
lnpcd12n.dll Thu Dec 30 2004 9:04:08a ..S.R 225,291 220.01 K
m2nq0c~1.dll Mon Jan 3 2005 8:29:04a ..S.R 224,422 219.16 K
m4rm0e~1.dll Sun Jan 2 2005 9:29:28a ..S.R 223,046 217.82 K
mv62l9~1.dll Wed Dec 29 2004 8:28:56p ..S.R 225,677 220.39 K
n4l8le~1.dll Sun Jan 2 2005 7:41:38p ..S.R 225,704 220.41 K
o266lc~1.dll Sun Jan 2 2005 7:16:08p ..S.R 225,532 220.25 K
p8p6li~1.dll Sat Jan 1 2005 9:12:24p ..S.R 223,047 217.82 K
q0rqla~1.dll Sat Jan 1 2005 10:15:06p ..S.R 224,636 219.37 K
t4r80e~1.dll Thu Dec 30 2004 8:46:48a ..S.R 225,302 220.02 K
uxbui.dll Sun Jan 2 2005 1:29:32p ..S.R 224,302 219.04 K
vqrcodec.dll Sun Jan 2 2005 1:05:08p ..S.R 223,046 217.82 K
wyauserv.dll Wed Dec 29 2004 7:37:34p ..S.R 223,232 218.00 K

27 items found: 27 files, 0 directories.
Total of file sizes: 6,056,404 bytes 5.77 M

---------------- FindVX2 NT-2K-XP ----------------

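An added example, not part of the thread: putting the two Locate.com sections side by side shows the family regenerating between scans. nudll.dll and o6nslg5716.dll are gone, fnntext.dll, j0j60a1sed.dll and others are new, every member carries the system and read-only attributes, sits in a 223-226 KB band and was written within days of the scan, and the Notify hook has moved from OemStartMenuData/jtjo0713e.dll to ShellScrap/j0j60a1sed.dll. The Python below parses Locate.com lines (which print 8.3 short names such as dn2401~1.dll), picks out the family by attributes, size band and recency, and diffs two runs. The sample lines are copied from the two logs, except for one constructed control line for msvcp70.dll whose attribute column is made up, since Locate.com only listed the system+read-only files in the thread. The size band and the seven-day window are read off these logs and are assumptions, not properties of the malware.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the two Locate.com sections (first run 01/02, second run 01/03),
# plus one constructed control line for msvcp70.dll (its attribute column is invented).
RUN1 = """\
cmmpatui.dll Sun Jan 2 2005 10:02:46a ..S.R 223,046 217.82 K
dn2401~1.dll Thu Dec 30 2004 9:04:08a ..S.R 225,712 220.42 K
nudll.dll Sun Jan 2 2005 5:23:14p ..S.R 223,870 218.62 K
o6nslg~1.dll Sun Jan 2 2005 5:19:50p ..S.R 223,870 218.62 K
wyauserv.dll Wed Dec 29 2004 7:37:34p ..S.R 223,232 218.00 K
msvcp70.dll Sat Jan 5 2002 3:40:00a ..... 487,424 476.00 K
"""
RUN2 = """\
cmmpatui.dll Sun Jan 2 2005 10:02:46a ..S.R 223,046 217.82 K
dn2401~1.dll Thu Dec 30 2004 9:04:08a ..S.R 225,712 220.42 K
fnntext.dll Mon Jan 3 2005 8:37:40a ..S.R 224,480 219.22 K
j0j60a~1.dll Mon Jan 3 2005 8:35:10a ..S.R 224,480 219.22 K
wyauserv.dll Wed Dec 29 2004 7:37:34p ..S.R 223,232 218.00 K
msvcp70.dll Sat Jan 5 2002 3:40:00a ..... 487,424 476.00 K
"""
# Scan times taken from the logs: HijackThis at 8:10 PM on 01/02, FindVX2 at 8:44 AM on 01/03.
SCAN_RUN1 = datetime(2005, 1, 2, 20, 10)
SCAN_RUN2 = datetime(2005, 1, 3, 8, 44)

# name, "Sun Jan 2 2005 10:02:46" + a/p marker, 5-char attribute column, size with commas
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<stamp>\w{3} \w{3}\s+\d{1,2} \d{4} \d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])"
    r"\s+(?P<attrs>\S{5})\s+(?P<size>[\d,]+)\s"
)


def parse_locate(text):
    """Parse Locate.com output lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = f"{m['stamp']} {'AM' if m['ampm'] == 'a' else 'PM'}"
        entries.append({
            "name": m["name"],
            "mtime": datetime.strptime(stamp, "%a %b %d %Y %I:%M:%S %p"),
            "system": "S" in m["attrs"],     # S flag set in the attribute column
            "readonly": "R" in m["attrs"],   # R flag set in the attribute column
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def flag_family(entries, scan_time, size_band=(220_000, 226_000), max_age_days=7):
    """Names that look like one generated family: system + read-only attributes,
    size inside a narrow band, and modified within max_age_days of the scan."""
    hits = []
    for e in entries:
        recent = scan_time - e["mtime"] <= timedelta(days=max_age_days)
        in_band = size_band[0] <= e["size"] <= size_band[1]
        if e["system"] and e["readonly"] and in_band and recent:
            hits.append(e["name"])
    return hits


def diff_runs(before, after):
    """(added, removed) name sets between two scans. A churning family shows
    non-empty sets on both sides while the total count barely moves."""
    b = {e["name"] for e in before}
    a = {e["name"] for e in after}
    return a - b, b - a


if __name__ == "__main__":
    r1, r2 = parse_locate(RUN1), parse_locate(RUN2)
    print("run 1 family:", flag_family(r1, SCAN_RUN1))
    print("run 2 family:", flag_family(r2, SCAN_RUN2))
    added, removed = diff_runs(r1, r2)
    print("added:", sorted(added), "removed:", sorted(removed))
```

The diff is the useful part when a log is posted a day apart, as here: a fixed list of filenames to delete is stale by the time it is typed into a tool, so the family should be re-listed immediately before removal and the Notify DllName checked again against that list.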

#4 LineOFire (Malware Expert, Retired Staff, 235 posts)

Geekgirl wrote:
Hello and THANK YOU sooooooooooo much for your assistance! I have never seen anything so insidious as this! The download for Find Vx2 you referred me to had a bit more to it than the one I had. Thanks for that link. Below is what it turned up. Also I notice there is a file that keeps pinning itself to my start up file even after I take it off "vyvgog.exe" any idea what that is? When I do a search on the hard drive it doesn't even appear!

By the way - at least I was able to successfully get rid of Apropos! Thanks! ;)


This is a very insidious infection. The file loading at startup is part of the Narrator trojan infection. We will get rid of it after we tackle VX2. Glad to hear you were able to fix Apropos. :tazz:
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\fnntext.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\jtjo0713e.dll
    • C:\WINDOWS\System32\j0j60a1sed.dll
    • C:\WINDOWS\System32\m2nq0c55ef.dll
    • C:\WINDOWS\System32\j0j6la1s1d.dll
    • C:\WINDOWS\System32\j24olch31f4.dll
    • C:\WINDOWS\System32\n4l8le3u1h.dll
    • C:\WINDOWS\System32\o266lcjs1fo6.dll
    • C:\WINDOWS\System32\enl6l13s1.dll
    • C:\WINDOWS\System32\g4220efoeh2c0.dll
    • C:\WINDOWS\System32\jtpm0771e.dll
    • C:\WINDOWS\System32\uxbui.dll
    • C:\WINDOWS\System32\vqrcodec.dll
    • C:\WINDOWS\System32\jtns0757e.dll
    • C:\WINDOWS\System32\cmmpatui.dll
    • C:\WINDOWS\System32\j4p0le7m1h.dll
    • C:\WINDOWS\System32\enn0l15m1.dll
    • C:\WINDOWS\System32\m4rm0e91eh.dll
    • C:\WINDOWS\System32\f8l0li3m18.dll
    • C:\WINDOWS\System32\q0rqla951d.dll
    • C:\WINDOWS\System32\p8p6li7s18.dll
    • C:\WINDOWS\System32\lnpcd12n.dll
    • C:\WINDOWS\System32\dn2401fqe.dll
    • C:\WINDOWS\System32\t4r80e9ueh.dll
    • C:\WINDOWS\System32\ennql1551.dll
    • C:\WINDOWS\System32\mv62l9jo1.dll
    • C:\WINDOWS\System32\wyauserv.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • Once the computer has been restarted, double-click on FindVX2.bat and post the new FindVX2.txt.

Edited by LineOFire, 03 January 2005 - 07:01 PM.

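KillBox's "Delete File" with "Replace on Reboot" works through the Windows delete-on-reboot mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT): the queued operations live in the PendingFileRenameOperations value that the error message in the last step names, and Session Manager carries them out at the next boot before services and logon components start. The Python below is an added example, not KillBox's code or anything posted in this thread; it encodes and decodes that value, so a queue of deletions can be built, inspected, or read back from an exported SYSTEM hive to confirm it survived until the reboot. The placeholder path and the modelling of "Use Dummy" as a replace from an empty file are assumptions.

```python
r"""Encode and decode PendingFileRenameOperations, the queue behind "delete on reboot".

Added example, not Pocket Killbox's code. Windows stores each deferred move or delete as a
pair of strings in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and Session Manager (smss.exe) performs the pairs early in the next boot, before services
or logon hooks can reopen the files. Assumption: KillBox's "Use Dummy" is modelled as a
replace whose source is an empty placeholder file at an assumed path.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"  # stored paths use the NT namespace form, e.g. \??\C:\WINDOWS\...


def encode_pending_ops(ops: List[Tuple[str, str]]) -> bytes:
    """ops are (source, destination) Win32 paths; destination "" means delete the source.

    Returns the REG_MULTI_SZ bytes: UTF-16LE, every string NUL-terminated, one extra NUL
    closing the list. A destination is prefixed with "!" (MOVEFILE_REPLACE_EXISTING) so a
    file already at that path is overwritten."""
    text = ""
    for src, dst in ops:
        text += NT_PREFIX + src + "\0"
        text += ("!" + NT_PREFIX + dst if dst else "") + "\0"
    return (text + "\0").encode("utf-16-le")


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(blob: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_pending_ops. An empty value decodes to []: nothing is pending,
    which is what KillBox is reporting when it says the registry data was removed by an
    external process between its write and the reboot."""
    strings = blob.decode("utf-16-le").split("\0")[:-2]  # drop the two closing empties
    if all(s == "" for s in strings):
        return []
    if len(strings) % 2:
        raise ValueError("odd string count: not a list of (source, destination) pairs")
    ops = []
    for i in range(0, len(strings), 2):
        src, dst = strings[i], strings[i + 1]
        if dst.startswith("!"):
            dst = dst[1:]
        ops.append((_strip_nt(src), _strip_nt(dst)))
    return ops


def describe(blob: bytes) -> List[str]:
    """One line per queued operation, in the order the next boot will perform them."""
    return [f"delete {src}" if dst == "" else f"replace {dst} with {src}"
            for src, dst in decode_pending_ops(blob)]


def killbox_plan(targets: List[str], dummy_dir: str = r"C:\WINDOWS\Temp") -> bytes:
    """Queue equivalent to KillBox's "Replace on Reboot" with "Use Dummy" for each target:
    the DLL is overwritten by a placeholder rather than removed, which is consistent with
    the 0-byte files that show up in the later FindVX2 logs. Placeholder path is assumed."""
    return encode_pending_ops([(f"{dummy_dir}\\dummy{i}.tmp", t) for i, t in enumerate(targets)])
```

To check the live queue on the machine right after answering "No" at the Pending Operations prompt, run reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations; if the value is already empty before the reboot, something else on the box is clearing it, which is the condition the message in the last step describes.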

#5
Geekgirl

Geekgirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi LineOFire....

Thank you for your assistance. I was unable to log back onto this website for a couple of days - I kept receiving error messages and was beginning to think perhaps this nasty thing had something to do with it! Sooooo, just like a woman I tried a few things on my own and did some hunting via a laptop that I have working remotely off my base PC, so here is what I've done. . .

I had found out about "guard.tmp" (snooping around other sites,,,sawwwrry!) so I manually deleted it and did a search on the same when I saw you requested it and came up with nothing so it appears to be gone. (at least for now!)

I had also gone into the registry and thought I deleted the HK_LM:Run Narrator file that I found but that appears to be a bust!

It was mentioned on another site that if one has AD-Aware professional (which I do) that it was necessary to disable Ad-Watch before scanning with Ad-Aware...apparently Ad-Watch automatically restores some of the registry stuff that Ad-Aware removes. Had you heard of this? I did disable Ad-Watch for your procedure just in case.

I went into System32 and manually unchecked the "read only" box on each DLL, erased, saved changes and re-checked "read only". Upon reboot I saw all was gone - except a few did manage to replicate themselves with full bytes and there were a handful that had only 2 bytes. Just to be safe, I performed the complete procedure as you suggested on every single one of them.

This was all done in safe mode, disconnected from the internet and I did purge tmp files and the recycle bin. The results of the new Find VX2 are posted below.

I've run Spybot and in Advanced, under "Start-up", I see unwanted start-up files that I believe are a part of this, although with different DLLs than what VX2 found, and they return even after being deleted.

Thanks again. I promise to be more patient this time and to never cheat on you again :tazz:




---------------- FindVX2 NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****


********* Date/Time ********


*********** Path ***********

FindVX2.bat is running from: C:\Documents and Settings\Renee\Desktop\Find It NT-2K-XP\FindIt NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/04/2005 10:59 AM 0 jtns0757e.dll
01/01/2005 10:35 PM <DIR> DLLCACHE
12/30/2004 09:04 AM 225,712 dn2401fqe.dll
12/30/2004 08:46 AM 225,302 t4r80e9ueh.dll
12/30/2004 08:30 AM 225,959 ennql1551.dll
12/29/2004 08:28 PM 225,677 mv62l9jo1.dll
12/29/2004 07:37 PM 223,232 wyauserv.dll
09/23/2002 01:44 PM <DIR> Microsoft
01/05/2002 03:40 AM 487,424 msvcp70.dll
7 File(s) 1,613,306 bytes
2 Dir(s) 8,189,538,304 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/01/2005 10:35 PM <DIR> DLLCACHE
08/31/2001 10:48 AM 488 logonui.exe.manifest
08/31/2001 10:48 AM 488 WindowsLogon.manifest
08/31/2001 10:48 AM 749 nwc.cpl.manifest
08/31/2001 10:48 AM 749 sapi.cpl.manifest
08/31/2001 10:48 AM 749 ncpa.cpl.manifest
08/31/2001 10:48 AM 749 wuaucpl.cpl.manifest
08/31/2001 10:48 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 8,189,599,744 bytes free

--------------- Files Named "Guard" --------------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32


-------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

08/12/2004 09:40 PM 0 _r_a_p_.tmp
08/11/2004 12:45 AM 5,550,080 setb5.tmp
08/29/2002 05:41 AM 221,696 _000046_.tmp
02/01/2002 04:00 PM 45,056 qdc6EDF.tmp
02/01/2002 04:00 PM 15,449 csh4D18.tmp
5 File(s) 5,832,281 bytes
0 Dir(s) 8,189,530,112 bytes free

------------------- User Agent -------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{10800918-E1C0-4BDB-AE85-A5F9CCCCB850}"=""

--------------- Keys Under Notify ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtn8075ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------ Shell Extensions Approved -----------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B78C33AC-AB4A-4AAD-906C-09D98DC6F7A6}"=""

--------------- Locate.com Results ---------------

---------------- FindVX2 NT-2K-XP ----------------


#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Run Killbox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it asks to reboot now, say No and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\dn2401fqe.dll
C:\WINDOWS\System32\t4r80e9ueh.dll
C:\WINDOWS\System32\ennql1551.dll
C:\WINDOWS\System32\mv62l9jo1.dll
C:\WINDOWS\System32\wyauserv.dll
C:\WINDOWS\system32\jtn8075ue.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{10800918-E1C0-4BDB-AE85-A5F9CCCCB850}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B78C33AC-AB4A-4AAD-906C-09D98DC6F7A6}"=-


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


rem clear the hidden/system/read-only flags, then remove the whole folder tree;
rem "del" on a folder only clears its top-level files and stops to ask "Are you sure?"
attrib -r -s -h %systemdrive%\Recycler
rd /s /q %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
rd /s /q %systemdrive%\Recycled
rem force an immediate restart; Windows recreates an empty recycle bin on first use
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Regards,

Pieter
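Pieter's post does the VX2 triage by hand: everything in the "System Files in System32 Directory" listing except msvcp70.dll goes to KillBox, the DLL hooked under Winlogon\Notify goes last, and a .reg file removes the GUID under Post Platform, the SharedDLLs Notify key and the unnamed shell extension. The script below is an added example (not the thread's code, nor part of FindIt/FindVX2) that derives the same KillBox list and the same REGEDIT4 fix from the log posted earlier; triage(), SAMPLE_LOG and the two allowlists are this example's own names, and the allowlists are assumptions standing in for hash or signature checks.

```python
r"""Triage a FindVX2 log into a KillBox list and a REGEDIT4 fix.

Added example, not code from the thread or from the FindIt/FindVX2 tools. It automates what
the helpers did by hand: System32 files nobody vouched for go to KillBox, the DLL registered
under Winlogon\Notify goes last, and the registry entries get "=-" (delete value) or "[-key]"
(delete key) directives. Assumption: the allowlists below (XP's stock Notify DLLs, the one
file the thread called legitimate) stand in for real hash or signature checks.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the second FindVX2 log in the thread, trimmed to the lines that matter.
SAMPLE_LOG = r"""
------- System Files in System32 Directory -------
Directory of C:\WINDOWS\System32
01/04/2005 10:59 AM 0 jtns0757e.dll
01/01/2005 10:35 PM <DIR> DLLCACHE
12/30/2004 09:04 AM 225,712 dn2401fqe.dll
12/30/2004 08:46 AM 225,302 t4r80e9ueh.dll
12/30/2004 08:30 AM 225,959 ennql1551.dll
12/29/2004 08:28 PM 225,677 mv62l9jo1.dll
12/29/2004 07:37 PM 223,232 wyauserv.dll
01/05/2002 03:40 AM 487,424 msvcp70.dll
------------------- User Agent -------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{10800918-E1C0-4BDB-AE85-A5F9CCCCB850}"=""
--------------- Keys Under Notify ----------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtn8075ue.dll"
------------ Shell Extensions Approved -----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{B78C33AC-AB4A-4AAD-906C-09D98DC6F7A6}"=""
"""

SECTION_RE = re.compile(r"^-+ (.+?) -+$", re.M)
DIR_ENTRY_RE = re.compile(r"^\d\d/\d\d/\d{4} +\d\d:\d\d [AP]M +([\d,]+) +(\S+)$", re.M)
REG_STR_RE = re.compile(r'^"([^"]*)"="(.*)"$')
SYSTEM32_ALLOWLIST = {"msvcp70.dll"}
NOTIFY_DLL_ALLOWLIST = {"crypt32.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def sections(log: str) -> Dict[str, str]:
    """Split the log on its '---- Title ----' banners into {title: body}."""
    parts = SECTION_RE.split(log)
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def reg_values(body: str) -> Dict[str, Dict[str, str]]:
    """REGEDIT4 text -> {key: {name: value}}, string values only (REGEDIT4 doubles backslashes)."""
    out: Dict[str, Dict[str, str]] = {}
    key = None
    for line in body.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            out[key] = {}
            continue
        m = REG_STR_RE.match(line)
        if m and key is not None:
            out[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return out


def system32_candidates(body: str) -> List[str]:
    """Listed files that are neither vouched for nor 0-byte leftovers of an earlier KillBox run."""
    m = re.search(r"^Directory of (.+)$", body, re.M)
    base = m.group(1).rstrip("\\") if m else r"C:\WINDOWS\System32"
    return [base + "\\" + name for size, name in DIR_ENTRY_RE.findall(body)
            if int(size.replace(",", "")) > 0 and name.lower() not in SYSTEM32_ALLOWLIST]


def suspect_notify(body: str) -> List[Tuple[str, str]]:
    """(key, dll) for Notify subkeys whose DllName is not one of XP's stock notification DLLs."""
    hits = []
    for key, vals in reg_values(body).items():
        dll = vals.get("DllName", "")
        if dll and dll.rsplit("\\", 1)[-1].lower() not in NOTIFY_DLL_ALLOWLIST:
            hits.append((key, dll))
    return hits


def guid_values(body: str, only_empty: bool) -> List[Tuple[str, str]]:
    """(key, name) for GUID-named values; only_empty keeps just those with an empty description."""
    return [(key, name) for key, vals in reg_values(body).items() for name, val in vals.items()
            if name.startswith("{") and name.endswith("}") and (val == "" or not only_empty)]


def triage(log: str) -> Tuple[List[str], str]:
    """Return (KillBox paths with the Notify DLL last, REGEDIT4 fix text)."""
    sec = sections(log)
    files = system32_candidates(sec["System Files in System32 Directory"])
    notify = suspect_notify(sec["Keys Under Notify"])
    # Post Platform tokens are short tags like "SV1"; a bare GUID there is foreign.
    # Approved shell extensions normally carry a description; an unnamed one deserves a look.
    ua = guid_values(sec["User Agent"], only_empty=False)
    shell = guid_values(sec["Shell Extensions Approved"], only_empty=True)
    # The Notify DLL is loaded into winlogon.exe; the thread's fix removes it last.
    killbox = files + [dll for _, dll in notify if dll not in files]
    reg = ["REGEDIT4", ""]
    for key, name in ua + shell:
        reg += [f"[{key}]", f'"{name}"=-', ""]  # "=-" deletes one value
    for key, _ in notify:
        reg += [f"[-{key}]", ""]  # "[-key]" deletes the whole key
    return killbox, "\n".join(reg)
```

Calling triage(SAMPLE_LOG) returns the six paths in the same order as the post above, jtn8075ue.dll last, together with a REGEDIT4 text carrying the same three directives as the FixVX2.reg shown there.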

#7
DogbertBH

DogbertBH

    New Member

  • Member
  • Pip
  • 1 posts
I seem to have been hijacked!!!

My home page gets reset to About:Blank on EVERY logoff & reboot.

Tried CWS Shredder, Ad Aware, Spybot & Norton (just for the kick)

This is a friend's computer so I can't just switch browsers on him.

Can you help?

Thank You,

DogbertBH

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts

> Can you help?


Sure, but you will need to start a topic of your own.
Best include a HijackThis log:
http://home.planet.n...xplanation.html

Regards,

Pieter

#9
Geekgirl

Geekgirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello Pieter;

We're getting closer....Below is the Find VX2 log after completing the above process and it looks to me like there would be one more to deal with (msvcp70.dll)

Would you want me to complete the steps as outlined in your last post on this item?
I also find the file vyvgog.exe and a different suspicious file, cisvc.exe, when I run the HijackThis log, also pasted below (which, by the way, looks MUCH better than when we began this).

I have WinPatrol Plus and see that my friends are still hiding out, as they keep trying to attach themselves to the start-up: vyvgog.exe and kykipf.exe. I have "killed" them many times and asked to "delete on reboot", but of course that doesn't happen.

Thanks,
Renee



---------------- FindVX2 NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****


********* Date/Time ********


*********** Path ***********

FindVX2.bat is running from: C:\Documents and Settings\Renee\Desktop\Find It NT-2K-XP\FindIt NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/01/2005 10:35 PM <DIR> DLLCACHE
09/23/2002 01:44 PM <DIR> Microsoft
01/05/2002 03:40 AM 487,424 msvcp70.dll
1 File(s) 487,424 bytes
2 Dir(s) 8,165,568,512 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

01/01/2005 10:35 PM <DIR> DLLCACHE
08/31/2001 10:48 AM 488 logonui.exe.manifest
08/31/2001 10:48 AM 488 WindowsLogon.manifest
08/31/2001 10:48 AM 749 nwc.cpl.manifest
08/31/2001 10:48 AM 749 sapi.cpl.manifest
08/31/2001 10:48 AM 749 ncpa.cpl.manifest
08/31/2001 10:48 AM 749 wuaucpl.cpl.manifest
08/31/2001 10:48 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 8,165,502,976 bytes free

--------------- Files Named "Guard" --------------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32


-------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is C0FE-4CCB

Directory of C:\WINDOWS\System32

08/12/2004 09:40 PM 0 _r_a_p_.tmp
08/11/2004 12:45 AM 5,550,080 setb5.tmp
08/29/2002 05:41 AM 221,696 _000046_.tmp
02/01/2002 04:00 PM 45,056 qdc6EDF.tmp
02/01/2002 04:00 PM 15,449 csh4D18.tmp
5 File(s) 5,832,281 bytes
0 Dir(s) 8,165,306,368 bytes free

------------------- User Agent -------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

--------------- Keys Under Notify ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------ Shell Extensions Approved -----------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

--------------- Locate.com Results ---------------

---------------- FindVX2 NT-2K-XP ----------------


HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 9:13:59 PM, on 01/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vyvgoq.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5....m/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5....v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communitie...UC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10
mpfeif101

mpfeif101

    Member 1K

  • Retired Staff
  • 1,411 posts
Moved to HJT forum :tazz:


#11
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Msvcp70.dll is actually a legitimate Windows file.

Those startup entries are part of the Narrator trojan.

Navigate to the FindIt NT-2K-XP directory and double-click on FindNarrator.bat. Post the results into your next post.
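FindNarrator.bat's Qoologic and ASPack sections (its output appears later in the thread, under headers naming Strings.exe) are string searches over System32: Strings.exe dumps the printable text in each file and the batch file keeps the lines containing the Qoologic update host or the ".aspack" section name. The script below is an added example, not FindIt's code, that performs the same scan in Python over constructed stand-in files; extract_strings(), scan_dir() and make_sample_dir() are this example's own names, and the sample bytes are made up. It also extracts UTF-16LE strings, which an ASCII-only grep would miss.

```python
"""Scan files for indicator strings, as FindNarrator.bat's Strings.exe sections do.

Added example, not the FindIt tools' code. Like Sysinternals Strings it extracts runs of
printable ASCII and of UTF-16LE text from each file, then reports which files carry which
indicator. The two indicators are the ones the thread's FindNarrator output keys on: the
Qoologic update host and the section name ASPack leaves in a packed executable. The
sample files are constructed stand-ins, not real malware.
"""
import os
import re
import tempfile
from typing import Dict, List

INDICATORS = ["updates.qoologic.com", ".aspack"]
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # 4+ printable UTF-16LE code units


def extract_strings(data: bytes) -> List[str]:
    """Printable runs, ASCII first and then UTF-16LE (an ASCII-only scan misses the latter)."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def scan_dir(root: str, indicators: List[str] = INDICATORS) -> Dict[str, List[str]]:
    """{path relative to root: [matched indicators]} for every file that contains one."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                strings = [s.lower() for s in extract_strings(fh.read())]
            matched = [ioc for ioc in indicators if any(ioc.lower() in s for s in strings)]
            if matched:
                hits[os.path.relpath(full, root)] = matched
    return hits


def make_sample_dir() -> str:
    """Write constructed stand-ins (names borrowed from the thread's log) and return the dir."""
    samples = {
        # ASCII update-server hostname, the kind of hit reported for izinus.dll
        "izinus.dll": b"MZ\x90\x00" + b"\x00" * 8 + b"Host: updates.qoologic.com\r\n\x00",
        # ASPack section name sitting among ordinary PE section names
        "vyvgoq.exe": b"MZ\x90\x00.text\x00\x00\x00.aspack\x00.adata\x00\x00",
        # same hostname stored as UTF-16LE, invisible to an ASCII-only scan
        "lplamx.exe": b"MZ\x90\x00" + "updates.qoologic.com".encode("utf-16-le") + b"\x00\x00",
        # no indicator at all
        "clean.dll": b"MZ\x90\x00.text\x00\x00\x00.rdata\x00\x00kernel32.dll\x00",
    }
    root = tempfile.mkdtemp(prefix="findnarrator_")
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return root
```

A string hit is a lead, not a verdict: a legitimate updater could mention a hostname, and ".aspack" only says a file is packed. Treat a match as the cue to pull the file for hashing or deeper analysis, which is how the helpers in this thread use the FindNarrator output.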

#12
Geekgirl

Geekgirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
So glad you found me after the "Move"! :tazz: I was afraid I wouldn't see anyone for a while.

I am starting to wonder. . . can Narrator be successfully removed?

Funny thing, I had to re-download the FindIt NT-2K-XP as the FindNarrator.bat would not work. (I did this in Safe Mode with networking.) You can see Narrator sitting in the System32 folder. (Even after WinPatrol was told to Kill and Delete on Reboot!) When I do a "search" it does not turn up at all. Amazing! Also, I see that kykipf.exe has returned and I believe that is part of Narrator as well. A new addition seems to be wqwkyg.dat and ntdll.dll; is this also a part of Narrator morphing?

Thank you guys for all your efforts - even though it is still there, I am no where near as messed up as when I first posted. You are all super!

The results are below;

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Home Edition 5.1 Service Pack 2 (Build 2600)

********* Date/Time ********

Thursday, January 06, 2005 (01/06/2005)
8:44 AM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Renee\Desktop\Find It NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINDOWS\SYSTEM32\izinus.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\lglqzi.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\lplamx.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vyvgoq.exe: .aspack
C:\WINDOWS\SYSTEM32\wqwkyg.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kykipf.exe: .aspack

---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\22e655f2-850a-42c3-808b-516cc9838c16

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{032A6019-9DAA-40f9-A3B3-34ABB0AA0947}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{057997dd-71e4-43cc-b161-3f8180691a9e}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{14303301-758B-402B-9A0D-2C6A591680DB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{26FCDD66-A1AA-49AF-B65A-069DA3A75221}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2cc9d512-6db6-4f1c-8979-9a41fae88de0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D5974C5-5185-4f5b-80B6-28015ACDD74C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2eac6a2d-57a8-44d4-96f7-e32bab40ca5f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{347B0667-C7ED-429B-BDE3-CC8D3BACAA31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3fe8dce3-19f0-35c9-aaf2-efc830dc2105}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{411EDCF7-755D-414E-A74B-3DCD6583F589}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{429D8DD3-05E0-4F56-B6D6-AC0730567C02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5f3c70b3-ac2f-432c-8f9c-1624df61f54f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{61E6EAE5-7821-4AC1-9BBD-AED032A8E273}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{78705f0d-e8db-4b2d-8193-982bdda15ecd}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{795d0712-722c-43ec-906a-fc5e678eada9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{81B52903-4C11-11D6-B6E1-00B0D049139F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{871F8A30-15A2-11D6-8711-0002B3281F8B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C34F4917-ED43-439f-9023-97B0024A2B3B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DBB3C81D-3C91-4a1e-BDDF-905B61C7CEDF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f5173cf0-1dfb-4978-8e50-a90169ee7ca9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f5de1b93-9d38-416b-b09e-aa85a8e84309}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FE8C6BC0-2F6E-11D1-B2CD-0000F67B67A8}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmxks]
@="{d81eb0c0-e34a-4f7b-8129-b88aeabbc16a}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu]
@="{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR]
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"Ad-aware"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe\" +c"
"Narrator"="C:\\WINDOWS\\system32\\vyvgoq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------

#13
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,676 posts
Use Killbox like we did before on these files:

C:\WINDOWS\SYSTEM32\izinus.dll
C:\WINDOWS\SYSTEM32\lglqzi.dll
C:\WINDOWS\SYSTEM32\lplamx.exe
C:\WINDOWS\SYSTEM32\vyvgoq.exe
C:\WINDOWS\SYSTEM32\wqwkyg.da
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kykipf.exe <= has to be the last one.

After the reboot you should see:
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vyvgoq.exe

Fix that entry and allow it to change.

Regards,

Pieter
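The Run key and Context Menu Handlers sections of the FindIt log above are plain REGEDIT4 exports, and the O4 line Pieter says HijackThis will show is just the Run value rendered in HijackThis's own format. The following Python script is an added example for this thread (it is not code from FindIt, KillBox or HijackThis): it parses a REGEDIT4 export, renders every Run value as the O4 line HijackThis would print, and flags the two things that give the entry away here: a value name Windows uses ("Narrator") launching a binary that is not narrator.exe, and the six-lowercase-letter naming that every dropped file in this thread shares (vyvgoq.exe, mgmxks). The sample export is copied from the log above; the EXPECTED_BINARY table and the KNOWN_GOOD_SIX allow-list are assumptions made for the example.

```python
"""Triage a REGEDIT4 export (FindIt/regedit output) for hijacker autostart entries.
Added example for this thread, not code from FindIt, KillBox or HijackThis. Runs
offline on the constructed sample below, copied from the log posted above."""
import re

# Constructed sample: Run key and Context Menu Handlers sections of the FindIt log.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmxks]
@="{d81eb0c0-e34a-4f7b-8129-b88aeabbc16a}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"Ad-aware"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe\" +c"
"Narrator"="C:\\WINDOWS\\system32\\vyvgoq.exe"
"""

# Value names Windows itself uses, mapped to the binary they should launch.
# Assumption for this example: only the name abused in this thread is listed.
EXPECTED_BINARY = {"narrator": "narrator.exe"}

# Every file dropped here is six lowercase letters (izinus, lglqzi, lplamx,
# vyvgoq, wqwkyg, kykipf, mgmxks). That is an observation from this log, not a
# rule: ctfmon.exe is legitimate and also six lowercase letters, so a hit means
# "look at this", not "delete this". KNOWN_GOOD_SIX is an assumed allow-list.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6}$")
KNOWN_GOOD_SIX = {"ctfmon"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)="(.*)"$')

def parse_regedit4(text):
    """Return {key_path: {value_name: data}}; '@' is a key's default value.
    Only REG_SZ lines are handled, which is all these sections contain."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            # REGEDIT4 escapes backslashes and quotes inside string data
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def command_image(command):
    """Executable path of a Run command line: the quoted part if quoted,
    otherwise everything up to the first .exe/.dll/.com/.bat/.cmd."""
    s = command.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|cmd))(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split(" ")[0]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def hjt_o4_line(key_path, name, command):
    r"""Render a Run value as HijackThis prints it: O4 - HKLM\..\Run: [Name] command."""
    hive = "HKLM" if key_path.upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU"
    return f"O4 - {hive}\\..\\{basename(key_path)}: [{name}] {command}"

def triage(export_text):
    """Return {entry_line: [reasons]} for Run values and context menu handlers.
    An empty reason list means nothing about the entry looked wrong."""
    findings = {}
    for key_path, values in parse_regedit4(export_text).items():
        if "\\" not in key_path:
            continue
        parent, leaf = key_path.rsplit("\\", 1)
        if leaf.lower() == "run":
            for name, command in values.items():
                base = basename(command_image(command))
                stem = base.rsplit(".", 1)[0]
                reasons = []
                expected = EXPECTED_BINARY.get(name.lower())
                if expected and base.lower() != expected:
                    reasons.append(f"[{name}] should launch {expected} but launches {base}")
                if RANDOM_NAME_RE.match(stem) and stem not in KNOWN_GOOD_SIX:
                    reasons.append(f"{base}: six-lowercase-letter name like the dropped files")
                findings[hjt_o4_line(key_path, name, command)] = reasons
        elif parent.lower().endswith("shellex\\contextmenuhandlers"):
            clsid = values.get("@", "")
            reasons = []
            if RANDOM_NAME_RE.match(leaf):
                reasons.append(f"handler {leaf}: random name; resolve {clsid} under HKCR\\CLSID")
            findings[f"ContextMenuHandler [{leaf}] {clsid}"] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_EXPORT).items():
        print(("FLAG  " if reasons else "ok    ") + entry)
        for reason in reasons:
            print("        - " + reason)
```

Run as-is it prints the three O4 lines and the two handlers, and only [Narrator] and mgmxks are flagged; the Narrator line comes out character for character as the O4 line Pieter quotes. To use it on your own machine, export the keys with regedit and pick the Win9x/NT4 registration file type (that is the REGEDIT4 format), then pass the file's text to triage(). Treat a flag as a reason to look at the file (and at what the CLSID resolves to under HKCR\CLSID), not as a verdict.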

#14
Geekgirl
    Member
  • Topic Starter
  • Member
  • 16 posts

Quote of Pieter's post #13 above, in full.

#15
Geekgirl
    Member
  • Topic Starter
  • Member
  • 16 posts

Quoting Pieter's post #13:

After the reboot you should see:
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vyvgoq.exe

Fix that entry and allow it to change.

Pieter,
with regards to the above, after I run KillBox on the System32 entries, am I to "fix" the O4 entry in HJT by simply checking the box? (Then reboot and check again?)