Spyware Warrior

Rebus

Hi,

a couple of days ago my computer got infected by Vx2, several unwanted pop-ups and a process called Kuuixw (Spwysweeper detects and removes it, but ik kept coming back) .
I ran a Virus scanner, Spysweeper, Spybot S&D and AdAware against them. Finally AdAware killed most of them, including Vx2 - after upgrading security levels -, but this one keeeps coming back:

69.20.16.183 autosearch.msn.com
69.20.16.183 netscpe.com
69.20.16.183 ieautosearch.com.

Can you please help to get rid of this nasty stuff?

HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 23:05:17, on 29-3-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINGATE\WGENGMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38200.7243287037
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

java · Posted: Wed Mar 30, 2005 8:26 pm Post subject:

Hi and Welcome!

Ok first could you please update your HiJackThis to the new version. http://spywarewarrior.com/files/HijackThis.exe

Then post an new log for us to look at.

Thank you

Java
_________________
We are our own worst nightmares!
Please update your computers, update and run all anitvirus/spyware programs!

Rebus · Posted: Wed Mar 30, 2005 10:58 pm Post subject:

Here's the new one:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:31, on 31-3-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINGATE\WGENGMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OPERA75\OPERA.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

3162 · Posted: Sat Apr 02, 2005 3:50 am Post subject:

Hello, Java asked me to step in here.

Let's deal with vx2 first, then see what else is left over.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Sat Apr 02, 2005 3:17 pm Post subject:

I did download L2mfix, but got this error message:

Not compatible with 9x or windows nt.

(I have win98 on my computer).

3162 · Posted: Sat Apr 02, 2005 3:57 pm Post subject:

Sorry about that, my bad!

Download For Win9x/ME:
findit9xMe

Unzip the contents of finditnt.zip to a convenient location such as Desktop.

Navigate to the Find It NT-2K-XP (Win9x&MEFindit) folder and double-click on

find.bat. ( Win9x-Find.bat )

A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.

Copy the entire contents of output.txt into your next post, and include another hijackthis log please.

Try not to reboot after doing this, until I get back to you.
Thanks
_________________
Proud member of the Chest Zipper Club!

Mosaic1 · Posted: Sat Apr 02, 2005 4:36 pm Post subject:

Download VX2Finder9x.exe

http://www.downloads.subratam.org/VX2Finder9x.exe Click on the VX2Finder9x.exe

Run it. Click this button. Click to Find VX2.Betterinternet
Click the Make Log button. A log will open in Notepad.
Copy and pase the contents in your next reply.

---------------------------------------
Download DLLCompare.exe

http://www.downloads.subratam.org/DllCompare.exe

Save it to your desktop.

Double click DllCompare.exe to.
Click the RunLocate.com button. When the scan has ended, click the Compare button. When it has finished,
click the Make a Log of what was Found button. When asked if you want to view the log ,say yes. Copy and post the contents into your next reply here.

Download FindIt9xME.zip. Extract it to your desktop.
http://forums.techguy.org/attachment.php?attachmentid=46452

Double click on find.bat. This will take a while to run and complete. Molre thanb several minutes. Be patient. It will create a file named output.txt Copy and paste the contents of output.txt into your next reply.

Mosaic1 · Posted: Sat Apr 02, 2005 4:38 pm Post subject:

Oops. Sorry 3162. I opened this and had to leave. You posted in the meantime. I'll let you finish.

Rebus · Posted: Sat Apr 02, 2005 11:59 pm Post subject:

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

CNC DLL 227.104 26-03-05 12:27 CNC.DLL
MQIDLE DLL 227.104 26-03-05 12:27 MQIDLE.DLL
CTT16 DLL 227.104 26-03-05 12:27 CTT16.DLL
WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
WNSUI32 DLL 227.104 26-03-05 12:27 WNSUI32.DLL
JJVART DLL 227.104 26-03-05 12:27 JJVART.DLL
CHC DLL 227.104 26-03-05 12:27 CHC.DLL
DZCVW_32 DLL 227.104 26-03-05 12:27 DZCVW_32.DLL
AVL DLL 227.104 26-03-05 12:27 AVL.DLL
ODECLI DLL 227.104 26-03-05 12:27 ODECLI.DLL
SCCDLL DLL 227.104 26-03-05 12:27 SCCDLL.DLL
VKRDDX DLL 227.104 26-03-05 12:27 VKRDDX.DLL
MFVBVM50 DLL 227.104 26-03-05 12:27 MFVBVM50.DLL
EZHSIG DLL 227.104 26-03-05 12:27 ezhsig.dll
JYMD400 DLL 227.104 26-03-05 12:27 jymd400.dll
MJRD2X40 DLL 227.104 26-03-05 12:27 mjrd2x40.dll
RDCRES DLL 227.104 26-03-05 12:27 RDCRES.dll
WASRVINS DLL 227.104 26-03-05 12:27 wasrvins.dll
MMJETO~1 DLL 227.104 26-03-05 12:27 mmjetoledb40.dll
MWJETO~1 DLL 227.104 26-03-05 12:27 mwjetoledb40.dll
PRCRT DLL 227.104 26-03-05 12:27 prcrt.dll
MDVIDCTL DLL 227.104 26-03-05 12:27 mdvidctl.dll
MGEXCH40 DLL 227.104 26-03-05 12:27 mgexch40.dll
AOLSP DLL 227.104 26-03-05 12:27 aolsp.dll
24 bestand(en) 5.450.496 bytes.
0 dir('s) 3.707,78 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.145 03-04-05 9:39 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.336 bytes.
0 dir('s) 3.707,77 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

============================

Logfile of HijackThis v1.99.1
Scan saved at 10:13:11, on 3-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINGATE\WGENGMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\KOMBI-PLUS\HISERVER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OPERA75\OPERA.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

3162 · Posted: Sun Apr 03, 2005 3:40 am Post subject:

We'll still have work to do after this, but here's the next steps:

Please copy the following instructions to a notepad file and save them - keep the notepad file open.
You will need to be Offline and NO IE windows open
You won't see this page.

Pocket Killbox

Disconnect from internet and shut down all running programs

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\SYSTEM\CNC.DLL

Delete File

Yes

No

C:\WINDOWS\SYSTEM\MQIDLE.DLL
C:\WINDOWS\SYSTEM\CTT16.DLL
C:\WINDOWS\SYSTEM\WPNALIGN.DLL
C:\WINDOWS\SYSTEM\WNSUI32.DLL
C:\WINDOWS\SYSTEM\JJVART.DLL
C:\WINDOWS\SYSTEM\CHC.DLL
C:\WINDOWS\SYSTEM\DZCVW_32.DLL
C:\WINDOWS\SYSTEM\AVL.DLL
C:\WINDOWS\SYSTEM\ODECLI.DLL
C:\WINDOWS\SYSTEM\SCCDLL.DLL
C:\WINDOWS\SYSTEM\VKRDDX.DLL
C:\WINDOWS\SYSTEM\MFVBVM50.DLL
C:\WINDOWS\SYSTEM\ezhsig.dll
C:\WINDOWS\SYSTEM\jymd400.dll
C:\WINDOWS\SYSTEM\mjrd2x40.dll
C:\WINDOWS\SYSTEM\RDCRES.dll
C:\WINDOWS\SYSTEM\wasrvins.dll
C:\WINDOWS\SYSTEM\mmjetoledb40.dll
C:\WINDOWS\SYSTEM\mwjetoledb40.dll
C:\WINDOWS\SYSTEM\prcrt.dll
C:\WINDOWS\SYSTEM\mdvidctl.dll
C:\WINDOWS\SYSTEM\mgexch40.dll
C:\WINDOWS\SYSTEM\aolsp.dll

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\System\Guard.tmp

Delete File

Yes

Please Do Not reboot until I reply back.
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Sun Apr 03, 2005 2:20 pm Post subject:

Thanks so far!

FindIt gave this:

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MQFMIG32 DLL 227.104 26-03-05 12:27 MQFMIG32.DLL
WLDMLOG DLL 227.104 26-03-05 12:27 wldmlog.dll
WIVCORE DLL 227.104 26-03-05 12:27 wivcore.dll
4 bestand(en) 908.416 bytes.
0 dir('s) 3.801,23 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.801,22 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"EnsoniqMixer"="starter.exe"
"Taakcontrole"="C:\\WINDOWS\\taskmon.exe"
"LoadQM"="loadqm.exe"
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"
"Adaptec DirectCD"="C:\\Program Files\\CD-Writer Plus\\DirectCD\\DIRECTCD.EXE"

Btw: I still have an IE file that starts automatically:

http://timothy0530.beltonen-logos-spel.com/
=========

Don't know if you need it, but I made a new HJTlog too:
Logfile of HijackThis v1.99.1
Scan saved at 0:33:48, on 4-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

3162 · Posted: Sun Apr 03, 2005 2:41 pm Post subject:

OK good. We'll do the same thing again now for the few files which managed to rename themselves (may have to do this a few times)

Please copy the following instructions to a notepad file and save them - keep the notepad file open.
You will need to be Offline and NO IE windows open
You won't see this page.

Disconnect from internet and shut down all running programs

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\SYSTEM\WPNALIGN.DLL

Delete File

Yes

No

C:\WINDOWS\SYSTEM\MQFMIG32.DLL
C:\WINDOWS\SYSTEM\wldmlog.dll
C:\WINDOWS\SYSTEM\wivcore.dll

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\System\Guard.tmp

Delete File

Yes

Please Do Not reboot until I reply back.[/quote]
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Sun Apr 03, 2005 3:27 pm Post subject:

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
1 bestand(en) 227.104 bytes.
0 dir('s) 3.773,04 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.773,04 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
================Logfile of HijackThis v1.99.1
Scan saved at 1:41:44, on 4-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

3162 · Posted: Sun Apr 03, 2005 4:41 pm Post subject:

Getting there....

Please copy the following instructions to a notepad file and save them - keep the notepad file open.
You will need to be Offline and NO IE windows open
You won't see this page.

Disconnect from internet and shut down all running programs

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\SYSTEM\WPNALIGN.DLL

Delete File

Yes

No

[11] Click "Replace on Reboot" and check the "Use Dummy" box.
[12] Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System\Guard.tmp

[13] Click the "Delete File" button which looks like a stop sign.
[14] Click "Yes" at the Replace on Reboot prompt.
[15] Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.
[16] Once restarted...Double-click on find.bat and post the new output.txt.
[/list]
Please Do Not reboot until I reply back.
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Sun Apr 03, 2005 10:38 pm Post subject:

HI,

When I started IE to replay another IE window popped up:
http://www5.paypopup.com/adsDirect.php?
id=BundleWare&cid=1569722&sid=23782&campaign=&rurl=

and soon after that this one:

http://timothy0530.beltonen-logos-spel.com/

++++++++++++++++++++++

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
1 bestand(en) 227.104 bytes.
0 dir('s) 3.743,27 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.743,27 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
================

Logfile of HijackThis v1.99.1
Scan saved at 8:48:07, on 4-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

3162 · Posted: Mon Apr 04, 2005 2:27 am Post subject:

We may have a sibling infection going on here as well.

OK same kind of fix as before, with a few added whistles, please pay close attention to the changes in how to use killbox this time. Wink

Before you do the killbox part,
Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder, but don't do anything else with it yet.

Next:
please download to desktop but don't do anything else with it yet: WinsockXPFix

For Windows 98, 98SE, or Windows Me
winsock2fix

Now do this:

Please copy the following instructions to a notepad file and save them. Keep the notepad file Open
You will need to be Offline and NO IE windows open
You won't see this page.

Disconnect from internet and shut down all running programs

Keep killbox Open

explorer.exe

Delete on Reboot

Full Path of File to Delete

C:\WINDOWS\SYSTEM\WPNALIGN.DLL

Delete File

Yes

No

Delete on Reboot

Full Path of File to Delete

C:\WINDOWS\SYSTEM\Guard.tmp

Delete File

Yes

Please Do Not reboot until I reply back.

Next,
Run hijackthis again with no Windows Apps or Browser windows open, Scan, and checkmark/fix the following lines:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hagczpaojudppqcfbqswk.com/XGyqI4adlFrETozc4jdnauPQILEMR4p9o6Z1zISGKuf7XCrTki78C1bhch/XxzT0.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)

Close hijackthis.

Go to your new QOOLOGIC folder, open the Folder and doubleclick qoologic.bat
It'll take a while to run a full scan, but will save a text file when it's done. The text file will be located at c:\log.txt

Please post the contents of that text file, and then do NOT reboot until I get back to you.

If for some reason you cannot re-connect to the internet, then run the Winsock Fix.
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Tue Apr 05, 2005 2:08 am Post subject:

Hi,

I followed your instructions, except for this one -since I was a bit afraid it might cause connection problems-:

O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)/ (file missing) (HKCU),

since this @Home is my cable comp and - http://www/ is s asort of portal to @Home, which I have as long as I rember.

Looking through 016 list, I notice a couple of suspect items:

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab

O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB

==========

Logfile of HijackThis v1.99.1
Scan saved at 12:18:43, on 5-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\OPERA75\OPERA.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games33.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} (VacPro.olanda_win98) - http://www9.advnt01.com/dialer/olanda_win98.CAB
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

==============

Qoologic:

ECHO is ingesteld op uit.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
=============

FindIt:

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
HKP95EN DLL 227.104 26-03-05 12:27 HKP95EN.DLL
MRAFD DLL 227.104 26-03-05 12:27 MRAFD.DLL
AKCTRES DLL 227.104 26-03-05 12:27 akctres.dll
EOSHARED DLL 227.104 26-03-05 12:27 eoshared.dll
5 bestand(en) 1.135.520 bytes.
0 dir('s) 3.745,48 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.745,48 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"EnsoniqMixer"="starter.exe"
"Taakcontrole"="C:\\WINDOWS\\taskmon.exe"
"LoadQM"="loadqm.exe"
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"
"Adaptec DirectCD"="C:\\Program Files\\CD-Writer Plus\\DirectCD\\DIRECTCD.EXE

3162 · Posted: Tue Apr 05, 2005 2:28 am Post subject:

You can fix those two 016's if you wish, they are activeX components or downloaded program files.
The 09 wouldn't have caused you any duress, it's only a shortcut button.

Anyways, more files to kill:

Please copy the following instructions to a notepad file and save them - keep the notepad file open.
You will need to be Offline and NO IE windows open
You won't see this page.

Disconnect from internet and shut down all running programs

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\SYSTEM\WPNALIGN.DLL

Delete File

Yes

No

C:\WINDOWS\SYSTEM\HKP95EN.DLL
C:\WINDOWS\SYSTEM\MRAFD.DLL
C:\WINDOWS\SYSTEM\AKCTRES DLL
C:\WINDOWS\SYSTEM\EOSHARED DLL

Replace on Reboot

Use Dummy

Full Path of File to Delete

C:\WINDOWS\SYSTEM\GUARD.TMP

Delete File

Yes

Please Do Not reboot until I reply back.[/quote]
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Tue Apr 05, 2005 4:45 am Post subject:

Hi, here's the new FindIt:

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
AKCTRES DLL 227.104 26-03-05 12:27 akctres.dll
EOSHARED DLL 227.104 26-03-05 12:27 eoshared.dll
3 bestand(en) 681.312 bytes.
0 dir('s) 3.819,98 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.819,98 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

Rebus · Posted: Tue Apr 05, 2005 10:29 am Post subject:

I've been looking around in the registry (using RegMon), when I spotted this one:

HKCU
-RemoteAccess
--Profile
---Derbiz.comISP.

I hope it helps a little bit. Smile

3162 · Posted: Tue Apr 05, 2005 11:53 am Post subject:

I know this is tiresome, but we need to kill off all of the files so that they don't re-spawn. Make sure you are offline, and pull the Cat-5 out from the machine if you are on cable or a network.
We'll deal with registry after the files are all gone.

You should be proficient with killbox by now, so these are the three files to move on boot.

C:\WINDOWS\SYSTEM\WPNALIGN.DLL
C:\WINDOWS\SYSTEM\AKCTRES.DLL
C:\WINDOWS\SYSTEM\EOSHARED.DLL
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Tue Apr 05, 2005 1:43 pm Post subject:

Hi,

here's the new one:

Qoologic:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
Finished
=============

FindIt:

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
1 bestand(en) 227.104 bytes.
0 dir('s) 3.331,80 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.331,79 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K

2 items found: 2 files, 0 directories.
Total of file sizes: 249.541 bytes 243,69 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -----------

3162 · Posted: Tue Apr 05, 2005 3:32 pm Post subject:

OK, just this one left to killbox, at this point:

C:\WINDOWS\SYSTEM\WPNALIGN.DLL

I don't need the qoologic log now, just the output.txt, thanks
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Wed Apr 06, 2005 2:04 am Post subject:

My apologies for this extreme output, but it's what I got Sad

Btw: For some kind of reason HJT crashes all the time. Can I do anything to fix that?

========

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
1 bestand(en) 227.104 bytes.
0 dir('s) 3.362,78 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 3.253,78 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 3.178,62 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 3.165,93 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 3.022,42 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 2.946,59 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 2.928,50 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
MJINCP16 DLL 227.104 26-03-05 12:27 MJINCP16.DLL
2 bestand(en) 454.208 bytes.
0 dir('s) 3.046,01 MB vrij

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
CTM DLL 227.104 26-03-05 12:27 CTM.DLL
AXCORE DLL 227.104 26-03-05 12:27 axcore.dll
3 bestand(en) 681.312 bytes.
0 dir('s) 3.068,80 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.362,77 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.253,78 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.178,62 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.165,93 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.022,39 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 2.946,59 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 2.928,50 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.046,01 MB vrij

---------------- User Agent ------------

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.068,80 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K

2 items found: 2 files, 0 directories.
Total of file sizes: 249.541 bytes 243,69 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
mjincp16.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 476.645 bytes 465,47 K

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
ctm.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
axcore.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 703.749 bytes 687,25 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 2C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: 3C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zipc.zip,
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\output2.txt: ------------ Strings.exe Qoologic Results ------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\log.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\log.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\windows.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\windows.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\output2.txt: -------------- Strings.exe Aspack Results -------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"EnsoniqMixer"="starter.exe"
"Taakcontrole"="C:\\WINDOWS\\taskmon.exe"
"LoadQM"="loadqm.exe"
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\CD-Writer Plus\\DirectCD\\DIRECTCD.EXE"
"Preventon RealTime Antivirus"="C:\\Program Files\\@Home veiligheid\\AntiVirus\\AVRealTime.exe"

Rebus · Posted: Wed Apr 06, 2005 2:11 am Post subject:

Ran FindIt again and not it gives a sorter output:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

WPNALIGN DLL 227.104 26-03-05 12:27 WPNALIGN.DLL
CTM DLL 227.104 26-03-05 12:27 CTM.DLL
AXCORE DLL 227.104 26-03-05 12:27 axcore.dll
3 bestand(en) 681.312 bytes.
0 dir('s) 3.072,63 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.072,63 MB vrij

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E61CECE-E379-F962-8EEF-BBBFA0808316}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wpnalign.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
ctm.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K
axcore.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

4 items found: 4 files, 0 directories.
Total of file sizes: 703.749 bytes 687,25 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 2C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: 3C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zipc.zip,
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\output2.txt: ------------ Strings.exe Qoologic Results ------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\log.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\log.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\windows.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\windows.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\output2.txt: -------------- Strings.exe Aspack Results -------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

Rebus · Posted: Wed Apr 06, 2005 2:27 am Post subject:

Ignore my remark on HJT please. For some kind of reason HJT needs much more time than before.

3162 · Posted: Wed Apr 06, 2005 2:45 am Post subject:

FindIt does seem to do that once in a while, not sure why though.

Seems like that one file is being particularly stubborn so let's get a different tool on the job for it.

Please download MoveOnBoot
This will allow you to select the file to move or delete and where to move it to and what to rename it.

When you have installed the program, run MoveOnBoot and use the [...] button to choose
C:\WINDOWS\SYSTEM\WPNALIGN.DLL then click the Next button.
Choose Delete File and click the Next button.
You will be prompted to complete the procedure, and the machine will reboot.

Once rebooted, run FindIt again please. Then we'll see what's left.
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Wed Apr 06, 2005 4:37 am Post subject:

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

CTM DLL 227.104 26-03-05 12:27 CTM.DLL
1 bestand(en) 227.104 bytes.
0 dir('s) 3.076,66 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.076,66 MB vrij

---------------- User Agent ------------

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K
ctm.dll Sat 26 Mar 2005 12:27:18 ..S.R 227.104 221,78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 249.541 bytes 243,69 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 2C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: 3C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zipc.zip,
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\output2.txt: ------------ Strings.exe Qoologic Results ------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\log.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\log.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\windows.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\windows.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\output2.txt: -------------- Strings.exe Aspack Results -------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"EnsoniqMixer"="starter.exe"
"Taakcontrole"="C:\\WINDOWS\\taskmon.exe"
"LoadQM"="loadqm.exe"
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\CD-Writer Plus\\DirectCD\\DIRECTCD.EXE"
"Preventon RealTime Antivirus"="C:\\Program Files\\@Home veiligheid\\AntiVirus\\AVRealTime.exe"

3162 · Posted: Wed Apr 06, 2005 5:06 am Post subject:

Very good

Now delete this one with MoveOnBoot:
C:\WINDOWS\SYSTEM\CTM.DLL

and one more FindIt log please
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Wed Apr 06, 2005 6:37 am Post subject:

Hi,

Here's the next:

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

3.310,89 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 3.310,88 MB vrij

---------------- User Agent ------------

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K

1 item found: 1 file, 0 directories.
Total of file sizes: 22.437 bytes 21,91 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 2C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: 3C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zipc.zip,
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\output2.txt: ------------ Strings.exe Qoologic Results ------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\log.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\log.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\windows.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\windows.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\output2.txt: -------------- Strings.exe Aspack Results -------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"EnsoniqMixer"="starter.exe"
"Taakcontrole"="C:\\WINDOWS\\taskmon.exe"
"LoadQM"="loadqm.exe"
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\CD-Writer Plus\\DirectCD\\DIRECTCD.EXE"
"Preventon RealTime Antivirus"="C:\\Program Files\\@Home veiligheid\\AntiVirus\\AVRealTime.exe"

3162 · Posted: Wed Apr 06, 2005 7:05 am Post subject:

Great, no files this time Smile

Copy the text from code box below to a notepad file.
Click file> click save as...> name it fix.reg > save as file types "all files (*.*)" > and save on desktop.

Rebus · Posted: Wed Apr 06, 2005 10:54 am Post subject:

Hi,

The good thing is the pop-ups are gone; the bad thing is, that my CDRom+Writer are gone. When I try to run New Hardware in the Control Panel, I get Control Panel<System. Do you think I can fix that with Ghost?

==============

------- System Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

4.172,20 MB vrij

------- Hidden Files in System Directory -------

Het volume in station C is C SCHIJF .
Het volumenummer is 3658-07D9
Map van C:\WINDOWS\SYSTEM.

FFASTLOG TXT 22.437 03-04-05 11:40 FFASTLOG.TXT
FOLDER HTT 12.925 02-01-03 10:17 folder.htt
DESKTOP INI 266 02-01-03 10:17 desktop.ini
3 bestand(en) 35.628 bytes.
0 dir('s) 4.172,19 MB vrij

---------------- User Agent ------------

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ffastlog.txt Sun 3 Apr 2005 11:40:00 A..H. 22.437 21,91 K

1 item found: 1 file, 0 directories.
Total of file sizes: 22.437 bytes 21,91 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: Qoologic
C:\WINDOWS\USER.DAT: 2C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\USER.DAT: 3C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zipc.zip,
C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\output2.txt: ------------ Strings.exe Qoologic Results ------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\log.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\log.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\log.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\log.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: Qoologic
C:\windows.txt: C:\WINDOWS\USER.DAT: 1C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\windows.txt: C:\WINDOWS\USER.DAT: LastFolderC:\WINDOWS\Desktop\QOOLOGICvangen bestanden
C:\windows.txt: C:\WINDOWS\USER.DAT: qoologic.com
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\VPTNFILE.526: TROJ_QOOLOGIC.A
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.G
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.C
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.B
C:\windows.txt: C:\WINDOWS\LPT$VPN.526: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\output2.txt: -------------- Strings.exe Aspack Results -------------
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\log.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\log.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\win.txt: C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\start.txt: C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"EnsoniqMixer"="starter.exe"
"Taakcontrole"="C:\\WINDOWS\\taskmon.exe"
"LoadQM"="loadqm.exe"
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\CD-Writer Plus\\DirectCD\\DIRECTCD.EXE"
"Preventon RealTime Antivirus"="C:\\Program Files\\@Home veiligheid\\AntiVirus\\AVRealTime.exe"

=================

Logfile of HijackThis v1.99.1
Scan saved at 20:13:50, on 6-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\@HOME VEILIGHEID\ANTIVIRUS\AVREALTIME.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} -

3162 · Posted: Thu Apr 07, 2005 2:51 am Post subject:

That's great news about the popups, it looks like you nailed all those bad files Smile

Now, I would not use Ghost at this time, in case it returns you to a state where the infection comes back as well.

Not sure exactly what you mean by

Rebus · Posted: Thu Apr 07, 2005 3:43 am Post subject:

Hi,

as for the WinSockXPFix, since I have Win98, I'm not sure whether XPFix works. If not, should I download an alternative?

Actually the CDRom and CDWriter show again now in the DeviceManager. There can be several reasons why they disappear, but since they are back when I reboot I'm able to use them if needed.

When they were gone yesterday, I thought I could reinstall them using the "New Hardware" option in Control Panel. But when I clicked " New Hardware" I got the "System" Tab, so I can't install New hardware right now (not really a problem as long as no device breaks down).

Another (minor) damage is the fact that a number of items on the taskbar (at the bottom of the screen) are presented twice now (IE, Outlook, RealOnePlayer, etc.).

Possible reasons:
- I removed ICQ from the start-up along with the old Norton AV and installed a new Virus Scanner.
- I get a lot of questions from Spybot wether I want to allow certain changes or not. I may have made mistakes there.
- I made a mistake when killing WPNALIGN with MoveOnBoot. I removed WINALIGN instead.
- Some other reason.

3162 · Posted: Thu Apr 07, 2005 3:55 am Post subject:

The WinsockXPFix should work fine, it will replace the stack. If for some reason it fails, you can use
For Windows 98, 98SE, or Windows Me
winsock2fix

To remove those extra icons, probably the fastest way is to use Windows Search for all files/folders and type in quick Launch
Double click the Folder found, and r-click>delete the duplicates.

You shouldn't need to use 'add new hardware' in Control Panel at all, since Windows will auto-detect any new hardware you install and prompt for the disk (if needed) to install the drivers. Glad your Drives are back, though Wink

Don't forget to post a fresh hijackthis log, after the winsock fix.
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Thu Apr 07, 2005 6:30 am Post subject:

Used the WinsockFix and restored the Reg Values, cause I lost my connection.

New HJT:

Logfile of HijackThis v1.99.1
Scan saved at 16:40:43, on 7-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\@HOME VEILIGHEID\ANTIVIRUS\AVREALTIME.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} -

3162 · Posted: Thu Apr 07, 2005 6:54 am Post subject:

Odd, that usually works, but we have a different method of repair.

Download and run LSPFix

Click the "I know what I'm doing" checkbox.

Check all instances of aklsp.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish.

Reboot, and post a fresh log please.
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Thu Apr 07, 2005 9:53 am Post subject:

New log:

Logfile of HijackThis v1.99.1
Scan saved at 19:58:16, on 7-4-05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINGATE\WINGATE.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\@HOME VEILIGHEID\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\GRAVITY\RAGNAROKONLINE\QRO.EXE
C:\PROGRAM FILES\OPERA75\OPERA.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: @Home - {554C72E0-1E41-11D7-9547-0000C55FF2DE} - http://www/ (file missing) (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .exe: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O12 - Plugin for .zip: D:\Program Files\Opera75\PLUGINS\NPNetPumper_Application.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
O16 - DPF: {E3E34A32-3A6A-47CC-B4E3-B8B86715D388} (MBoom Class) - http://pain.gamepoint.net/msn2/2003/ds/sintgame/marsepein/dll/boom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605690.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/nl/dbgames/dbaccess.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
O16 - DPF: {BCDB34A6-C1A6-4C89-9526-E84A579A0EF7} -

3162 · Posted: Thu Apr 07, 2005 11:33 am Post subject:

Very good

That took care of it.

Any other problems right now?
_________________
Proud member of the Chest Zipper Club!

Rebus · Posted: Thu Apr 07, 2005 1:40 pm Post subject:

Not much, in fact. Here and there some files have remained in the comp, but they are harmless I guess, since I don't see pop-ups anymore. the computer also has a normal speed again.

Vx2Finder found this one:

Files Found---

User Agent String---
{3E61CECE-E379-F962-8EEF-BBBFA0808316}

Searching files gave these:

ceres.dll in Windows
ceres.inf in Windows/System
aklsp.dll in Windows/System
farmmext.exe
etc.

I improved my security settings, which also makes IE less attractive than Opera, because of the constant questions for permission. I run a new Anti-Virusprogram now and have installed Spybot next to Spysweeper. I'll look at the Forum again, cause I remember having seen some more suggestions. And I'm really thinking about using Linux soon.

One thing is sure: without your help I never ever would have eliminated this stuff. So I'm really grateful and appreciated your very fast help. And I really hope those Vx2 guys get nailed. Smile