[amester]

Hi, fellas.

Thanks to all of you for your expertise and for stepping in to help.

I need to unfortunately back-track to Matt's comment from February 3rd---it seems that I cannot locate the following file:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hypkfk.exe

Any insight before I procede with LineOFire's advice from February 4th?

Thank you,

Amester

[Advertisements]

Go ahead with LineOFire's advice

[mpfeif101]

Go ahead with LineOFire's advice

[amester]

Hi, LineOFire.

Thanks for helping out.

Here you go--below is my log from FindIt NT-2K-XP:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Monday, February 07, 2005 (2/7/2005)
1:51 PM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hypkfk.exe: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
@="{66d4abb3-675b-43bb-9061-3627bea8b1f3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------

[LineOFire]

• Download the Pocket Killbox.
• Unzip the contents of KillBox.zip to a convenient location.
• Double-click on KillBox.exe.
• Click "Replace on Reboot" and check the "Use Dummy" box.
• Paste this file into the top "Full Path of File to Delete" box.
  • C:\WINDOWS\System32\cgzlil.dll
• Click the "Delete File" button which looks like a stop sign.
• Click "Yes" at the Replace on Reboot prompt.
• Click "No" at the Pending Operations prompt.
• Repeat steps 4-8 above for these files:
  • C:\WINDOWS\System32\ezuisi.dll
  • C:\WINDOWS\System32\hpmlxl.exe
  • C:\WINDOWS\System32\pqywgw.dat
• Click "Replace on Reboot" and check the "Use Dummy" box.
• Paste this file into the top "Full Path of File to Delete" box.
  • C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hypkfk.exe
• Click the "Delete File" button which looks like a stop sign.
• Click "Yes" at the Replace on Reboot prompt.
• Click "Yes" at the Pending Operations prompt to restart your computer.
• If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
• Once the computer has been restarted, double-click on FindNarrator.bat and post the new FindNarrator.txt.

[amester]

Hi there, LineOFire.

Thanks for all your efforts! :-)

Here is the FindNarrator Log you requested:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Tuesday, February 08, 2005 (2/8/2005)
11:58 AM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
@="{66d4abb3-675b-43bb-9061-3627bea8b1f3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------



On start-up, I now get the following DOS prompt (See thumbnail). And the other DOS prompts mentioned in my earlier post unfortunately still appear and give me the system beep.

Aside from switching to a MAC, do you think there is hope?

Thanks again,

Amester

Attached Thumbnails

• 

[LineOFire]

Unfortunately, those errors are caused by the trojan.

They will be gone once the trojan is removed so there is still hope.

• Download the Pocket Killbox.
• Unzip the contents of KillBox.zip to a convenient location.
• Double-click on KillBox.exe.
• Click "Replace on Reboot" and check the "Use Dummy" box.
• Paste this file into the top "Full Path of File to Delete" box.
  • C:\WINDOWS\System32\cgzlil.dll
• Click the "Delete File" button which looks like a stop sign.
• Click "Yes" at the Replace on Reboot prompt.
• Click "No" at the Pending Operations prompt.
• Repeat steps 4-8 above for these files:
  • C:\WINDOWS\System32\ezuisi.dll
  • C:\WINDOWS\System32\hpmlxl.exe
• Click "Replace on Reboot" and check the "Use Dummy" box.
• Paste this file into the top "Full Path of File to Delete" box.
  • C:\WINDOWS\System32\pqywgw.dat
• Click the "Delete File" button which looks like a stop sign.
• Click "Yes" at the Replace on Reboot prompt.
• Click "Yes" at the Pending Operations prompt to restart your computer.
• If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
• Once the computer has been restarted, double-click on FindNarrator.bat and post the new FindNarrator.txt.

[amester]

Hi there, LineOFire.

Thanks for helping out! :-)

Here is the FindNarrator log you requested.

I'm still getting two or three random DOS screens when my Desktop tries to launch, but, I just close them really quickly.

The system 'beep' happens only occasionally now:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Wednesday, February 09, 2005 (2/9/2005)
3:45 PM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
@="{66d4abb3-675b-43bb-9061-3627bea8b1f3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------


Thanks again,

Amester

[LineOFire]

Copy and paste this code box text into a text editor such as Notepad.

Save this text as FixNarrator.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixNarrator.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]

[-HKEY_CLASSES_ROOT\CLSID\{66d4abb3-675b-43bb-9061-3627bea8b1f3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-

Then restart and post a new FindNarrator log.

[amester]

Hi there, LineOFire.

Well, here you go---a new FindNarrator Log:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Tuesday, February 15, 2005 (2/15/2005)
2:49 PM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------


I am still getting at least two DOS screens at boot, and also, they now randomly appear with system beeping post-boot up.

Please advise on what's next.

Thanks for all your hard work,

Amester

[LineOFire]

• Double-click on KillBox.exe.
• Click "Standard File Kill" and check the "End Explorer Shell While Killing File" box.
• Paste this file into the top "Full Path of File to Delete" box.[list]
• C:\WINNT\system32\cgzlil.dll

[*]Click the "Delete File" button which looks like a stop sign.
[*]Click "Yes" at the Confirm Delete prompt.
[*]Your desktop and icons should disappear for a few seconds.
[*]Click "OK" at the Delete was successful prompt.
[*]Repeat steps 4-8 above for these files:

• C:\WINNT\system32\ezuisi.dll
• C:\WINNT\system32\hpmlxl.exe
• C:\WINNT\system32\pqywgw.dat

Then please restart and post a new HijackTHis log.

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 15 April 2005 - 12:47 PM.