UMonitor, VX2 - need some help


#1
ksijur (New Member, 9 posts)
Hi,
I have read about this UMonitor & VX2 for the last 3 hours and tried many of the steps written on this forum... well, no luck... so, if someone would help me with this, I'd appreciate it very much...
Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 12:04:54 PM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Progra~1\dnetc\dnetc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuwkwu.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\Progra~1\dnetc\dnetc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#2
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
-=jonnyrotten=-

#3
ksijur (New Member, Topic Starter, 9 posts)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Michael\Desktop

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 11:50 AM 225,132 dn2401fqe.dll
01/10/2005 11:49 AM 225,132 mgtask.dll
01/10/2005 11:47 AM 225,378 lv0809due.dll
01/10/2005 10:24 AM 225,231 o0pq0a75ed.dll
01/07/2005 06:45 AM 224,937 ohbccu32.dll
01/06/2005 05:29 PM 223,149 kwdcz1.dll
01/06/2005 02:36 PM 223,752 ilign32.dll
01/06/2005 02:02 PM 223,149 inencode.dll
01/06/2005 01:28 PM 225,365 PVCN11.DLL
01/06/2005 01:23 PM 224,858 unrfaxa.dll
01/06/2005 01:17 PM 222,859 lVngwrbk.dll
01/06/2005 12:23 PM 224,858 vxrmux.dll
01/06/2005 12:06 PM 222,859 rputetab.dll
01/04/2005 05:19 PM 223,248 lv8o09l3e.dll
01/03/2005 10:26 AM 223,527 o8660ijse8o60.dll
01/01/2005 04:04 PM 222,935 gpp0l37m1.dll
12/31/2004 07:29 PM 224,798 k008ladu1d08.dll
12/28/2004 12:16 PM 225,830 dnj0011me.dll
12/28/2004 09:11 AM 225,654 l20ulcd91f0.dll
12/25/2004 07:15 AM 226,296 m2460chsef460.dll
12/24/2004 09:19 AM 225,828 dn0401dqe.dll
12/22/2004 09:55 PM 223,176 gpl2l33o1.dll
12/19/2004 10:36 AM 223,192 l4p2le7o1h.dll
12/19/2004 08:26 AM 223,187 hrpq0575e.dll
12/18/2004 08:23 AM 223,187 adferror.dll
12/15/2004 11:23 AM 225,269 j02q0af5ed2.dll
12/15/2004 08:24 AM 225,858 f82m0if1e82.dll
12/14/2004 08:36 AM 225,858 wonmm.dll
12/11/2004 04:56 PM 226,220 enp4l17q1.dll
12/11/2004 04:45 PM 225,366 jtj6071se.dll
12/10/2004 12:58 PM 224,749 ktjql7151.dll
10/24/2003 04:34 PM <DIR> Microsoft
10/23/2003 04:24 PM <DIR> dllcache
31 File(s) 6,960,837 bytes
2 Dir(s) 40,907,440,128 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

10/23/2003 04:39 PM 488 logonui.exe.manifest
10/23/2003 04:39 PM 488 WindowsLogon.manifest
10/23/2003 04:39 PM 749 sapi.cpl.manifest
10/23/2003 04:39 PM 749 wuaucpl.cpl.manifest
10/23/2003 04:39 PM 749 cdplayer.exe.manifest
10/23/2003 04:39 PM 749 nwc.cpl.manifest
10/23/2003 04:39 PM 749 ncpa.cpl.manifest
10/23/2003 04:24 PM <DIR> dllcache
7 File(s) 4,721 bytes
1 Dir(s) 40,907,407,360 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 12:02 PM 225,378 guard.tmp
1 File(s) 225,378 bytes
0 Dir(s) 40,907,374,592 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 12:02 PM 225,378 guard.tmp
09/03/2002 01:00 PM 53,248 uninst1.tmp
09/03/2002 01:00 PM 238,080 uninst2.tmp
09/03/2002 01:00 PM 8,336,384 uninst3.tmp
09/03/2002 01:00 PM 2,577 CONFIG.TMP
5 File(s) 8,855,667 bytes
0 Dir(s) 40,907,341,824 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0809due.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
jtj607~1.dll Sat Dec 11 2004 4:45:12p ..S.R 225,366 220.08 K
enp4l1~1.dll Sat Dec 11 2004 4:56:42p ..S.R 226,220 220.92 K
wonmm.dll Tue Dec 14 2004 8:36:32a ..S.R 225,858 220.56 K
adferror.dll Sat Dec 18 2004 8:23:10a ..S.R 223,187 217.95 K
kwdcz1.dll Thu Jan 6 2005 5:29:40p ..S.R 223,149 217.92 K
f82m0i~1.dll Wed Dec 15 2004 8:24:34a ..S.R 225,858 220.56 K
rputetab.dll Thu Jan 6 2005 12:06:42p ..S.R 222,859 217.63 K
ohbccu32.dll Fri Jan 7 2005 6:45:40a ..S.R 224,937 219.66 K
unrfaxa.dll Thu Jan 6 2005 1:23:28p ..S.R 224,858 219.59 K
dn2401~1.dll Mon Jan 10 2005 11:50:40a ..S.R 225,132 219.86 K
hrpq05~1.dll Sun Dec 19 2004 8:26:10a ..S.R 223,187 217.95 K
vxrmux.dll Thu Jan 6 2005 12:23:36p ..S.R 224,858 219.59 K
pvcn11.dll Thu Jan 6 2005 1:28:38p ..S.R 225,365 220.08 K
inencode.dll Thu Jan 6 2005 2:02:20p ..S.R 223,149 217.92 K
ilign32.dll Thu Jan 6 2005 2:36:28p ..S.R 223,752 218.51 K
mgtask.dll Mon Jan 10 2005 11:49:40a ..S.R 225,132 219.86 K
j02q0a~1.dll Wed Dec 15 2004 11:23:50a ..S.R 225,269 219.99 K
o0pq0a~1.dll Mon Jan 10 2005 10:24:56a ..S.R 225,231 219.95 K
dn0401~1.dll Fri Dec 24 2004 9:19:38a ..S.R 225,828 220.54 K
l4p2le~1.dll Sun Dec 19 2004 10:36:16a ..S.R 223,192 217.96 K
gpl2l3~1.dll Wed Dec 22 2004 9:55:42p ..S.R 223,176 217.95 K
m2460c~1.dll Sat Dec 25 2004 7:15:50a ..S.R 226,296 220.99 K
l20ulc~1.dll Tue Dec 28 2004 9:11:46a ..S.R 225,654 220.36 K
dnj001~1.dll Tue Dec 28 2004 12:16:44p ..S.R 225,830 220.54 K
gpp0l3~1.dll Sat Jan 1 2005 4:04:32p ..S.R 222,935 217.71 K
k008la~1.dll Fri Dec 31 2004 7:29:28p ..S.R 224,798 219.53 K
lv0809~1.dll Mon Jan 10 2005 11:47:00a ..S.R 225,378 220.09 K
o8660i~1.dll Mon Jan 3 2005 10:26:42a ..S.R 223,527 218.29 K
lv8o09~1.dll Tue Jan 4 2005 5:19:32p ..S.R 223,248 218.02 K
lvngwrbk.dll Thu Jan 6 2005 1:17:42p ..S.R 222,859 217.63 K
ktjql7~1.dll Fri Dec 10 2004 12:58:00p ..S.R 224,749 219.48 K

31 items found: 31 files, 0 directories.
Total of file sizes: 6,960,837 bytes 6.64 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\epeaep.dll: updates.qoologic.com
C:\WINDOWS\system32\cucpcu.dll: updates.qoologic.com
C:\WINDOWS\system32\huhqhu.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\wuwkwu.exe: .aspack
C:\WINDOWS\system32\pupvpu.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hghnhg.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Narrator"="C:\\WINDOWS\\system32\\wuwkwu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


uf... I like this program ;-)

#4
admin (Founder Geek, Administrator, 24,501 posts)
This is a long fix. Please follow each step closely.
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\dn2401fqe.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\mgtask.dll
    • C:\WINDOWS\System32\lv0809due.dll
    • C:\WINDOWS\System32\o0pq0a75ed.dll
    • C:\WINDOWS\System32\ohbccu32.dll
    • C:\WINDOWS\System32\kwdcz1.dll
    • C:\WINDOWS\System32\ilign32.dll
    • C:\WINDOWS\System32\inencode.dll
    • C:\WINDOWS\System32\PVCN11.DLL
    • C:\WINDOWS\System32\unrfaxa.dll
    • C:\WINDOWS\System32\lVngwrbk.dll
    • C:\WINDOWS\System32\vxrmux.dll
    • C:\WINDOWS\System32\rputetab.dll
    • C:\WINDOWS\System32\lv8o09l3e.dll
    • C:\WINDOWS\System32\o8660ijse8o60.dll
    • C:\WINDOWS\System32\gpp0l37m1.dll
    • C:\WINDOWS\System32\k008ladu1d08.dll
    • C:\WINDOWS\System32\dnj0011me.dll
    • C:\WINDOWS\System32\l20ulcd91f0.dll
    • C:\WINDOWS\System32\m2460chsef460.dll
    • C:\WINDOWS\System32\dn0401dqe.dll
    • C:\WINDOWS\System32\gpl2l33o1.dll
    • C:\WINDOWS\System32\l4p2le7o1h.dll
    • C:\WINDOWS\System32\hrpq0575e.dll
    • C:\WINDOWS\System32\adferror.dll
    • C:\WINDOWS\System32\j02q0af5ed2.dll
    • C:\WINDOWS\System32\f82m0if1e82.dll
    • C:\WINDOWS\System32\wonmm.dll
    • C:\WINDOWS\System32\enp4l17q1.dll
    • C:\WINDOWS\System32\jtj6071se.dll
    • C:\WINDOWS\System32\ktjql7151.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
Copy and paste the code below into a text editor such as Notepad.

Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
  • Download VX2Finder.
  • Double-click on VX2Finder.exe.
  • Click "Restore Policy".
  • In the File menu click "Exit".
  • Double-click on KillBox.exe.
  • In the File menu click "Delete all Dummy files".
  • In the Tools menu click "Delete Temp Files".
  • Choose "Standard File Kill" if not already selected.
  • Paste these files one by one into the top "Full Path of File to Delete" box.
    • C:\RECYCLER\desktop.ini
    • C:\WINDOWS\System32\drivers\etc\HOSTS
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Confirm Delete prompt.
  • It should give you a successful "File was deleted" prompt for each one.
  • Double-click on find.bat and post the new output.txt.
  • Paste a fresh HijackThis log.


#5
ksijur (New Member, Topic Starter, 9 posts)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Michael\Desktop

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 03:04 PM 225,132 bpackbox.dll
01/10/2005 03:03 PM 225,378 dnjs0117e.dll
01/10/2005 11:50 AM 225,132 dn2401fqe.dll
10/24/2003 04:34 PM <DIR> Microsoft
10/23/2003 04:24 PM <DIR> dllcache
3 File(s) 675,642 bytes
2 Dir(s) 41,026,846,720 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

10/23/2003 04:39 PM 488 logonui.exe.manifest
10/23/2003 04:39 PM 488 WindowsLogon.manifest
10/23/2003 04:39 PM 749 sapi.cpl.manifest
10/23/2003 04:39 PM 749 wuaucpl.cpl.manifest
10/23/2003 04:39 PM 749 cdplayer.exe.manifest
10/23/2003 04:39 PM 749 nwc.cpl.manifest
10/23/2003 04:39 PM 749 ncpa.cpl.manifest
10/23/2003 04:24 PM <DIR> dllcache
7 File(s) 4,721 bytes
1 Dir(s) 41,026,813,952 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 03:05 PM 225,132 guard.tmp
1 File(s) 225,132 bytes
0 Dir(s) 41,026,781,184 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 03:05 PM 225,132 guard.tmp
09/03/2002 01:00 PM 53,248 uninst1.tmp
09/03/2002 01:00 PM 238,080 uninst2.tmp
09/03/2002 01:00 PM 8,336,384 uninst3.tmp
09/03/2002 01:00 PM 2,577 CONFIG.TMP
5 File(s) 8,855,421 bytes
0 Dir(s) 41,026,748,416 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn2401fqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
dn2401~1.dll Mon Jan 10 2005 11:50:40a ..S.R 225,132 219.86 K
bpackbox.dll Mon Jan 10 2005 3:04:28p ..S.R 225,132 219.86 K
dnjs01~1.dll Mon Jan 10 2005 3:03:14p ..S.R 225,378 220.09 K

3 items found: 3 files, 0 directories.
Total of file sizes: 675,642 bytes 659.80 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\epeaep.dll: updates.qoologic.com
C:\WINDOWS\system32\cucpcu.dll: updates.qoologic.com
C:\WINDOWS\system32\huhqhu.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\wuwkwu.exe: .aspack
C:\WINDOWS\system32\pupvpu.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hghnhg.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Narrator"="C:\\WINDOWS\\system32\\wuwkwu.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
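The two find.bat outputs in this thread (posts #3 and #5) are read by eye, cross-referencing the Winlogon\Notify DllName against the Locate.com list of system+read-only DLLs, the GUID-named Post Platform value, guard.tmp and the Qoologic strings. The script below is an added example, not part of the thread or of the Find It tool: it parses that output.txt layout (assumed from the posts) and returns the same indicators as findings. The embedded sample is a constructed excerpt built from values visible in post #3; the 8.3 short-name matching (lv0809~1.dll against lv0809due.dll) is the one assumption beyond the text.

```python
import re

# Constructed excerpt modelled on the find.bat output.txt posted in this thread
# (sections trimmed; file names and values are the ones visible in post #3).
SAMPLE_OUTPUT = r"""
------------ Files Named "Guard" ---------------

Directory of C:\WINDOWS\System32

01/10/2005 12:02 PM 225,378 guard.tmp
1 File(s) 225,378 bytes

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0809due.dll"
"Impersonate"=dword:00000000

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
jtj607~1.dll Sat Dec 11 2004 4:45:12p ..S.R 225,366 220.08 K
lv0809~1.dll Mon Jan 10 2005 11:47:00a ..S.R 225,378 220.09 K
adferror.dll Sat Dec 18 2004 8:23:10a ..S.R 223,187 217.95 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\epeaep.dll: updates.qoologic.com
"""

SECTION_RE = re.compile(r"^-+\s*(.+?)\s*-+$")          # "------- Title -------"
KEY_RE = re.compile(r"^\[(.+)\]$")                      # REGEDIT4 key line
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')              # REGEDIT4 value line
# Locate.com line: name, weekday, month, day, year, time, attributes, size
LOCATE_RE = re.compile(r"^(\S+)\s+\w{3}\s+\w{3}\s+\d+\s+\d{4}\s+[\d:]+[ap]\s+(\S+)\s+([\d,]+)\s")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def split_sections(text):
    """Map each '------- Title -------' header to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def parse_reg_lines(lines):
    """Yield (key, value_name, raw_data) from REGEDIT4-style export lines."""
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def notify_dlls(sections):
    """Return {subkey: dll path} for every Winlogon\\Notify entry with a DllName."""
    out = {}
    for key, name, raw in parse_reg_lines(sections.get("Keys Under Notify", [])):
        if name == "DllName":
            out[key.rsplit("\\", 1)[-1]] = raw.strip('"').replace("\\\\", "\\")
    return out


def locate_entries(sections):
    """Return [(lowercased name, attribute string, size in bytes)] from Locate.com output."""
    entries = []
    for line in sections.get("Locate.com Results", []):
        m = LOCATE_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2), int(m.group(3).replace(",", ""))))
    return entries


def same_file(listed, long_name):
    """Assumption: Locate.com prints 8.3 aliases (lv0809~1.dll) for long names."""
    a, b = listed.lower(), long_name.lower()
    if a == b:
        return True
    m = re.match(r"^(.{1,6})~\d+(\.[^.]+)$", a)
    return bool(m) and b.startswith(m.group(1)) and b.endswith(m.group(2))


def triage(text):
    """Return human-readable findings for the VX2 indicators discussed in the thread."""
    sections = split_sections(text)
    findings = []
    for _key, name, _raw in parse_reg_lines(sections.get("User Agent", [])):
        if GUID_RE.match(name):
            findings.append(f"GUID-named Post Platform value {name} (VX2 user-agent marker)")
    locate = locate_entries(sections)
    for sub, path in notify_dlls(sections).items():
        base = path.rsplit("\\", 1)[-1]
        for listed, attrs, size in locate:
            if same_file(listed, base) and "S" in attrs:
                findings.append(f"Winlogon\\Notify\\{sub} loads {path}, a system+read-only DLL ({size:,} bytes)")
    for line in sections.get('Files Named "Guard"', []):
        if line.lower().endswith("guard.tmp"):
            findings.append("guard.tmp present in System32")
    for line in sections.get("Strings.exe Qoologic Results", []):
        if ": " in line and "qoologic" in line.lower():
            findings.append(f"Qoologic update host string in {line.rsplit(': ', 1)[0]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print("FLAG:", finding)
```

Run against a real output.txt the script only reports; it deletes nothing, which matches the warning at the top of every find.bat run that legitimate files are listed alongside malware.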

#6
ksijur (New Member, Topic Starter, 9 posts)
waited all night and no response? please, help...

#7
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Run Killbox and paste each of these lines into the box, select "Delete on Reboot", then press the red X button. When it says "Reboot now?", say No and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\bpackbox.dll
C:\WINDOWS\System32\dnjs0117e.dll
C:\WINDOWS\system32\dn2401fqe.dll
C:\WINDOWS\system32\epeaep.dll
C:\WINDOWS\system32\cucpcu.dll
C:\WINDOWS\system32\huhqhu.exe
C:\WINDOWS\system32\wuwkwu.exe
C:\WINDOWS\system32\pupvpu.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hghnhg.exe <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Post back with a HijackThis log.

Regards,

Pieter

#8
ksijur (New Member, Topic Starter, 9 posts)
Well, I was kinda impatient and studied the procedure from the first step and managed to kill that VX2 s..t. I want to thank you all for your help; however, I've got one more question about your guides... what does this registry entry that you suggested putting in do?

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-

and where did you get it?

thanks again...

#9
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
I made that looking for the related entries in your log.

The first line removes your User Agent, just like VX2finder would.

The second removes the Winlogon\Notify startup for this malware.

The third removes the startup for the Narrator trojan.

Regards,

Pieter
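Pieter's answer above describes FixVX2.reg line by line. As an added example (not from the thread or any tool it mentions), the script below reads a REGEDIT4 file and lists the actions merging it would perform, so the three lines can be checked before clicking Yes: a `[-key]` header deletes the key, a `"name"=-` line deletes a value, and a plain `[key]` header creates the key if it does not exist. Both FixVX2.reg variants posted in this thread (post #4 and post #7) are embedded as input; the script never touches the registry.

```python
import re

# FixVX2.reg as posted by Metallica in post #7 of this thread.
FIX_VX2_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-
"""

# The earlier variant from post #4, which also re-adds the SV1 Post Platform token.
ADMIN_FIX_VX2_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
"""

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")         # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')  # "name"=data or @=data


def explain_reg(text):
    """Return (action, key, value_name, data) tuples for a REGEDIT4 file.

    Actions: create_key, delete_key, delete_value, set_string, set_dword.
    Raises ValueError on anything outside the subset used by .reg fixes like this one.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header line")
    actions, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", key, None, None))
                key = None  # values cannot follow a key deletion
            else:
                actions.append(("create_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name = "(Default)" if m.group(2) else m.group(1)
        data = m.group(3)
        if data == "-":
            actions.append(("delete_value", key, name, None))
        elif data.lower().startswith("dword:"):
            actions.append(("set_dword", key, name, int(data[6:], 16)))
        elif data.startswith('"') and data.endswith('"'):
            # .reg strings escape backslashes by doubling them
            actions.append(("set_string", key, name, data[1:-1].replace("\\\\", "\\")))
        else:
            raise ValueError(f"unsupported data type: {raw!r}")
    return actions


def describe(actions):
    """Render actions as one readable sentence each."""
    words = {
        "create_key": "create (if missing) key",
        "delete_key": "delete key and everything under it",
        "delete_value": "delete value",
        "set_dword": "set DWORD value",
        "set_string": "set string value",
    }
    out = []
    for action, key, name, data in actions:
        text = f"{words[action]} {key}"
        if name is not None:
            text += f" -> {name!r}"
        if data is not None:
            text += f" = {data!r}"
        out.append(text)
    return out


if __name__ == "__main__":
    for label, reg in (("post #7", FIX_VX2_REG), ("post #4", ADMIN_FIX_VX2_REG)):
        print(f"--- {label} ---")
        for line in describe(explain_reg(reg)):
            print(line)
```

For the post #7 file the output is three deletions (the GUID-named user-agent value, the Notify\BITS key, the Narrator Run value) plus two harmless create-if-missing steps for keys that already exist on every Windows XP install.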