Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

UMONITOR error on startup

Started by mgibson4678 , Jan 06 2005 03:44 PM

Please log in to reply

#1
mgibson4678

Posted 06 January 2005 - 03:44 PM

New Member

Member
5 posts

Everytime I start my PC I get a error: an exception occurred while trying to run "c:\windows\system32\variation, umonitor

I have been working for days trying to get rid of the spyware. IT IS VERY FRUSTRATING. Can you help me? Here is my log.

Logfile of HijackThis v1.99.0
Scan saved at 3:12:40 PM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\system32\wvwacv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\NAVAPW32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\unzipped\KillBox\KillBox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\wynonak.POC1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\NAVAPW32.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {1F1DE440-4ECA-11D4-A017-0001031D971F} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://streak.fimc.n...va/cfs31229.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {1227F1FA-F0D0-4FE9-9722-21F65E27A5D0} - http://parissrvr/PAR...n03/Default.cab
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://parissrvr/par...OPM04Client.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {7B8F9A70-2B56-453C-A528-ACC5925B3F7F} - http://parissrvr/PAR...ent/Default.cab
O16 - DPF: {7E2D9D44-BAF0-459A-A0F2-C9E84A23E775} - http://parissrvr/PAR...n03/Default.cab
O16 - DPF: {91FCF3A7-4A78-4130-B7AD-E0F439CB0FF4} - http://parissrvr/PAR...03ClientHF5.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://216.157.26.3/svideo3.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://parissrvr/PAR...INSTaller60.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://parissrvr/par...INSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = POC.local
O17 - HKLM\Software\..\Telephony: DomainName = POC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCF64F4D-68F1-4722-8A4C-EAEA6BD079EB}: Domain = cox-internet.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCF64F4D-68F1-4722-8A4C-EAEA6BD079EB}: NameServer = 10.3.25.212,66.76.2.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = POC.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = POC.local
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

#2
mgibson4678

Posted 06 January 2005 - 03:49 PM

New Member

Topic Starter
Member
5 posts

Here is the FIND it nt-2k-xp log also.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

01/06/2005 02:37 PM 56 q686lgls16q6.dll
01/06/2005 02:03 PM 224,911 enrul1991.dll
01/06/2005 12:09 PM 222,920 m4rm0e91eh.dll
01/06/2005 12:08 PM 223,684 p46s0ej7eho.dll
01/06/2005 11:48 AM 222,920 nmmsdba.dll
01/06/2005 10:49 AM 222,920 i0nmla511d.dll
01/06/2005 10:42 AM 222,920 fp0003dme.dll
01/06/2005 10:41 AM 224,295 irpol5731.dll
01/05/2005 10:11 AM 225,704 lvj8091ue.dll
01/03/2005 10:22 AM 222,573 m0ls0a37ed.dll
12/30/2004 11:44 AM 222,694 fppu0379e.dll
12/29/2004 01:59 PM 226,003 lvr2099oe.dll
12/29/2004 01:26 PM 225,934 h0l20a3oed.dll
12/22/2004 08:59 AM 224,360 m0nqla551d.dll
12/21/2004 10:24 AM 224,145 irlol5331.dll
12/14/2004 08:30 AM 225,497 f2l0lc3m1f.dll
12/13/2004 04:21 PM 225,497 e8200ifme82a0.dll
12/13/2004 04:16 PM 224,698 fpp6037se.dll
12/13/2004 03:55 PM 224,970 i4jq0e15eh.dll
12/13/2004 02:34 PM 223,518 irj2l51o1.dll
12/13/2004 02:28 PM 223,410 l60ulgd9160.dll
12/13/2004 11:44 AM 224,433 lvp8097ue.dll
12/13/2004 11:22 AM 224,433 kcdgkl.dll
12/13/2004 10:52 AM 223,410 EZLCNS32.DLL
12/13/2004 10:24 AM 223,410 fp4003hme.dll
12/10/2004 03:05 PM 223,232 i024lafq1d2e.dll
12/09/2004 12:12 PM 223,304 vboy.dll
07/12/2004 04:21 PM 512 Ryeo85lm.bua
07/24/2003 02:30 PM <DIR> Microsoft
07/24/2003 01:52 PM <DIR> dllcache
28 File(s) 5,826,363 bytes
2 Dir(s) 2,474,344,448 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

07/12/2004 04:21 PM 512 Ryeo85lm.bua
03/27/2004 05:57 PM <DIR> GroupPolicy
07/24/2003 02:07 PM 488 logonui.exe.manifest
07/24/2003 02:07 PM 488 WindowsLogon.manifest
07/24/2003 02:07 PM 749 ncpa.cpl.manifest
07/24/2003 02:07 PM 749 nwc.cpl.manifest
07/24/2003 02:07 PM 749 sapi.cpl.manifest
07/24/2003 02:07 PM 749 wuaucpl.cpl.manifest
07/24/2003 02:07 PM 749 cdplayer.exe.manifest
07/24/2003 01:52 PM <DIR> dllcache
06/30/2000 09:01 PM 13,122 folder.htt
9 File(s) 18,355 bytes
2 Dir(s) 2,474,328,064 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

01/06/2005 02:42 PM 224,911 guard.tmp
1 File(s) 224,911 bytes
0 Dir(s) 2,474,311,680 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

01/06/2005 02:42 PM 224,911 guard.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
2 File(s) 227,488 bytes
0 Dir(s) 2,474,295,296 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D1744D2E-2E1B-42BA-832A-6EF233B260EF}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enrul1991.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vboy.dll Thu Dec 9 2004 12:12:58p ..S.R 223,304 218.07 K
kcdgkl.dll Mon Dec 13 2004 11:22:10a ..S.R 224,433 219.17 K
nmmsdba.dll Thu Jan 6 2005 11:48:36a ..S.R 222,920 217.70 K
fp4003~1.dll Mon Dec 13 2004 10:24:20a ..S.R 223,410 218.17 K
ezlcns32.dll Mon Dec 13 2004 10:52:16a ..S.R 223,410 218.17 K
lvp809~1.dll Mon Dec 13 2004 11:44:12a ..S.R 224,433 219.17 K
irj2l5~1.dll Mon Dec 13 2004 2:34:04p ..S.R 223,518 218.28 K
lvr209~1.dll Wed Dec 29 2004 1:59:36p ..S.R 226,003 220.70 K
fpp603~1.dll Mon Dec 13 2004 4:16:00p ..S.R 224,698 219.43 K
i024la~1.dll Fri Dec 10 2004 3:05:26p ..S.R 223,232 218.00 K
irlol5~1.dll Tue Dec 21 2004 10:24:00a ..S.R 224,145 218.89 K
fppu03~1.dll Thu Dec 30 2004 11:44:10a ..S.R 222,694 217.47 K
irpol5~1.dll Thu Jan 6 2005 10:41:24a ..S.R 224,295 219.04 K
l60ulg~1.dll Mon Dec 13 2004 2:28:02p ..S.R 223,410 218.17 K
i4jq0e~1.dll Mon Dec 13 2004 3:55:54p ..S.R 224,970 219.70 K
lvj809~1.dll Wed Jan 5 2005 10:11:58a ..S.R 225,704 220.41 K
e8200i~1.dll Mon Dec 13 2004 4:21:22p ..S.R 225,497 220.21 K
fp0003~1.dll Thu Jan 6 2005 10:42:24a ..S.R 222,920 217.70 K
enrul1~1.dll Thu Jan 6 2005 2:03:54p ..S.R 224,911 219.64 K
f2l0lc~1.dll Tue Dec 14 2004 8:30:38a ..S.R 225,497 220.21 K
m0nqla~1.dll Wed Dec 22 2004 8:59:44a ..S.R 224,360 219.10 K
h0l20a~1.dll Wed Dec 29 2004 1:26:42p ..S.R 225,934 220.64 K
m0ls0a~1.dll Mon Jan 3 2005 10:22:38a ..S.R 222,573 217.36 K
p46s0e~1.dll Thu Jan 6 2005 12:08:36p ..S.R 223,684 218.44 K
i0nmla~1.dll Thu Jan 6 2005 10:49:34a ..S.R 222,920 217.70 K
q686lg~1.dll Thu Jan 6 2005 2:37:30p ..S.R 56 0.05 K
m4rm0e~1.dll Thu Jan 6 2005 12:09:36p ..S.R 222,920 217.70 K

27 items found: 27 files, 0 directories.
Total of file sizes: 5,825,851 bytes 5.55 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\eierni.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\clcaql.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\clcuql.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\hlhual.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\pwpukw.dat: .aspack
C:\WINDOWS\SYSTEM32\wvwacv.exe: .aspack
C:\WINDOWS\SYSTEM32\wpwabp.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhgik.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"_AntiSpyware"="C:\\Program Files\\McAfee\\McAfee AntiSpyware\\MssCli.exe"
"McRegWiz"="C:\\Program Files\\McAfee.com\\Agent\\McRegWiz.exe /autorun"
"Narrator"="C:\\WINDOWS\\system32\\wvwacv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#3
-=jonnyrotten=-

Posted 06 January 2005 - 07:01 PM

Member 2k

Retired Staff
2,678 posts

Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D1744D2E-2E1B-42BA-832A-6EF233B260EF}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\q686lgls16q6.dll
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:
- C:\WINDOWS\System32\enrul1991.dll
- C:\WINDOWS\System32\m4rm0e91eh.dll
- C:\WINDOWS\System32\p46s0ej7eho.dll
- C:\WINDOWS\System32\nmmsdba.dll
- C:\WINDOWS\System32\i0nmla511d.dll
- C:\WINDOWS\System32\fp0003dme.dll
- C:\WINDOWS\System32\irpol5731.dll
- C:\WINDOWS\System32\lvj8091ue.dll
- C:\WINDOWS\System32\m0ls0a37ed.dll
- C:\WINDOWS\System32\fppu0379e.dll
- C:\WINDOWS\System32\lvr2099oe.dll
- C:\WINDOWS\System32\h0l20a3oed.dll
- C:\WINDOWS\System32\m0nqla551d.dll
- C:\WINDOWS\System32\irlol5331.dll
- C:\WINDOWS\System32\f2l0lc3m1f.dll
- C:\WINDOWS\System32\e8200ifme82a0.dll
- C:\WINDOWS\System32\fpp6037se.dll
- C:\WINDOWS\System32\i4jq0e15eh.dll
- C:\WINDOWS\System32\irj2l51o1.dll
- C:\WINDOWS\System32\l60ulgd9160.dll
- C:\WINDOWS\System32\lvp8097ue.dll
- C:\WINDOWS\System32\kcdgkl.dll
- C:\WINDOWS\System32\EZLCNS32.DLL
- C:\WINDOWS\System32\fp4003hme.dll
- C:\WINDOWS\System32\i024lafq1d2e.dll
- C:\WINDOWS\System32\vboy.dll
- C:\\WINDOWS\\System32\\enrul1991.dll
- C:\WINDOWS\SYSTEM32\eierni.dll
- C:\WINDOWS\SYSTEM32\clcaql.dll
- C:\WINDOWS\SYSTEM32\clcuql.dll
- C:\WINDOWS\SYSTEM32\hlhual.exe
- C:\WINDOWS\SYSTEM32\pwpukw.dat
- C:\WINDOWS\SYSTEM32\wvwacv.exe
- C:\WINDOWS\SYSTEM32\wpwabp.exe
- C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhgik.exe
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\Guard.tmp
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.
You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
Double-click on find.bat and post the new output.txt.

-=jonnyrotten=- :tazz:

#4
mgibson4678

Posted 07 January 2005 - 09:58 AM

New Member

Topic Starter
Member
5 posts

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

01/06/2005 12:09 PM 222,920 m4rm0e91eh.dll
07/12/2004 04:21 PM 512 Ryeo85lm.bua
07/24/2003 02:30 PM <DIR> Microsoft
07/24/2003 01:52 PM <DIR> dllcache
2 File(s) 223,432 bytes
2 Dir(s) 2,382,184,448 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

07/12/2004 04:21 PM 512 Ryeo85lm.bua
03/27/2004 05:57 PM <DIR> GroupPolicy
07/24/2003 02:07 PM 488 logonui.exe.manifest
07/24/2003 02:07 PM 488 WindowsLogon.manifest
07/24/2003 02:07 PM 749 ncpa.cpl.manifest
07/24/2003 02:07 PM 749 nwc.cpl.manifest
07/24/2003 02:07 PM 749 sapi.cpl.manifest
07/24/2003 02:07 PM 749 wuaucpl.cpl.manifest
07/24/2003 02:07 PM 749 cdplayer.exe.manifest
07/24/2003 01:52 PM <DIR> dllcache
06/30/2000 09:01 PM 13,122 folder.htt
9 File(s) 18,355 bytes
2 Dir(s) 2,382,168,064 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

01/07/2005 09:36 AM 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 2,382,151,680 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 07D0-061E

Directory of C:\WINDOWS\System32

01/07/2005 09:36 AM 56 Guard.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 2,382,135,296 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q686lgls16q6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
m4rm0e~1.dll Thu Jan 6 2005 12:09:36p ..S.R 222,920 217.70 K

1 item found: 1 file, 0 directories.
Total of file sizes: 222,920 bytes 217.70 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\wpwabp.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"_AntiSpyware"="C:\\Program Files\\McAfee\\McAfee AntiSpyware\\MssCli.exe"
"McRegWiz"="C:\\Program Files\\McAfee.com\\Agent\\McRegWiz.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#5
mgibson4678

Posted 07 January 2005 - 02:22 PM

New Member

Topic Starter
Member
5 posts

I posted the output from the latest time above.

#6
-=jonnyrotten=-

Posted 07 January 2005 - 07:29 PM

Member 2k

Retired Staff
2,678 posts

Reboot into safe mode and use the killbox to delete these files.

c:\windows\system32\m4rm0e91eh.dll
C:\WINDOWS\SYSTEM32\wpwabp.exe
C:\\WINDOWS\\system32\\q686lgls16q6.dll

Then make another file named regfix.reg or something of that sort. And paste the following quoted text into it and make sure the file type is "All files"