PROBLEM - CAN YOU HELP?
#1
Hi,
I'm a newbie here so if I screw up please forgive me! I'm using SpyBot, Adaware SE, SpywareGuard, VX2 Finder, PC BugDoctor etc. etc., but I just can't seem to shake off some really annoying malware. I have run Adaware 100's of times, but although it identifies the malware (usually VX2's in the form of 3 or 4 *.dll files + an annoying thing called 'Guard.tmp' and 'Status.MPF') it just can't kill 'em! New malware *.dll files appear each time I reboot, and every time I delete the annoying 'Status.MPF' (found in WINNT\SYSTEM32) it regenerates itself. I'm running Windows 2000. I've tried everything but I'm having to turn to you guys for help if that's ok. Here's my HijackThis scan from earlier today:
Having read through a few other threads, I have taken the precaution of downloading KillBox and DllCompare, but haven't used them as yet. I think I would sooner follow your guidance if that's ok!
Cheers,
Fatman
#2
You're on the correct site, my friend. Just follow my directions correctly and we'll get you clear of this bugger.
OK, first let's try this and see what reports it provides us to go on. Click here: http://www.spyware911.net/downloads/FindIt.zip
Unzip it and double-click on Find.bat to run it. It should run for a few seconds, then open the Output.txt file. Copy and paste the contents of Output.txt here. Once that's done, close the text file and then press any key and the batch file will end.
Also, I want you to open Windows Explorer and navigate to the system32 folder. Then enter it, right-click on any empty space and select "View". Set it to detail. Then right-click again and select "Arrange", then set it to date. Now scroll down in the list, and you can probably go to the bottom of the list. Look for a couple or maybe more files together with the same date and sizes which are between 215kb and 221kb in size. Paste those here please, and be sure to include their sizes as well so we can begin the cleaning process...
#3
Mobo,
Here's the log of Output.txt after running 'Find it'.....

---------------- User Agent ------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{52F904AC-8981-44F2-8CC7-D877EA5EF5EB}"=""

------------ Keys Under Notify ------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irpol5731.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------
C:\WINNT\System32\IRPOL5~1.DLL +++ File read error
#4
From 9/11/2004 (freaky, hmmm?) up to today there are SIXTY SIX files (*.dll) that are all between 218 & 220kb. Do you want me to list 'em all? Is there any easy way of doing that without typing out the lot in NotePad?
Fatman
#5
Left click and drag the cursor over them all then right click and copy paste them here.
#6
Mobo,
Couldn't get them to paste. Will this do? (A bit of long hand!!!)
Files in C:\WINNT\System32 of approx: size 215 to 220kb
#7
Ok just give me about two more minutes for the reply.
#8
Now download http://www.spyware911.net/downloads/KillBox.exe.
Open it and in the space provided paste this:
C:\WINNT\System32\wqnju.dll
Then tick the option "delete on reboot". Now tick the red X to delete on reboot, but warning: "Do Not reboot when it asks". Click no or cancel and then continue on by doing the same for each of these entries:
Be cautious not to miss any of these.

Copy and paste the text in bold below into a text editor such as Notepad. Save this text as fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Double-click on fix.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{52F904AC-8981-44F2-8CC7-D877EA5EF5EB}"=

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]

Now reboot, rescan with hijack and post a fresh log please
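The fix.reg in post #8 deletes the Winlogon\Notify\Run subkey, whose DllName in the Find.bat output of post #3 points at C:\WINNT\system32\irpol5731.dll. As an added example that is not part of the thread or of any tool mentioned in it, the Python below parses a REGEDIT4 export of the Notify key and flags entries of that kind; the sample export is constructed from values in post #3, and the baseline set and function names are assumptions.

```python
import re

# Constructed sample in REGEDIT4 layout, using subkeys and values shown in post #3.
# The sclgntfy value is wrapped with a trailing backslash (regedit's continuation form).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"DllName"="C:\\WINNT\\system32\\irpol5731.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,\
  6c,00
'''

NOTIFY_PREFIX = "\\winlogon\\notify\\"
# Assumption: baseline = Notify DLLs in the thread's dump that the posted fix.reg left alone.
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


def decode_value(raw):
    """Decode a REGEDIT4 quoted string or hex(2) (REG_EXPAND_SZ as ANSI bytes) value."""
    raw = raw.strip()
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].replace(" ", "").split(",") if b)
        return data.split(b"\x00")[0].decode("latin-1")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return None  # dword and other types never hold a DLL name


def notify_dlls(export_text):
    """Return {subkey: DllName} for the direct subkeys of Winlogon\\Notify."""
    text = re.sub(r"\\\r?\n[ \t]*", "", export_text)  # join wrapped hex lines
    found, subkey = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
            _, sep, tail = key.lower().rpartition(NOTIFY_PREFIX)
            subkey = key[len(key) - len(tail):] if sep and "\\" not in tail else None
        elif subkey and "=" in line:
            name, _, raw = line.partition("=")
            if name.strip().strip('"').lower() == "dllname":
                value = decode_value(raw)
                if value is not None:
                    found[subkey] = value
    return found


def suspicious_notify(export_text, baseline=BASELINE):
    """List (subkey, dll, reasons) for entries outside the baseline or given with a path."""
    hits = []
    for subkey, dll in sorted(notify_dlls(export_text).items()):
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in baseline:
            reasons.append("not in baseline")
        if "\\" in dll:
            reasons.append("explicit path")
        if reasons:
            hits.append((subkey, dll, reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_notify(SAMPLE_EXPORT):
        print(hit)
```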
#9
Thread was completed in the backup forum when we were offline therefore I will close this.