really persistent malware

22 replies to this topic

#1 youngsy

Posted 28 June 2005 - 11:03 PM

Hi folks, this is my first post, but I have been reading up on your forum for a while trying to follow suggestions. I thought I could get this taken care of on my own, but alas, I must yield to some greater powers. Ok, I'm running Windows 2000 in which there are multiple user accounts. I've got Adelphia's Freedom anti-virus/anti-spyware/firewall running. I also have the latest Ad-aware SE. I have downloaded HJT and killbox and have been using them to battle this infection. Just when I think I've gotten rid of everything, I restart the computer, and some of them are back. I have the firewall blocking a "run a dll as an app" that tries to connect to a random IP, which comes up each time Windows loads. I delete the TEMP folder after fixing the known malwares with HJT, and manually deleting some of the files with killbox in safe mode, but somehow, this file called "load.htm" keeps coming back. I've also noticed that I can't seem to shake a couple of entries in HJT--"nkni.exe" and "rjrpjk.exe". I can fix one, and the other will appear upon rescanning. I have been able to delete many of the files that this malware is creating in the system32 folder by identifying them by creation date. However, the problem has not gone away. And I have just noticed AdDestroyer and VBouncer folders in program files, but there is no listing in add/remove programs.

I recently used Find It NT-2K-XP and I think I'm very close to figuring this out, but I wanted to ask you what to do next. Here is my log from Find It NT-2K-XP followed by my log from HJT.
*Please note, when I fix the "rjrpjk.exe" entry, it is replaced by "nkni.exe".

Thanks a bunch.
----
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find it\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 606A-FB3F

Directory of C:\WINNT\System32

06/21/2005 02:00a <DIR> dllcache
06/17/2005 03:31a 417,792 guard.tmp
1 File(s) 417,792 bytes
1 Dir(s) 64,119,648,256 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 606A-FB3F

Directory of C:\WINNT\System32

06/21/2005 02:00a <DIR> dllcache
04/27/2005 09:05p 4,212 zllictbl.dat
03/28/2004 01:05p 554 fiz3
03/28/2004 01:05p 30,083 fiz2
03/25/2004 05:59p 1,914 fiz1
03/25/2004 05:50p 0 kyf.dat
02/16/2004 10:39p 3,377,939 kyf.dat.old
10/09/2003 10:37p <DIR> GroupPolicy
10/09/2003 10:31p 271 desktop.ini
10/09/2003 10:31p 21,692 folder.htt
8 File(s) 3,436,665 bytes
2 Dir(s) 64,119,648,256 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 606A-FB3F

Directory of C:\WINNT\System32

06/17/2005 03:31a 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 64,119,644,160 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 606A-FB3F

Directory of C:\WINNT\System32

06/17/2005 03:31a 417,792 guard.tmp
03/25/2004 03:59p 776 tmpmpt1.tmp
10/08/2001 12:58p 82,944 SET588.tmp
12/07/1999 08:00a 2,577 CONFIG.TMP
4 File(s) 504,089 bytes
0 Dir(s) 64,119,644,160 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5AC86F04-E3EA-E618-E8E3-578690C52C0C}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\ddnput8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
guard.tmp Fri Jun 17 2005 3:31:52a ..S.R 417,792 408.00 K
zllictbl.dat Wed Apr 27 2005 9:06:00p ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 422,004 bytes 412.11 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINNT\system32\bnbmncd.exe: .aspack
C:\WINNT\system32\lame_enc.dll: .aspack
C:\WINNT\system32\NCTAudioFile.dll: .aspack
C:\WINNT\system32\NCTWMAFile.dll: .aspack
C:\WINNT\system32\papka.dat: .aspack
C:\WINNT\system32\rjrpjk.exe: .aspack
C:\WINNT\system32\rpripen.dll: .aspack
C:\WINNT\system32\uwusw.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\nkni.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"RjLyraInstaller"="F:\\setup.exe F:\\"
"Freedom"="C:\\Program Files\\Zero Knowledge\\Freedom\\Freedom.exe"
"KavSvc"="C:\\WINNT\\system32\\rjrpjk.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
---
Logfile of HijackThis v1.99.1
Scan saved at 11:59:57 PM, on 6/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rjrpjk.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\freebhor.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RjLyraInstaller] F:\setup.exe F:\
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rjrpjk.exe reg_run
O4 - HKCU\..\RunOnce: [East-Tec Eraser 2005] "C:\Program Files\East-Tec Eraser 2005\silent.exe" /R
O4 - Global Startup: DMSTART.lnk = C:\Program Files\Diamond\Display\dmstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - Winlogon Notify: URL - C:\WINNT\system32\ddnput8.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

#2 Guest_Cretemonster_*

Posted 29 June 2005 - 08:54 AM

Hi youngsy and Welcome!

You are so right on track with this Infection!

There is Fix for it also that will make it much easier for us!

Download the L2MFix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.

#3 youngsy

Posted 29 June 2005 - 09:23 AM

Thanks for the reply. Here is the L2MFIX log.


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\ddnput8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5AC86F04-E3EA-E618-E8E3-578690C52C0C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{2B232F20-FA0D-11D1-8A3E-00C0F64105CD}"="Shell Extension for Shuttle Drive"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{597C8D9B-4729-4F55-8E93-3299C95EC9E3}"="MimarSinan Codex: InfoTip"
"{7918F428-735F-4BB2-A8E5-9A5EA532CD1F}"="MimarSinan Codex Recursive Extract"
"{8A1A763A-B9FC-4F6C-B96C-D2B487A642DD}"="MimarSinan Codex: Property Sheet"
"{D8565451-45A1-11D6-A72A-00002127B9F9}"="MimarSinan Codex: Compress"
"{A8F864A1-440C-11D6-A729-00002127B9F9}"="MimarSinan Codex: Extract"
"{E8B6E261-4594-11D6-A72A-00002127B9F9}"="MimarSinan Codex: Drag-and-Drop"
"{24611221-466F-11D6-A72B-00002127B9F9}"="MimarSinan Codex: Folder-Drop"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}"=""
"{DADE9A6C-C492-48C9-8873-AAAB21C8766C}"=""
"{36837C32-1994-4634-950C-47D52B535D00}"=""
"{E0BD38EB-C8EC-11D2-B274-B493B003B125}"="East-Tec Eraser Context Menu Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\MSIN]

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}\InprocServer32]
@="C:\\WINNT\\system32\\coutil.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DADE9A6C-C492-48C9-8873-AAAB21C8766C}]
@=""
"IDEx"="ST005"

[HKEY_CLASSES_ROOT\CLSID\{DADE9A6C-C492-48C9-8873-AAAB21C8766C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DADE9A6C-C492-48C9-8873-AAAB21C8766C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DADE9A6C-C492-48C9-8873-AAAB21C8766C}\InprocServer32]
@="C:\\WINNT\\system32\\ayledit.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{36837C32-1994-4634-950C-47D52B535D00}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{36837C32-1994-4634-950C-47D52B535D00}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{36837C32-1994-4634-950C-47D52B535D00}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{36837C32-1994-4634-950C-47D52B535D00}\InprocServer32]
@="C:\\WINNT\\system32\\knsys32.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
ddnput8.dll Mon Jun 20 2005 11:51:04p ..... 417,792 408.00 K
hhsetup.dll Thu Apr 21 2005 7:16:56a A.... 38,912 38.00 K
inetcomm.dll Tue May 3 2005 4:26:50p A.... 596,480 582.50 K
itircl.dll Thu Apr 21 2005 7:16:56a A.... 143,872 140.50 K
itss.dll Thu Apr 21 2005 7:16:56a A.... 128,000 125.00 K
knsys32.dll Tue Jun 28 2005 11:02:30p ..... 417,792 408.00 K
mshtml.dll Wed Apr 27 2005 10:52:56a A.... 2,698,752 2.57 M
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
pncrt.dll Thu May 12 2005 12:03:20p A.... 278,528 272.00 K
pndx5016.dll Thu May 12 2005 12:03:22p A.... 6,656 6.50 K
pndx5032.dll Thu May 12 2005 12:03:22p A.... 5,632 5.50 K
pngfilt.dll Wed Apr 27 2005 10:53:06a A.... 34,816 34.00 K
rmoc3260.dll Thu May 12 2005 12:03:40p A.... 176,167 172.04 K
rpripen.dll Sun Jun 26 2005 5:27:22a ..... 27,648 27.00 K
shdocvw.dll Wed Apr 27 2005 2:50:48p A.... 1,338,368 1.27 M
sp3res.dll Thu Apr 21 2005 6:07:06a A.... 6,309,376 6.02 M
uwusw.dll Sun Jun 26 2005 5:27:24a ..... 9,728 9.50 K
webvw.dll Fri Apr 29 2005 12:16:10a A.... 1,119,504 1.07 M
wininet.dll Wed Apr 27 2005 10:54:24a A.... 574,976 561.50 K

19 items found: 19 files, 0 directories.
Total of file sizes: 17,213,239 bytes 16.41 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Fri Jun 17 2005 3:31:52a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 606A-FB3F

Directory of C:\WINNT\System32

06/21/2005 02:00a <DIR> dllcache
06/17/2005 03:31a 417,792 guard.tmp
1 File(s) 417,792 bytes
1 Dir(s) 64,122,318,848 bytes free
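As an added defender-side example, not part of this thread and not code from L2MFix or Find It: a Python script that parses a constructed excerpt in the format of the find log above and flags the indicators a helper reads off it (a third-party Winlogon\Notify DLL, approved shell-extension CLSIDs with no description together with the DLL their InprocServer32 key loads, and same-sized files in system32). The sample log, section handling and function names are my own assumptions.

```python
"""Flag persistence indicators in an L2MFix-style find log (constructed excerpt)."""
import re
from collections import defaultdict

# Constructed excerpt in the format of the thread's find log; not a real capture.
SAMPLE_LOG = r"""
Winlogon/notify:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"DllName"="C:\\WINNT\\system32\\ddnput8.dll"

Shell Extension key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}"=""
"{36837C32-1994-4634-950C-47D52B535D00}"=""

HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}\InprocServer32]
@="C:\\WINNT\\system32\\coutil.dll"

[HKEY_CLASSES_ROOT\CLSID\{36837C32-1994-4634-950C-47D52B535D00}\InprocServer32]
@="C:\\WINNT\\system32\\knsys32.dll"

Files Found are not all bad files:
C:\WINNT\SYSTEM32\
ddnput8.dll Mon Jun 20 2005 11:51:04p ..... 417,792 408.00 K
hhsetup.dll Thu Apr 21 2005 7:16:56a A.... 38,912 38.00 K
knsys32.dll Tue Jun 28 2005 11:02:30p ..... 417,792 408.00 K
rpripen.dll Sun Jun 26 2005 5:27:22a ..... 27,648 27.00 K
Locate .tmp files:
guard.tmp Fri Jun 17 2005 3:31:52a ..S.R 417,792 408.00 K
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
STR_VAL_RE = re.compile(r'^(?:"([^"]*)"|(@))="(.*)"$')   # string values only
FILE_RE = re.compile(r'^(\S+) \w{3} \w{3} +\d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap] '
                     r'([A-Z.]{5}) ([\d,]+) ')

def parse_registry(log):
    """Return {key_path: {value_name: value}} for the .reg-style dumps (dwords skipped)."""
    keys, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := STR_VAL_RE.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(3).replace("\\\\", "\\")
    return keys

def winlogon_notify_dlls(keys):
    """Each Notify subkey that names a DLL: winlogon loads these at logon,
    so every one must be accounted for by a product you recognise."""
    return [(path.rsplit("\\", 1)[1], vals["DllName"])
            for path, vals in keys.items()
            if "\\Winlogon\\Notify\\" in path and vals.get("DllName")]

def unnamed_shell_extensions(keys):
    """Approved shell-extension CLSIDs with an empty description (legit handlers carry a name)."""
    for path, vals in keys.items():
        if path.endswith("\\Shell Extensions\\Approved"):
            return [clsid for clsid, desc in vals.items() if desc == ""]
    return []

def inproc_server(keys, clsid):
    """The DLL the shell loads for a CLSID (its InprocServer32 default value)."""
    for path, vals in keys.items():
        if path.endswith(clsid + "\\InprocServer32"):
            return vals.get("@")
    return None

def parse_files(log):
    """Return {name: (attributes, size_in_bytes)} from the Locate.com-style lines."""
    files = {}
    for line in log.splitlines():
        if m := FILE_RE.match(line.strip()):
            files[m.group(1).lower()] = (m.group(2), int(m.group(3).replace(",", "")))
    return files

def same_size_clusters(files, min_members=2):
    """Group files by exact size: several oddly named files of one size is a strong tell."""
    by_size = defaultdict(list)
    for name, (_attrs, size) in files.items():
        by_size[size].append(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_members}

def report(log):
    """All findings as (kind, subject, detail) tuples."""
    keys, files = parse_registry(log), parse_files(log)
    out = [("winlogon_notify", sub, dll) for sub, dll in winlogon_notify_dlls(keys)]
    out += [("unnamed_shellext", c, inproc_server(keys, c))
            for c in unnamed_shell_extensions(keys)]
    out += [("same_size", size, names) for size, names in same_size_clusters(files).items()]
    return out

if __name__ == "__main__":
    for kind, subject, detail in report(SAMPLE_LOG):
        print(f"{kind:17} {subject}  ->  {detail}")
```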

#4 Guest_Cretemonster_*

Posted 29 June 2005 - 10:29 AM

OK, something is different, the file sizes seem different!

Please locate these files and Place them in a Zipped folder

C:\WINNT\System32\ddnput8.dll

C:\WINNT\System32\knsys32.dll

C:\WINNT\System32\guard.tmp

You may have to be Viewing Hidden Files, Here is a link to help with that
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

You may also have to look in this location

C:\WINNT\System32\dllcache

Once all are placed in the Zip folder, before you close up that Zip Folder, click on File and add a Password to the Zip Folder

Make the Password "infected"

After all that, email here >> filesubmit@charter.net

Once all is completed Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

As soon as that is all done, scan with L2MFix again selecting Option 1

Place those results in a post by themselves!

Because this drops the nasty Qoologic Infection, you will need to run a particular Online Scan here
http://www.kaspersky.com/beta?product=161744315

Run the Online Scan as soon as you are done saving that last log!

Have plenty of time on your hands because this Scan may take a while to complete!

Once the Online Scan Completes and Because the Registry will be filled with Dead Ends you will need to download and Run
RegSupreme Pro
http://www.macecraft.com/downloads/RegSupremePro_setup.exe

or

Regsupreme 1.3 from
http://www.macecraft.com/

Open it and click on deep scan.

When it's finished just give the backup a name and save it!

I think both have a free trial, so try the Pro Version first!

Once all is completed, Post a fresh HijackThis log along with the other 2 I asked for!

#5 youngsy

  • Topic Starter
  • Members
  • 15 posts

Posted 29 June 2005 - 08:57 PM

Here is my first L2MFix log. When I tried to place the files you requested in a zip folder, I could not access two of them because they were apparently being used by Windows. So I tried copying the files, but they wouldn't copy either. Then I rebooted into safe mode and tried to add them to a zip, but that wouldn't work. So I went to the command prompt and tried to copy them into another folder to zip, but the directory didn't even list those files; the copy command did not recognize those files as well. I did notice however that one of the files had been replaced, and I was able to copy one into the zip folder. I also copied other suspicious new .dlls into the zip folder as well. Although I was able to get 2 of the three you asked for, I could not access ddnput8.dll, and when I rebooted, some .dlls were deleted and replaced with new names. I'm going to finish with the rest of your instructions now.

Anyway, here's the first log.
---

L2Mfix 1.03

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1032 'explorer.exe'
Killing PID 1032 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1084 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\ahcups.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ahcups.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ddnput8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ddnput8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\knsys32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\knsys32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvvcr70.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvvcr70.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\ahcups.dll
Successfully Deleted: C:\WINNT\system32\ahcups.dll
deleting: C:\WINNT\system32\ahcups.dll
Successfully Deleted: C:\WINNT\system32\ahcups.dll
deleting: C:\WINNT\system32\ddnput8.dll
Successfully Deleted: C:\WINNT\system32\ddnput8.dll
deleting: C:\WINNT\system32\ddnput8.dll
Successfully Deleted: C:\WINNT\system32\ddnput8.dll
deleting: C:\WINNT\system32\knsys32.dll
Successfully Deleted: C:\WINNT\system32\knsys32.dll
deleting: C:\WINNT\system32\knsys32.dll
Successfully Deleted: C:\WINNT\system32\knsys32.dll
deleting: C:\WINNT\system32\mvvcr70.dll
Successfully Deleted: C:\WINNT\system32\mvvcr70.dll
deleting: C:\WINNT\system32\mvvcr70.dll
Successfully Deleted: C:\WINNT\system32\mvvcr70.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp


Zipping up files for submission:
adding: ahcups.dll (152 bytes security) (deflated 48%)
adding: ddnput8.dll (152 bytes security) (deflated 48%)
adding: knsys32.dll (152 bytes security) (deflated 48%)
adding: mvvcr70.dll (152 bytes security) (deflated 48%)
adding: guard.tmp (152 bytes security) (deflated 48%)
adding: clear.reg (152 bytes security) (deflated 46%)
adding: echo.reg (152 bytes security) (deflated 10%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 80%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 64%)
adding: test.txt (152 bytes security) (deflated 80%)
adding: test2.txt (152 bytes security) (deflated 27%)
adding: test3.txt (152 bytes security) (deflated 27%)
adding: test5.txt (152 bytes security) (deflated 27%)
adding: xfind.txt (152 bytes security) (deflated 76%)
adding: backregs/36837C32-1994-4634-950C-47D52B535D00.reg (152 bytes security) (deflated 70%)
adding: backregs/D2359F53-2714-4860-B27C-F6BF5ABFEC4C.reg (152 bytes security) (deflated 70%)
adding: backregs/DADE9A6C-C492-48C9-8873-AAAB21C8766C.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ahcups.dll
deleting local copy: ahcups.dll
deleting local copy: ddnput8.dll
deleting local copy: ddnput8.dll
deleting local copy: knsys32.dll
deleting local copy: knsys32.dll
deleting local copy: mvvcr70.dll
deleting local copy: mvvcr70.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINNT\system32\ahcups.dll
C:\WINNT\system32\ahcups.dll
C:\WINNT\system32\ddnput8.dll
C:\WINNT\system32\ddnput8.dll
C:\WINNT\system32\knsys32.dll
C:\WINNT\system32\knsys32.dll
C:\WINNT\system32\mvvcr70.dll
C:\WINNT\system32\mvvcr70.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}"=-
"{DADE9A6C-C492-48C9-8873-AAAB21C8766C}"=-
"{36837C32-1994-4634-950C-47D52B535D00}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D2359F53-2714-4860-B27C-F6BF5ABFEC4C}]
[-HKEY_CLASSES_ROOT\CLSID\{DADE9A6C-C492-48C9-8873-AAAB21C8766C}]
[-HKEY_CLASSES_ROOT\CLSID\{36837C32-1994-4634-950C-47D52B535D00}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


#6 youngsy

  • Topic Starter
  • Members
  • 15 posts

Posted 29 June 2005 - 09:01 PM

Here's the second L2MFix log.
---

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{2B232F20-FA0D-11D1-8A3E-00C0F64105CD}"="Shell Extension for Shuttle Drive"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{597C8D9B-4729-4F55-8E93-3299C95EC9E3}"="MimarSinan Codex: InfoTip"
"{7918F428-735F-4BB2-A8E5-9A5EA532CD1F}"="MimarSinan Codex Recursive Extract"
"{8A1A763A-B9FC-4F6C-B96C-D2B487A642DD}"="MimarSinan Codex: Property Sheet"
"{D8565451-45A1-11D6-A72A-00002127B9F9}"="MimarSinan Codex: Compress"
"{A8F864A1-440C-11D6-A729-00002127B9F9}"="MimarSinan Codex: Extract"
"{E8B6E261-4594-11D6-A72A-00002127B9F9}"="MimarSinan Codex: Drag-and-Drop"
"{24611221-466F-11D6-A72B-00002127B9F9}"="MimarSinan Codex: Folder-Drop"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{E0BD38EB-C8EC-11D2-B274-B493B003B125}"="East-Tec Eraser Context Menu Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\MSIN]

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
hhsetup.dll Thu Apr 21 2005 7:16:56a A.... 38,912 38.00 K
inetcomm.dll Tue May 3 2005 4:26:50p A.... 596,480 582.50 K
itircl.dll Thu Apr 21 2005 7:16:56a A.... 143,872 140.50 K
itss.dll Thu Apr 21 2005 7:16:56a A.... 128,000 125.00 K
mshtml.dll Wed Apr 27 2005 10:52:56a A.... 2,698,752 2.57 M
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
pncrt.dll Thu May 12 2005 12:03:20p A.... 278,528 272.00 K
pndx5016.dll Thu May 12 2005 12:03:22p A.... 6,656 6.50 K
pndx5032.dll Thu May 12 2005 12:03:22p A.... 5,632 5.50 K
pngfilt.dll Wed Apr 27 2005 10:53:06a A.... 34,816 34.00 K
rmoc3260.dll Thu May 12 2005 12:03:40p A.... 176,167 172.04 K
rpripen.dll Sun Jun 26 2005 5:27:22a ..... 27,648 27.00 K
shdocvw.dll Wed Apr 27 2005 2:50:48p A.... 1,338,368 1.27 M
sp3res.dll Thu Apr 21 2005 6:07:06a A.... 6,309,376 6.02 M
uwusw.dll Sun Jun 26 2005 5:27:24a ..... 9,728 9.50 K
webvw.dll Fri Apr 29 2005 12:16:10a A.... 1,119,504 1.07 M
wininet.dll Wed Apr 27 2005 10:54:24a A.... 574,976 561.50 K

17 items found: 17 files, 0 directories.
Total of file sizes: 16,377,655 bytes 15.62 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 606A-FB3F

Directory of C:\WINNT\System32

06/21/2005 02:00a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 64,115,404,800 bytes free
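
The L2MFix logs in this thread revolve around the Winlogon\Notify key: winlogon loads every DLL named by a DllName value under a subkey of that key at logon, which is why a random-named DLL registered there survives reboots and why the tool locks the key's ACL while it works. As an added example (not part of this thread and not L2MFix's own code) the Python 3 script below parses a .reg export of that key, decodes hex(2) REG_EXPAND_SZ values (the form the later option-4 export uses for DllName), and flags any subkey whose DllName is not on a baseline. The baseline of three stock Windows 2000 packages (crypt32chain, cryptnet, cscdll) is an assumption taken from the exports posted here; the subkey named `placeholder` and its DLL path in the sample are constructed to show what a hit looks like.

```python
import re

# Constructed sample .reg export: root values and the three stock subkeys are
# taken from the exports in this thread; the "placeholder" subkey is invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\placeholder]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINNT\\system32\\placeholder.dll"
"Logon"="WinLogon"
'''

NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumed baseline: the stock Windows 2000 notification packages seen in this
# thread's clean exports. A real one should come from a known-good machine.
BASELINE = {'crypt32chain': 'crypt32.dll', 'cryptnet': 'cryptnet.dll', 'cscdll': 'cscdll.dll'}


def _unescape(s):
    # .reg strings escape backslash as \\ and double quote as \"
    return s.replace('\\"', '"').replace('\\\\', '\\')


def _decode_hex2(payload):
    # hex(2) is REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string
    data = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    return data.decode('utf-16-le').rstrip('\x00')


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a regedit 5.00 / REGEDIT4 export."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith('\\') and i < len(lines):  # hex data continues on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith('dword:'):
            value = int(raw[6:], 16)
        elif raw.startswith('hex(2):'):
            value = _decode_hex2(raw[7:])
        else:
            value = raw  # other value types are kept as raw text
        keys[current][name] = value
    return keys


def _value(values, name):
    # registry value names are case-insensitive (the export has both DllName and DLLName)
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def audit_notify(keys):
    """List (subkey, DllName, reason) for every Notify subkey that is not on the baseline."""
    findings = []
    prefix = NOTIFY_KEY.lower() + '\\'
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        sub = path[len(prefix):]
        dll = _value(values, 'DllName')
        expected = BASELINE.get(sub.lower())
        if dll is None:
            findings.append((sub, None, 'no DllName value'))
        elif expected is None:
            findings.append((sub, dll, 'subkey not in baseline'))
        elif dll.lower() != expected:
            findings.append((sub, dll, 'DllName differs from baseline ' + expected))
    return findings


if __name__ == '__main__':
    for sub, dll, reason in audit_notify(parse_reg_export(SAMPLE_EXPORT)):
        print('%-14s %-40s %s' % (sub, dll, reason))
```

Feed it a fresh export of the key (regedit can export just that branch) instead of SAMPLE_EXPORT to review a real machine. A stock subkey whose DllName has been changed to a full path is reported as "differs from baseline", which is the right outcome: it is exactly the kind of edit worth a second look, even when the filename itself is familiar. The root Notify values in the thread's export (an empty DllName with Logon/Logoff/Shutdown set) are not evaluated here, since winlogon registers packages from the subkeys.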

#7 youngsy

  • Topic Starter
  • Members
  • 15 posts

Posted 30 June 2005 - 12:55 AM

Ok, we're not out of the woods yet. I've still got a "load.htm" file being created in the TEMP directory after reboot despite my deleting it. I also notice this darn "rjrpjk.exe" still existing in the HJT log, but I have looked and looked for it in the system32 folder, and I can't find it. The popups continue until I delete the "load.htm" from the TEMP folder.
When I ran the online virus scan it found a trojan dropper "bks.dll" in the system32 folder. I deleted it with kill box, and it has not reappeared even after reboot.

----

Logfile of HijackThis v1.99.1
Scan saved at 1:34:59 AM, on 6/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINNT\system32\rjrpjk.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\freebhor.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RjLyraInstaller] F:\setup.exe F:\
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rjrpjk.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - Global Startup: DMSTART.lnk = C:\Program Files\Diamond\Display\dmstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

#8 Guest_Cretemonster_*

  • Guests

Posted 30 June 2005 - 06:47 AM

Have you already run the Online Scan and used the Reg Cleaner?

#9 youngsy
  • Topic Starter

  • Members
  • 15 posts

Posted 30 June 2005 - 09:08 AM

Yes. The online scan identified 2 viruses. I successfully deleted all of the files it identified. But I wasn't sure what to do when the regcleaner was finished scanning. I did save a backup log like you asked, but that's all.

#10 Guest_Cretemonster_*

  • Guests

Posted 30 June 2005 - 09:26 AM

OK, gimme a bit to get this all fixed up!

Go ahead and Run the L2MFix again and this time Select Option 4 and let it roll!

I will post back in a bit once I have it all together!

Thanks for your Patience!

#11 youngsy
  • Topic Starter

  • Members
  • 15 posts

Posted 30 June 2005 - 09:30 AM

Here's the log of option 4 for L2MFix.
---

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
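A small audit of a Winlogon\Notify export like the log above, as an added example that is not part of L2MFix or any other tool in this thread: it decodes regedit's hex(2) DllName values and flags any Notify package whose DLL is not in a known-good baseline. The baseline set, the sample excerpt, and the extra subkey "abcde" loading "example_notify.dll" are constructed assumptions.

```python
"""Audit a regedit export of HKLM\\...\\Winlogon\\Notify for unexpected DLLs.

Added example for this thread; it is not part of L2MFix or any other tool
mentioned here. Notify packages are DLLs winlogon.exe loads at logon, so a
stray entry here survives normal-mode cleanups, which is why the helper
suspected this key."""
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Assumed baseline: the Notify DLLs present in the L2MFix log above. Build
# this from a known-clean machine of the same Windows version in practice.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}


def decode_reg_value(raw):
    """Turn a regedit value literal into a Python string.

    Handles "quoted strings" (with doubled backslashes unescaped) and hex(2):
    values, which are REG_EXPAND_SZ data stored as comma-separated UTF-16LE
    bytes. That is how regedit exports DllName for crypt32chain, cryptnet
    and sclgntfy in the log above."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text):
    """Return {subkey: {value_name: value}} for the Notify subkeys only."""
    # regedit wraps long hex values with a trailing backslash; rejoin them.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    prefix = (NOTIFY_KEY + "\\").lower()
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(prefix):
                current = path[len(prefix):]
                keys[current] = {}
            else:
                current = None          # some other key: ignore its values
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def find_unexpected(keys):
    """Map each Notify subkey whose DLL is not in the baseline to that DLL.

    Both spellings of the value name occur in real exports (DllName/DLLName)."""
    unexpected = {}
    for subkey, values in keys.items():
        dll = values.get("DllName") or values.get("DLLName") or ""
        if dll.lower().rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
            unexpected[subkey] = dll
    return unexpected


# Constructed excerpt in the same format as the L2MFix log above, plus one
# hypothetical subkey "abcde" loading a hypothetical "example_notify.dll".
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\abcde]
"DllName"="example_notify.dll"
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    notify = parse_reg_export(SAMPLE_EXPORT)
    for subkey, dll in find_unexpected(notify).items():
        print(f"review Notify\\{subkey}: loads {dll!r}, not in baseline")
```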

#12 Guest_Cretemonster_*

  • Guests

Posted 30 June 2005 - 12:55 PM

Well, it looks like we have to start over, I had a bad feeling this bugger had changed!

Either that or repairing the Notify Key just allowed a Reinfection, either way we gotta do it all over!

Click Start> Run> Copy&Paste the Text below into the Open Box and Click OK!

regedit /e c:\key.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\MSIN"


This time No online Scan,We will use a scanner that works off the same DataBase.

I will add one other that is good at getting l2m bugs!

Copy these Instructions to Notepad and Save them to the Desktop for reference in Safe Mode

Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue!

It should open automatically>Leave the "Default Settings ticked" and add a "tick" "Drives">this will light up "All Drives">Click "Scan Clean" to begin!

This Scan will take Several Hours or more to Complete, Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

Once the Scan has finished, All entries Identified as Infected will be displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Download "The Hoster" from here
http://www.funkytoad.com/download/hoster.zip

Restart in Safe Mode and Physically Unplug your Internet Connection!

Open it and Press "Restore Original Hosts" then press "OK".

Exit Program.

Open the l2mfix and run Options 1 and 2 again, Save the Reports

Open both Ewido and MWAV but don't run them or Minimize them just yet!

Right Click the TaskBar and Select Task Manager>> Click Processes>> Look for

rjrpjk.exe<< Click once and Select End Process
(The name may have changed but it will look like that goobly gob above)

Do the Exact Same for these 2 Processes

Rundll32.exe<< Click once and Select End Process

Explorer.exe<< Click once and Select End Process

When you Drop the Explorer process the Desktop and Taskbar will disappear, don't panic, this is Normal, leave the Task Manager Open!

MWAV and Ewido will remain Open!

Scan the System with MWAV and Save a log just as described above!

Scan with Ewido>when prompted>Select to clean and place a check by the box to use this action for all infections!

Once it completes, Click the tab to Save the report and Save it to your Desktop for easy access!

Once the Scan is Done,in the Task Manager>> Click File>> New Task(Run...)

Type or Copy&Paste C:\WINNT\Explorer.EXE into the Open Box and Click OK!

The Desktop and TaskBar will reappear, Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [RjLyraInstaller] F:\setup.exe F:\<< Unless you know what that is!

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rjrpjk.exe reg_run

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

If the funky named file does exist in the processes while in Safe Mode

Open HijackThis and leave it open>> Drop Explorer and Rundll32 again and

In HijackThis and Select Config> Misc Tools> Delete a file on reboot

When the Explorer Window pops up navigate to the file location

C:\WINNT\system32\rjrpjk.exe

Click Open to load the file and When prompted if you want to reboot click "YES"

It may be this file we are dealing with now>> wzcdlg.dll>> Same location though!

Restart Normal and Post a fresh HijackThis log, The reports from MWAV and Ewido, and locate and Post C:\Key.txt

#13 youngsy
  • Topic Starter

  • Members
  • 15 posts

Posted 01 July 2005 - 01:40 AM

Ok here's my final HJT log below. I think it's clean now, but let me know if you see anything suspicious. I had to do a variation on what you told me to be rid of the thing. I think you will find it interesting. I will explain in my next post.
----


Logfile of HijackThis v1.99.1
Scan saved at 2:32:19 AM, on 7/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\freebhor.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: DMSTART.lnk = C:\Program Files\Diamond\Display\dmstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

#14 Guest_Cretemonster_*

  • Guests

Posted 01 July 2005 - 01:59 AM

Well, if I can get my Internet to stay alive long enough, I would be most interested in hearing about it!

The HijackThis log looks fine!

So go on,please do tell!

#15 youngsy
  • Topic Starter

  • Members
  • 15 posts

Posted 01 July 2005 - 02:01 AM

So, I followed your instructions...scanning with each scanner, and finally having to go into safe mode and get rid of those files manually. But there was one problem. The process was listed in HJT, and it was listed in the task manager, but it would not let me end ANY task at all! I knew this would be a problem, so I downloaded a program called Process Explorer. This program did let me end the process. But before I ended it, I clicked on a properties button for the process. Then I clicked on the "strings" tab. What I found was amazing! The strings tab listed basically everything that the malware process was associated with and its functions. While I could not understand all of it, I did manage to scroll through the document and found an entire list of aliases and associated .exe's!! (I will post this list at the bottom for you to look at!) Now that I had a way to identify this malware's other names and faces, I used the HJT function to delete ALL of the associated files on reboot, not just rjrpjk.exe. I am not sure why they couldn't be found in normal mode when I was looking for these files before. Apparently they were "packed" or something?? I don't know what that means. After I fixed the process in HJT, I rebooted into safe mode again and looked for more files. It looked clean. Then I rebooted normally, and everything seemed back to normal. So the only thing left for me to ask you is whether there is anything that I need to do once you see the file lists from the virus scans that I ran? I don't know if all of the files were deleted or just quarantined. Also, I would like you to talk me through that regSupremePro program again to make sure that I do it right. Ok, here's the cool log from the Process Explorer. I will post the scan and other logs you asked for in the next post.

Sorry for so many posts!
If you scroll about halfway down this list you'll see the directory and file listings that I was talking about. The whole log is amazing though!
---

PROCESS EXPLORER
------ "STRINGS" TAB SAVED LOG------
---------------------------------------------
(null)
!This program cannot be run in DOS mode.
Rich
.text
.rdata
.data
.rsrc
.aspack
.adata
yourkey
mykey
KavSvc
dl.web-nexus.net
open
adloc
cid
Software\%d
excl_urls
ProductId
Software\Microsoft\Windows\CurrentVersion
cn=%s|cpui=%s|cpuvi=%s|mac=%s|uid=%s|wid=%s
%02X:%02X:%02X:%02X:%02X:%02X
VendorIdentifier
Identifier
~MHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
%sf%d.exe
%sf%d.htm
SendSomethingToHookLib
SetHook
CoolGetVersion
altavista.com
yahoo.com
google.com
%s.tmp
ulapi32.dll
Software\Microsoft\Windows\CurrentVersion\Run
_mymeanmap_
unknown
startup
RegisterServiceProcess
kernel32.dll
_dll_mmap_shared_2o2o_z_v2.8.7.5
\unadbeh.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdBehavior
mtx_temp_app2_qool
NUL
[RENAME]
[RENAME]
\WININIT.INI
exec
TASK_%s
TASK_
executed
MozillaWindowClass
FRAMES2
IEFrame
Internet Explorer_Server
.exe
http\shell\open\command
firefox.exe
netscp.exe
mozilla.exe
opera.exe
iexplore.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
pclie_wm_clear_popups
pclie_wm_setforeground
pclie_wm_remove_from_taskbar
pclie_wm_fire_big_popup
pclie_wm_nacrtaj_traku
pclie_wm_gen_exception
pclie_wm_check_hook
pclie_wm_report_task_exec
pclie_wm_fire_popup
pclie_wm_debug_dump_status
pcli_wm_report_uninstall
pcli_wm_uninstall
pcli_wm_get_excl_urls
pcli_wm_exec_tasks
pcli_wm_check_popup
pcli_wm_get_update_file
pcli_wm_check_for_updates
pcli_wm_showmsg
pcli_wm_getmsg
pcli_wm_getdb
pcli_wm_myhook_wm_lbuttondown
pcli_wm_myhook_wm_char
\explorer.exe
reg_run
StubPath
Software\Microsoft\Active Setup\Installed Components\
\Start Menu\Programs\Startup
GetAllUsersProfileDirectoryA
Userenv.dll
arkhmnjpul
krenuopicy
.dll
kurinqwsvgx
abcdornmqx
upqwvbakygr
.dat
andrtpkicu
DllRegisterServer
njamkhozvr
GENERAL
test_write
sd_test
omids
mppd
pint
ntpint
pdisabled
uuid
exclurls_seq
mppd_nt
s.clkoptimizer.com
chpop_srv
defcfg_srv
\symlink.dat
send
ws2_32.dll
tntdelay
maxchpop
Microsoft Internet Explorer
Cannot find server
about:blank
file://%s
<html><head><title></title><meta http-equiv="refresh" content="1;URL=%s"></head></html>
load.html
-url %s
firefox
iexplore
http://
\\.\PhysicalDrive0
\\.\SMARTVSD
mut_data_check_njanja
ppids_t
ppids_nt
%d:%d:%d
mutt_sync_fired_popups
traka_url
traka_height
validity
scroll
nomppd
pid
title
height
width
style
size
show
type
url
.com
.biz
.org
.net
www.
HOST:
.jif
.css
.doc
.ico
.avi
.mov
.pdf
.jpe
.sgi
.psd
.wmf
.tga
.dib
.pic
.dcx
.pcd
.txt
.pcx
.emf
.tif
.png
.cab
.ace
.tar
.tbz
.tgz
.rar
.zip
.bmp
.gif
.jpeg
.jpg
HTTP
GET
mmap_sniping_rules
mutex_sync_mmap_sniping_rules
CLSID\%s
CLSID\%s\InProcServer32
CLSID\%s\ProgId
*\shellex\ContextMenuHandlers\%s
yfgmqtnxks
xeroiuerjf
.class
Cool
Clr Class
\unq32.dat
CLSID\{46E0807E-D421-4D67-BA84-E13E187AE3DA}
Software\Microsoft\Active Setup\Installed Components\%s
</popup>
<attrib>
</attrib>
<url>
</url>
<popup>
<seq>
</seq>
</data>
<data>
<message>
<param_value>
</param_value>
<param_name>
</param_name>
<action>
</action>
<type>
</type>
<snipe>
</snipe>
<sniping>
</sniping>
<search_engine>
</search_engine>
</execUrl>
<execUrl>
<task>
<defcfgsvr>
</defcfgsvr>
<chpopsvr>
</chpopsvr>
<eus>
</eus>
<disabled>
</disabled>
<maxchpopup>
</maxchpopup>
<urlinterval>
</urlinterval>
<tntpopupdelay>
</tntpopupdelay>
<ntpopupinterval>
</ntpopupinterval>
<tpopupinterval>
</tpopupinterval>
<queryinterval>
</queryinterval>
<mppd_nt>
</mppd_nt>
<mppd>
</mppd>
<loc>
</loc>
<clientid>
</clientid>
CorExitProcess
mscoree.dll
EEE
ppxxxx
(null)
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
Program:
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
StrToIntA
StrChrA
wnsprintfA
StrStrA
StrStrIA
StrNCatA
SHLWAPI.dll
InternetGetConnectedState
WININET.dll
RPCRT4.dll
GetAdaptersInfo
iphlpapi.dll
Sleep
GetModuleFileNameA
lstrlenA
GetVolumeInformationA
HeapFree
lstrcpyA
HeapAlloc
GetProcessHeap
HeapReAlloc
GetComputerNameA
lstrcpynA
GetLastError
CreateProcessA
SetLastError
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetTempPathA
GetTickCount
GetCurrentProcessId
ExitProcess
FreeLibrary
lstrcmpA
GetProcAddress
LoadLibraryA
InitializeCriticalSection
CopyFileA
TerminateProcess
OpenProcess
MapViewOfFile
CreateFileMappingA
lstrcmpiA
GetModuleHandleA
IsBadWritePtr
DeleteFileA
lstrcatA
GetWindowsDirectoryA
SetUnhandledExceptionFilter
CreateMutexA
CloseHandle
OpenMutexA
Process32Next
Process32First
CreateToolhelp32Snapshot
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetShortPathNameA
MoveFileExA
LockResource
SizeofResource
LoadResource
FindResourceA
SetFileAttributesA
SetFileTime
GetFileTime
VirtualQuery
WideCharToMultiByte
GetVersionExA
FindClose
FindFirstFileA
GetFileSize
GetSystemDirectoryA
WritePrivateProfileStringA
GetPrivateProfileStringA
DeviceIoControl
GetLocalTime
ReleaseMutex
WaitForSingleObject
UnmapViewOfFile
KERNEL32.dll
CreateWindowExA
PostMessageA
SetTimer
KillTimer
wsprintfA
DefWindowProcA
PostQuitMessage
DestroyWindow
RegisterClassExA
DispatchMessageA
TranslateMessage
GetMessageA
SendMessageA
FindWindowA
GetClassNameA
GetWindowThreadProcessId
EnumWindows
RegisterWindowMessageA
GetWindowTextA
SetForegroundWindow
SetWindowPos
ShowWindow
ShowWindowAsync
EnumThreadWindows
EnumChildWindows
GetForegroundWindow
USER32.dll
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyA
RegDeleteValueA
RegOpenKeyA
RegSetValueExA
RegQueryValueA
My Host Name
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
RtlUnwind
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapSize
GetACP
GetOEMCP
GetCPInfo
LCMapStringA
MultiByteToWideChar
LCMapStringW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
VirtualAlloc
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualProtect
GetSystemInfo
FlushFileBuffers
SetStdHandle
HookSrv.exe
DDE Server
SysOleClass
rec_run
PST
PDT
C:\WINNT\system32\rjrpjk.exe
C:\WINNT\system32\rpripen.dll
C:\WINNT\system32\rjrpjk.exe
C:\WINNT\system32\bnbmncd.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nkni.exe
C:\WINNT\jojzo.dll
C:\WINNT\system32\papka.dat
C:\WINNT\system32\uwusw.dll
03;606afb3f
gimage is probably packed
C:\WINNT\system32\rpripen.dll
3JV3T9JR
.360 TS830011 A
C:\WINNT\system32\rjrpjk.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!This program cannot be run in DOS mode.
Rich!^
.text
.rdata
.data
.aspack
.adata
yourkey
mykey
KavSvc
dl.web-nexus.net
taskmgr.exe
_dll_mmap_shared_2o2o_z_v2.8.7.5
explorer.exe
firefox
iexplore
hidden
mut_wm_report_task_exec_nja
mut_wm_fire_popup_sync
mut_wm_check_popup_sync
mut_wm_check_for_updates_njanja
ghttp://www.google.com
http://clkoptimizer.com/learnmore_bottom.html
Test popup
gcasServ.exe
exec
TASK_%d
MozillaWindowClass
FRAMES2
IEFrame
Internet Explorer_Server
.exe
http\shell\open\command
firefox.exe
netscp.exe
mozilla.exe
opera.exe
iexplore.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
pclie_wm_clear_popups
pclie_wm_setforeground
pclie_wm_remove_from_taskbar
pclie_wm_fire_big_popup
pclie_wm_nacrtaj_traku
pclie_wm_gen_exception
pclie_wm_check_hook
pclie_wm_report_task_exec
pclie_wm_fire_popup
pclie_wm_debug_dump_status
pcli_wm_report_uninstall
pcli_wm_uninstall
pcli_wm_get_excl_urls
pcli_wm_exec_tasks
pcli_wm_check_popup
pcli_wm_get_update_file
pcli_wm_check_for_updates
pcli_wm_showmsg
pcli_wm_getmsg
pcli_wm_getdb
pcli_wm_myhook_wm_lbuttondown
pcli_wm_myhook_wm_char
reg_run
Software\Microsoft\Windows\CurrentVersion\Run
\Start Menu\Programs\Startup
GetAllUsersProfileDirectoryA
Userenv.dll
arkhmnjpul
krenuopicy
.dll
kurinqwsvgx
abcdornmqx
upqwvbakygr
.dat
andrtpkicu
DllRegisterServer
njamkhozvr
GENERAL
omids
adloc
exclurls_seq
s.clkoptimizer.com
chpop_srv
defcfg_srv
\symlink.dat
send
ws2_32.dll
application/*
text/*
GET
</config>
<config>
my_thr_mut_%d
g%s?obj_ids=%s&loc=%s
/cgi-bin/msg_get.cgi
%s?loc=%s&cid=%s&eus=%d&pe=%d&is=%d&hash=%s&app_src=%s&crc=%s&app_run=%s
/cconfig.php
installer
Qool-Uptime: %d
Win-Version: %s
QoolIE-Version: %s
unknown
gQoolShown-Popups: %s
QoolShown-Popups-nt: %s
mutt_sync_fired_popups
%s?loc=%s&cid=%s&u=%s&en=%s&pt=%d&app_src=%s&app_run=%s&crc=%s
/checkpopup.php
gMA
g%s?loc=%s&cid=%s&eus=%d
/exclurls.php
gHB
g%s?loc=%s&cid=%s&uuid=%s
/uninstall.php
%s?loc=%s&cid=%s&uuid=%s&tid=%d&ret=%d
/getfile_status.php
poptraka
g - Microsoft Internet Explorer
- Mozilla
- Mozilla Firefox
- Netscape
IFRAME
fcp_bg_map_please_work
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
NtQueryDirectoryFile
ntdll.dll
Microsoft Internet Explorer
Cannot find server
about:blank
file://%s
<html><head><title></title><meta http-equiv="refresh" content="1;URL=%s"></head></html>
load.html
-url %s
http://
msctls_statusbar32
Edit
ComboBox
ComboBoxEx32
ReBarWindow32
WorkerW
TEST
gNtQuerySystemInformation
SysOleClass
DDE Server
Process32Next
RegQueryInfoKeyW
RegQueryInfoKeyA
RegEnumValueW
advapi32.dll
RegEnumValueA
FindNextFileW
FindNextFileA
LoadLibraryExW
LoadLibraryExA
LoadLibraryW
kernel32.dll
LoadLibraryA
NtEnumerateValueKey
mmap_sniping_rules
mutex_sync_mmap_sniping_rules
SMTP Email Address
Software\Microsoft\Internet Account Manager\Accounts
Default Mail Account
Software\Microsoft\Internet Account Manager
%s %d.%d
Windows 3x
Windows 9x
Windows NT
Unknown
Version
Software\Microsoft\Internet Explorer
wsock32.dll
GET %s
GET %s%s
HTTP/1.
www.
Host:
gFx
StrStrIA
wnsprintfA
StrStrA
StrToIntA
StrChrA
StrNCatA
StrCmpNA
SHLWAPI.dll
ImageDirectoryEntryToData
IMAGEHLP.dll
InternetGetConnectedState
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA
WININET.dll
WS2_32.dll
RPCRT4.dll
GetModuleFileNameA
GetCurrentProcessId
DisableThreadLibraryCalls
lstrcpyA
SetUnhandledExceptionFilter
CloseHandle
ReleaseMutex
WaitForSingleObject
CreateMutexA
lstrcpynA
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
lstrlenA
lstrcatA
HeapFree
WriteFile
ReadFile
HeapAlloc
GetProcessHeap
CreateFileA
GetWindowsDirectoryA
lstrcmpA
GlobalFree
GlobalAlloc
MultiByteToWideChar
LockResource
SizeofResource
LoadResource
FindResourceA
VirtualQuery
GetTickCount
GetVolumeInformationA
WideCharToMultiByte
GetVersionExA
FreeLibrary
GetProcAddress
LoadLibraryA
FindClose
FindFirstFileA
GetFileSize
GetSystemDirectoryA
GetPrivateProfileStringA
HeapReAlloc
Sleep
GetLastError
HeapDestroy
HeapCreate
IsBadReadPtr
CreateThread
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
GetModuleHandleA
FindNextFileA
FindNextFileW
TerminateProcess
CreateProcessA
GetTempPathA
VirtualProtect
Module32Next
Module32First
FlushInstructionCache
WriteProcessMemory
VirtualAlloc
ReadProcessMemory
IsBadCodePtr
GetCurrentProcess
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
RtlUnwind
KERNEL32.dll
CallNextHookEx
SetForegroundWindow
ShowWindow
CreateWindowExA
GetWindowLongA
PostMessageA
UnhookWindowsHookEx
SetWindowsHookExA
wsprintfA
SetWindowLongA
GetClientRect
GetClassNameA
GetWindowThreadProcessId
EnumWindows
RegisterWindowMessageA
SendMessageA
SetWindowPos
DefWindowProcA
DestroyWindow
SetTimer
RegisterClassA
UpdateWindow
KillTimer
PostQuitMessage
DispatchMessageA
TranslateMessage
GetMessageA
GetSystemMetrics
RegisterClassExA
GetWindowTextA
ShowWindowAsync
EnumThreadWindows
EnumChildWindows
GetForegroundWindow
GetWindowRect
IsWindowVisible
FindWindowExA
IsWindow
FindWindowA
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegSetValueExA
RegOpenKeyA
RegCreateKeyA
RegEnumValueA
RegEnumValueW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegCreateKeyExA
ADVAPI32.dll
ExtractIconExA
SHELL32.dll
OleSetContainedObject
OleCreate
OleUninitialize
OleInitialize
ole32.dll
OLEAUT32.dll
HookLib.dll
FireCoolPopup
BindIEBrowser
CoolGetVersion
SendSomethingToHookLib
SetHook
TestPopup
HZsX&R
E!gqz
fMz<
n5HGj
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
imagehlp.dll
wininet.dll
user32.dll
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
StrChrA
ImageDirectoryEntryToData
InternetQueryDataAvailable
wsprintfA
RegQueryInfoKeyW
ExtractIconExA
OleSetContainedObject
!This program cannot be run in DOS mode.
RichX}
.text
.rdata
.data
.aspack
.adata
dw&FY
4XuF#
[cmmk[/
EpA
yRY
Fa;x
hSR
LUc
xB4g
=qOZ
giW
JD!ad
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
user32.dll
wnsprintfA
wsprintfA
!This program cannot be run in DOS mode.
"Rich
.text
.rdata
.data
.reloc
.aspack
.adata
QcxZ
CVN
KRV
qxX
#ThY
4lXF
XYXa
ccS.
p4Ij*
wOw_
TnhE
yourkey
mykey
KavSvc
dl.web-nexus.net
open
rec_run
*\shellex\ContextMenuHandlers\%s
CLSID\%s\ProgId
ThreadingModel
Apartment
CLSID\%s\InProcServer32
CLSID\%s
yfgmqtnxks
xeroiuerjf
.class
Cool
Clr Class
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
_mymeanmap_
arkhmnjpul
.exe
upqwvbakygr
.dat
SHLWAPI.dll
WININET.dll
RpcStringFreeA
UuidToStringA
UuidCreate
RPCRT4.dll
CopyFileA
Sleep
GetModuleFileNameA
lstrlenA
CreateThread
CloseHandle
GetWindowsDirectoryA
GetVolumeInformationA
GetVersionExA
lstrcatA
OpenFileMappingA
GetSystemDirectoryA
KERNEL32.dll
wsprintfA
USER32.dll
RegSetValueExA
RegCloseKey
RegSetValueA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
RecoverClient.dll
DllCanUnloadNow
DllRegisterServer
DllUnregisterServer
gPD
HYKI(
E!LJ
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
rpcrt4.dll
user32.dll
advapi32.dll
shell32.dll
UuidCreate
wsprintfA
RegCloseKey
ShellExecuteA
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
wininet.dll
iphlpapi.dll
user32.dll
advapi32.dll
shell32.dll
StrNCatA
InternetGetConnectedState
GetAdaptersInfo
EnumWindows
RegSetValueA
ShellExecuteA
--------------------------------------------------------



