UMonitor DLL error / Recycle bin problems / VX2

#1 Thejesus (Member, 14 posts)
OK, first off, I have been having this problem for a long time. I have been working with computers for a while now and I thought I could take care of this myself... well, I was wrong to think that. Going from forum to forum, I am now asking for help.

Ad-Aware can't get rid of VX2. Spybot can't get rid of CoolWWWSearch, and my monitor keeps showing these blue lines (sometimes red) all up and down my screen whenever I run a 3D game, and it messes up the graphics big time. Now I am getting these blue lines up and down my screen all the time, even out of games. I know the screen problem happens most of the time when that UMonitor pops up, so I think it might be that (it's not the monitor; I just replaced my old one thinking it was). And lastly, I have pop-ups.

This is my full HijackThis log. Help me please, I don't think I can take this problem much more.

Logfile of HijackThis v1.99.0
Scan saved at 5:25:44 PM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\hnesl1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ian Dudek\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cow8RgHER] hnesl1.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\PH Train & Assess IT\plugin\cab\awswaxf.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WUSB54GPSVC - Unknown - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe" "WUSB54GP.exe (file missing)

#2 -=jonnyrotten=- (Retired Staff, 2,678 posts)
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
-=jonnyrotten=- :tazz:

#3 Thejesus (Topic Starter)
Thanks for the help, here is the log.



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Ian Dudek\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 07:45 PM 223,011 srriptpw.dll
01/15/2005 07:45 PM 224,277 k662lgjo16oc.dll
01/15/2005 07:41 PM 223,011 kt06l7ds1.dll
01/15/2005 04:26 PM 223,554 q8860ilse8q60.dll
01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/03/2004 08:47 AM <DIR> Microsoft
5 File(s) 1,282,973 bytes
2 Dir(s) 15,654,604,800 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 04:41 AM <DIR> dllcache
01/12/2005 01:42 PM <DIR> vmss
12/08/2004 10:39 AM 389,120 l?a**.exe
07/02/2004 03:15 PM 488 logonui.exe.manifest
07/02/2004 03:15 PM 488 WindowsLogon.manifest
07/02/2004 03:15 PM 749 sapi.cpl.manifest
07/02/2004 03:15 PM 749 nwc.cpl.manifest
07/02/2004 03:15 PM 749 ncpa.cpl.manifest
07/02/2004 03:15 PM 749 cdplayer.exe.manifest
07/02/2004 03:15 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
2 Dir(s) 15,654,600,704 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 15,654,600,704 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt06l7ds1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
k662lg~1.dll Sat Jan 15 2005 7:45:50p ..S.R 224,277 219.02 K
kt06l7~1.dll Sat Jan 15 2005 7:41:16p ..S.R 223,011 217.78 K
lass~1.exe Wed Dec 8 2004 10:39:06a ..SHR 389,120 380.00 K
q8860i~1.dll Sat Jan 15 2005 4:26:44p ..S.R 223,554 218.31 K
srriptpw.dll Sat Jan 15 2005 7:45:50p ..S.R 223,011 217.78 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,282,973 bytes 1.22 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

#4 -=jonnyrotten=- (Retired Staff)
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\srriptpw.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\k662lgjo16oc.dll
    • C:\WINDOWS\System32\kt06l7ds1.dll
    • C:\WINDOWS\System32\q8860ilse8q60.dll
    • C:\WINDOWS\System32\l?a**.exe
    • C:\WINDOWS\System32\kt06l7ds1.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


Reboot normally and post a new output.txt log.

-=jonnyrotten=- :tazz:

#5 -=jonnyrotten=- (Retired Staff)
Also make sure to delete this folder:

c:\windows\system32\vmss

-=jonnyrotten=- :tazz:

#6 Thejesus (Topic Starter)
OK, here it is, and thanks again for helping.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Ian Dudek\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/16/2005 11:36 PM 225,571 msc70.dll
01/16/2005 11:36 PM 223,061 j60slgd7160.dll
01/15/2005 08:16 PM 225,261 mkexcl40.dll
01/15/2005 08:16 PM 225,571 g0jo0a13ed.dll
01/15/2005 08:09 PM 223,065 k4jsle171h.dll
01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/03/2004 08:47 AM <DIR> Microsoft
6 File(s) 1,511,649 bytes
2 Dir(s) 15,532,544,000 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 04:41 AM <DIR> dllcache
01/12/2005 01:42 PM <DIR> vmss
12/08/2004 10:39 AM 389,120 l?a**.exe
07/02/2004 03:15 PM 488 logonui.exe.manifest
07/02/2004 03:15 PM 488 WindowsLogon.manifest
07/02/2004 03:15 PM 749 sapi.cpl.manifest
07/02/2004 03:15 PM 749 nwc.cpl.manifest
07/02/2004 03:15 PM 749 ncpa.cpl.manifest
07/02/2004 03:15 PM 749 cdplayer.exe.manifest
07/02/2004 03:15 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
2 Dir(s) 15,532,539,904 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 15,532,539,904 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g0jo0a13ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
g0jo0a~1.dll Sat Jan 15 2005 8:16:52p ..S.R 225,571 220.28 K
j60slg~1.dll Sun Jan 16 2005 11:36:08p ..S.R 223,061 217.83 K
k4jsle~1.dll Sat Jan 15 2005 8:09:30p ..S.R 223,065 217.84 K
lass~1.exe Wed Dec 8 2004 10:39:06a ..SHR 389,120 380.00 K
mkexcl40.dll Sat Jan 15 2005 8:16:54p ..S.R 225,261 219.98 K
msc70.dll Sun Jan 16 2005 11:36:08p ..S.R 225,571 220.28 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,511,649 bytes 1.44 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

#7 -=jonnyrotten=- (Retired Staff)
Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Find and delete the following folder and file:

C:\Windows\System32\vmss
C:\Windows\System32\l?a**.exe <<<You may not find this one, but that's ok, because you will use the killbox to kill it too.

Now remove the following files with the "Pocket Killbox" in the same way you did before, except instead of "Replace on Reboot", select "Delete on Reboot".

C:\Windows\System32\l?a**.exe
C:\Windows\System32\msc70.dll
C:\Windows\System32\j60slgd7160.dll
C:\Windows\System32\mkexcl40.dll
C:\Windows\System32\k4jsle171h.dll
C:\Windows\System32\g0jo0a13ed.dll <<<This one last

Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]


Reboot normally and post a new output.txt.

-=jonnyrotten=- :tazz:

#8 Thejesus (Topic Starter)
OK, I did what you said, but a few things went wrong.

Killbox said that these files did not exist:
C:\Windows\System32\g0jo0a13ed.dll
Damn, and I can't remember the other two... sorry.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Ian Dudek\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/17/2005 05:51 PM 225,882 sjscrap.dll
01/17/2005 05:13 PM 222,974 mvjsl9171.dll
01/17/2005 05:06 PM 225,882 i2jq0c15ef.dll
01/17/2005 12:47 PM 225,882 czcoinst.dll
01/17/2005 01:53 AM 222,762 jtjm0711e.dll
01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/03/2004 08:47 AM <DIR> Microsoft
6 File(s) 1,512,502 bytes
2 Dir(s) 15,600,816,128 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/02/2004 03:15 PM 488 logonui.exe.manifest
07/02/2004 03:15 PM 488 WindowsLogon.manifest
07/02/2004 03:15 PM 749 nwc.cpl.manifest
07/02/2004 03:15 PM 749 sapi.cpl.manifest
07/02/2004 03:15 PM 749 ncpa.cpl.manifest
07/02/2004 03:15 PM 749 cdplayer.exe.manifest
07/02/2004 03:15 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 15,600,812,032 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 15,600,812,032 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjm0711e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i2jq0c15ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
czcoinst.dll Mon Jan 17 2005 12:47:26p ..S.R 225,882 220.59 K
i2jq0c~1.dll Mon Jan 17 2005 5:06:28p ..S.R 225,882 220.59 K
jtjm07~1.dll Mon Jan 17 2005 1:53:20a ..S.R 222,762 217.54 K
lass~1.exe Wed Dec 8 2004 10:39:06a ..SHR 389,120 380.00 K
mvjsl9~1.dll Mon Jan 17 2005 5:13:38p ..S.R 222,974 217.75 K
sjscrap.dll Mon Jan 17 2005 5:51:20p ..S.R 225,882 220.59 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,512,502 bytes 1.44 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

#9 -=jonnyrotten=- (Retired Staff)
Have you been rebooting in between posting logs or receiving a response? These files keep coming back as different ones; that's why the Killbox said the file wasn't found, because it changed names. Every time you reboot, these files will change their names. Hopefully all this is still the same. If you have shut down since you posted the last log, then we will most likely need another one, and make sure not to turn the PC off this time; we have to kill all of these files at the same time or this will keep coming back.
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\sjscrap.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\mvjsl9171.dll
    • C:\WINDOWS\System32\czcoinst.dll
    • C:\WINDOWS\System32\l?a**.exe
    • C:\WINDOWS\System32\jtjm0711e.dll
    • C:\WINDOWS\System32\i2jq0c15ef.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
-=jonnyrotten=- :tazz:

#10 Thejesus (Topic Starter, Member, 14 posts)

Oh, sorry about that. My video card is on the fritz and I can't see anything half the time, so I restart my computer so I can work on it again. :tazz: I will send a new log and won't restart until I am told to do so.

Once again sorry about all that.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Ian Dudek\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/17/2005 08:21 PM 225,882 kddmac.dll
01/17/2005 08:21 PM 222,763 enjml1111.dll
01/17/2005 05:53 PM 225,882 ktjql7151.dll
01/17/2005 12:47 PM 225,882 czcoinst.dll
01/17/2005 01:53 AM 222,762 jtjm0711e.dll
01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/03/2004 08:47 AM <DIR> Microsoft
6 File(s) 1,512,291 bytes
2 Dir(s) 15,598,702,592 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/02/2004 03:15 PM 488 logonui.exe.manifest
07/02/2004 03:15 PM 488 WindowsLogon.manifest
07/02/2004 03:15 PM 749 nwc.cpl.manifest
07/02/2004 03:15 PM 749 sapi.cpl.manifest
07/02/2004 03:15 PM 749 ncpa.cpl.manifest
07/02/2004 03:15 PM 749 cdplayer.exe.manifest
07/02/2004 03:15 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 15,598,698,496 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 15,598,698,496 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjm0711e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktjql7151.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
czcoinst.dll Mon Jan 17 2005 12:47:26p ..S.R 225,882 220.59 K
enjml1~1.dll Mon Jan 17 2005 8:21:36p ..S.R 222,763 217.54 K
jtjm07~1.dll Mon Jan 17 2005 1:53:20a ..S.R 222,762 217.54 K
kddmac.dll Mon Jan 17 2005 8:21:36p ..S.R 225,882 220.59 K
ktjql7~1.dll Mon Jan 17 2005 5:53:20p ..S.R 225,882 220.59 K
lass~1.exe Wed Dec 8 2004 10:39:06a ..SHR 389,120 380.00 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,512,291 bytes 1.44 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"





#11 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)

Nice, give me a few minutes, and I'm on it :tazz:

-=jonnyrotten=- ;)

#12 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)

  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\kddmac.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\enjml1111.dll
    • C:\WINDOWS\System32\czcoinst.dll
    • C:\WINDOWS\System32\l?a**.exe
    • C:\WINDOWS\System32\jtjm0711e.dll
    • C:\WINDOWS\System32\ktjql7151.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.


Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]


Reboot normally and post a new log.

-=jonnyrotten=- :tazz:

#13 Thejesus (Topic Starter, Member, 14 posts)

Ah, my computer shut off on me.... don't know why, it just turned off :tazz: I am getting pissed.

SO SO sorry here is a new log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Ian Dudek\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/17/2005 09:27 PM 222,763 neshrui.dll
01/17/2005 09:27 PM 222,842 lvp0097me.dll
01/17/2005 08:21 PM 222,763 enjml1111.dll
01/17/2005 12:47 PM 225,882 czcoinst.dll
01/17/2005 01:53 AM 222,762 jtjm0711e.dll
01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/03/2004 08:47 AM <DIR> Microsoft
6 File(s) 1,506,132 bytes
2 Dir(s) 15,591,305,216 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/02/2004 03:15 PM 488 logonui.exe.manifest
07/02/2004 03:15 PM 488 WindowsLogon.manifest
07/02/2004 03:15 PM 749 nwc.cpl.manifest
07/02/2004 03:15 PM 749 sapi.cpl.manifest
07/02/2004 03:15 PM 749 ncpa.cpl.manifest
07/02/2004 03:15 PM 749 cdplayer.exe.manifest
07/02/2004 03:15 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 15,591,301,120 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 15,591,301,120 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjml1111.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjm0711e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
czcoinst.dll Mon Jan 17 2005 12:47:26p ..S.R 225,882 220.59 K
enjml1~1.dll Mon Jan 17 2005 8:21:36p ..S.R 222,763 217.54 K
jtjm07~1.dll Mon Jan 17 2005 1:53:20a ..S.R 222,762 217.54 K
lvp009~1.dll Mon Jan 17 2005 9:27:02p ..S.R 222,842 217.62 K
lass~1.exe Wed Dec 8 2004 10:39:06a ..SHR 389,120 380.00 K
neshrui.dll Mon Jan 17 2005 9:27:02p ..S.R 222,763 217.54 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,506,132 bytes 1.43 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"




#14 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)

Ok, hopefully I'm not too late. :tazz:
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\neshrui.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\lvp0097me.dll
    • C:\WINDOWS\System32\enjml1111.dll
    • C:\WINDOWS\System32\l?a**.exe
    • C:\WINDOWS\System32\enjml1111.dll
    • C:\WINDOWS\System32\jtjm0711e.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]


Reboot normally and post new log.

-=jonnyrotten=- ;)
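The manual routine in the posts above (read the rogue subkeys out of the "Keys Under Notify" dump, write a .reg that deletes those subkeys and the GUID-named Post Platform value, and hand the DllName paths to Killbox) can be scripted so the log is triaged consistently each time it is re-posted. The following Python is an added example written for this page; it is not part of the thread, of Find It NT-2K-XP, or of Killbox. The trimmed sample log is constructed from the shape of the output posted above, and the baseline list of legitimate Winlogon Notify DLLs is an assumption for Windows XP SP2 that should be checked against the machine being cleaned.

```python
"""Triage a Find It NT-2K-XP output.txt for Winlogon\\Notify persistence.

Added example: parse the REGEDIT4 dumps in the log, flag Notify subkeys whose
DLL is not on an assumed baseline, and emit the removal .reg plus Killbox paths.
"""
import re
from typing import Dict, List, Tuple

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")
POST_PLATFORM = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\User Agent\Post Platform")

# ASSUMPTION: Notify DLLs shipped with Windows XP SP2 (lower-case basenames).
# Anything not listed here gets flagged; adjust for the machine being cleaned.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample, trimmed to the shape of the output.txt posted in this thread.
SAMPLE_LOG = r"""
------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{12C3B16C-054E-4543-B34F-8C5F0C271D64}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjml1111.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"Asynchronous"=dword:00000001
"DllName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjm0711e.dll"
"Logon"="WinLogon"

------------- Locate.com Results -------------
"""


def extract_section(log: str, header: str) -> List[str]:
    """Lines between the dashed banner containing `header` and the next banner."""
    out, inside = [], False
    for line in log.splitlines():
        if line.startswith("---"):
            if inside:
                break
            inside = header in line
        elif inside:
            out.append(line)
    return out


def _unquote(raw: str) -> str:
    """Turn a REGEDIT4 string value (quoted, backslashes doubled) into plain text."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")
    return raw  # dword:... and other non-string values pass through


def parse_reg_section(log: str, header: str) -> Dict[str, Dict[str, str]]:
    """Parse one REGEDIT4 dump into {key path: {value name: value}}, keeping key order."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in extract_section(log, header):
        km = KEY_RE.match(line)
        if km:
            current = km.group("path")
            keys[current] = {}
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = _unquote(vm.group("val"))
    return keys


def find_suspicious_notify(keys, baseline=BASELINE_DLLS) -> List[Tuple[str, str]]:
    """(subkey, DLL path) for each Notify subkey whose DLL is off the baseline.

    The parent Notify key itself is never returned: it must stay, only subkeys go."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        dll = values.get("DllName", "")
        basename = dll.rsplit("\\", 1)[-1].lower()
        if basename and basename not in baseline:
            hits.append((path[len(prefix):], dll))
    return hits


def find_guid_post_platform(keys) -> List[str]:
    """GUID-named values under Post Platform (the marker removed in the thread's .reg)."""
    for path, values in keys.items():
        if path.lower() == POST_PLATFORM.lower():
            return [name for name in values if GUID_RE.match(name)]
    return []


def build_fix_reg(notify_hits, guid_values) -> str:
    """REGEDIT4 text deleting the flagged subkeys and GUID values (FixVX2.reg shape)."""
    lines = ["REGEDIT4", ""]
    if guid_values:
        lines.append(f"[{POST_PLATFORM}]")
        lines.extend(f'"{name}"=-' for name in guid_values)
        lines.append("")
    for subkey, _dll in notify_hits:
        lines.append(f"[-{NOTIFY_ROOT}\\{subkey}]")
        lines.append("")
    return "\n".join(lines)


def killbox_paths(notify_hits) -> List[str]:
    """Full DLL paths to paste into Killbox (one Replace-on-Reboot entry each)."""
    return [dll for _subkey, dll in notify_hits if "\\" in dll]


if __name__ == "__main__":
    notify = find_suspicious_notify(parse_reg_section(SAMPLE_LOG, "Keys Under Notify"))
    guids = find_guid_post_platform(parse_reg_section(SAMPLE_LOG, "User Agent"))
    print(build_fix_reg(notify, guids))
    print("Killbox:", *killbox_paths(notify), sep="\n  ")
```

Two caveats carry over from the thread: the DLL names change on every reboot, so the generated .reg and Killbox list are only valid for a log taken in the current session, and the script deliberately leaves the parent Notify key alone and never touches a file unless a Notify subkey points at it. The guard.tmp that appeared in the later log is not referenced from the registry and so still has to be added to Killbox by hand, as the helper does above.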

#15 Thejesus (Topic Starter, Member, 14 posts)

Ok I did what you said. Here is my new log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Ian Dudek\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/17/2005 12:47 PM 225,882 czcoinst.dll
01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/03/2004 08:47 AM <DIR> Microsoft
2 File(s) 615,002 bytes
2 Dir(s) 15,568,084,992 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/15/2005 04:41 AM <DIR> dllcache
12/08/2004 10:39 AM 389,120 l?a**.exe
07/02/2004 03:15 PM 488 logonui.exe.manifest
07/02/2004 03:15 PM 488 WindowsLogon.manifest
07/02/2004 03:15 PM 749 nwc.cpl.manifest
07/02/2004 03:15 PM 749 sapi.cpl.manifest
07/02/2004 03:15 PM 749 ncpa.cpl.manifest
07/02/2004 03:15 PM 749 cdplayer.exe.manifest
07/02/2004 03:15 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 15,568,080,896 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/18/2005 08:34 AM 222,763 guard.tmp
1 File(s) 222,763 bytes
0 Dir(s) 15,568,080,896 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4893-EC97

Directory of C:\WINDOWS\System32

01/18/2005 08:34 AM 222,763 guard.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 225,340 bytes
0 Dir(s) 15,568,080,896 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvp0097me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
czcoinst.dll Mon Jan 17 2005 12:47:26p ..S.R 225,882 220.59 K
lass~1.exe Wed Dec 8 2004 10:39:06a ..SHR 389,120 380.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 615,002 bytes 600.59 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"


