
HijackThis Log: Please help Diagnose


This topic is locked
25 replies to this topic

#1 chalk61
  • Members
  • 27 posts

Posted 01 September 2005 - 07:49 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:39:50 AM, on 9/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\vehhkyr.EXE
C:\WINNT\system\rkoatpcv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://simplexgrinnell.ia
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SimplexGrinnell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy1:9998;http=proxy1:9998;https=proxy1:9998
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ia; *.simplexnet.com; *.simplexgrinnell.net; scapp01*; scapb02*; E113992*; <local>
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\system32\pkshkczj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [vehhkyr] C:\WINNT\vehhkyr.EXE
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kgddld.exe reg_run
O4 - HKCU\..\Run: [pshower] C:\WINNT\system32\pshwr.exe
O4 - Startup: setIE.vbs
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://simplexgrinnell.ia
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121195534949
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121195520748
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://qap.ace.ia:8002/jinitiator/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://simplexgrinnell.webex.com/client/v_...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Edited by chalk61, 01 September 2005 - 07:49 AM.



#2 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 01 September 2005 - 08:31 AM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\system32\pkshkczj.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [vehhkyr] C:\WINNT\vehhkyr.EXE
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kgddld.exe reg_run
O4 - HKCU\..\Run: [pshower] C:\WINNT\system32\pshwr.exe
O4 - Startup: setIE.vbs
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\WINNT\system32\exp.exe
C:\WINNT\vehhkyr.EXE
C:\WINNT\system32\kgddld.exe
C:\WINNT\system32\pshwr.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 08:59 AM

The only entry I did not remove was setIE.vbs. That process is OK.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:55 AM, on 9/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system\rkoatpcv.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://simplexgrinnell.ia
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SimplexGrinnell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy1:9998;http=proxy1:9998;https=proxy1:9998
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ia; *.simplexnet.com; *.simplexgrinnell.net; scapp01*; scapb02*; E113992*; <local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kgddld.exe reg_run
O4 - Startup: setIE.vbs
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://simplexgrinnell.ia
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121195534949
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121195520748
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://qap.ace.ia:8002/jinitiator/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://simplexgrinnell.webex.com/client/v_...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
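As an added example (my own code, not part of this thread and not HijackThis' own tooling), the Python script below parses the before and after logs from posts #1 and #3, checks Daemon's fix list from post #2 against the new log, and diffs the two running-process lists. The log text embedded in it is an excerpt copied from the posts above; the function names, the Entry type and the check itself are my assumptions about how a helper would verify a fix.

```python
import re
from dataclasses import dataclass

# Constructed sample: excerpts of the two HijackThis logs posted above
# (post #1 before the fix, post #3 after). Only the lines relevant to the
# check are kept; these are not complete logs.
LOG_BEFORE = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\vehhkyr.EXE
C:\WINNT\system\rkoatpcv.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\system32\pkshkczj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [vehhkyr] C:\WINNT\vehhkyr.EXE
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kgddld.exe reg_run
O4 - HKCU\..\Run: [pshower] C:\WINNT\system32\pshwr.exe
O4 - Startup: setIE.vbs
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
"""

LOG_AFTER = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system\rkoatpcv.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kgddld.exe reg_run
O4 - Startup: setIE.vbs
"""

# The seven entries Daemon asked to have fixed, as listed in post #2.
FIX_LIST = r"""
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\system32\pkshkczj.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [vehhkyr] C:\WINNT\vehhkyr.EXE
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kgddld.exe reg_run
O4 - HKCU\..\Run: [pshower] C:\WINNT\system32\pshwr.exe
O4 - Startup: setIE.vbs
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
"""

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ..."
HJT_ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass(frozen=True)
class Entry:
    section: str   # section code such as "O4"
    detail: str    # everything after "O4 - "

    def __str__(self):
        return f"{self.section} - {self.detail}"


def parse_hjt(text):
    """Split a HijackThis log into its numbered entries and its process list."""
    entries, processes = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False   # a blank line ends the process list
            continue
        m = HJT_ENTRY.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries, processes


def remaining_entries(fix_list, log_after):
    """Entries from the fix list that still appear, verbatim, in the new log."""
    after = set(parse_hjt(log_after)[0])
    return [str(e) for e in parse_hjt(fix_list)[0] if e in after]


def process_diff(log_before, log_after):
    """Processes no longer running and newly running (compared case-insensitively)."""
    before = {p.lower() for p in parse_hjt(log_before)[1]}
    after = {p.lower() for p in parse_hjt(log_after)[1]}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for line in remaining_entries(FIX_LIST, LOG_AFTER):
        print("still present:", line)
    gone, added = process_diff(LOG_BEFORE, LOG_AFTER)
    print("no longer running:", gone)
    print("newly running:", added)
```

Run against these excerpts it reports two of the seven entries still present: setIE.vbs, which chalk61 kept on purpose, and the winsync entry for kgddld.exe, which did survive the first pass. The process diff shows vehhkyr.EXE gone from the running-process list, which is the second thing a helper would want confirmed before moving on.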

#4 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 01 September 2005 - 09:01 AM

Click here to download FindQoologic-Narrator.

Save it to your Desktop then extract the files from the zip into their own folder called FindQoologic. Open the FindQoologic folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text opens, save it to your desktop, then post it in your next reply here.

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So, I need 3 logs in your next reply: FindQoologic, WinPFind, and TrackQoo.

#5 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 09:26 AM

I could not download WinPFind 1.3.1; the link is broken.

#6 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 01 September 2005 - 09:30 AM

So it is, just post the other two logs for me then.

#7 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 09:46 AM

Find Qoologic last edited 8/30/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* winsync C:\WINNT\System32\DJDDSDS.DLL
* winsync C:\WINNT\System32\DNKKJ.DLL
* winsync C:\WINNT\System32\WUAUCLT.DLL
If this string search find's both and an exe and dat it's bad.
»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* UPX! C:\WINNT\System32\MC-110~1.EXE
* UPX! C:\WINNT\System32\MTE2OD~1.EXE
* aspack C:\WINNT\System32\MRT.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\DKCC.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f8883c

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
dkcc.exe

User Startup:
C:\Documents and Settings\wantonucci\Start Menu\Programs\Startup
.
..
setIE.vbs

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...

C:\WINNT\SYSTEM32\KGDDLD.EXE
C:\WINNT\SYSTEM32\CNQQBQM.EXE
C:\WINNT\SYSTEM32\DNKKJ.DLL
C:\WINNT\SYSTEM32\DJDDSDS.DLL
C:\WINNT\SYSTEM32\PNGFILT.DLL
C:\WINNT\SYSTEM32\QAYYP.DAT
C:\WINNT\SYSTEM32\VGACTL.CPL
C:\WINNT\SYSTEM32\WUAUCLT.DLL
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\DKCC.EXE

#8 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 09:46 AM

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SxgTkBar"="SxgTkBar.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\cwbsvstr.exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"Client Access Express Welcome"="\"C:\\Program Files\\IBM\\Client Access\\cwbwlwiz.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"winsync"="C:\\WINNT\\system32\\kgddld.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- gnkkfkxt
{b07a8fe3-48ce-4c8f-8993-c58e66aff5d8}
C:\WINNT\system32\dnkkj.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\System32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\System32\docprop2.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

dkcc.exe
==============================
C:\Documents and Settings\wantonucci\Start Menu\Programs\Startup

dkcc.exe
setIE.vbs
==============================
C:\WINNT\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
ca400cpl.cpl IBM Corporation
DESK.CPL Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sticpl.cpl Microsoft Corporation
Sxgbcpl.cpl YAMAHA CORPORATION
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wuaucpl.cpl Microsoft Corporation

#9 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 01 September 2005 - 10:13 AM

OK, we've got some of them - let's just double-check the others.

Go to Jotti's malware scan

Copy and paste the following file paths one by one into the "File to upload & scan" box on the top of the page:

C:\WINNT\system32\vgactl.cpl
C:\WINNT\System32\DJDDSDS.DLL
C:\WINNT\System32\WUAUCLT.DLL
C:\WINNT\SYSTEM32\CNQQBQM.EXE
C:\WINNT\SYSTEM32\QAYYP.DAT


Click on the submit button. Please post the results for each in your next reply.

Edited by Daemon, 01 September 2005 - 10:18 AM.


#10 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 10:18 AM

File: vgactl.cpl
Status: INFECTED/MALWARE
MD5 6ad05b0dcb77ab471f7bb1e7ef9fb1ae
Packers detected: ASPACK
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.ad
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

#11 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 10:19 AM

File: DJDDSDS.DLL
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 938b0ba65ae2a54db2553a43dd23dd8f
Packers detected: ASPACK
Scanner results
AntiVir Found TR/Dldr.Qoologic.AC
ArcaVir Found Trojan.Downloader.Qoologic.Ac
Avast Found Win32:Qoologic-T
AVG Antivirus Found Downloader.Generic.DBI
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found not a virus Adware.Nexus
F-Prot Antivirus Found W32/Qoologic.F
Fortinet Found W32/Qoologic.AC-dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.ac
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Qoologic.ac

#12 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 10:20 AM

File: WUAUCLT.DLL
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 358fd2546297771930d59db848ae96ec
Packers detected: ASPACK
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Qoologic-T
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

#13 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 10:21 AM

File: CNQQBQM.EXE
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2808ed0086fd120e646bb9050bd95f2d
Packers detected: ASPACK
Scanner results
AntiVir Found TR/Dldr.Qoologic.AC.5
ArcaVir Found Trojan.Small.A19.A3
Avast Found Win32:Qoologic-U
AVG Antivirus Found Downloader.Generic.DMH
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found not a virus Adware.Nexus
F-Prot Antivirus Found W32/Qoologic.F
Fortinet Found W32/Qoologic.AC-dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.ac
NOD32 Found Win32/TrojanDownloader.Qoologic.AC
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Qoologic.ac

#14 Daemon
  • Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 01 September 2005 - 10:22 AM

I added a few more - could you check those also.

#15 chalk61
  • Topic Starter
  • Members
  • 27 posts

Posted 01 September 2005 - 10:22 AM

File: QAYYP.DAT
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f1e0eab4701634019f2833869f903661
Packers detected: Analyzing...
Scanner results
AntiVir Found TR/Dldr.Qoologic.AC.3
ArcaVir Found Trojan.Downloader.Qoologic.Ac
Avast Found Win32:Qoologic-R
AVG Antivirus Found Downloader.Generic.DNP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found not a virus Adware.Nexus
F-Prot Antivirus Found dropper for W32/Qoologic.F
Fortinet Found Adware/Qoolaid
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.ac
NOD32 Found Win32/TrojanDownloader.Qoologic
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Qoologic.ac
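As an added example (my own code, not Jotti's and not from this thread), the Python parser below reads result blocks in the form posted above, counts how many engines flagged each file, treats a single-engine hit as suspicious rather than malicious (the WUAUCLT.DLL case, where only Avast fired), and tallies how many engines agree on a family name. The embedded sample is two of the blocks from posts #12 and #15 with the long Status notes shortened; the two-engine threshold, the ScanReport type and the function names are my assumptions, and Dr.Web's "not a virus" result is deliberately counted as a hit.

```python
from dataclasses import dataclass, field

# Constructed sample: two of the Jotti result blocks posted above
# (posts #12 and #15), with the Status notes shortened.
JOTTI_SAMPLE = """\
File: WUAUCLT.DLL
Status: POSSIBLY INFECTED/MALWARE
MD5 358fd2546297771930d59db848ae96ec
Packers detected: ASPACK
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Qoologic-T
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

File: QAYYP.DAT
Status: INFECTED/MALWARE
MD5 f1e0eab4701634019f2833869f903661
Packers detected: Analyzing...
Scanner results
AntiVir Found TR/Dldr.Qoologic.AC.3
ArcaVir Found Trojan.Downloader.Qoologic.Ac
Avast Found Win32:Qoologic-R
AVG Antivirus Found Downloader.Generic.DNP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found not a virus Adware.Nexus
F-Prot Antivirus Found dropper for W32/Qoologic.F
Fortinet Found Adware/Qoolaid
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.ac
NOD32 Found Win32/TrojanDownloader.Qoologic
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Qoologic.ac
"""


@dataclass
class ScanReport:
    filename: str
    md5: str = ""
    packer: str = ""
    engines: int = 0                            # engines that reported at all
    hits: dict = field(default_factory=dict)    # engine -> detection string


def parse_jotti(text):
    """Parse one or more 'File: ...' result blocks into ScanReport objects."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            cur = ScanReport(filename=line[len("File: "):])
            reports.append(cur)
        elif cur is None:
            continue
        elif line.startswith("MD5 "):
            cur.md5 = line[len("MD5 "):].lower()
        elif line.startswith("Packers detected: "):
            cur.packer = line[len("Packers detected: "):]
        elif " Found " in line:
            # Engine names contain spaces, so split on the first " Found " only.
            engine, detection = line.split(" Found ", 1)
            cur.engines += 1
            if detection != "nothing":
                cur.hits[engine] = detection
    return reports


def verdict(report, min_engines=2):
    """Single-engine hits are flagged as suspicious, not malicious (assumed threshold)."""
    if not report.hits:
        return "clean"
    if len(report.hits) < min_engines:
        return "suspicious"
    return "malicious"


def family_votes(report, family):
    """How many engines put the given family name in their detection string."""
    return sum(1 for d in report.hits.values() if family.lower() in d.lower())


def summarize(reports, family):
    """(filename, hits, engines, verdict, family votes) for each report."""
    return [(r.filename, len(r.hits), r.engines, verdict(r), family_votes(r, family))
            for r in reports]


if __name__ == "__main__":
    for row in summarize(parse_jotti(JOTTI_SAMPLE), "Qoologic"):
        print(row)
```

The point of the threshold is the one Jotti's own note makes on the WUAUCLT.DLL result: one detection from a single engine is a prompt to look closer, not a verdict, whereas ten engines on QAYYP.DAT with seven naming the same family is as clear as a multi-scanner result gets.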



