HiJackThis Log - Amester


  • This topic is locked

#16
amester

amester

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi, fellas.

Thanks to all of you for your expertise and for stepping in to help.

I need to unfortunately back-track to Matt's comment from February 3rd---it seems that I cannot locate the following file:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hypkfk.exe

Any insight before I proceed with LineOFire's advice from February 4th?

Thank you,

Amester
  • 0

#17
mpfeif101

mpfeif101

    Member 1K

  • Retired Staff
  • 1,411 posts
Go ahead with LineOFire's advice :tazz:
  • 0

#18
amester

amester

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi, LineOFire.

Thanks for helping out.

Here you go--below is my log from FindIt NT-2K-XP:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Monday, February 07, 2005 (2/7/2005)
1:51 PM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hypkfk.exe: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
@="{66d4abb3-675b-43bb-9061-3627bea8b1f3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------
  • 0

#19
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\cgzlil.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\ezuisi.dll
    • C:\WINDOWS\System32\hpmlxl.exe
    • C:\WINDOWS\System32\pqywgw.dat
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hypkfk.exe
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • Once the computer has been restarted, double-click on FindNarrator.bat and post the new FindNarrator.txt.

  • 0

#20
amester

amester

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi there, LineOFire.

Thanks for all your efforts! :-)

Here is the FindNarrator Log you requested:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Tuesday, February 08, 2005 (2/8/2005)
11:58 AM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
@="{66d4abb3-675b-43bb-9061-3627bea8b1f3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------



On start-up, I now get the following DOS prompt (See thumbnail). And the other DOS prompts mentioned in my earlier post unfortunately still appear and give me the system beep.

Aside from switching to a MAC, do you think there is hope?

Thanks again,

Amester

Attached Thumbnails

  • hypkfk_exe.gif

  • 0

#21
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Unfortunately, those errors are caused by the trojan. :tazz:

They will be gone once the trojan is removed so there is still hope. ;)
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\cgzlil.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\ezuisi.dll
    • C:\WINDOWS\System32\hpmlxl.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\pqywgw.dat
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • Once the computer has been restarted, double-click on FindNarrator.bat and post the new FindNarrator.txt.

  • 0

#22
amester

amester

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi there, LineOFire.

Thanks for helping out! :-)

Here is the FindNarrator log you requested.

I'm still getting two or three random DOS screens when my Desktop tries to launch, but, I just close them really quickly.

The system 'beep' happens only occasionally now:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Wednesday, February 09, 2005 (2/9/2005)
3:45 PM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
@="{66d4abb3-675b-43bb-9061-3627bea8b1f3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------


Thanks again,

Amester
  • 0

#23
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Copy and paste this code box text into a text editor such as Notepad.

Save this text as FixNarrator.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixNarrator.reg. When it asks you to merge the information to the registry, click Yes.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]

[-HKEY_CLASSES_ROOT\CLSID\{66d4abb3-675b-43bb-9061-3627bea8b1f3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-

Then restart and post a new FindNarrator log.
  • 0

#24
amester

amester

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi there, LineOFire.

Well, here you go---a new FindNarrator Log:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********

Tuesday, February 15, 2005 (2/15/2005)
2:49 PM, Eastern Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Administrator\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
C:\WINNT\system32\ezuisi.dll: updates.qoologic.com
C:\WINNT\system32\hpmlxl.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINNT\system32\pqywgw.dat: .aspack

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Promon.exe"="Promon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------


I am still getting at least two DOS screens at boot, and also, they now randomly appear with system beeping post-boot up.

Please advise on what's next.

Thanks for all your hard work,

Amester
  • 0
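Added example (not part of the original thread and not the FindIt tool's own code): a Python sketch that parses two FindNarrator logs like the ones posted above, reports which registry entries a cleanup step removed and which flagged files are still present, and checks whether a deletion target's path matches a path the log reports. The sample text is constructed from lines in this thread, and the function names are assumptions.

```python
import re

# Constructed samples: BEFORE holds lines copied from the 2/9/2005 log in this
# thread (trimmed); AFTER is BEFORE minus the entries FixNarrator.reg deletes.
BEFORE = r"""
---------------- Strings.exe Qoologic Results ----------------
C:\WINNT\system32\cgzlil.dll: updates.qoologic.com
---------------- Strings.exe Aspack Results ----------------
C:\WINNT\system32\pqywgw.dat: .aspack
---------------- Context Menu Handlers ----------------
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkmsm]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
---------------- Run Key ----------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"="C:\\WINNT\\system32\\wyovqv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
"""
AFTER = "\n".join(l for l in BEFORE.splitlines()
                  if "fgkmsm" not in l and '"Narrator"' not in l)

SECTION = re.compile(r"^-+ (.+?) -+$")
FILE_HIT = re.compile(r"^([A-Za-z]:\\[^:]+): \S+$")
RUN_VALUE = re.compile(r'^"(.+?)"="(.*)"$')
HANDLERS = "HKEY_CLASSES_ROOT\\*\\shellex\\ContextMenuHandlers\\"
RUN = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

def parse_log(text):
    """Collect flagged files, handler names and unescaped Run values."""
    out = {"files": set(), "handlers": set(), "run": {}}
    section = key = ""
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section, key = m.group(1), ""
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith(HANDLERS):
                out["handlers"].add(key[len(HANDLERS):])
        elif section.startswith("Strings.exe") and (m := FILE_HIT.match(line)):
            out["files"].add(m.group(1).lower())
        elif key == RUN and (m := RUN_VALUE.match(line)):
            out["run"][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return out

def diff_logs(before, after):
    """Report what a cleanup step removed and which flagged files remain."""
    b, a = parse_log(before), parse_log(after)
    return {"removed_handlers": sorted(b["handlers"] - a["handlers"]),
            "removed_run": sorted(set(b["run"]) - set(a["run"])),
            "persisting_files": sorted(b["files"] & a["files"])}

def unmatched_targets(targets, log):
    """Deletion targets whose path is not among the files the log flagged."""
    files = parse_log(log)["files"]
    return [t for t in targets if t.lower() not in files]
```

Run against this thread's data, `unmatched_targets` flags `C:\WINDOWS\System32\cgzlil.dll`, because the logs report that file under `C:\WINNT\system32`.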

#25
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
  • Double-click on KillBox.exe.
  • Click "Standard File Kill" and check the "End Explorer Shell While Killing File" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINNT\system32\cgzlil.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Confirm Delete prompt.
  • Your desktop and icons should disappear for a few seconds.
  • Click "OK" at the Delete was successful prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINNT\system32\ezuisi.dll
    • C:\WINNT\system32\hpmlxl.exe
    • C:\WINNT\system32\pqywgw.dat

Then please restart and post a new HijackThis log.

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 15 April 2005 - 12:47 PM.

  • 0
