Insane Popups

12 replies to this topic

#1 aussiepaul

aussiepaul

  • Members
  • 7 posts

Posted 12 January 2005 - 09:47 PM

Somehow I have been infected with malware that keeps popping up IE windows, even if I don't have IE opened.

I have tried using many adware and spyware programs, but nothing seems to work. Adaware seems to cause a problem with explorer and doesn't complete. So therefore I've decided to try HijackThis.

Here is my logfile

Logfile of HijackThis v1.99.0
Scan saved at 9:32:36 PM, on 1/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
D:\PROGRAM FILES 2\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\PROGRAM FILES 2\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Gulfstream Aerospace
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sav.gulfaero.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\nhu4u7hi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CPROGRAM%20FILES%202%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\nhu4u7hi.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CAMEDIA Master.lnk = D:\Program Files 2\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Program Files 2\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16432d32f07036...ip/RdxIE601.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab



What should I do?



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 13 January 2005 - 02:15 AM

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip


and unzip the contents to a folder. When it has unzipped, open that folder and double-click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen; it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#3 aussiepaul

aussiepaul
  • Topic Starter

  • Members
  • 7 posts

Posted 13 January 2005 - 01:39 PM

I presume you mean findit9xme.zip, since I'm using win98 SE. I'll try it later this afternoon.

Thanks.

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 13 January 2005 - 03:53 PM

You are correct... yes, that is what I want you to do.

#5 aussiepaul

aussiepaul
  • Topic Starter

  • Members
  • 7 posts

Posted 13 January 2005 - 07:14 PM

Here is the FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

LJEPS12N DLL 217,088 12-28-04 5:32p ljeps12n.dll
HZZJUI07 DLL 217,088 12-28-04 5:32p hzzjui07.dll
MDIEFTP DLL 217,088 12-28-04 5:32p MDIEFTP.DLL
OYIDLL16 DLL 217,088 12-28-04 5:32p OYIDLL16.DLL
DBMSTOR DLL 217,088 12-28-04 5:32p dbmstor.dll
OGEAUT32 DLL 217,088 12-28-04 5:32p OGEAUT32.DLL
HZD DLL 217,088 12-28-04 5:32p HZD.DLL
MGNDEX DLL 217,088 12-28-04 5:32p mgndex.dll
DVLAY DLL 217,088 12-28-04 5:32p DVLAY.DLL
WZPCD DLL 217,088 12-28-04 5:32p wzpcd.dll
COYPTUI DLL 217,088 12-28-04 5:32p COYPTUI.DLL
SHI_CI DLL 217,088 12-28-04 5:32p SHI_CI.DLL
CKNWIN16 DLL 217,088 12-28-04 5:32p CKNWIN16.DLL
LPONAR~1 DLL 217,088 12-28-04 5:32p Lponardo da Vinci.dll
DHMSTOR DLL 217,088 12-28-04 5:32p dhmstor.dll
MVC40 DLL 217,088 12-28-04 5:32p MVC40.DLL
OPBCCURS DLL 217,088 12-28-04 5:32p OPBCCURS.DLL
WXPOLHLP DLL 217,088 12-28-04 5:32p WXPOLHLP.DLL
RCVPSP DLL 217,088 12-28-04 5:32p RCVPSP.DLL
DHMIGR DLL 217,088 12-28-04 5:32p DHMIGR.DLL
JFVALE DLL 217,088 12-28-04 5:32p JFVALE.DLL
MZGAPA~1 DLL 217,088 12-28-04 5:32p mzgaparse.dll
LEGL12N DLL 217,088 12-28-04 5:32p Legl12n.dll
LSCUT12N DLL 217,088 12-28-04 5:32p lsCUT12n.dll
CEYPTUI DLL 217,088 12-28-04 5:32p CEYPTUI.DLL
HNHIPR11 DLL 217,088 12-28-04 5:32p hnhipr11.dll
WNASF DLL 217,088 12-28-04 5:32p wnasf.dll
HMD DLL 217,088 12-28-04 5:32p HMD.DLL
LHDLG12N DLL 217,088 12-28-04 5:32p lhdlg12n.dll
SBHANNEL DLL 217,088 12-28-04 5:32p SBHANNEL.DLL
TFP3216S DLL 217,088 12-28-04 5:32p TFP3216S.DLL
SSNDMAIL DLL 217,088 12-28-04 5:32p SSNDMAIL.DLL
WOPLENC DLL 217,088 12-28-04 5:32p woplenc.dll
SCTUPAPI DLL 217,088 12-28-04 5:32p SCTUPAPI.DLL
CFYPTEXT DLL 217,088 12-28-04 5:32p CFYPTEXT.DLL
35 file(s) 7,598,080 bytes
0 dir(s) 2,221.64 MB free

------- Hidden Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

HPHPHT04 GID 8,628 05-02-04 7:26p hphpht04.GID
RATINGS POL 53,280 05-01-04 11:04a RATINGS.POL
FOLDER HTT 13,122 10-19-01 12:09a folder.htt
DESKTOP INI 266 10-19-01 12:09a desktop.ini
4 file(s) 75,296 bytes
0 dir(s) 2,221.63 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{694D1A01-58F6-11D9-88CF-0004E21EE72D}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ljeps12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzzjui07.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mdieftp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
oyidll16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dbmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ogeaut32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mgndex.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dvlay.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wzpcd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
coyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
shi_ci.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cknwin16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lponar~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mvc40.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
opbccurs.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wxpolhlp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
rcvpsp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmigr.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
jfvale.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mzgapa~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
legl12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lscut12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ceyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hnhipr11.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wnasf.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lhdlg12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sbhannel.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
tfp3216s.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ssndmail.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
woplenc.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sctupapi.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cfyptext.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K

35 items found: 35 files, 0 directories.
Total of file sizes: 7,598,080 bytes 7.25 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: :.aspackze
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: H.aspack.text
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: H@.aspack.text.pmj
C:\WINDOWS\PAV.SIG: AsPack
C:\WINDOWS\PAV.SIG: :.aspack
C:\WINDOWS\PAV.SIG: H@.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: H.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ljeps12n.dll: UMonitor
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
C:\WINDOWS\SYSTEM\hzzjui07.dll: UMonitor
C:\WINDOWS\SYSTEM\MDIEFTP.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYIDLL16.DLL: UMonitor
C:\WINDOWS\SYSTEM\dbmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\OGEAUT32.DLL: UMonitor
C:\WINDOWS\SYSTEM\HZD.DLL: UMonitor
C:\WINDOWS\SYSTEM\mgndex.dll: UMonitor
C:\WINDOWS\SYSTEM\DVLAY.DLL: UMonitor
C:\WINDOWS\SYSTEM\wzpcd.dll: UMonitor
C:\WINDOWS\SYSTEM\COYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\SHI_CI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CKNWIN16.DLL: UMonitor
C:\WINDOWS\SYSTEM\Lponardo da Vinci.dll: UMonitor
C:\WINDOWS\SYSTEM\dhmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\MVC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\OPBCCURS.DLL: UMonitor
C:\WINDOWS\SYSTEM\WXPOLHLP.DLL: UMonitor
C:\WINDOWS\SYSTEM\RCVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\DHMIGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\JFVALE.DLL: UMonitor
C:\WINDOWS\SYSTEM\mzgaparse.dll: UMonitor
C:\WINDOWS\SYSTEM\Legl12n.dll: UMonitor
C:\WINDOWS\SYSTEM\lsCUT12n.dll: UMonitor
C:\WINDOWS\SYSTEM\CEYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\hnhipr11.dll: UMonitor
C:\WINDOWS\SYSTEM\wnasf.dll: UMonitor
C:\WINDOWS\SYSTEM\HMD.DLL: UMonitor
C:\WINDOWS\SYSTEM\lhdlg12n.dll: UMonitor
C:\WINDOWS\SYSTEM\SBHANNEL.DLL: UMonitor
C:\WINDOWS\SYSTEM\TFP3216S.DLL: UMonitor
C:\WINDOWS\SYSTEM\SSNDMAIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\woplenc.dll: UMonitor
C:\WINDOWS\SYSTEM\SCTUPAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CFYPTEXT.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\Program Files\\DirectCD\\DIRECTCD.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb07.exe"
"HPHmon04"="C:\\WINDOWS\\SYSTEM\\HPHMON04.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"EM_EXEC"="c:\\MOUSE\\SYSTEM\\EM_EXEC.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXRD32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#6 aussiepaul

aussiepaul
  • Topic Starter

  • Members
  • 7 posts

Posted 14 January 2005 - 12:04 AM

Ignore the last post. My machine froze (due to one of the popups), and I had to reboot.

This is the latest log from FindIt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

LJEPS12N DLL 217,088 12-28-04 5:32p ljeps12n.dll
HZZJUI07 DLL 217,088 12-28-04 5:32p hzzjui07.dll
MDIEFTP DLL 217,088 12-28-04 5:32p MDIEFTP.DLL
OYIDLL16 DLL 217,088 12-28-04 5:32p OYIDLL16.DLL
DBMSTOR DLL 217,088 12-28-04 5:32p dbmstor.dll
OGEAUT32 DLL 217,088 12-28-04 5:32p OGEAUT32.DLL
HZD DLL 217,088 12-28-04 5:32p HZD.DLL
MGNDEX DLL 217,088 12-28-04 5:32p mgndex.dll
DVLAY DLL 217,088 12-28-04 5:32p DVLAY.DLL
WZPCD DLL 217,088 12-28-04 5:32p wzpcd.dll
COYPTUI DLL 217,088 12-28-04 5:32p COYPTUI.DLL
SHI_CI DLL 217,088 12-28-04 5:32p SHI_CI.DLL
CKNWIN16 DLL 217,088 12-28-04 5:32p CKNWIN16.DLL
LPONAR~1 DLL 217,088 12-28-04 5:32p Lponardo da Vinci.dll
DHMSTOR DLL 217,088 12-28-04 5:32p dhmstor.dll
MVC40 DLL 217,088 12-28-04 5:32p MVC40.DLL
OPBCCURS DLL 217,088 12-28-04 5:32p OPBCCURS.DLL
WXPOLHLP DLL 217,088 12-28-04 5:32p WXPOLHLP.DLL
RCVPSP DLL 217,088 12-28-04 5:32p RCVPSP.DLL
DHMIGR DLL 217,088 12-28-04 5:32p DHMIGR.DLL
JFVALE DLL 217,088 12-28-04 5:32p JFVALE.DLL
MZGAPA~1 DLL 217,088 12-28-04 5:32p mzgaparse.dll
LEGL12N DLL 217,088 12-28-04 5:32p Legl12n.dll
LSCUT12N DLL 217,088 12-28-04 5:32p lsCUT12n.dll
CEYPTUI DLL 217,088 12-28-04 5:32p CEYPTUI.DLL
HNHIPR11 DLL 217,088 12-28-04 5:32p hnhipr11.dll
WNASF DLL 217,088 12-28-04 5:32p wnasf.dll
HMD DLL 217,088 12-28-04 5:32p HMD.DLL
LHDLG12N DLL 217,088 12-28-04 5:32p lhdlg12n.dll
SBHANNEL DLL 217,088 12-28-04 5:32p SBHANNEL.DLL
TFP3216S DLL 217,088 12-28-04 5:32p TFP3216S.DLL
SSNDMAIL DLL 217,088 12-28-04 5:32p SSNDMAIL.DLL
WOPLENC DLL 217,088 12-28-04 5:32p woplenc.dll
SCTUPAPI DLL 217,088 12-28-04 5:32p SCTUPAPI.DLL
CFYPTEXT DLL 217,088 12-28-04 5:32p CFYPTEXT.DLL
HMAD32 DLL 217,088 12-28-04 5:32p hmad32.dll
36 file(s) 7,815,168 bytes
0 dir(s) 2,298.73 MB free

------- System Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

LJEPS12N DLL 217,088 12-28-04 5:32p ljeps12n.dll
HZZJUI07 DLL 217,088 12-28-04 5:32p hzzjui07.dll
MDIEFTP DLL 217,088 12-28-04 5:32p MDIEFTP.DLL
OYIDLL16 DLL 217,088 12-28-04 5:32p OYIDLL16.DLL
DBMSTOR DLL 217,088 12-28-04 5:32p dbmstor.dll
OGEAUT32 DLL 217,088 12-28-04 5:32p OGEAUT32.DLL
HZD DLL 217,088 12-28-04 5:32p HZD.DLL
MGNDEX DLL 217,088 12-28-04 5:32p mgndex.dll
DVLAY DLL 217,088 12-28-04 5:32p DVLAY.DLL
WZPCD DLL 217,088 12-28-04 5:32p wzpcd.dll
COYPTUI DLL 217,088 12-28-04 5:32p COYPTUI.DLL
SHI_CI DLL 217,088 12-28-04 5:32p SHI_CI.DLL
CKNWIN16 DLL 217,088 12-28-04 5:32p CKNWIN16.DLL
LPONAR~1 DLL 217,088 12-28-04 5:32p Lponardo da Vinci.dll
DHMSTOR DLL 217,088 12-28-04 5:32p dhmstor.dll
MVC40 DLL 217,088 12-28-04 5:32p MVC40.DLL
OPBCCURS DLL 217,088 12-28-04 5:32p OPBCCURS.DLL
WXPOLHLP DLL 217,088 12-28-04 5:32p WXPOLHLP.DLL
RCVPSP DLL 217,088 12-28-04 5:32p RCVPSP.DLL
DHMIGR DLL 217,088 12-28-04 5:32p DHMIGR.DLL
JFVALE DLL 217,088 12-28-04 5:32p JFVALE.DLL
MZGAPA~1 DLL 217,088 12-28-04 5:32p mzgaparse.dll
LEGL12N DLL 217,088 12-28-04 5:32p Legl12n.dll
LSCUT12N DLL 217,088 12-28-04 5:32p lsCUT12n.dll
CEYPTUI DLL 217,088 12-28-04 5:32p CEYPTUI.DLL
HNHIPR11 DLL 217,088 12-28-04 5:32p hnhipr11.dll
WNASF DLL 217,088 12-28-04 5:32p wnasf.dll
HMD DLL 217,088 12-28-04 5:32p HMD.DLL
LHDLG12N DLL 217,088 12-28-04 5:32p lhdlg12n.dll
SBHANNEL DLL 217,088 12-28-04 5:32p SBHANNEL.DLL
TFP3216S DLL 217,088 12-28-04 5:32p TFP3216S.DLL
SSNDMAIL DLL 217,088 12-28-04 5:32p SSNDMAIL.DLL
WOPLENC DLL 217,088 12-28-04 5:32p woplenc.dll
SCTUPAPI DLL 217,088 12-28-04 5:32p SCTUPAPI.DLL
CFYPTEXT DLL 217,088 12-28-04 5:32p CFYPTEXT.DLL
HMAD32 DLL 217,088 12-28-04 5:32p hmad32.dll
DWMSTOR DLL 217,088 12-28-04 5:32p dwmstor.dll
37 file(s) 8,032,256 bytes
0 dir(s) 2,298.06 MB free

------- Hidden Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

HPHPHT04 GID 8,628 05-02-04 7:26p hphpht04.GID
RATINGS POL 53,280 05-01-04 11:04a RATINGS.POL
FOLDER HTT 13,122 10-19-01 12:09a folder.htt
DESKTOP INI 266 10-19-01 12:09a desktop.ini
4 file(s) 75,296 bytes
0 dir(s) 2,298.73 MB free

------- Hidden Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

HPHPHT04 GID 8,628 05-02-04 7:26p hphpht04.GID
RATINGS POL 53,280 05-01-04 11:04a RATINGS.POL
FOLDER HTT 13,122 10-19-01 12:09a folder.htt
DESKTOP INI 266 10-19-01 12:09a desktop.ini
4 file(s) 75,296 bytes
0 dir(s) 2,298.06 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{694D1A01-58F6-11D9-88CF-0004E21EE72D}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ljeps12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzzjui07.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mdieftp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
oyidll16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dbmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ogeaut32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mgndex.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dvlay.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wzpcd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
coyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
shi_ci.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cknwin16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lponar~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mvc40.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
opbccurs.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wxpolhlp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
rcvpsp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmigr.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
jfvale.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mzgapa~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
legl12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lscut12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ceyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hnhipr11.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wnasf.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lhdlg12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sbhannel.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
tfp3216s.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ssndmail.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
woplenc.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sctupapi.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cfyptext.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmad32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dwmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K

37 items found: 37 files, 0 directories.
Total of file sizes: 8,032,256 bytes 7.66 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: :.aspackze
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: H.aspack.text
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: H@.aspack.text.pmj
C:\WINDOWS\PAV.SIG: AsPack
C:\WINDOWS\PAV.SIG: :.aspack
C:\WINDOWS\PAV.SIG: H@.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: H.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ljeps12n.dll: UMonitor
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
C:\WINDOWS\SYSTEM\hzzjui07.dll: UMonitor
C:\WINDOWS\SYSTEM\MDIEFTP.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYIDLL16.DLL: UMonitor
C:\WINDOWS\SYSTEM\dbmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\OGEAUT32.DLL: UMonitor
C:\WINDOWS\SYSTEM\HZD.DLL: UMonitor
C:\WINDOWS\SYSTEM\mgndex.dll: UMonitor
C:\WINDOWS\SYSTEM\DVLAY.DLL: UMonitor
C:\WINDOWS\SYSTEM\wzpcd.dll: UMonitor
C:\WINDOWS\SYSTEM\COYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\SHI_CI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CKNWIN16.DLL: UMonitor
C:\WINDOWS\SYSTEM\Lponardo da Vinci.dll: UMonitor
C:\WINDOWS\SYSTEM\dhmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\MVC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\OPBCCURS.DLL: UMonitor
C:\WINDOWS\SYSTEM\WXPOLHLP.DLL: UMonitor
C:\WINDOWS\SYSTEM\RCVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\DHMIGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\JFVALE.DLL: UMonitor
C:\WINDOWS\SYSTEM\mzgaparse.dll: UMonitor
C:\WINDOWS\SYSTEM\Legl12n.dll: UMonitor
C:\WINDOWS\SYSTEM\lsCUT12n.dll: UMonitor
C:\WINDOWS\SYSTEM\CEYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\hnhipr11.dll: UMonitor
C:\WINDOWS\SYSTEM\wnasf.dll: UMonitor
C:\WINDOWS\SYSTEM\HMD.DLL: UMonitor
C:\WINDOWS\SYSTEM\lhdlg12n.dll: UMonitor
C:\WINDOWS\SYSTEM\SBHANNEL.DLL: UMonitor
C:\WINDOWS\SYSTEM\TFP3216S.DLL: UMonitor
C:\WINDOWS\SYSTEM\SSNDMAIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\woplenc.dll: UMonitor
C:\WINDOWS\SYSTEM\SCTUPAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CFYPTEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\hmad32.dll: UMonitor
C:\WINDOWS\SYSTEM\dwmstor.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\Program Files\\DirectCD\\DIRECTCD.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb07.exe"
"HPHmon04"="C:\\WINDOWS\\SYSTEM\\HPHMON04.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"EM_EXEC"="c:\\MOUSE\\SYSTEM\\EM_EXEC.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXRD32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#7 Grinler (Lawrence Abrams, Admin)

Posted 14 January 2005 - 12:21 AM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  • Paste this file into the top Full Path of File to Delete field.

    c:\windows\systme\ljeps12n.dll

  • Click the Delete File button which looks like a stop sign.

  • Click Yes at the Replace on Reboot prompt.

  • Click No at the Pending Operations prompt.
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

c:\windows\systme\hzzjui07.dll
c:\windows\systme\MDIEFTP.DLL
c:\windows\systme\OYIDLL16.DLL
c:\windows\systme\dbmstor.dll
c:\windows\systme\OGEAUT32.DLL
c:\windows\systme\HZD.DLL
c:\windows\systme\mgndex.dll
c:\windows\systme\DVLAY.DLL
c:\windows\systme\wzpcd.dll
c:\windows\systme\COYPTUI.DLL
c:\windows\systme\SHI_CI.DLL
c:\windows\systme\vCKNWIN16.DLL
c:\windows\systme\Lponardo da Vinci.dll
c:\windows\systme\dhmstor.dll
c:\windows\systme\MVC40.DLL
c:\windows\systme\OPBCCURS.DLL
c:\windows\systme\WXPOLHLP.DLL
c:\windows\systme\RCVPSP.DLL
c:\windows\systme\DHMIGR.DLL
c:\windows\systme\JFVALE.DLL
c:\windows\systme\mzgaparse.dll
c:\windows\systme\Legl12n.dll
c:\windows\systme\lsCUT12n.dll
c:\windows\systme\CEYPTUI.DLL
c:\windows\systme\hnhipr11.dll
c:\windows\systme\wnasf.dll
c:\windows\systme\HMD.DLL
c:\windows\systme\lhdlg12n.dll
c:\windows\systme\SBHANNEL.DLL
c:\windows\systme\TFP3216S.DLL
c:\windows\systme\SSNDMAIL.DLL
c:\windows\systme\woplenc.dll
c:\windows\systme\SCTUPAPI.DLL
c:\windows\systme\CFYPTEXT.DLL
c:\windows\systme\hmad32.dll
C:\WINDOWS\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

#8 aussiepaul (Topic Starter)

Posted 14 January 2005 - 05:07 PM

OK, let's try this again. Looking back over your post from last night, were the deleted files supposed to be C:\windows\systme\ or c:\windows\system?

Here is the latest find-it log

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

LJEPS12N DLL 217,088 12-28-04 5:32p ljeps12n.dll
HZZJUI07 DLL 217,088 12-28-04 5:32p hzzjui07.dll
MDIEFTP DLL 217,088 12-28-04 5:32p MDIEFTP.DLL
OYIDLL16 DLL 217,088 12-28-04 5:32p OYIDLL16.DLL
DBMSTOR DLL 217,088 12-28-04 5:32p dbmstor.dll
OGEAUT32 DLL 217,088 12-28-04 5:32p OGEAUT32.DLL
HZD DLL 217,088 12-28-04 5:32p HZD.DLL
MGNDEX DLL 217,088 12-28-04 5:32p mgndex.dll
DVLAY DLL 217,088 12-28-04 5:32p DVLAY.DLL
WZPCD DLL 217,088 12-28-04 5:32p wzpcd.dll
COYPTUI DLL 217,088 12-28-04 5:32p COYPTUI.DLL
SHI_CI DLL 217,088 12-28-04 5:32p SHI_CI.DLL
CKNWIN16 DLL 217,088 12-28-04 5:32p CKNWIN16.DLL
LPONAR~1 DLL 217,088 12-28-04 5:32p Lponardo da Vinci.dll
DHMSTOR DLL 217,088 12-28-04 5:32p dhmstor.dll
MVC40 DLL 217,088 12-28-04 5:32p MVC40.DLL
OPBCCURS DLL 217,088 12-28-04 5:32p OPBCCURS.DLL
WXPOLHLP DLL 217,088 12-28-04 5:32p WXPOLHLP.DLL
RCVPSP DLL 217,088 12-28-04 5:32p RCVPSP.DLL
DHMIGR DLL 217,088 12-28-04 5:32p DHMIGR.DLL
JFVALE DLL 217,088 12-28-04 5:32p JFVALE.DLL
MZGAPA~1 DLL 217,088 12-28-04 5:32p mzgaparse.dll
LEGL12N DLL 217,088 12-28-04 5:32p Legl12n.dll
LSCUT12N DLL 217,088 12-28-04 5:32p lsCUT12n.dll
CEYPTUI DLL 217,088 12-28-04 5:32p CEYPTUI.DLL
HNHIPR11 DLL 217,088 12-28-04 5:32p hnhipr11.dll
WNASF DLL 217,088 12-28-04 5:32p wnasf.dll
HMD DLL 217,088 12-28-04 5:32p HMD.DLL
LHDLG12N DLL 217,088 12-28-04 5:32p lhdlg12n.dll
SBHANNEL DLL 217,088 12-28-04 5:32p SBHANNEL.DLL
TFP3216S DLL 217,088 12-28-04 5:32p TFP3216S.DLL
SSNDMAIL DLL 217,088 12-28-04 5:32p SSNDMAIL.DLL
WOPLENC DLL 217,088 12-28-04 5:32p woplenc.dll
SCTUPAPI DLL 217,088 12-28-04 5:32p SCTUPAPI.DLL
CFYPTEXT DLL 217,088 12-28-04 5:32p CFYPTEXT.DLL
CCL3D DLL 217,088 12-28-04 5:32p CCL3D.DLL
HMAD32 DLL 217,088 12-28-04 5:32p hmad32.dll
37 file(s) 8,032,256 bytes
0 dir(s) 2,292.88 MB free

------- System Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

LJEPS12N DLL 217,088 12-28-04 5:32p ljeps12n.dll
HZZJUI07 DLL 217,088 12-28-04 5:32p hzzjui07.dll
MDIEFTP DLL 217,088 12-28-04 5:32p MDIEFTP.DLL
OYIDLL16 DLL 217,088 12-28-04 5:32p OYIDLL16.DLL
DBMSTOR DLL 217,088 12-28-04 5:32p dbmstor.dll
OGEAUT32 DLL 217,088 12-28-04 5:32p OGEAUT32.DLL
HZD DLL 217,088 12-28-04 5:32p HZD.DLL
MGNDEX DLL 217,088 12-28-04 5:32p mgndex.dll
DVLAY DLL 217,088 12-28-04 5:32p DVLAY.DLL
WZPCD DLL 217,088 12-28-04 5:32p wzpcd.dll
COYPTUI DLL 217,088 12-28-04 5:32p COYPTUI.DLL
SHI_CI DLL 217,088 12-28-04 5:32p SHI_CI.DLL
CKNWIN16 DLL 217,088 12-28-04 5:32p CKNWIN16.DLL
LPONAR~1 DLL 217,088 12-28-04 5:32p Lponardo da Vinci.dll
DHMSTOR DLL 217,088 12-28-04 5:32p dhmstor.dll
MVC40 DLL 217,088 12-28-04 5:32p MVC40.DLL
OPBCCURS DLL 217,088 12-28-04 5:32p OPBCCURS.DLL
WXPOLHLP DLL 217,088 12-28-04 5:32p WXPOLHLP.DLL
RCVPSP DLL 217,088 12-28-04 5:32p RCVPSP.DLL
DHMIGR DLL 217,088 12-28-04 5:32p DHMIGR.DLL
JFVALE DLL 217,088 12-28-04 5:32p JFVALE.DLL
MZGAPA~1 DLL 217,088 12-28-04 5:32p mzgaparse.dll
LEGL12N DLL 217,088 12-28-04 5:32p Legl12n.dll
LSCUT12N DLL 217,088 12-28-04 5:32p lsCUT12n.dll
CEYPTUI DLL 217,088 12-28-04 5:32p CEYPTUI.DLL
HNHIPR11 DLL 217,088 12-28-04 5:32p hnhipr11.dll
WNASF DLL 217,088 12-28-04 5:32p wnasf.dll
HMD DLL 217,088 12-28-04 5:32p HMD.DLL
LHDLG12N DLL 217,088 12-28-04 5:32p lhdlg12n.dll
SBHANNEL DLL 217,088 12-28-04 5:32p SBHANNEL.DLL
TFP3216S DLL 217,088 12-28-04 5:32p TFP3216S.DLL
SSNDMAIL DLL 217,088 12-28-04 5:32p SSNDMAIL.DLL
WOPLENC DLL 217,088 12-28-04 5:32p woplenc.dll
SCTUPAPI DLL 217,088 12-28-04 5:32p SCTUPAPI.DLL
CFYPTEXT DLL 217,088 12-28-04 5:32p CFYPTEXT.DLL
HMAD32 DLL 217,088 12-28-04 5:32p hmad32.dll
MAWNG300 DLL 217,088 12-28-04 5:32p Mawng300.dll
37 file(s) 8,032,256 bytes
0 dir(s) 2,020.47 MB free

------- Hidden Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

HPHPHT04 GID 8,628 05-02-04 7:26p hphpht04.GID
RATINGS POL 53,280 05-01-04 11:04a RATINGS.POL
FOLDER HTT 13,122 10-19-01 12:09a folder.htt
DESKTOP INI 266 10-19-01 12:09a desktop.ini
4 file(s) 75,296 bytes
0 dir(s) 2,292.87 MB free

---------------- User Agent ------------

------- Hidden Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

HPHPHT04 GID 8,628 05-02-04 7:26p hphpht04.GID
RATINGS POL 53,280 05-01-04 11:04a RATINGS.POL
FOLDER HTT 13,122 10-19-01 12:09a folder.htt
DESKTOP INI 266 10-19-01 12:09a desktop.ini
4 file(s) 75,296 bytes
0 dir(s) 2,020.47 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{694D1A01-58F6-11D9-88CF-0004E21EE72D}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ljeps12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzzjui07.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mdieftp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
oyidll16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dbmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ogeaut32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mgndex.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dvlay.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wzpcd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
coyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
shi_ci.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cknwin16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lponar~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mvc40.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
opbccurs.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wxpolhlp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
rcvpsp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmigr.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
jfvale.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mzgapa~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
legl12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lscut12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ceyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hnhipr11.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wnasf.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lhdlg12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sbhannel.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
tfp3216s.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ssndmail.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
woplenc.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sctupapi.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cfyptext.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ccl3d.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmad32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K

37 items found: 37 files, 0 directories.
Total of file sizes: 8,032,256 bytes 7.66 M

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ljeps12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzzjui07.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mdieftp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
oyidll16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dbmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ogeaut32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mgndex.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dvlay.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wzpcd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
coyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
shi_ci.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cknwin16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lponar~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmstor.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mvc40.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
opbccurs.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wxpolhlp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
rcvpsp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
dhmigr.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
jfvale.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mzgapa~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
legl12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lscut12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ceyptui.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hnhipr11.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
wnasf.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmd.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lhdlg12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sbhannel.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
tfp3216s.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
ssndmail.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
woplenc.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
sctupapi.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cfyptext.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmad32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mawng300.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K

37 items found: 37 files, 0 directories.
Total of file sizes: 8,032,256 bytes 7.66 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: :.aspackze
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: H.aspack.text
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: H@.aspack.text.pmj
C:\WINDOWS\PAV.SIG: AsPack
C:\WINDOWS\PAV.SIG: :.aspack
C:\WINDOWS\PAV.SIG: H@.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: H.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ljeps12n.dll: UMonitor
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
C:\WINDOWS\SYSTEM\hzzjui07.dll: UMonitor
C:\WINDOWS\SYSTEM\MDIEFTP.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYIDLL16.DLL: UMonitor
C:\WINDOWS\SYSTEM\dbmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\OGEAUT32.DLL: UMonitor
C:\WINDOWS\SYSTEM\HZD.DLL: UMonitor
C:\WINDOWS\SYSTEM\mgndex.dll: UMonitor
C:\WINDOWS\SYSTEM\DVLAY.DLL: UMonitor
C:\WINDOWS\SYSTEM\wzpcd.dll: UMonitor
C:\WINDOWS\SYSTEM\COYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\SHI_CI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CKNWIN16.DLL: UMonitor
C:\WINDOWS\SYSTEM\Lponardo da Vinci.dll: UMonitor
C:\WINDOWS\SYSTEM\dhmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\MVC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\OPBCCURS.DLL: UMonitor
C:\WINDOWS\SYSTEM\WXPOLHLP.DLL: UMonitor
C:\WINDOWS\SYSTEM\RCVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\DHMIGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\JFVALE.DLL: UMonitor
C:\WINDOWS\SYSTEM\mzgaparse.dll: UMonitor
C:\WINDOWS\SYSTEM\Legl12n.dll: UMonitor
C:\WINDOWS\SYSTEM\lsCUT12n.dll: UMonitor
C:\WINDOWS\SYSTEM\CEYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\hnhipr11.dll: UMonitor
C:\WINDOWS\SYSTEM\wnasf.dll: UMonitor
C:\WINDOWS\SYSTEM\HMD.DLL: UMonitor
C:\WINDOWS\SYSTEM\lhdlg12n.dll: UMonitor
C:\WINDOWS\SYSTEM\SBHANNEL.DLL: UMonitor
C:\WINDOWS\SYSTEM\TFP3216S.DLL: UMonitor
C:\WINDOWS\SYSTEM\SSNDMAIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\woplenc.dll: UMonitor
C:\WINDOWS\SYSTEM\SCTUPAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CFYPTEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\hmad32.dll: UMonitor
C:\WINDOWS\SYSTEM\Mawng300.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\Program Files\\DirectCD\\DIRECTCD.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb07.exe"
"HPHmon04"="C:\\WINDOWS\\SYSTEM\\HPHMON04.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"EM_EXEC"="c:\\MOUSE\\SYSTEM\\EM_EXEC.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXRD32.EXE"
"ntechin"="C:\\N20050308.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
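
Added example, not from this thread or from the findit tool: the set Grinler picked out of the log above by eye, dozens of DLLs in C:\WINDOWS\SYSTEM that all share one byte size, one timestamp and the System+Read-only attributes, can be pulled out of the "Locate.com Results" section mechanically. The script below parses that section's line format (inferred from the log), groups entries by (timestamp, attributes, size) and returns the groups with at least three members that also carry the S and R attributes. The sample input is constructed: five lines copied from the log plus one benign-looking entry (folder.htt) made up for contrast, and the three-member threshold is an assumption.

```python
import re
from collections import defaultdict

# One line of the "Locate.com Results" section of a findit log, format inferred from the log:
#   <name> <dow> <mon> <day> <year> <h:mm:ssa|p> <attrs> <size,with,commas> <size> K
LOCATE_LINE = re.compile(
    r"^(?P<name>.+?) "
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap]) "
    r"(?P<attrs>\S{5}) "
    r"(?P<size>[\d,]+) [\d.]+ K$"
)

# Constructed sample input: five lines copied from the log in this thread plus one
# benign-looking entry (folder.htt) made up here for contrast.
SAMPLE_LOCATE_OUTPUT = """\
C:\\WINDOWS\\SYSTEM\\
ljeps12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hzzjui07.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mdieftp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
lponar~1.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmad32.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
folder.htt Fri Oct 19 2001 12:09:00a ..S.. 13,122 12.81 K
"""


def parse_locate(text):
    """Parse Locate.com-style output into dicts with path, stamp, attrs and size."""
    entries = []
    current_dir = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # directory header, e.g. C:\WINDOWS\SYSTEM\
            current_dir = line
            continue
        m = LOCATE_LINE.match(line)
        if not m:
            continue                      # summary lines such as "37 items found"
        entries.append({
            "path": current_dir + m.group("name"),
            "stamp": m.group("date") + " " + m.group("time"),
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
        })
    return entries


def find_clusters(entries, min_members=3):
    """Group files sharing timestamp, attributes and byte size; keep the large groups.

    A dropper that writes a set of DLLs in one go tends to give them all the same
    size, second and attributes, so a large group of 'different' files that agree on
    all three says more than any single random-looking name does.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["stamp"], e["attrs"], e["size"])].append(e["path"])
    return {key: sorted(paths) for key, paths in groups.items() if len(paths) >= min_members}


def suspicious_paths(text, min_members=3):
    """Return sorted paths in any cluster whose members are also System+Read-only."""
    flagged = []
    for (stamp, attrs, size), paths in find_clusters(parse_locate(text), min_members).items():
        if "S" in attrs and "R" in attrs:
            flagged.extend(paths)
    return sorted(flagged)


if __name__ == "__main__":
    for key, paths in find_clusters(parse_locate(SAMPLE_LOCATE_OUTPUT)).items():
        print(f"{len(paths)} files share {key}:")
        for p in paths:
            print("   ", p)
```

Run as a script it prints the cluster; `suspicious_paths` gives the same kind of list Grinler typed out for Killbox. The grouping is a triage aid, not a verdict: a legitimate installer can also drop many same-sized files in one second, so each cluster still needs a look at what is loading the files before anything is deleted.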




#9 Grinler (Lawrence Abrams, Admin)

Posted 15 January 2005 - 03:20 PM

You were right.. my bad... it's c:\windows\system, not my misspelling :thumbsup:

Do my steps again with the correct spelling and post a new findit log.

#10 aussiepaul (Topic Starter)

Posted 15 January 2005 - 04:32 PM

Hey, thanks for the response, but my understanding was that the files change every time I reboot. My problem is that my computer is kind of unstable at the moment with all of these popups, and I have rebooted again. I'll run find-it again and repost, but there is no guarantee I won't have to reboot again. Sorry.

#11 Grinler (Lawrence Abrams, Admin)

Posted 15 January 2005 - 04:42 PM

Just follow those steps and give me a new findit log. I will prob have to repeat this on any new files, but there won't be a huge difference.

#12 aussiepaul (Topic Starter)

Posted 16 January 2005 - 12:14 AM

Here is the latest Find-it log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

LJEPS12N DLL 217,088 12-28-04 5:32p ljeps12n.dll
MDIEFTP DLL 217,088 12-28-04 5:32p MDIEFTP.DLL
CKNWIN16 DLL 217,088 12-28-04 5:32p CKNWIN16.DLL
HMZJUI07 DLL 217,088 12-28-04 5:32p hmzjui07.dll
4 file(s) 868,352 bytes
0 dir(s) 2,020.37 MB free

------- Hidden Files in System Directory -------


Volume in drive C is DRIVE_C
Volume Serial Number is 3130-1F01
Directory of C:\WINDOWS\SYSTEM

HPHPHT04 GID 8,628 05-02-04 7:26p hphpht04.GID
RATINGS POL 53,280 05-01-04 11:04a RATINGS.POL
FOLDER HTT 13,122 10-19-01 12:09a folder.htt
DESKTOP INI 266 10-19-01 12:09a desktop.ini
4 file(s) 75,296 bytes
0 dir(s) 2,020.36 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{694D1A01-58F6-11D9-88CF-0004E21EE72D}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ljeps12n.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
mdieftp.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
cknwin16.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K
hmzjui07.dll Tue Dec 28 2004 5:32:16p ..S.R 217,088 212.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 868,352 bytes 848.00 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: :.aspackze
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: H.aspack.text
C:\WINDOWS\PAV.SIG: .aspack.text
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: H@.aspack.text.pmj
C:\WINDOWS\PAV.SIG: AsPack
C:\WINDOWS\PAV.SIG: :.aspack
C:\WINDOWS\PAV.SIG: H@.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: H.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: 4.aspack
C:\WINDOWS\PAV.SIG: .aspack
C:\WINDOWS\PAV.SIG: [.aspack
C:\WINDOWS\PAV.SIG: F<SW.aspack
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ljeps12n.dll: UMonitor
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
C:\WINDOWS\SYSTEM\hzzjui07.dll: UMonitor
C:\WINDOWS\SYSTEM\MDIEFTP.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYIDLL16.DLL: UMonitor
C:\WINDOWS\SYSTEM\dbmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\OGEAUT32.DLL: UMonitor
C:\WINDOWS\SYSTEM\HZD.DLL: UMonitor
C:\WINDOWS\SYSTEM\mgndex.dll: UMonitor
C:\WINDOWS\SYSTEM\DVLAY.DLL: UMonitor
C:\WINDOWS\SYSTEM\wzpcd.dll: UMonitor
C:\WINDOWS\SYSTEM\COYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\SHI_CI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CKNWIN16.DLL: UMonitor
C:\WINDOWS\SYSTEM\Lponardo da Vinci.dll: UMonitor
C:\WINDOWS\SYSTEM\dhmstor.dll: UMonitor
C:\WINDOWS\SYSTEM\MVC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\OPBCCURS.DLL: UMonitor
C:\WINDOWS\SYSTEM\WXPOLHLP.DLL: UMonitor
C:\WINDOWS\SYSTEM\RCVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\DHMIGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\JFVALE.DLL: UMonitor
C:\WINDOWS\SYSTEM\mzgaparse.dll: UMonitor
C:\WINDOWS\SYSTEM\Legl12n.dll: UMonitor
C:\WINDOWS\SYSTEM\lsCUT12n.dll: UMonitor
C:\WINDOWS\SYSTEM\CEYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\hnhipr11.dll: UMonitor
C:\WINDOWS\SYSTEM\wnasf.dll: UMonitor
C:\WINDOWS\SYSTEM\HMD.DLL: UMonitor
C:\WINDOWS\SYSTEM\lhdlg12n.dll: UMonitor
C:\WINDOWS\SYSTEM\SBHANNEL.DLL: UMonitor
C:\WINDOWS\SYSTEM\TFP3216S.DLL: UMonitor
C:\WINDOWS\SYSTEM\SSNDMAIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\woplenc.dll: UMonitor
C:\WINDOWS\SYSTEM\SCTUPAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\CFYPTEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\hmzjui07.dll: UMonitor
C:\WINDOWS\SYSTEM\ckfview.dll: UMonitor
C:\WINDOWS\SYSTEM\hmad32.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\Program Files\\DirectCD\\DIRECTCD.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb07.exe"
"HPHmon04"="C:\\WINDOWS\\SYSTEM\\HPHMON04.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"EM_EXEC"="c:\\MOUSE\\SYSTEM\\EM_EXEC.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXRD32.EXE"
"ntechin"="C:\\N20050308.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#13 Grinler (Lawrence Abrams, Admin)

Posted 16 January 2005 - 04:57 PM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  • Paste this file into the top Full Path of File to Delete field.

    C:\WINDOWS\SYSTEM\ljeps12n.dll

  • Click the Delete File button which looks like a stop sign.

  • Click Yes at the Replace on Reboot prompt.

  • Click No at the Pending Operations prompt.
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


C:\WINDOWS\SYSTEM\MDIEFTP.DLL
C:\WINDOWS\SYSTEM\KALVXRD32.EXE
C:\N20050308.EXE
C:\WINDOWS\SYSTEM\CKNWIN16.DLL
C:\WINDOWS\SYSTEM\hmzjui07.dll
C:\WINDOWS\SYSTEM\ljeps12n.dll
C:\WINDOWS\SYSTEM\hzzjui07.dll
C:\WINDOWS\SYSTEM\MDIEFTP.DLL
C:\WINDOWS\SYSTEM\OYIDLL16.DLL
C:\WINDOWS\SYSTEM\dbmstor.dll
C:\WINDOWS\SYSTEM\OGEAUT32.DLL
C:\WINDOWS\SYSTEM\HZD.DLL
C:\WINDOWS\SYSTEM\mgndex.dll
C:\WINDOWS\SYSTEM\DVLAY.DLL
C:\WINDOWS\SYSTEM\wzpcd.dll
C:\WINDOWS\SYSTEM\COYPTUI.DLL
C:\WINDOWS\SYSTEM\SHI_CI.DLL
C:\WINDOWS\SYSTEM\CKNWIN16.DLL
C:\WINDOWS\SYSTEM\Lponardo da Vinci.dll
C:\WINDOWS\SYSTEM\dhmstor.dll
C:\WINDOWS\SYSTEM\MVC40.DLL
C:\WINDOWS\SYSTEM\OPBCCURS.DLL
C:\WINDOWS\SYSTEM\WXPOLHLP.DLL
C:\WINDOWS\SYSTEM\RCVPSP.DLL
C:\WINDOWS\SYSTEM\DHMIGR.DLL
C:\WINDOWS\SYSTEM\JFVALE.DLL
C:\WINDOWS\SYSTEM\mzgaparse.dll
C:\WINDOWS\SYSTEM\Legl12n.dll
C:\WINDOWS\SYSTEM\lsCUT12n.dll
C:\WINDOWS\SYSTEM\CEYPTUI.DLL
C:\WINDOWS\SYSTEM\hnhipr11.dll
C:\WINDOWS\SYSTEM\wnasf.dll
C:\WINDOWS\SYSTEM\HMD.DLL
C:\WINDOWS\SYSTEM\lhdlg12n.dll
C:\WINDOWS\SYSTEM\SBHANNEL.DLL
C:\WINDOWS\SYSTEM\TFP3216S.DLL
C:\WINDOWS\SYSTEM\SSNDMAIL.DLL
C:\WINDOWS\SYSTEM\woplenc.dll
C:\WINDOWS\SYSTEM\SCTUPAPI.DLL
C:\WINDOWS\SYSTEM\CFYPTEXT.DLL
C:\WINDOWS\SYSTEM\hmzjui07.dll
C:\WINDOWS\SYSTEM\ckfview.dll
C:\WINDOWS\SYSTEM\hmad32.dll
C:\WINDOWS\System\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.



