
please help se.dll about.blank and others


  • This topic is locked
28 replies to this topic

#1 knish

Posted 13 March 2005 - 04:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:29:51 PM, on 03/13/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {F0423F7F-93D9-11D9-8575-0050AF36ECBB} - C:\WINDOWS\SYSTEM\DFCF.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\SYSTEM\EZPOPSTUB.EXE /UninstPOP2 C:\Program Files\Web Offer
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n6/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.u-239.com/6c64734d/msits.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O18 - Filter: text/html - {33FF0D80-8F02-11D9-8575-0050E316B8FC} - C:\WINDOWS\SYSTEM\DFCF.DLL
O18 - Filter: text/plain - {33FF0D80-8F02-11D9-8575-0050E316B8FC} - C:\WINDOWS\SYSTEM\DFCF.DLL

#2 miekiemoes

  • Malware Response Team

Posted 13 March 2005 - 05:45 PM

Hi there, nice collection there..
First we are going to get rid of the se.dll and then we take the Look2Me.
I'm already going to tell you this is going to be a long removal procedure.
So it is really important you follow all the orders I give.

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

Download: http://www.derbilk.de/SpSeHjfix_Beta7.zip
Unzip it and place it on your desktop.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {F0423F7F-93D9-11D9-8575-0050AF36ECBB} - C:\WINDOWS\SYSTEM\DFCF.DLL
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\SYSTEM\EZPOPSTUB.EXE /UninstPOP2 C:\Program Files\Web Offer
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n6/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.u-239.com/6c64734d/msits.exe
O18 - Filter: text/html - {33FF0D80-8F02-11D9-8575-0050E316B8FC} - C:\WINDOWS\SYSTEM\DFCF.DLL
O18 - Filter: text/plain - {33FF0D80-8F02-11D9-8575-0050E316B8FC} - C:\WINDOWS\SYSTEM\DFCF.DLL


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\SYSTEM\WSXSVC <==this folder
C:\WINDOWS\SYSTEM\VMSS <== this folder
C:\PROGRAM FILES\VBOUNCER <== this folder
C:\WINDOWS\SYSTEM\EZPOPSTUB.EXE
C:\Program Files\Web Offer <== this folder

* Start CCleaner and click Run Cleaner

* Double-click SpSeHjfix_Beta.exe and click Start disinfection.

Reboot back to normal mode.

Post the log you will get from SpSeHjfix_Beta.exe (it is in the same folder where SpSeHjfix_Beta.exe is present) together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 knish


Posted 13 March 2005 - 06:38 PM

Thanks for your help. I ran into one error with 01 hosts where hijack couldn't remove the file; here are the new logs:



03/13/2005 6:43:39 PM SPSeHjFix started v1.07
03/13/2005 6:43:40 PM OS: Win98SE A (4.10.67766446)
03/13/2005 6:43:40 PM Bad-Dll(IEP): (not found)
03/13/2005 6:43:40 PM BHO-DLL: (not found)
03/13/2005 6:43:40 PM Searchassistant Unintaller found
03/13/2005 6:43:40 PM Searchassistant Unintaller - Keys Deleted
03/13/2005 6:43:40 PM UBF: 4
03/13/2005 6:43:40 PM UBB: 0
03/13/2005 6:43:40 PM UBR: 13
03/13/2005 6:43:40 PM Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank

Logfile of HijackThis v1.99.1
Scan saved at 6:47:19 PM, on 03/13/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

#4 miekiemoes


Posted 13 March 2005 - 06:43 PM

Looks better now, but not done yet.. I also see that spydeleter won't get fixed too in your log (O9), but that's for later.
Now, we will handle the O1's... and that's the big job.

Download http://lineofire.geekstogo.com/FindIt%209x-ME.zip
Unzip it and double click on FindIt9xME.bat
Let it run (this will take a while)
Post the log it produces afterwards.

#5 miekiemoes


Posted 13 March 2005 - 06:58 PM

Hmm.. link doesn't work.

Download it here: http://main.thatcomputerguy.us/modules/wfd...php?cid=5&lid=3

#6 knish


Posted 13 March 2005 - 07:00 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is C DRIVE
Volume Serial Number is 275D-18E5
Directory of C:\WINDOWS\SYSTEM

123 file(s) 27,457,512 bytes
0 dir(s) 16,866.08 MB free

------- Hidden Files in System Directory -------


Volume in drive C is C DRIVE
Volume Serial Number is 275D-18E5
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 890 13/03/05 18:44 vsconfig.xml
ZLLICTBL DAT 4,212 07/03/05 20:28 zllictbl.dat
BJC4000 GID 8,628 15/11/04 11:36 BJC4000.GID
CJ1000 GID 12,909 18/12/03 0:33 CJ1000.GID
NTICDM~1 DLL 114 06/03/03 21:53 NTICDMK32.dll
FOLDER HTT 13,122 20/02/03 19:50 folder.htt
DESKTOP INI 266 20/02/03 19:50 desktop.ini
ATI98DEF GID 10,844 13/02/03 18:50 ati98def.GID
8 file(s) 50,985 bytes
0 dir(s) 16,866.06 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0C593FE9-697A-3B3F-B134-D6A717BBDF4F}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
awvpack.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
abdenc32.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
msg200~1.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
mtvideo.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
musign32.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
mcvcp50.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
qsap.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
mppbde40.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
ope2conv.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
mgxoci.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
aydenc32.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
nttapi.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
mdr2cenu.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K
mnsign32.dll Sun 30 Jan 2005 18:39:22 ..S.R 222,568 217.35 K

125 items found: 125 files, 0 directories.
Total of file sizes: 27,462,614 bytes 26.19 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------




#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:24 PM

Posted 14 March 2005 - 04:35 AM

Nice collection.
Seems like you are having both versions of Look2Me.

Ok, here we go...

* Download and unzip Killbox. <==this is the new version, so if you have an older version of it, please download this one:
Click killbox.exe.
Select the option Replace on Reboot and check the "Use Dummy" box.

Now copy the following lines in bold:

C:\WINDOWS\SYSTEM\MECXDD16.DLL
C:\WINDOWS\SYSTEM\AHIPITA.DLL
C:\WINDOWS\SYSTEM\MEIMUSIC.DLL
C:\WINDOWS\SYSTEM\DFSPDIB.DLL
C:\WINDOWS\SYSTEM\AOVIEW32.DLL
C:\WINDOWS\SYSTEM\INS.DLL
C:\WINDOWS\SYSTEM\ILGCMN.DLL
C:\WINDOWS\SYSTEM\MXPP32.DLL
C:\WINDOWS\SYSTEM\PKNMAP.DLL
C:\WINDOWS\SYSTEM\DRLAY.DLL
C:\WINDOWS\SYSTEM\MUVIDEO.DLL
C:\WINDOWS\SYSTEM\HYINK.DLL
C:\WINDOWS\SYSTEM\DGKAPI16.DLL
C:\WINDOWS\SYSTEM\OKESVR32.DLL
C:\WINDOWS\SYSTEM\ONEPRO32.DLL
C:\WINDOWS\SYSTEM\MTRD2X40.DLL
C:\WINDOWS\SYSTEM\DADIM.DLL
C:\WINDOWS\SYSTEM\MOIEFTP.DLL
C:\WINDOWS\SYSTEM\STDOC401.DLL
C:\WINDOWS\SYSTEM\MEMIXMGR.DLL
C:\WINDOWS\SYSTEM\DFUSIC16.DLL
C:\WINDOWS\SYSTEM\XINROLL.DLL
C:\WINDOWS\SYSTEM\mzidle.dll
C:\WINDOWS\SYSTEM\hoinv.dll
C:\WINDOWS\SYSTEM\dysync.dll
C:\WINDOWS\SYSTEM\NkSWAN32.DLL
C:\WINDOWS\SYSTEM\lqcmgr10.dll
C:\WINDOWS\SYSTEM\mijetoledb40.dll
C:\WINDOWS\SYSTEM\damap.dll
C:\WINDOWS\SYSTEM\CpGWIZ.DLL
C:\WINDOWS\SYSTEM\DJSBASE.DLL
C:\WINDOWS\SYSTEM\DQUSIC.DLL
C:\WINDOWS\SYSTEM\QHGR.DLL
C:\WINDOWS\SYSTEM\JYT.DLL
C:\WINDOWS\SYSTEM\WKNINET.DLL
C:\WINDOWS\SYSTEM\BTOWSEWM.DLL
C:\WINDOWS\SYSTEM\MRSIGN32.DLL
C:\WINDOWS\SYSTEM\DgCNDI.DLL
C:\WINDOWS\SYSTEM\CXMCAT.DLL
C:\WINDOWS\SYSTEM\PkPNDI.DLL
C:\WINDOWS\SYSTEM\MKSTKPRP.DLL
C:\WINDOWS\SYSTEM\MUR2C.DLL
C:\WINDOWS\SYSTEM\jiaw400.dll
C:\WINDOWS\SYSTEM\DNOUND.DLL
C:\WINDOWS\SYSTEM\IARNONCE.DLL
C:\WINDOWS\SYSTEM\DNUSIC32.DLL
C:\WINDOWS\SYSTEM\AADENC32.DLL
C:\WINDOWS\SYSTEM\IBAGEHLP.DLL
C:\WINDOWS\SYSTEM\APICAP.DLL
C:\WINDOWS\SYSTEM\SGORAGE.DLL
C:\WINDOWS\SYSTEM\MQNSSPC.DLL
C:\WINDOWS\SYSTEM\DFDXOF.DLL
C:\WINDOWS\SYSTEM\II50_QCX.DLL
C:\WINDOWS\SYSTEM\DGKAPI32.DLL
C:\WINDOWS\SYSTEM\CJMPOBJ.DLL
C:\WINDOWS\SYSTEM\DPIME.DLL
C:\WINDOWS\SYSTEM\NWSWAN32.DLL
C:\WINDOWS\SYSTEM\RHATHUNK.DLL
C:\WINDOWS\SYSTEM\FUAMEBUF.DLL
C:\WINDOWS\SYSTEM\CWL3D32.DLL
C:\WINDOWS\SYSTEM\jqaw400.dll
C:\WINDOWS\SYSTEM\NZSWAN32.DLL
C:\WINDOWS\SYSTEM\MWVBVM50.DLL
C:\WINDOWS\SYSTEM\SUCUR32.DLL
C:\WINDOWS\SYSTEM\wtadmod.dll
C:\WINDOWS\SYSTEM\PdPNDI.DLL
C:\WINDOWS\SYSTEM\DPTMSFT.DLL
C:\WINDOWS\SYSTEM\lDprxy.dll
C:\WINDOWS\SYSTEM\dvwave.dll
C:\WINDOWS\SYSTEM\ikwphbk.dll
C:\WINDOWS\SYSTEM\PFWRPROF.DLL
C:\WINDOWS\SYSTEM\WGW32.DLL
C:\WINDOWS\SYSTEM\ICGUTIL.DLL
C:\WINDOWS\SYSTEM\wrasf.dll
C:\WINDOWS\SYSTEM\dvcore.dll
C:\WINDOWS\SYSTEM\UGBUI.DLL
C:\WINDOWS\SYSTEM\NvSWAN16.DLL
C:\WINDOWS\SYSTEM\DCGSIG.DLL
C:\WINDOWS\SYSTEM\IZMUPG.DLL
C:\WINDOWS\SYSTEM\AWIVTVPM.DLL
C:\WINDOWS\SYSTEM\IBROP.DLL
C:\WINDOWS\SYSTEM\MBTCP.DLL
C:\WINDOWS\SYSTEM\RFASIG.DLL
C:\WINDOWS\SYSTEM\KGJNLLIB.DLL
C:\WINDOWS\SYSTEM\ATDENC32.DLL
C:\WINDOWS\SYSTEM\MUPI.DLL
C:\WINDOWS\SYSTEM\mzoeacct.dll
C:\WINDOWS\SYSTEM\mescp.dll
C:\WINDOWS\SYSTEM\MJ3216.DLL
C:\WINDOWS\SYSTEM\mpwebdvd.dll
C:\WINDOWS\SYSTEM\DDSPEX.DLL
C:\WINDOWS\SYSTEM\awvpack.dll
C:\WINDOWS\SYSTEM\ABDENC32.DLL
C:\WINDOWS\SYSTEM\msg200.cpy.dll
C:\WINDOWS\SYSTEM\MTVIDEO.DLL
C:\WINDOWS\SYSTEM\MUSIGN32.DLL
C:\WINDOWS\SYSTEM\MCVCP50.DLL
C:\WINDOWS\SYSTEM\QSAP.DLL
C:\WINDOWS\SYSTEM\MPPBDE40.DLL
C:\WINDOWS\SYSTEM\OPE2CONV.DLL
C:\WINDOWS\SYSTEM\MGXOCI.DLL
C:\WINDOWS\SYSTEM\AYDENC32.DLL
C:\WINDOWS\SYSTEM\NtTAPI.DLL
C:\WINDOWS\SYSTEM\MDR2CENU.DLL
C:\WINDOWS\SYSTEM\MNSIGN32.DLL


Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, all these must be there together!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to Reboot now, click YES.
(If you don't get the prompt "Would you like to reboot now", reboot manually!)

Your computer must reboot now.

Ignore the errors you get... this is normal.

When rebooted, open killbox again, choose file on top and select: Delete all dummy files.
Then, choose Tools on top and select: Delete Temp Files.

Run FindIt again and post a new log here.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 miekiemoes

Posted 14 March 2005 - 06:52 AM

Hmmm.. doesn't seem to work always, copying and pasting so many together. It works for a few though.. Just try it.. if not, I advise here to copy and paste each line separately in the field 'Full Path of File to Delete'
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click NO (if asked)

Click yes.. or reboot when you have copied and pasted the last line in it.

Edited by miekiemoes, 14 March 2005 - 06:59 AM.

#9 knish

knish
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 15 March 2005 - 06:29 PM

I think se.dll is back again, I'll try to go through the steps again to remove

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is C DRIVE
Volume Serial Number is 275D-18E5
Directory of C:\WINDOWS\SYSTEM

MVAWT DLL 227,104 08/03/05 23:14 MVAWT.DLL
MLSIGN32 DLL 227,104 08/03/05 23:14 MLSIGN32.DLL
WX5INF32 DLL 227,104 08/03/05 23:14 WX5INF32.DLL
RLCRES DLL 227,104 08/03/05 23:14 RLCRES.dll
IPIGN32 DLL 227,104 08/03/05 23:14 ipign32.dll
VPPUBAPI DLL 227,104 08/03/05 23:14 vppubapi.dll
DWMCLIEN DLL 227,104 08/03/05 23:14 dwmclien.dll
DIOUND DLL 227,104 08/03/05 23:14 DIOUND.DLL
RXASIG DLL 227,104 08/03/05 23:14 RXASIG.DLL
SQRIALUI DLL 227,104 08/03/05 23:14 SQRIALUI.DLL
QMDIT DLL 227,104 08/03/05 23:14 qmdit.dll
IAROP DLL 227,104 08/03/05 23:14 IAROP.DLL
ITWPHBK DLL 227,104 08/03/05 23:14 itwphbk.dll
DLVMGR32 DLL 227,104 08/03/05 23:14 DLVMGR32.DLL
MJCD30 DLL 227,104 08/03/05 23:14 MJCD30.DLL
CIYPTUI DLL 227,104 08/03/05 23:14 CIYPTUI.DLL
SWI_CI DLL 227,104 08/03/05 23:14 SWI_CI.DLL
CEFVIEW DLL 227,104 08/03/05 23:14 cefview.dll
MTXMLR DLL 227,104 08/03/05 23:14 MTXMLR.DLL
CZYPTNET DLL 227,104 08/03/05 23:14 CZYPTNET.DLL
DA3J DLL 227,104 08/03/05 23:14 DA3J.DLL
DHDMO DLL 227,104 08/03/05 23:14 dhdmo.dll
WWPUI DLL 227,104 08/03/05 23:14 wwpui.dll
VHHELPER DLL 227,104 08/03/05 23:14 VHHELPER.DLL
24 file(s) 5,450,496 bytes
0 dir(s) 16,841.67 MB free

------- Hidden Files in System Directory -------


Volume in drive C is C DRIVE
Volume Serial Number is 275D-18E5
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 890 15/03/05 18:21 vsconfig.xml
ZLLICTBL DAT 4,212 07/03/05 20:28 zllictbl.dat
BJC4000 GID 8,628 15/11/04 11:36 BJC4000.GID
CJ1000 GID 12,909 18/12/03 0:33 CJ1000.GID
NTICDM~1 DLL 114 06/03/03 21:53 NTICDMK32.dll
FOLDER HTT 13,122 20/02/03 19:50 folder.htt
DESKTOP INI 266 20/02/03 19:50 desktop.ini
ATI98DEF GID 10,844 13/02/03 18:50 ati98def.GID
8 file(s) 50,985 bytes
0 dir(s) 16,841.66 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0C593FE9-697A-3B3F-B134-D6A717BBDF4F}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Tue 15 Mar 2005 18:21:48 A..H. 890 0.87 K
zllictbl.dat Mon 7 Mar 2005 20:28:42 ...H. 4,212 4.11 K
mvawt.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
mlsign32.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
wx5inf32.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
rlcres.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
ipign32.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
vppubapi.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
dwmclien.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
diound.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
rxasig.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
sqrialui.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
qmdit.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
iarop.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
itwphbk.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
dlvmgr32.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
mjcd30.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
ciyptui.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
swi_ci.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
cefview.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
mtxmlr.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
czyptnet.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
da3j.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
dhdmo.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
wwpui.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
vhhelper.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K

26 items found: 26 files, 0 directories.
Total of file sizes: 5,455,598 bytes 5.20 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"CountrySelection"="pctptt.exe"
"PTSNOOP"="ptsnoop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



#10 knish

Posted 15 March 2005 - 06:40 PM

Here is my latest hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 6:48:44 PM, on 03/15/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {B5953C3F-9532-11D9-8575-00502B39CF86} - C:\WINDOWS\SYSTEM\NENIMGA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O18 - Filter: text/html - {82B93D33-9407-11D9-8575-005082B32036} - C:\WINDOWS\SYSTEM\NENIMGA.DLL
O18 - Filter: text/plain - {82B93D33-9407-11D9-8575-005082B32036} - C:\WINDOWS\SYSTEM\NENIMGA.DLL

#11 miekiemoes

Posted 15 March 2005 - 06:55 PM

Much better! While I prepare the fix for the other files, I'll let you fix that se.dll again.

Download: http://www.derbilk.de/SpSeHjfix_Beta7.zip
Unzip it and place it on your desktop.

Reboot into SAFE MODE

Doubleclick on SpSeHjfix_Beta.exe and click Start disinfection.
Let it finish the job.

Post the log that you will find in the SpSeHjfix-folder together with a new hijackthislog.

#12 knish

Posted 15 March 2005 - 07:04 PM

03/13/2005 6:43:39 PM SPSeHjFix started v1.07
03/13/2005 6:43:40 PM OS: Win98SE A (4.10.67766446)
03/13/2005 6:43:40 PM Bad-Dll(IEP): (not found)
03/13/2005 6:43:40 PM BHO-DLL: (not found)
03/13/2005 6:43:40 PM Searchassistant Unintaller found
03/13/2005 6:43:40 PM Searchassistant Unintaller - Keys Deleted
03/13/2005 6:43:40 PM UBF: 4
03/13/2005 6:43:40 PM UBB: 0
03/13/2005 6:43:40 PM UBR: 13
03/13/2005 6:43:40 PM Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
03/13/2005 6:43:40 PM Stealth-String found: C:\WINDOWS\HLPGLOEE.GIF
03/13/2005 6:43:40 PM File added to delete: c:\windows\system\dfcf.dll
03/13/2005 6:43:40 PM File added to delete: c:\windows\hlpgloee.gif
03/13/2005 6:43:40 PM Reboot
03/15/2005 6:46:41 PM SPSeHjFix 2nd Step
03/15/2005 6:46:42 PM RunServicesOnce-Key: (alex)
03/15/2005 6:46:50 PM Cleaned
03/15/2005 7:10:38 PM SPSeHjFix started v1.07
03/15/2005 7:10:38 PM OS: Win98SE A (4.10.67766446)
03/15/2005 7:10:38 PM Bad-Dll(IEP): se.dll
03/15/2005 7:10:38 PM Searchassistant Unintaller found
03/15/2005 7:10:38 PM Searchassistant Unintaller - Keys Deleted
03/15/2005 7:10:38 PM UBF: 6
03/15/2005 7:10:38 PM UBB: 0
03/15/2005 7:10:38 PM FilterKey: HKEY_CLASSES_ROOT\text/html (deleted)
03/15/2005 7:10:38 PM FilterKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\text/html (error while deleting)
03/15/2005 7:10:38 PM FilterKey: HKEY_CLASSES_ROOT\CLSID\{82B93D33-9407-11D9-8575-005082B32036} (deleted)
03/15/2005 7:10:38 PM FilterKey: HKEY_CLASSES_ROOT\text/plain (deleted)
03/15/2005 7:10:38 PM FilterKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\text/plain (error while deleting)
03/15/2005 7:10:38 PM FilterKey: HKEY_CLASSES_ROOT\CLSID\{82B93D33-9407-11D9-8575-005082B32036} (error while deleting)
03/15/2005 7:10:38 PM UBR: 13
03/15/2005 7:10:38 PM Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
03/15/2005 7:10:38 PM Stealth-String found: C:\WINDOWS\HLPGLOEE.GIF
03/15/2005 7:10:38 PM File added to delete: c:\windows\system\nenimga.dll
03/15/2005 7:10:38 PM File added to delete: c:\windows\hlpgloee.gif
03/15/2005 7:10:38 PM Reboot

Logfile of HijackThis v1.99.1
Scan saved at 7:13:36 PM, on 03/15/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

#13 miekiemoes

  • Malware Response Team

Posted 15 March 2005 - 07:09 PM

Ok..

Now restore your web settings: Go to Control Panel - Internet Options - tab Programs
Click "restore websettings"

Okay.. the following files, you have to killbox again.

Select the option Replace on Reboot and check the "Use Dummy" box.
Now copy the next bold:

C:\WINDOWS\SYSTEM\mvawt.dll
C:\WINDOWS\SYSTEM\mlsign32.dll
C:\WINDOWS\SYSTEM\wx5inf32.dll
C:\WINDOWS\SYSTEM\rlcres.dll
C:\WINDOWS\SYSTEM\ipign32.dll
C:\WINDOWS\SYSTEM\vppubapi.dll
C:\WINDOWS\SYSTEM\dwmclien.dll
C:\WINDOWS\SYSTEM\diound.dll
C:\WINDOWS\SYSTEM\rxasig.dll
C:\WINDOWS\SYSTEM\sqrialui.dll
C:\WINDOWS\SYSTEM\qmdit.dll
C:\WINDOWS\SYSTEM\iarop.dll
C:\WINDOWS\SYSTEM\itwphbk.dll
C:\WINDOWS\SYSTEM\dlvmgr32.dll
C:\WINDOWS\SYSTEM\mjcd30.dll
C:\WINDOWS\SYSTEM\ciyptui.dll
C:\WINDOWS\SYSTEM\swi_ci.dll
C:\WINDOWS\SYSTEM\cefview.dll
C:\WINDOWS\SYSTEM\mtxmlr.dll
C:\WINDOWS\SYSTEM\czyptnet.dll
C:\WINDOWS\SYSTEM\da3j.dll
C:\WINDOWS\SYSTEM\dhdmo.dll
C:\WINDOWS\SYSTEM\wwpui.dll
C:\WINDOWS\SYSTEM\vhhelper.dll


Open 'file' in the Killbox menu on top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
(if you don't get the prompt: would you like to reboot now, reboot manually!)

Your computer must reboot now.

When rebooted, open killbox again, choose file on top and select: Delete all dummy files.
Then, choose Tools on top and select: Delete Temp Files.

Could you check something for me afterwards?
When this is done, look in your system folder and see if the files you deleted previously are still there.
If so, right-click on one or two and rename them to a txt file (eg: ipign32.dll becomes ipign32.txt)
Open it and see if it says: 'Dummy file, it's safe to delete'
Just tell me afterwards.. so I know if the 'delete all dummy files'-option really works here.

Then, Run FindIt again and post a new log here.
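The post-reboot check requested in the post above can be done without renaming anything, by reading the first bytes of each file. This is an added example, not part of the original thread and not Killbox's own code; the marker text is assumed to be the one quoted in the post, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Assumption: the dummy left by Killbox starts with the text quoted in the post
# ("Dummy file, it's safe to delete"); only the first words are matched.
DUMMY_MARKER = b"dummy file"


def classify(path, head_size=256):
    """Return 'gone', 'dummy', 'executable' or 'unknown' for one target path."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_size)
    except FileNotFoundError:
        return "gone"            # deleted, nothing left on disk
    if head.lstrip().lower().startswith(DUMMY_MARKER):
        return "dummy"           # harmless placeholder, safe to delete
    if head[:2] == b"MZ":
        return "executable"      # still a DOS/PE binary: replacement did not take
    return "unknown"             # neither placeholder nor executable, inspect by hand


def audit(paths):
    """Classify every path and return {status: [paths]}, keeping input order."""
    report = {"gone": [], "dummy": [], "executable": [], "unknown": []}
    for p in paths:
        report[classify(p)].append(p)
    return report


def demo():
    """Build constructed sample files in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed contents, file names borrowed from the list above
            "ipign32.dll": b"Dummy file, it's safe to delete",
            "rlcres.dll": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
            "qmdit.dll": b"\x00\x01\x02 not a known format",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        names = list(samples) + ["mvawt.dll"]        # last one never created
        report = audit(os.path.join(d, n) for n in names)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10} {files}")
```

A file reported as `executable` corresponds to the "all gibberish" case: the original binary is still in place, so the replace-on-reboot step did not take effect for it.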

#14 knish

  • Topic Starter


Posted 15 March 2005 - 07:32 PM

It didn't work. I renamed the file, opened it and it was all gibberish. Here is a new log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is C DRIVE
Volume Serial Number is 275D-18E5
Directory of C:\WINDOWS\SYSTEM

MYC40 DLL 227,104 15/03/05 19:04 MYC40.DLL
WLNINET DLL 227,104 15/03/05 19:04 WLNINET.DLL
IWIGN32 DLL 227,104 08/03/05 23:14 iwign32.dll
MYVBVM50 DLL 227,104 08/03/05 23:14 MYVBVM50.DLL
DWVMGR32 DLL 227,104 08/03/05 23:14 DWVMGR32.DLL
5 file(s) 1,135,520 bytes
0 dir(s) 16,857.19 MB free

------- Hidden Files in System Directory -------


Volume in drive C is C DRIVE
Volume Serial Number is 275D-18E5
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 890 15/03/05 19:26 vsconfig.xml
ZLLICTBL DAT 4,212 07/03/05 20:28 zllictbl.dat
BJC4000 GID 8,628 15/11/04 11:36 BJC4000.GID
CJ1000 GID 12,909 18/12/03 0:33 CJ1000.GID
NTICDM~1 DLL 114 06/03/03 21:53 NTICDMK32.dll
FOLDER HTT 13,122 20/02/03 19:50 folder.htt
DESKTOP INI 266 20/02/03 19:50 desktop.ini
ATI98DEF GID 10,844 13/02/03 18:50 ati98def.GID
8 file(s) 50,985 bytes
0 dir(s) 16,857.17 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0C593FE9-697A-3B3F-B134-D6A717BBDF4F}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Tue 15 Mar 2005 19:26:08 A..H. 890 0.87 K
zllictbl.dat Mon 7 Mar 2005 20:28:42 ...H. 4,212 4.11 K
iwign32.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
myvbvm50.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
dwvmgr32.dll Tue 8 Mar 2005 23:14:38 ..S.R 227,104 221.78 K
myc40.dll Tue 15 Mar 2005 19:04:02 ..S.R 227,104 221.78 K
wlninet.dll Tue 15 Mar 2005 19:04:02 ..S.R 227,104 221.78 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,140,622 bytes 1.09 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------




#15 knish

  • Topic Starter


Posted 15 March 2005 - 07:45 PM

I have to go for the night, I'll try to get back on soon. Thanks for the help!



