
Help again


45 replies to this topic

#1 woovin


Posted 02 February 2005 - 07:26 PM

Hello again. This is my work computer and it is a total mess. Everyone is sick of it. Here's my log. I hope someone could help.
Thank you!

Logfile of HijackThis v1.99.0
Scan saved at 4:21:31 PM, on 2/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\N20050308.EXE
C:\WINDOWS\OORKVY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1102095655\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1102095655\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\WAB.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DMIHXW9Q\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDUI.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://daily.webshots.com/redir.cgi?type=d...tc=0&os=24&ID=0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\oorkvy.exe
O4 - HKLM\..\Run: [mcupdmgr.exe] C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDMGR.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: pptnky.exe
O4 - Global Startup: updater.lnk = C:\WINDOWS\ASD.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .mov: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for *: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npnul32.dll
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.imagicgames.com/java2/cabs/swing.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-5.9.5.30/flin...r-ob-assets.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.1.0.39/mahj...g-ob-assets.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


 


#2 Grinler

    Lawrence Abrams

Posted 04 February 2005 - 09:18 AM

Have you run and scanned your machine with Ad-Aware? If not, please first download and install Ad-Aware:

http://www.lavasoftusa.com/software/adaware/

Update it, then scan and clean your computer. Then post a new log.

#3 woovin


Posted 06 February 2005 - 01:02 AM

I have run Adaware multiple times on this computer. Also About:Buster and McAfee virus. I don't know what else to do. My "Work Offline" icon keeps popping up constantly also and I don't know how to stop it.

#4 Grinler


Posted 06 February 2005 - 01:18 PM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\N20050308.EXE

To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder. If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.


You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on.

For a tutorial on how to use HijackThis please see the following link:

Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\oorkvy.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: pptnky.exe
O4 - Global Startup: updater.lnk = C:\WINDOWS\ASD.EXE
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} (JFC Classes) - http://www.imagicgames.com/java2/cabs/swing.cab


Then delete these files or directories (Do not be concerned if they do not exist)

C:\PROGRAM FILES\VBOUNCER\
C:\N20050308.EXE
C:\WINDOWS\oorkvy.exe
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\
C:\WINDOWS\ASD.EXE

Reboot your computer to go back to normal mode and download the following file:

http://castlecops.com/zx/Zupe/FindIt9xME.zip


and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#5 woovin


Posted 07 February 2005 - 12:22 PM

I ran Adaware, Microsoft Regclean, CWShredder, Spybot, and that program you asked me to. Here's the log that it came up with.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0547-0FEB
Directory of C:\WINDOWS\SYSTEM

FDWPP DLL 217,088 12-29-04 10:58a FDWPP.DLL
DPMSADSN DLL 217,088 12-29-04 10:58a DPMSADSN.DLL
OSEXL32 DLL 217,088 12-29-04 10:58a OSEXL32.DLL
MVSHRUI DLL 217,088 12-29-04 10:58a MVSHRUI.DLL
SLELL DLL 217,088 12-29-04 10:58a SLELL.DLL
MUFS32 DLL 217,088 12-29-04 10:58a MUFS32.DLL
IWETCPLC DLL 217,088 12-29-04 10:58a IWETCPLC.DLL
LJCMP70N DLL 217,088 12-29-04 10:58a LJCMP70n.DLL
LDAIPRPR DLL 217,088 12-29-04 10:58a LDAIPRPR.DLL
ROCMQCL DLL 217,088 12-29-04 10:58a ROCMQCL.DLL
RUSAPI16 DLL 217,088 12-29-04 10:58a RUSAPI16.DLL
TUEMBED DLL 217,088 12-29-04 10:58a tUembed.dll
WTVCORE DLL 217,088 12-29-04 10:58a WTVCORE.DLL
MRJET40 DLL 217,088 12-29-04 10:58a MRJET40.DLL
CYSWPP DLL 217,088 12-29-04 10:58a CYSWPP.DLL
MWINCP16 DLL 217,088 12-29-04 10:58a MWINCP16.DLL
UZIDRV DLL 217,088 12-29-04 10:58a UZIDRV.DLL
RFCMQCL DLL 217,088 12-29-04 10:58a RFCMQCL.DLL
TEEMBED DLL 217,088 12-29-04 10:58a tEembed.dll
OGEACC DLL 217,088 12-29-04 10:58a OGEACC.DLL
ANYCFILT DLL 217,088 12-29-04 10:58a ANYCFILT.DLL
RVCMQCL DLL 217,088 12-29-04 10:58a RVCMQCL.DLL
MTCUIW32 DLL 217,088 12-29-04 10:58a Mtcuiw32.dll
DZRAWEX DLL 217,088 12-29-04 10:58a DZRAWEX.DLL
PPDLIB32 DLL 217,088 12-29-04 10:58a PPDLIB32.dll
UODMXFRM DLL 217,088 12-29-04 10:58a UODMXFRM.DLL
MLACM DLL 217,088 12-29-04 10:58a MLACM.DLL
SKORTS DLL 217,088 12-29-04 10:58a Skorts.dll
MPSIP32 DLL 217,088 12-29-04 10:58a MPSIP32.DLL
WHHEXT DLL 217,088 12-29-04 10:58a WHHEXT.DLL
OYBCJT32 DLL 217,088 12-29-04 10:58a OYBCJT32.DLL
OIDBSE32 DLL 217,088 12-29-04 10:58a OIDBSE32.DLL
IORNONCE DLL 217,088 12-29-04 10:58a IORNONCE.DLL
OSBCJI32 DLL 217,088 12-29-04 10:58a OSBCJI32.DLL
PJCSTORE DLL 217,088 12-29-04 10:58a PJCSTORE.DLL
OI30 DLL 217,088 12-29-04 10:58a OI30.DLL
MCIDNTLD DLL 217,088 12-29-04 10:58a mcidntld.dll
SZLAD2 DLL 217,088 12-29-04 10:58a SZLAD2.dll
MYREPL40 DLL 217,088 12-29-04 10:58a MYREPL40.DLL
DECOBJ DLL 217,088 12-29-04 10:58a DECOBJ.DLL
WXHEXT DLL 217,088 12-29-04 10:58a WXHEXT.DLL
RIABASE DLL 217,088 12-29-04 10:58a RIABASE.DLL
MDBE DLL 217,088 12-29-04 10:58a mdbe.dll
KLUSER DLL 217,088 12-29-04 10:58a KLUSER.DLL
MPJT3032 DLL 217,088 12-29-04 10:58a MPJT3032.DLL
CJC DLL 217,088 12-29-04 10:58a CJC.DLL
OKEDLG DLL 217,088 12-29-04 10:58a OKEDLG.DLL
ICETCPLC DLL 217,088 12-29-04 10:58a ICETCPLC.DLL
MQIDNTLD DLL 217,088 12-29-04 10:58a mqidntld.dll
OME2NLS DLL 217,088 12-29-04 10:58a OME2NLS.DLL
WIADMOD DLL 217,088 12-29-04 10:58a wiadmod.dll
PVBROWSE DLL 217,088 12-29-04 10:58a pvbrowse.dll
DAMSRPCN DLL 217,088 12-29-04 10:58a DAMSRPCN.DLL
53 file(s) 11,505,664 bytes
0 dir(s) 6,050.55 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0547-0FEB
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 01-23-05 1:48p folder.htt
DESKTOP INI 266 01-23-05 1:48p desktop.ini
LXAIMA GID 45,735 03-26-04 11:05a lxaima.GID
EPIUIE3N GID 10,832 11-05-01 3:08p EPIUIE3N.GID
4 file(s) 69,955 bytes
0 dir(s) 6,050.55 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9D692D60-78E5-11D9-B8B0-CFB6ED9F7F78}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#6 Grinler


Posted 08 February 2005 - 02:31 PM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

  1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  2. Paste this file into the top Full Path of File to Delete field.

     c:\windows\system32\FDWPP.DLL

  3. Click the Delete File button which looks like a stop sign.

  4. Click Yes at the Replace on Reboot prompt.

  5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


c:\windows\system32\DPMSADSN.DLL
c:\windows\system32\OSEXL32.DLL
c:\windows\system32\MVSHRUI.DLL
c:\windows\system32\SLELL.DLL
c:\windows\system32\MUFS32.DLL
c:\windows\system32\IWETCPLC.DLL
c:\windows\system32\LJCMP70n.DLL
c:\windows\system32\LDAIPRPR.DLL
c:\windows\system32\ROCMQCL.DLL
c:\windows\system32\RUSAPI16.DLL
c:\windows\system32\tUembed.dll
c:\windows\system32\WTVCORE.DLL
c:\windows\system32\MRJET40.DLL
c:\windows\system32\CYSWPP.DLL
c:\windows\system32\MWINCP16.DLL
c:\windows\system32\UZIDRV.DLL
c:\windows\system32\RFCMQCL.DLL
c:\windows\system32\tEembed.dll
c:\windows\system32\OGEACC.DLL
c:\windows\system32\ANYCFILT.DLL
c:\windows\system32\RVCMQCL.DLL
c:\windows\system32\Mtcuiw32.dll
c:\windows\system32\DZRAWEX.DLL
c:\windows\system32\PPDLIB32.dll
c:\windows\system32\UODMXFRM.DLL
c:\windows\system32\MLACM.DLL
c:\windows\system32\Skorts.dll
c:\windows\system32\MPSIP32.DLL
c:\windows\system32\WHHEXT.DLL
c:\windows\system32\OYBCJT32.DLL
c:\windows\system32\OIDBSE32.DLL
c:\windows\system32\IORNONCE.DLL
c:\windows\system32\OSBCJI32.DLL
c:\windows\system32\PJCSTORE.DLL
c:\windows\system32\OI30.DLL
c:\windows\system32\mcidntld.dll
c:\windows\system32\SZLAD2.dll
c:\windows\system32\MYREPL40.DLL
c:\windows\system32\DECOBJ.DLL
c:\windows\system32\WXHEXT.DLL
c:\windows\system32\RIABASE.DLL
c:\windows\system32\mdbe.dll
c:\windows\system32\KLUSER.DLL
c:\windows\system32\MPJT3032.DLL
c:\windows\system32\CJC.DLL
c:\windows\system32\OKEDLG.DLL
c:\windows\system32\ICETCPLC.DLL
c:\windows\system32\mqidntld.dll
c:\windows\system32\OME2NLS.DLL
c:\windows\system32\wiadmod.dll
c:\windows\system32\pvbrowse.dll
c:\windows\system32\DAMSRPCN.DLL

After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.
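
Added example, not part of the original thread or of FindIt or Killbox: one way to turn a FindIt-style directory listing into a removal list and to check a follow-up run against it. It groups files that share the same size and timestamp (the pattern visible in the log above), builds full paths from the listing's own "Directory of" line, and diffs two runs. The function names and the threshold of three files are assumptions; the sample rows are excerpted from the logs in this thread.

```python
import re
from collections import defaultdict

# Sample input: rows excerpted from the FindIt logs posted in this thread
# (DOS "dir" output). RUN_2 mirrors the follow-up log, where one name changed.
RUN_1 = r"""
Directory of C:\WINDOWS\SYSTEM

FDWPP DLL 217,088 12-29-04 10:58a FDWPP.DLL
DPMSADSN DLL 217,088 12-29-04 10:58a DPMSADSN.DLL
OSEXL32 DLL 217,088 12-29-04 10:58a OSEXL32.DLL
MVSHRUI DLL 217,088 12-29-04 10:58a MVSHRUI.DLL
FOLDER HTT 13,122 01-23-05 1:48p folder.htt
DESKTOP INI 266 01-23-05 1:48p desktop.ini
6 file(s) 881,740 bytes
"""
RUN_2 = RUN_1.replace("DPMSADSN", "WOVDMOD")

# One listing row: 8.3 name, extension, size, date, time, long file name.
ROW = re.compile(
    r"^\S+\s+\S+\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d\d-\d\d-\d\d)\s+(?P<time>\d{1,2}:\d\d[ap])\s+(?P<name>.+)$"
)
DIR_HEADER = re.compile(r"^Directory of (?P<dir>.+)$")


def parse_listing(text):
    """Return (directory, entries) from a dir-style listing."""
    directory, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = DIR_HEADER.match(line)
        if header:
            directory = header.group("dir").strip()
            continue
        row = ROW.match(line)
        if row:  # summary lines such as "6 file(s) ..." do not match
            entries.append({
                "name": row.group("name").strip().upper(),
                "size": int(row.group("size").replace(",", "")),
                "stamp": row.group("date") + " " + row.group("time"),
            })
    return directory, entries


def suspicious_clusters(entries, min_files=3):
    """Group files by (size, timestamp); keep groups of min_files or more.

    Unrelated system files rarely share both values, so a large group of
    differently named files with one size and one timestamp stands out.
    """
    groups = defaultdict(list)
    for entry in entries:
        groups[(entry["size"], entry["stamp"])].append(entry["name"])
    return {key: sorted(names) for key, names in groups.items()
            if len(names) >= min_files}


def flagged_paths(text, min_files=3):
    """Full paths of clustered files, using the directory the log reports."""
    directory, entries = parse_listing(text)
    names = set()
    for members in suspicious_clusters(entries, min_files).values():
        names.update(members)
    return sorted(directory.rstrip("\\") + "\\" + name for name in names)


def compare_runs(before_text, after_text, min_files=3):
    """Diff the flagged sets of two runs to verify a cleanup attempt."""
    before = set(flagged_paths(before_text, min_files))
    after = set(flagged_paths(after_text, min_files))
    return {
        "still_present": sorted(before & after),
        "gone": sorted(before - after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    for path in flagged_paths(RUN_1):
        print("flagged:", path)
    for label, paths in compare_runs(RUN_1, RUN_2).items():
        print(label, paths)
```

Files listed under "still_present" after a cleanup pass show the removal did not take effect, and a "new" name with the same size and timestamp points to a file that was renamed or recreated rather than removed.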

#7 woovin


Posted 09 February 2005 - 09:43 PM

I did what you told me to. I don't know if this makes a difference or not, but the first time I ran Findit it only took less than 2 seconds to get the log. This time when I ran it, it took about 5 minutes or more. I don't know what the difference was. Also when I did everything you asked for the killbox it never asked me anything about Pending Operations and it never asked me if it wanted me to reboot on its own. I just shut it down and rebooted the computer. I copied and pasted all the files that you told me to into killbox, checked the temp box, and said yes to replace on reboot. Was it ok to c/p the files or did I have to manually find them in a folder? I sure hope I did this right! Anyways, here's the findit log I just ran.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0547-0FEB
Directory of C:\WINDOWS\SYSTEM

FDWPP DLL 217,088 12-29-04 10:58a FDWPP.DLL
WOVDMOD DLL 217,088 12-29-04 10:58a WOVDMOD.DLL
OSEXL32 DLL 217,088 12-29-04 10:58a OSEXL32.DLL
MVSHRUI DLL 217,088 12-29-04 10:58a MVSHRUI.DLL
SLELL DLL 217,088 12-29-04 10:58a SLELL.DLL
MUFS32 DLL 217,088 12-29-04 10:58a MUFS32.DLL
IWETCPLC DLL 217,088 12-29-04 10:58a IWETCPLC.DLL
LJCMP70N DLL 217,088 12-29-04 10:58a LJCMP70n.DLL
LDAIPRPR DLL 217,088 12-29-04 10:58a LDAIPRPR.DLL
ROCMQCL DLL 217,088 12-29-04 10:58a ROCMQCL.DLL
RUSAPI16 DLL 217,088 12-29-04 10:58a RUSAPI16.DLL
TUEMBED DLL 217,088 12-29-04 10:58a tUembed.dll
WTVCORE DLL 217,088 12-29-04 10:58a WTVCORE.DLL
MRJET40 DLL 217,088 12-29-04 10:58a MRJET40.DLL
CYSWPP DLL 217,088 12-29-04 10:58a CYSWPP.DLL
MWINCP16 DLL 217,088 12-29-04 10:58a MWINCP16.DLL
UZIDRV DLL 217,088 12-29-04 10:58a UZIDRV.DLL
RFCMQCL DLL 217,088 12-29-04 10:58a RFCMQCL.DLL
TEEMBED DLL 217,088 12-29-04 10:58a tEembed.dll
OGEACC DLL 217,088 12-29-04 10:58a OGEACC.DLL
ANYCFILT DLL 217,088 12-29-04 10:58a ANYCFILT.DLL
RVCMQCL DLL 217,088 12-29-04 10:58a RVCMQCL.DLL
MTCUIW32 DLL 217,088 12-29-04 10:58a Mtcuiw32.dll
DZRAWEX DLL 217,088 12-29-04 10:58a DZRAWEX.DLL
PPDLIB32 DLL 217,088 12-29-04 10:58a PPDLIB32.dll
UODMXFRM DLL 217,088 12-29-04 10:58a UODMXFRM.DLL
MLACM DLL 217,088 12-29-04 10:58a MLACM.DLL
SKORTS DLL 217,088 12-29-04 10:58a Skorts.dll
MPSIP32 DLL 217,088 12-29-04 10:58a MPSIP32.DLL
WHHEXT DLL 217,088 12-29-04 10:58a WHHEXT.DLL
OYBCJT32 DLL 217,088 12-29-04 10:58a OYBCJT32.DLL
OIDBSE32 DLL 217,088 12-29-04 10:58a OIDBSE32.DLL
IORNONCE DLL 217,088 12-29-04 10:58a IORNONCE.DLL
OSBCJI32 DLL 217,088 12-29-04 10:58a OSBCJI32.DLL
PJCSTORE DLL 217,088 12-29-04 10:58a PJCSTORE.DLL
OI30 DLL 217,088 12-29-04 10:58a OI30.DLL
MCIDNTLD DLL 217,088 12-29-04 10:58a mcidntld.dll
SZLAD2 DLL 217,088 12-29-04 10:58a SZLAD2.dll
MYREPL40 DLL 217,088 12-29-04 10:58a MYREPL40.DLL
DECOBJ DLL 217,088 12-29-04 10:58a DECOBJ.DLL
WXHEXT DLL 217,088 12-29-04 10:58a WXHEXT.DLL
RIABASE DLL 217,088 12-29-04 10:58a RIABASE.DLL
MDBE DLL 217,088 12-29-04 10:58a mdbe.dll
KLUSER DLL 217,088 12-29-04 10:58a KLUSER.DLL
MPJT3032 DLL 217,088 12-29-04 10:58a MPJT3032.DLL
CJC DLL 217,088 12-29-04 10:58a CJC.DLL
OKEDLG DLL 217,088 12-29-04 10:58a OKEDLG.DLL
ICETCPLC DLL 217,088 12-29-04 10:58a ICETCPLC.DLL
MQIDNTLD DLL 217,088 12-29-04 10:58a mqidntld.dll
OME2NLS DLL 217,088 12-29-04 10:58a OME2NLS.DLL
WIADMOD DLL 217,088 12-29-04 10:58a wiadmod.dll
PVBROWSE DLL 217,088 12-29-04 10:58a pvbrowse.dll
DAMSRPCN DLL 217,088 12-29-04 10:58a DAMSRPCN.DLL
53 file(s) 11,505,664 bytes
0 dir(s) 6,008.92 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0547-0FEB
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 01-23-05 1:48p folder.htt
DESKTOP INI 266 01-23-05 1:48p desktop.ini
LXAIMA GID 45,735 03-26-04 11:05a lxaima.GID
EPIUIE3N GID 10,832 11-05-01 3:08p EPIUIE3N.GID
4 file(s) 69,955 bytes
0 dir(s) 6,008.91 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E180DF60-7ABC-11D9-B8B0-8C62E9FB182C}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
fdwpp.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wovdmod.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
folder.htt Sun Jan 23 2005 1:48:56p ...H. 13,122 12.81 K
osexl32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mvshrui.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
desktop.ini Sun Jan 23 2005 1:48:56p ...H. 266 0.26 K
slell.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mufs32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
iwetcplc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ljcmp70n.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ldaiprpr.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rocmqcl.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rusapi16.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
tuembed.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wtvcore.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mrjet40.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
cyswpp.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mwincp16.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
uzidrv.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rfcmqcl.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
teembed.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ogeacc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
anycfilt.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rvcmqcl.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mtcuiw32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
dzrawex.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ppdlib32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
uodmxfrm.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mlacm.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
skorts.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mpsip32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
whhext.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
oybcjt32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
oidbse32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
iornonce.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
osbcji32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
pjcstore.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
oi30.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mcidntld.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
szlad2.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
myrepl40.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
decobj.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wxhext.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
riabase.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mdbe.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
kluser.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mpjt3032.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
cjc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
okedlg.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
icetcplc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mqidntld.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ome2nls.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wiadmod.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
pvbrowse.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
damsrpcn.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K

55 items found: 55 files, 0 directories.
Total of file sizes: 11,519,052 bytes 10.98 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\ttegna.dll: excl_urls=[domain list omitted]
C:\WINDOWS\uubaiz.dll: updates.qoologic.com
C:\WINDOWS\mmwqlp.exe: updates.qoologic.com
C:\WINDOWS\zzoplg.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\installer.exe: .aspack
C:\WINDOWS\yybvwq.dat: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\FDWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\WOVDMOD.DLL: UMonitor
C:\WINDOWS\SYSTEM\OSEXL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MVSHRUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\ipebase12.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
C:\WINDOWS\SYSTEM\SLELL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MUFS32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IWETCPLC.DLL: UMonitor
C:\WINDOWS\SYSTEM\LJCMP70n.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLVCIRT.DLL: UMonitor
C:\WINDOWS\SYSTEM\LDAIPRPR.DLL: UMonitor
C:\WINDOWS\SYSTEM\ROCMQCL.DLL: UMonitor
C:\WINDOWS\SYSTEM\RUSAPI16.DLL: UMonitor
C:\WINDOWS\SYSTEM\tUembed.dll: UMonitor
C:\WINDOWS\SYSTEM\WTVCORE.DLL: UMonitor
C:\WINDOWS\SYSTEM\MRJET40.DLL: UMonitor
C:\WINDOWS\SYSTEM\CYSWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWINCP16.DLL: UMonitor
C:\WINDOWS\SYSTEM\UZIDRV.DLL: UMonitor
C:\WINDOWS\SYSTEM\RFCMQCL.DLL: UMonitor
C:\WINDOWS\SYSTEM\tEembed.dll: UMonitor
C:\WINDOWS\SYSTEM\OGEACC.DLL: UMonitor
C:\WINDOWS\SYSTEM\ANYCFILT.DLL: UMonitor
C:\WINDOWS\SYSTEM\RVCMQCL.DLL: UMonitor
C:\WINDOWS\SYSTEM\Mtcuiw32.dll: UMonitor
C:\WINDOWS\SYSTEM\DZRAWEX.DLL: UMonitor
C:\WINDOWS\SYSTEM\PPDLIB32.dll: UMonitor
C:\WINDOWS\SYSTEM\UODMXFRM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLACM.DLL: UMonitor
C:\WINDOWS\SYSTEM\Skorts.dll: UMonitor
C:\WINDOWS\SYSTEM\MPSIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\WHHEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYBCJT32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OIDBSE32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IORNONCE.DLL: UMonitor
C:\WINDOWS\SYSTEM\OSBCJI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\PJCSTORE.DLL: UMonitor
C:\WINDOWS\SYSTEM\OI30.DLL: UMonitor
C:\WINDOWS\SYSTEM\mcidntld.dll: UMonitor
C:\WINDOWS\SYSTEM\SZLAD2.dll: UMonitor
C:\WINDOWS\SYSTEM\MYREPL40.DLL: UMonitor
C:\WINDOWS\SYSTEM\DECOBJ.DLL: UMonitor
C:\WINDOWS\SYSTEM\WXHEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\RIABASE.DLL: UMonitor
C:\WINDOWS\SYSTEM\mdbe.dll: UMonitor
C:\WINDOWS\SYSTEM\KLUSER.DLL: UMonitor
C:\WINDOWS\SYSTEM\MPJT3032.DLL: UMonitor
C:\WINDOWS\SYSTEM\CJC.DLL: UMonitor
C:\WINDOWS\SYSTEM\OKEDLG.DLL: UMonitor
C:\WINDOWS\SYSTEM\ICETCPLC.DLL: UMonitor
C:\WINDOWS\SYSTEM\mqidntld.dll: UMonitor
C:\WINDOWS\SYSTEM\OME2NLS.DLL: UMonitor
C:\WINDOWS\SYSTEM\wiadmod.dll: UMonitor
C:\WINDOWS\SYSTEM\pvbrowse.dll: UMonitor
C:\WINDOWS\SYSTEM\DAMSRPCN.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"
"ntechin"="C:\\N20050308.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:39 AM

Posted 09 February 2005 - 10:20 PM

Let's try this a bit differently. Reboot your computer, and press F8 when it starts Windows. Then choose Command Prompt Only.

At the command prompt delete each of the following files:

c:\windows\system\fdwpp.dll
c:\windows\system\wovdmod.dll
c:\windows\system\osexl32.dll
c:\windows\system\mvshrui.dll
c:\windows\system\slell.dll
c:\windows\system\mufs32.dll
c:\windows\system\iwetcplc.dll
c:\windows\system\ljcmp70n.dll
c:\windows\system\ldaiprpr.dll
c:\windows\system\rocmqcl.dll
c:\windows\system\rusapi16.dll
c:\windows\system\tuembed.dll
c:\windows\system\wtvcore.dll
c:\windows\system\mrjet40.dll
c:\windows\system\cyswpp.dll
c:\windows\system\mwincp16.dll
c:\windows\system\uzidrv.dll
c:\windows\system\rfcmqcl.dll
c:\windows\system\teembed.dll
c:\windows\system\ogeacc.dll
c:\windows\system\anycfilt.dll
c:\windows\system\rvcmqcl.dll
c:\windows\system\mtcuiw32.dll
c:\windows\system\dzrawex.dll
c:\windows\system\ppdlib32.dll
c:\windows\system\uodmxfrm.dll
c:\windows\system\mlacm.dll
c:\windows\system\skorts.dll
c:\windows\system\mpsip32.dll
c:\windows\system\whhext.dll
c:\windows\system\oybcjt32.dll
c:\windows\system\oidbse32.dll
c:\windows\system\iornonce.dll
c:\windows\system\osbcji32.dll
c:\windows\system\pjcstore.dll
c:\windows\system\oi30.dll
c:\windows\system\mcidntld.dll
c:\windows\system\szlad2.dll
c:\windows\system\myrepl40.dll
c:\windows\system\decobj.dll
c:\windows\system\wxhext.dll
c:\windows\system\riabase.dll
c:\windows\system\mdbe.dll
c:\windows\system\kluser.dll
c:\windows\system\mpjt3032.dll
c:\windows\system\cjc.dll
c:\windows\system\okedlg.dll
c:\windows\system\icetcplc.dll
c:\windows\system\mqidntld.dll
c:\windows\system\ome2nls.dll
c:\windows\system\wiadmod.dll
c:\windows\system\pvbrowse.dll
c:\windows\system\damsrpcn.dll


To delete a file simply type:

del filename

and press enter.

For example:

del c:\windows\system\damsrpcn.dll

and press enter.

When you are done deleting all of these, reboot and post a new findit log.

#9 woovin

woovin
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Location:Oregon
  • Local time:10:39 AM

Posted 09 February 2005 - 11:16 PM

After several tries and finally taping a huge "Stupid" sign on my forehead I decided to contact you again to see what I'm messing up this time. I went to the command prompt only. Then I typed in del c:\windows\system\fdwpp.dll. When I clicked on enter it came up as file not found. I typed in quite a few from the list you gave me and all of them came up the same way. Then when I got back into Windows I manually searched for these dll's and they were right there in the system folder. I didn't do anything to them. I'm just wondering why they were coming up as not found on the command prompt, but they're in the system folder.

#10 Grinler

Posted 10 February 2005 - 09:46 AM

Are you getting a message similar to this:

'delc:' is not recognized as an internal or external command,
operable program or batch file.


Or similar to this:

Could Not Find C:\asd.txt

#11 woovin

Posted 11 February 2005 - 12:58 AM

No. All it said underneath the file I typed in was "File not found". That was it.

#12 Grinler

Posted 11 February 2005 - 02:01 PM

Download the attached file to the c:\ drive. Reboot to the command prompt again and type c:\dellm2.bat

Then reboot and post a new findit log.

#13 woovin

Posted 13 February 2005 - 03:43 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0547-0FEB
Directory of C:\WINDOWS\SYSTEM

FDWPP DLL 217,088 12-29-04 10:58a FDWPP.DLL
DKMODEMX DLL 217,088 12-29-04 10:58a DKMODEMX.DLL
OSEXL32 DLL 217,088 12-29-04 10:58a OSEXL32.DLL
MVSHRUI DLL 217,088 12-29-04 10:58a MVSHRUI.DLL
SLELL DLL 217,088 12-29-04 10:58a SLELL.DLL
MUFS32 DLL 217,088 12-29-04 10:58a MUFS32.DLL
IWETCPLC DLL 217,088 12-29-04 10:58a IWETCPLC.DLL
LJCMP70N DLL 217,088 12-29-04 10:58a LJCMP70n.DLL
LDAIPRPR DLL 217,088 12-29-04 10:58a LDAIPRPR.DLL
ROCMQCL DLL 217,088 12-29-04 10:58a ROCMQCL.DLL
RUSAPI16 DLL 217,088 12-29-04 10:58a RUSAPI16.DLL
TUEMBED DLL 217,088 12-29-04 10:58a tUembed.dll
WTVCORE DLL 217,088 12-29-04 10:58a WTVCORE.DLL
MRJET40 DLL 217,088 12-29-04 10:58a MRJET40.DLL
CYSWPP DLL 217,088 12-29-04 10:58a CYSWPP.DLL
MWINCP16 DLL 217,088 12-29-04 10:58a MWINCP16.DLL
UZIDRV DLL 217,088 12-29-04 10:58a UZIDRV.DLL
RFCMQCL DLL 217,088 12-29-04 10:58a RFCMQCL.DLL
TEEMBED DLL 217,088 12-29-04 10:58a tEembed.dll
OGEACC DLL 217,088 12-29-04 10:58a OGEACC.DLL
ANYCFILT DLL 217,088 12-29-04 10:58a ANYCFILT.DLL
RVCMQCL DLL 217,088 12-29-04 10:58a RVCMQCL.DLL
MTCUIW32 DLL 217,088 12-29-04 10:58a Mtcuiw32.dll
DZRAWEX DLL 217,088 12-29-04 10:58a DZRAWEX.DLL
PPDLIB32 DLL 217,088 12-29-04 10:58a PPDLIB32.dll
UODMXFRM DLL 217,088 12-29-04 10:58a UODMXFRM.DLL
MLACM DLL 217,088 12-29-04 10:58a MLACM.DLL
SKORTS DLL 217,088 12-29-04 10:58a Skorts.dll
MPSIP32 DLL 217,088 12-29-04 10:58a MPSIP32.DLL
WHHEXT DLL 217,088 12-29-04 10:58a WHHEXT.DLL
OYBCJT32 DLL 217,088 12-29-04 10:58a OYBCJT32.DLL
OIDBSE32 DLL 217,088 12-29-04 10:58a OIDBSE32.DLL
IORNONCE DLL 217,088 12-29-04 10:58a IORNONCE.DLL
OSBCJI32 DLL 217,088 12-29-04 10:58a OSBCJI32.DLL
PJCSTORE DLL 217,088 12-29-04 10:58a PJCSTORE.DLL
OI30 DLL 217,088 12-29-04 10:58a OI30.DLL
MCIDNTLD DLL 217,088 12-29-04 10:58a mcidntld.dll
SZLAD2 DLL 217,088 12-29-04 10:58a SZLAD2.dll
MYREPL40 DLL 217,088 12-29-04 10:58a MYREPL40.DLL
DECOBJ DLL 217,088 12-29-04 10:58a DECOBJ.DLL
WXHEXT DLL 217,088 12-29-04 10:58a WXHEXT.DLL
RIABASE DLL 217,088 12-29-04 10:58a RIABASE.DLL
MDBE DLL 217,088 12-29-04 10:58a mdbe.dll
KLUSER DLL 217,088 12-29-04 10:58a KLUSER.DLL
MPJT3032 DLL 217,088 12-29-04 10:58a MPJT3032.DLL
CJC DLL 217,088 12-29-04 10:58a CJC.DLL
OKEDLG DLL 217,088 12-29-04 10:58a OKEDLG.DLL
ICETCPLC DLL 217,088 12-29-04 10:58a ICETCPLC.DLL
MQIDNTLD DLL 217,088 12-29-04 10:58a mqidntld.dll
OME2NLS DLL 217,088 12-29-04 10:58a OME2NLS.DLL
WIADMOD DLL 217,088 12-29-04 10:58a wiadmod.dll
PVBROWSE DLL 217,088 12-29-04 10:58a pvbrowse.dll
DAMSRPCN DLL 217,088 12-29-04 10:58a DAMSRPCN.DLL
LNGIF70N DLL 217,088 12-29-04 10:58a lngif70n.dll
CKCFG32 DLL 217,088 12-29-04 10:58a CKCFG32.DLL
55 file(s) 11,939,840 bytes
0 dir(s) 5,992.45 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0547-0FEB
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 01-23-05 1:48p folder.htt
DESKTOP INI 266 01-23-05 1:48p desktop.ini
LXAIMA GID 45,735 03-26-04 11:05a lxaima.GID
EPIUIE3N GID 10,832 11-05-01 3:08p EPIUIE3N.GID
4 file(s) 69,955 bytes
0 dir(s) 5,992.45 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E180DF60-7ABC-11D9-B8B0-8C62E9FB182C}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
fdwpp.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
dkmodemx.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
folder.htt Sun Jan 23 2005 1:48:56p ...H. 13,122 12.81 K
osexl32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mvshrui.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
desktop.ini Sun Jan 23 2005 1:48:56p ...H. 266 0.26 K
slell.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mufs32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
iwetcplc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ljcmp70n.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ldaiprpr.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rocmqcl.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rusapi16.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
tuembed.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wtvcore.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mrjet40.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
cyswpp.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mwincp16.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
uzidrv.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rfcmqcl.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
teembed.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ogeacc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
anycfilt.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
rvcmqcl.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mtcuiw32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
dzrawex.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ppdlib32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
uodmxfrm.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mlacm.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
skorts.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mpsip32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
whhext.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
oybcjt32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
oidbse32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
iornonce.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
osbcji32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
pjcstore.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
oi30.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mcidntld.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
szlad2.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
myrepl40.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
decobj.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wxhext.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
riabase.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mdbe.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
kluser.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mpjt3032.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
cjc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
okedlg.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
icetcplc.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
mqidntld.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ome2nls.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
wiadmod.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
pvbrowse.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
damsrpcn.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
lngif70n.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
ckcfg32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K

57 items found: 57 files, 0 directories.
Total of file sizes: 11,953,228 bytes 11.40 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\ttegna.dll: excl_urls=[list of domains removed]
C:\WINDOWS\uubaiz.dll: updates.qoologic.com
C:\WINDOWS\mmwqlp.exe: updates.qoologic.com
C:\WINDOWS\zzoplg.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\oorkvy.exe: .aspack
C:\WINDOWS\installer.exe: .aspack
C:\WINDOWS\yybvwq.dat: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\pptnky.exe: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\FDWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\DKMODEMX.DLL: UMonitor
C:\WINDOWS\SYSTEM\OSEXL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MVSHRUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\ipebase12.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
C:\WINDOWS\SYSTEM\SLELL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MUFS32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IWETCPLC.DLL: UMonitor
C:\WINDOWS\SYSTEM\LJCMP70n.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLVCIRT.DLL: UMonitor
C:\WINDOWS\SYSTEM\LDAIPRPR.DLL: UMonitor
C:\WINDOWS\SYSTEM\ROCMQCL.DLL: UMonitor
C:\WINDOWS\SYSTEM\RUSAPI16.DLL: UMonitor
C:\WINDOWS\SYSTEM\tUembed.dll: UMonitor
C:\WINDOWS\SYSTEM\WTVCORE.DLL: UMonitor
C:\WINDOWS\SYSTEM\MRJET40.DLL: UMonitor
C:\WINDOWS\SYSTEM\CYSWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWINCP16.DLL: UMonitor
C:\WINDOWS\SYSTEM\UZIDRV.DLL: UMonitor
C:\WINDOWS\SYSTEM\RFCMQCL.DLL: UMonitor
C:\WINDOWS\SYSTEM\tEembed.dll: UMonitor
C:\WINDOWS\SYSTEM\OGEACC.DLL: UMonitor
C:\WINDOWS\SYSTEM\ANYCFILT.DLL: UMonitor
C:\WINDOWS\SYSTEM\RVCMQCL.DLL: UMonitor
C:\WINDOWS\SYSTEM\Mtcuiw32.dll: UMonitor
C:\WINDOWS\SYSTEM\DZRAWEX.DLL: UMonitor
C:\WINDOWS\SYSTEM\PPDLIB32.dll: UMonitor
C:\WINDOWS\SYSTEM\UODMXFRM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLACM.DLL: UMonitor
C:\WINDOWS\SYSTEM\Skorts.dll: UMonitor
C:\WINDOWS\SYSTEM\MPSIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\WHHEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYBCJT32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OIDBSE32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IORNONCE.DLL: UMonitor
C:\WINDOWS\SYSTEM\OSBCJI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\PJCSTORE.DLL: UMonitor
C:\WINDOWS\SYSTEM\OI30.DLL: UMonitor
C:\WINDOWS\SYSTEM\mcidntld.dll: UMonitor
C:\WINDOWS\SYSTEM\SZLAD2.dll: UMonitor
C:\WINDOWS\SYSTEM\MYREPL40.DLL: UMonitor
C:\WINDOWS\SYSTEM\DECOBJ.DLL: UMonitor
C:\WINDOWS\SYSTEM\WXHEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\RIABASE.DLL: UMonitor
C:\WINDOWS\SYSTEM\mdbe.dll: UMonitor
C:\WINDOWS\SYSTEM\KLUSER.DLL: UMonitor
C:\WINDOWS\SYSTEM\MPJT3032.DLL: UMonitor
C:\WINDOWS\SYSTEM\CJC.DLL: UMonitor
C:\WINDOWS\SYSTEM\OKEDLG.DLL: UMonitor
C:\WINDOWS\SYSTEM\ICETCPLC.DLL: UMonitor
C:\WINDOWS\SYSTEM\mqidntld.dll: UMonitor
C:\WINDOWS\SYSTEM\OME2NLS.DLL: UMonitor
C:\WINDOWS\SYSTEM\wiadmod.dll: UMonitor
C:\WINDOWS\SYSTEM\pvbrowse.dll: UMonitor
C:\WINDOWS\SYSTEM\DAMSRPCN.DLL: UMonitor
C:\WINDOWS\SYSTEM\lngif70n.dll: UMonitor
C:\WINDOWS\SYSTEM\CKCFG32.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"Narrator"="C:\\WINDOWS\\oorkvy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
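
The Locate.com listing in post #13 shows dozens of DLLs in C:\WINDOWS\SYSTEM with the same size and timestamp, all flagged ..S.R. The sketch below is an added example (not part of the thread, and not the contents of the attached batch file) that parses that listing, groups files sharing size and timestamp, and reports which attribute flags are set. Reading S, H and R as System, Hidden and Read-only is an assumption about Locate.com's attribute column, and the `min_files` threshold is arbitrary.

```python
import re
from collections import defaultdict

# Lines excerpted from the "Locate.com Results" section of the log in post #13.
SAMPLE_LOG = """\
C:\\WINDOWS\\SYSTEM\\
fdwpp.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
dkmodemx.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
folder.htt Sun Jan 23 2005 1:48:56p ...H. 13,122 12.81 K
osexl32.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K
desktop.ini Sun Jan 23 2005 1:48:56p ...H. 266 0.26 K
slell.dll Wed Dec 29 2004 10:58:32a ..S.R 217,088 212.00 K

57 items found: 57 files, 0 directories.
"""

# name, weekday, "Mon DD YYYY h:mm:ss[a|p]", 5-char attribute column, size in bytes
ROW = re.compile(
    r"^(?P<name>\S+)\s+\w{3}\s+"
    r"(?P<stamp>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)


def parse_rows(log_text):
    """Return one dict per file row; directory headers and summary lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "name": m["name"],
                "stamp": " ".join(m["stamp"].split()),  # normalise spacing
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
            })
    return rows


def identical_clusters(rows, min_files=4):
    """Group files by (size, timestamp); many unrelated names sharing both is abnormal."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["size"], row["stamp"])].append(row)
    return {key: grp for key, grp in groups.items() if len(grp) >= min_files}


def attributes_to_clear(row):
    """Attribute letters set on the file (assumed: S=System, H=Hidden, R=Read-only)."""
    return [flag for flag in "SHR" if flag in row["attrs"]]


if __name__ == "__main__":
    for (size, stamp), grp in identical_clusters(parse_rows(SAMPLE_LOG)).items():
        print(f"{len(grp)} files of {size} bytes stamped {stamp}:")
        for row in grp:
            print(f"  {row['name']:<14} attributes set: {attributes_to_clear(row)}")
```

The DOS `del` command skips files that carry the System or Hidden attribute, which matches the "File not found" result reported in post #9 for files that were visible from within Windows.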



#14 Grinler

Posted 13 February 2005 - 08:50 PM

Download the attached bat file to your desktop and run it. It's been updated, so don't use the old one.

#15 woovin

Posted 14 February 2005 - 12:57 PM

I d/l it and clicked on it and all that came up was c:\WINDOWS\Desktop>

Is that all I'm supposed to do?



