0

Killbox multiple file deletion

Download Killbox v2.0.0.175 and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

C:\WINDOWS\SYSTEM\qool3.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\jaaabr.exe
C:\WINDOWS\rnnkpj.exe
C:\WINDOWS\SYSTEM\ib50_qc.dll
C:\WINDOWS\SYSTEM\wwauto8.dll
C:\WINDOWS\SYSTEM\sfpdate.dll
C:\WINDOWS\SYSTEM\iom32.dll
C:\WINDOWS\SYSTEM\didrm.dll
C:\WINDOWS\SYSTEM\iwctl.dll
C:\WINDOWS\SYSTEM\if50_32.dll
C:\WINDOWS\SYSTEM\jst.dll
C:\WINDOWS\SYSTEM\lwonar~1.dll
C:\WINDOWS\SYSTEM\senceng.dll
C:\WINDOWS\SYSTEM\tcpiui.dll
C:\WINDOWS\SYSTEM\iz50_qcx.dll
C:\WINDOWS\SYSTEM\wbpoadmn.dll
C:\WINDOWS\SYSTEM\eutier2.dll
C:\WINDOWS\SYSTEM\mcimsg.dll
C:\WINDOWS\SYSTEM\sxem0409.dll
C:\WINDOWS\SYSTEM\dheml.dll
C:\WINDOWS\SYSTEM\ueer.exe
C:\WINDOWS\SYSTEM\lytga80n.dll
C:\WINDOWS\SYSTEM\lafil80n.dll
C:\WINDOWS\SYSTEM\ibengine.dll
C:\WINDOWS\SYSTEM\mrxcat.dll
C:\WINDOWS\SYSTEM\oatext32.dll
C:\WINDOWS\SYSTEM\qeartz.dll
C:\WINDOWS\SYSTEM\cjrviddc.dll
C:\WINDOWS\SYSTEM\ifrop.dll
C:\WINDOWS\SYSTEM\mxr.dll
C:\WINDOWS\SYSTEM\mmdtc.dll
C:\WINDOWS\SYSTEM\gqu32.dll
C:\WINDOWS\SYSTEM\ovbccu32.dll
C:\WINDOWS\SYSTEM\osengl32.dll
C:\WINDOWS\SYSTEM\cgrtc.dll
C:\WINDOWS\SYSTEM\mbcans32.dll
C:\WINDOWS\SYSTEM\myxcat.dll
C:\WINDOWS\SYSTEM\mgc42enu.dll
C:\WINDOWS\SYSTEM\myxml3a.dll
C:\WINDOWS\SYSTEM\aricap.dll
C:\WINDOWS\SYSTEM\hnink.dll

-

Reboot into safe mode following the instructions here.

Open the text file you saved previously, right click and drag your cursor over the files to highlight them, and then use Control+C to copy them to the clipboard.
Open KILLBOX and go to File > "Paste From Clipboard". All the files should now appear in the box (click on the tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then check the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

0

Thanks. Unfortunately I couldn't do this because my mouse stops working in safe mode, so I can't use the cursor and highlight text, etc. Is there any other way I can delete the files, or should I forget it at this point? I'm not getting the error messages any more, and the computer seems to be working ok.

0

You will have to enter the file names one by one then :(. Your PC is still infected.
You can also attempt the cleanup in normal mode.

0

I tried the Killbox cleanup in normal mode. Here is another log from FindIt. See what you think.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
IWETRES  DLL       227,104  07-09-05  4:59p iwetres.dll
IXCTL    DLL       227,104  07-09-05  4:59p ixctl.dll
3 file(s)        681,312 bytes
0 dir(s)        2,981.02 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
1 file(s)         23,127 bytes
0 dir(s)        2,981.02 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""



------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
iwetres.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
ixctl.dll      Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K


3 items found:  3 files, 0 directories.
Total of file sizes:  681,312 bytes    665.34 K


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"

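The helper is reading the FindIt log above by eye: every DLL in C:\WINDOWS\SYSTEM that is exactly 227,104 bytes, stamped Sat Jul 9 2005 4:59:50p and carrying the S and R attribute flags is the same dropper re-created under a fresh random name, and the Run-key values that relaunch it are the ones ending in "reg_run" or loading a DLL out of SYSTEM through rundll32. As an added example, not part of the original thread and not code from FindIt, WinPFind or KillBox, the following Python script applies those same heuristics mechanically. It assumes the Locate.com and REGEDIT4 line formats shown in the log; the sample text it runs on is constructed from that log, with one clean DLL added as a control.

```python
"""Triage of FindIt / Locate.com output and a REGEDIT4 Run-key dump.

Added example for this thread (not FindIt, WinPFind or KillBox code). It
flags sets of differently named files that share size, timestamp and
attributes, and Run-key values that match the persistence patterns seen
in the thread. Sample input below is constructed in the thread's formats.
"""
import re
from collections import defaultdict

# Locate.com result line, e.g.
#    lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
LOCATE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+"
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3}\s+\d+ \d{4}\s+[\d:]+[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+(?P<size>[\d,]+)\s")
# REGEDIT4 value line, e.g.  "KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')

def parse_locate(text):
    """Return one dict per Locate.com result line found in text."""
    rows = []
    for line in text.splitlines():
        m = LOCATE_RE.match(line)
        if m:
            rows.append({
                "name": m["name"].lower(),
                "stamp": re.sub(r"\s+", " ", m["stamp"]),
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
            })
    return rows

def clone_clusters(rows, min_members=2):
    """Group files by (size, timestamp, attrs); keep groups of >= min_members.

    Two unrelated DLLs can share a size by chance; a whole set of randomly
    named files sharing size, second-precision timestamp and attributes
    is one dropper re-creating itself."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["size"], r["stamp"], r["attrs"])].append(r["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}

def suspicious_run_entries(text, flagged_names=()):
    """Return (value_name, command, reasons) for Run-key lines worth a look."""
    flagged = {n.lower() for n in flagged_names}
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].replace("\\\\", "\\")   # undo REGEDIT4 escaping
        low = cmd.lower()
        reasons = []
        if low.endswith(" reg_run"):
            reasons.append("reg_run argument")
        if low.startswith("rundll32 ") and "\\windows\\system\\" in low and ".dll," in low:
            reasons.append("rundll32 loads a DLL from the SYSTEM directory")
        if any(n in low for n in flagged):
            reasons.append("references a flagged file")
        if reasons:
            hits.append((m["name"], cmd, reasons))
    return hits

# Constructed sample input in the thread's formats (kernel32.dll is a clean control).
SAMPLE_LOCATE = r"""
C:\WINDOWS\SYSTEM\
   lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
   iwetres.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
   ixctl.dll      Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
   kernel32.dll   Fri Apr 23 1999  10:22:00p  ....A        471,040   460.00 K
"""
SAMPLE_RUN = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"
"""

def triage(locate_text, run_text, extra_flagged=()):
    """Run both checks; flagged names are the clone-set members plus extras."""
    clusters = clone_clusters(parse_locate(locate_text))
    flagged = [n for names in clusters.values() for n in names] + list(extra_flagged)
    return clusters, suspicious_run_entries(run_text, flagged)

if __name__ == "__main__":
    clusters, hits = triage(SAMPLE_LOCATE, SAMPLE_RUN, ["supdate.dll", "qool3.exe", "psof1.exe"])
    for (size, stamp, attrs), names in clusters.items():
        print(f"clone set: {len(names)} files, {size} bytes, {stamp}, {attrs}: {', '.join(names)}")
    for name, cmd, reasons in hits:
        print(f"Run\\{name}: {cmd}  <- {'; '.join(reasons)}")
```

The extra flagged names passed in the usage call are the files the Strings.exe sections of the same log tie to the infection (qool3.exe, supdate.dll) plus the PSof1.exe Run entry; the clone set is discovered from the Locate.com lines themselves. A hit is a lead for the reviewer, not a verdict: legitimate entries such as ScanRegistry and SystemTray pass through untouched.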

0

We are getting there slowly :).

Save all the below files to a text document.

C:\WINDOWS\SYSTEM\LAFIL80N DLL
C:\WINDOWS\SYSTEM\IWETRES DLL
C:\WINDOWS\SYSTEM\lafil80n.dll
C:\WINDOWS\SYSTEM\iwetres.dll
C:\WINDOWS\SYSTEM\ixctl.dll
C:\WINDOWS\SYSTEM\qool3.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\SYSTEM\PSof1.exe
C:\WINDOWS\rnnkpj.exe
C:\WINDOWS\SYSTEM\SUPDATE.DLL
C:\WINDOWS\jaaabr.exe

Open the text file you saved previously, right click and drag your cursor over the files to highlight them, and then use Control+C to copy them to the clipboard.
Open KILLBOX and go to File > "Paste From Clipboard". All the files should now appear in the box (click on the tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then check the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

==========

Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click to run it and when asked if you want to merge with your registry, answer yes.

==========

Please Download the following tools to assist us in removing this infection!

  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe

  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note: if your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy and paste those results and place them in the next post along with the results of WinPFind!

0

Thanks! I could not download Track qoo. When I went to that link, I got an error message that said "You do not have permission to use this feature."

I think everything else worked. Here is a new log from FindIt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
DPLITE   DLL       227,104  07-09-05  4:59p DPLITE.DLL
MDJAVA   DLL       227,104  07-09-05  4:59p MDJAVA.DLL
TKAPI    DLL       227,104  07-09-05  4:59p TKAPI.DLL
IPPRSHT  DLL       227,104  07-09-05  4:59p ipprsht.dll
RU32CLV1 DLL       227,104  07-09-05  4:59p RU32CLV1.DLL
HQFRSU06 DLL       227,104  07-09-05  4:59p hqfrsu06.dll
MUOERT2  DLL       227,104  07-09-05  4:59p muoert2.dll
HJFWIN06 DLL       227,104  07-09-05  4:59p hjfwin06.dll
AQCODC32 DLL       227,104  07-09-05  4:59p AQCODC32.DLL
MDPWL32  DLL       227,104  07-09-05  4:59p MDPWL32.DLL
SJI_CI32 DLL       227,104  07-09-05  4:59p SJI_CI32.DLL
SRNSAPI  DLL       227,104  07-09-05  4:59p SRNSAPI.DLL
JUB      DLL       227,104  07-09-05  4:59p JUB.DLL
ATVAPI32 DLL       227,104  07-09-05  4:59p ATVAPI32.DLL
15 file(s)      3,406,560 bytes
0 dir(s)        3,369.94 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
1 file(s)         23,127 bytes
0 dir(s)        3,369.94 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""



------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
dplite.dll     Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
mdjava.dll     Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
tkapi.dll      Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
ipprsht.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
ru32clv1.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
hqfrsu06.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
muoert2.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
hjfwin06.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
aqcodc32.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
mdpwl32.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
sji_ci32.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
srnsapi.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
jub.dll        Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
atvapi32.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K


15 items found:  15 files, 0 directories.
Total of file sizes:  3,406,560 bytes      3.25 M


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"



And here is the log from WinPFind:



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.


»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...
UPX!    c:\log.txt
PEC2    c:\log.txt
qoologic    c:\winzip.log
UPX!    c:\win.txt
PEC2    c:\win.txt
UPX!    c:\windows.txt


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...
qoologic    c:\windows\hosts
urllogic    c:\windows\hosts
urllogic    c:\windows\hosts
qoologic    c:\windows\hosts.bak
urllogic    c:\windows\hosts.bak
urllogic    c:\windows\hosts.bak
qoologic    c:\windows\USER.DAT
KavSvc  c:\windows\SYSTEM.DAT
abetterinternet.com    c:\windows\SYSTEM.DAT
abetterinternet.com    c:\windows\abiuninst.htm
69.59.186.63    c:\windows\djjfhgg.dll
209.66.67.134 c:\windows\djjfhgg.dll
web-nex c:\windows\djjfhgg.dll
KavSvc  c:\windows\system.tom
abetterinternet.com    c:\windows\system.tom
PECompact2  c:\windows\LPT$VPN.715
qoologic    c:\windows\LPT$VPN.715
SAHAgent    c:\windows\LPT$VPN.715
UPX!    c:\windows\vsapi32.dll
aspack  c:\windows\vsapi32.dll
UPX!    c:\windows\tsc.exe
PECompact2  c:\windows\VPTNFILE.715
qoologic    c:\windows\VPTNFILE.715
SAHAgent    c:\windows\VPTNFILE.715
69.59.186.63 c:\windows\jooda.dll
209.66.67.134   c:\windows\jooda.dll
web-nex c:\windows\jooda.dll


Checking %System% folder...
PEC2    c:\windows\system\mfcsubs.dll
UPX!    c:\windows\system\Hot Sex Live-uninstall.exe
qoologic    c:\windows\system\qool3.exe
aspack  c:\windows\system\qool3.exe
KavSvc  c:\windows\system\qool3.exe
69.59.186.63 c:\windows\system\qool3.exe
209.66.67.134    c:\windows\system\qool3.exe
66.63.167.97 c:\windows\system\qool3.exe
66.63.167.77 c:\windows\system\qool3.exe
web-nex c:\windows\system\qool3.exe
yourkey c:\windows\system\qool3.exe
FSG!    c:\windows\system\PHATNWk1.xml
aspack  c:\windows\system\supdate.dll
KavSvc  c:\windows\system\supdate.dll
69.59.186.63   c:\windows\system\supdate.dll
209.66.67.134  c:\windows\system\supdate.dll
66.63.167.97   c:\windows\system\supdate.dll
66.63.167.77   c:\windows\system\supdate.dll
web-nex c:\windows\system\supdate.dll
yourkey c:\windows\system\supdate.dll
69.59.186.63   c:\windows\system\datadx.dll
209.66.67.134   c:\windows\system\datadx.dll
66.63.167.97    c:\windows\system\datadx.dll
66.63.167.77    c:\windows\system\datadx.dll
web-nex c:\windows\system\datadx.dll
aspack  c:\windows\system\redit.cpl


Checking %System%\Drivers folder and sub-folders...


Checking the Windows folder for system and hidden files within the last 60 days...
7/16/05     c:\windows\ttfCache
7/17/05     c:\windows\USER.DAT
7/17/05     c:\windows\SYSTEM.DAT
7/3/05      c:\windows\system.tom
7/3/05      c:\windows\user.tom
7/16/05     c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\0HGJK3SV\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\Z1KK0NZV\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\MNS5Y9CF\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\G1AZSX2V\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\MD8FEXMT\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\OHEBWLMR\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\IXV4L0BE\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\ZVPBR9SW\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\GDQ7CTEJ\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\8BNFI4X9\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\0T27CDIN\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\RYGNVX0X\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\I9DQ3A14\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\09ENOTMN\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\Y5DMNQ18\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\CTKN0JC7\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\1C8ZXXS9\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\EZYN2HEF\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\1NZ3PLWE\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\8DAB09EV\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\KPUJKT6F\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\8PUJS167\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\GBE19N2N\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\2FIBGZYL\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\4DVLPIBZ\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\8KPEXD4K\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\P0KFLDS9\desktop.ini
7/16/05     c:\windows\Temporary Internet Files\Content.IE5\LFJB9X0E\desktop.ini
7/17/05     c:\windows\Tasks\SA.DAT


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


Checking %ALLUSERSPROFILE%\Startup folder...


Checking %ALLUSERSPROFILE%\Application Data folder...


Checking %USERPROFILE%\Startup folder...


Checking %USERPROFILE%\Application Data folder...


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry    c:\windows\scanregw.exe /autorun
TaskMonitor c:\windows\taskmon.exe
SystemTray  SysTray.Exe
EnsoniqMixer    starter.exe
BJCFD   C:\Program Files\BroadJump\Client Foundation\CFD.exe
TkBellExe   C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
Pop-Up Stopper  "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
PSof1   C:\WINDOWS\SYSTEM\PSof1.exe
KavSvc  C:\WINDOWS\rnnkpj.exe reg_run
autoupdate  rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
winsync C:\WINDOWS\jaaabr.exe reg_run


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8   - Log file written to "WinPFind.Txt" in the WinPFind folder.


0

Save all the below files to a text document.

C:\WINDOWS\SYSTEM\lafil80n.dll
C:\WINDOWS\SYSTEM\dplite.dll
C:\WINDOWS\SYSTEM\mdjava.dll
C:\WINDOWS\SYSTEM\tkapi.dll
C:\WINDOWS\SYSTEM\ipprsht.dll
C:\WINDOWS\SYSTEM\ru32clv1.dll
C:\WINDOWS\SYSTEM\hqfrsu06.dll
C:\WINDOWS\SYSTEM\muoert2.dll
C:\WINDOWS\SYSTEM\hjfwin06.dll
C:\WINDOWS\SYSTEM\aqcodc32.dll
C:\WINDOWS\SYSTEM\mdpwl32.dll
C:\WINDOWS\SYSTEM\sji_ci32.dll
C:\WINDOWS\SYSTEM\srnsapi.dll
C:\WINDOWS\SYSTEM\jub.dll
C:\WINDOWS\SYSTEM\atvapi32.dll
C:\WINDOWS\SYSTEM\qool3.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\SYSTEM\PSof1.exe"
C:\WINDOWS\rnnkpj.exe
C:\\WINDOWS\SYSTEM\SUPDATE.DLL
C:\WINDOWS\jaaabr.exe
c:\windows\djjfhgg.dll
c:\windows\jooda.dll
c:\windows\system\datadx.dll
c:\windows\system\PHATNWk1.xml

=====

Open the text file you saved previously, right click and drag your cursor over the files to highlight them, and then use Control+C to copy them to the clipboard.
Open KILLBOX and go to File > "Paste From Clipboard". All the files should now appear in the box (click on the tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then check the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

=

I have uploaded the file you could not get. Please run it and post the log here.

0

Thank you. Below is a new log from FindIt. After that is the log from Track qoo.

I noticed when I pasted in the list of files from the clipboard into Killbox that a few of the files were skipped over and did not appear, including:

C:\WINDOWS\SYSTEM\PSof1.exe"
C:\WINDOWS\rnnkpj.exe
C:\\WINDOWS\SYSTEM\SUPDATE.DLL

FindIt log:

Warning! This utility will find legitimate files in addition to malware.   
Do not remove anything unless you are sure you know what you're doing. 

 ------- System Files in System Directory ------- 


 Volume in drive C has no label
 Volume Serial Number is 5C8D-579D
 Directory of C:\WINDOWS\SYSTEM

LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
UXL      DLL       227,104  07-09-05  4:59p UXL.DLL
         2 file(s)        454,208 bytes
         0 dir(s)        3,348.24 MB free

 ------- Hidden Files in System Directory ------- 


 Volume in drive C has no label
 Volume Serial Number is 5C8D-579D
 Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
         1 file(s)         23,127 bytes
         0 dir(s)        3,348.23 MB free

 ---------------- User Agent ------------ 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""

 ------------------ Locate.com Results ------------------ 

C:\WINDOWS\SYSTEM\
   lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
   uxl.dll        Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K

2 items found:  2 files, 0 directories.
   Total of file sizes:  454,208 bytes    443.56 K

 ------------ Strings.exe Qoologic Results ------------ 

C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic

 -------------- Strings.exe Aspack Results ------------- 

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack

 ----------------- HKLM Run Key ------------------ 

 -------------- Strings.exe Umonitor Results ------------- 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"



==========================================

Track qoo log:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"

-----------------


0

We are slowly but surely getting it :).

=========

Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click to run it and when asked if you want to merge with your registry, answer yes.

=========

Run KillBox, select the option: Replace on Reboot
Then, in the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM\PSof1.exe

Select the option: Use Dummy
Press the button with a red circle and a white X (Delete File button)
Click Yes at the Replace on Reboot confirmation prompt.
Click No at the request to reboot.

Do the exact same as above for each and every one of the files that follow, and select No at the request to reboot!

C:\WINDOWS\rnnkpj.exe
C:\WINDOWS\SYSTEM\SUPDATE.DLL
C:\WINDOWS\System\lafil80n.DLL
C:\WINDOWS\System\uxl.dll
C:\WINDOWS\SYSTEM\qool3.exe
C:\WINDOWS\jaaabr.exe

Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\SYSTEM\redit.cpl

Press the button with a red circle and a white X.
Click Yes at the Replace on Reboot prompt.
Click Yes at the request to reboot.

On this last file, close KillBox and Notepad, and Reboot the computer!!

0

Thank you. I did all of this and hope I did it right. Do you need to see another log? Here is a new log from FindIt. Let me know if I should do something else next.

Warning! This utility will find legitimate files in addition to malware.   
Do not remove anything unless you are sure you know what you're doing. 

 ------- System Files in System Directory ------- 


 Volume in drive C has no label
 Volume Serial Number is 5C8D-579D
 Directory of C:\WINDOWS\SYSTEM

LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
NPTBIOS  DLL       227,104  07-09-05  4:59p NPTBIOS.DLL
         2 file(s)        454,208 bytes
         0 dir(s)        3,376.27 MB free

 ------- Hidden Files in System Directory ------- 


 Volume in drive C has no label
 Volume Serial Number is 5C8D-579D
 Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
         1 file(s)         23,127 bytes
         0 dir(s)        3,376.27 MB free

 ---------------- User Agent ------------ 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""

 ------------------ Locate.com Results ------------------ 

C:\WINDOWS\SYSTEM\
   lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
   nptbios.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K

2 items found:  2 files, 0 directories.
   Total of file sizes:  454,208 bytes    443.56 K

 ------------ Strings.exe Qoologic Results ------------ 

C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic

 -------------- Strings.exe Aspack Results ------------- 

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack

 ----------------- HKLM Run Key ------------------ 

 -------------- Strings.exe Umonitor Results ------------- 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"

Edited by mike_2000_17: Fixed formatting

0

Are you getting any error messages when killing with the KillBox? Some of those entries are still there. Also, the user agent string is still there. Did you have any problem with the fixme reg file?
Internet Explorer should be closed along with any other folder windows.
We are getting there slowly, but I want to be certain you are getting no errors and that all programs are closed :).

0

I don't remember getting any error messages with Killbox. It does not ask if I want to reboot now, but says that I need to reboot to complete the activity. Then I reboot manually.

The Fixme.reg file seemed to work instantly.

I closed all programs when instructed. Otherwise, I might have left Internet Explorer on when doing this.

The only message I continue to get is when shutting down the computer. I get a message that says Program Not Responding, and I have to select End Task before I can shut down the computer.

Should I re-perform any of the steps?

0

I just wanted to ask a couple of questions. Do you think I'm all done here and in the clear? I'll be glad to manually delete any other files. Also, is there a recommendation of what anti-virus, anti-spyware and firewall protection I should install on my computer and how I should handle prevention in the future? Thanks!

0

Sorry for the delay. Go through my last post again and redo the removal instructions making certain no other windows are up and running. Post back the results please.

0

I went through all the steps again with no windows open. Here's the new log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
NPTBIOS  DLL       227,104  07-09-05  4:59p NPTBIOS.DLL
IUSENG   DLL       227,104  07-09-05  4:59p IUSENG.DLL
OIBCSTF  DLL       227,104  07-09-05  4:59p OIBCSTF.DLL
AVSRVR32 DLL       227,104  07-09-05  4:59p AVSRVR32.DLL
LQWPG80N DLL       227,104  07-09-05  4:59p lqwpg80n.dll
GHU32    DLL       227,104  07-09-05  4:59p GHU32.DLL
IDM32    DLL       227,104  07-09-05  4:59p IDM32.DLL
8 file(s)      1,816,832 bytes
0 dir(s)        3,378.43 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
1 file(s)         23,127 bytes
0 dir(s)        3,378.43 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""



------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
nptbios.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
iuseng.dll     Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
oibcstf.dll    Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
avsrvr32.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
lqwpg80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
ghu32.dll      Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
idm32.dll      Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K


8 items found:  8 files, 0 directories.
Total of file sizes:  1,816,832 bytes      1.73 M


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"

Edited by happygeek: fixed formatting

0

Double click the KillBox program to launch it ...

Go to Tools > Delete Temp Files > Click "OK"

Now select "Replace on Reboot" and "Use Dummy" in the first column.

Next copy/paste the following into the "Full Path to Delete" box:

C:\WINDOWS\SYSTEM\LAFIL80N DLL

Click the Red Button with the White x on it.

Click the "Delete File" button, and when asked to reboot select no.

Select "Replace on Reboot" and "Use Dummy" in the first column for all files below.

Next copy/paste the following into the "Full Path to Delete" box one at a time and reboot on the last file entered:

C:\WINDOWS\SYSTEM\NPTBIOS DLL
C:\WINDOWS\SYSTEM\IUSENG DLL
C:\WINDOWS\SYSTEM\OIBCSTF DLL
C:\WINDOWS\SYSTEM\AVSRVR32 DLL
C:\WINDOWS\SYSTEM\LQWPG80N DLL
C:\WINDOWS\SYSTEM\GHU32 DLL
C:\WINDOWS\SYSTEM\IDM32 DLL
C:\WINDOWS\SYSTEM\qool3.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\jaaabr.exe

Click the "Delete File" button, and let your computer reboot.

Post the same logs after rebooting, along with another hijackthis log please.

0

Thank you. Here is the FindIt log and then the HijackThis log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
1 file(s)        227,104 bytes
0 dir(s)        3,335.87 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
1 file(s)         23,127 bytes
0 dir(s)        3,335.86 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""



------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K


1 item found:  1 file, 0 directories.
Total of file sizes:  227,104 bytes    221.78 K


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"



Logfile of HijackThis v1.99.1
Scan saved at 11:18:16 AM, on 7/24/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\JAAABR.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jaaabr.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab 

Edited by happygeek: fixed formatting

0

Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click to run it and when asked if you want to merge with your registry, answer yes.

==

Double click the KillBox program to launch it ...

Go to Tools > Delete Temp Files > Click "OK"

Now select "Replace on Reboot" and "Use Dummy" in the first column. Then select "Unregister dll before deleting" for each of the dll files below.

Next copy/paste the following into the "Full Path to Delete" box:

C:\WINDOWS\SYSTEM\LAFIL80N DLL

Click the Red Button with the White x on it.

Click the "Delete File" button, and when asked to reboot select no.

Select "Replace on Reboot" and "Use Dummy" in the first column for all files below.

Next copy/paste the following into the "Full Path to Delete" box one at a time and reboot on the last file entered:

C:\WINDOWS\SYSTEM\qool3.exe
C:\WINDOWS\jaaabr.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\jaaabr.exe
C:\Documents and Settings\Username\Start Menu\Programs\Startup\nppd.exe

Note that the last entry there will have to be the path to the startup folder on your PC. The one shown is W2K's path. If you get it wrong the file will not be deleted.

Click the "Delete File" button, and let your computer reboot.

Post the same logs after rebooting, along with another hijackthis log please.

0

I checked the path to the startup folder and copied it exactly, but I can see the file is still in there, so I don't know. Here are the new logs. Thanks.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
1 file(s)        227,104 bytes
0 dir(s)        3,332.43 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
1 file(s)         23,127 bytes
0 dir(s)        3,332.43 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""



------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K


1 item found:  1 file, 0 directories.
Total of file sizes:  227,104 bytes    221.78 K


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"


Logfile of HijackThis v1.99.1
Scan saved at 11:05:51 AM, on 7/25/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NPPD.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jaaabr.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab 

Edited by happygeek: fixed formatting

0

Download moveonboot from here & the file(s) you choose will be deleted on reboot.

Once installed, all you need do is locate the file and right click on it and choose delete on next boot.
You can then reboot straight away, or leave it until you shut down your PC.

==

Now what you need to do is locate each one of those files I listed previously, right click on each of them and select 'delete on next boot' and see how you go. Once you have done all of them, reboot.
If that fails I reckon you are looking at reformatting :(.

0

I ran moveonboot and it seemed to work, but after I rebooted I can still see the files in there. Here are the new logs.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


LAFIL80N DLL       227,104  07-09-05  4:59p lafil80n.DLL
RK32RV10 DLL       227,104  07-09-05  4:59p RK32RV10.DLL
2 file(s)        454,208 bytes
0 dir(s)        3,366.54 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM


FFASTLOG TXT        23,127  12-13-02  4:27p FFASTLOG.TXT
1 file(s)         23,127 bytes
0 dir(s)        3,366.54 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""



------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
lafil80n.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K
rk32rv10.dll   Sat Jul  9 2005   4:59:50p  ..S.R        227,104   221.78 K


2 items found:  2 files, 0 directories.
Total of file sizes:  454,208 bytes    443.56 K


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\hosts: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
C:\WINDOWS\SYSTEM\redit.cpl: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"



Logfile of HijackThis v1.99.1
Scan saved at 9:22:46 AM, on 7/26/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\JAAABR.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jaaabr.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab 

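
The O8/O9/O12/O16 entries in the log above follow a fixed layout, and pulling them into structured records is the first step a helper takes before deciding what to cut. The script below is an added example for this thread; it is not part of the original post, not HijackThis code, and the section layouts it assumes are inferred only from the lines shown here. The sample input is six lines copied from the posted log, and the `Entry` fields, `parse_entry`, `parse_log` and `review` names are this example's own. It records whether an O9 target is reported as `(file missing)` and lists the hosts the O16 ActiveX downloads came from, without passing any judgement on them.

```python
"""Parse the HijackThis O8/O9/O12/O16 entries posted above.

Added example, not part of the thread or of HijackThis itself. The
section layouts below are inferred from the log lines in the thread;
the Entry fields and helper names are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: six lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
"""

LINE_RE = re.compile(r"^(O\d+) - (.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"


@dataclass
class Entry:
    kind: str                   # section tag: O8, O9, O12, O16
    name: str                   # menu label, plugin extension or DPF friendly name
    target: str                 # file path, res:// URL or download URL
    clsid: Optional[str] = None
    file_missing: bool = False

    @property
    def host(self) -> Optional[str]:
        """Hostname for http(s) targets (O16 downloads); None for local paths."""
        parsed = urlparse(self.target)
        return parsed.hostname if parsed.scheme in ("http", "https") else None


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for lines of other sections."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, rest = m.groups()
    file_missing = rest.endswith(MISSING)
    if file_missing:
        rest = rest[: -len(MISSING)].rstrip()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None

    if kind == "O8":
        # Extra context menu item: <label> - <target>
        body = rest.partition(": ")[2]
        name, _, target = body.rpartition(" - ")
    elif kind == "O9":
        # Extra button / 'Tools' menuitem: <label> - {CLSID} - <path>
        body = rest.partition(": ")[2]
        name, _, after = body.partition(" - ")
        target = after.rpartition(" - ")[2]
    elif kind == "O12":
        # Plugin for .<ext>: <path>
        head, _, target = rest.partition(": ")
        name = head.replace("Plugin for ", "", 1)
    elif kind == "O16":
        # DPF: {CLSID} [(Friendly Name)] - <URL>
        body = rest.partition(": ")[2]
        before, _, target = body.rpartition(" - ")
        friendly = re.search(r"\(([^)]*)\)\s*$", before)
        name = friendly.group(1) if friendly else ""
    else:
        return None
    return Entry(kind, name.strip(), target.strip(), clsid, file_missing)


def parse_log(text: str) -> List[Entry]:
    """Parse every O8/O9/O12/O16 line in a log; other sections are skipped."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def review(entries: List[Entry]) -> Dict[str, object]:
    """First things a helper checks: dangling O9 buttons and where the O16
    ActiveX downloads came from, so each host can be recognised or looked up."""
    return {
        "file_missing": [e.clsid for e in entries if e.file_missing],
        "dpf_hosts": sorted({e.host for e in entries if e.kind == "O16" and e.host}),
        "counts": {k: sum(1 for e in entries if e.kind == k) for k in ("O8", "O9", "O12", "O16")},
    }


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a full log by passing the saved text to `parse_log`; the `(file missing)` flag is what makes an O9 entry like the BitDefender uninstall button above safe to drop (its target no longer exists), and the `dpf_hosts` list is what you compare against the vendors whose scanners you actually ran.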
Well, I am sorry to say that I have no other options for you to try :sad:. It looks like a reformat is going to be the only thing that will clean your PC up.

Thank you for all the time you spent with this. I appreciate it. In re-formatting, you mean I'd delete everything and then re-install all the software on the computer? What are the disadvantages of leaving this stuff on there, as long as the computer seems to operate o.k.?

By leaving them there they will only multiply to the point where your PC will likely become unusable.
Yes, all the programs, files, documents will be erased from your PC, so you will have to save those that you do not want to lose.

Hello

I want to thank you all. I ran Autoruns and deleted some files, thinking that I did not need them. Boy, I'm not that great of a PC tech when I mess up my own computer. It took forever to boot, then would reboot with no problem afterwards; Microsoft Restore never works on my HP Pavilion m7100e. Well, it booted up fine after that first long boot, but then I could not connect to the internet. I don't know why; I did not remove anything that had to do with MS or network configuration, except for the MS Messenger auto-load. I will never mess with that again. But then I came across this post and did the WinSockFix. Hallelujah, it fixed it lickety-split, no wait time whatsoever. Thanks again, and since I'm gonna try to give this PC repair a real go, I will keep coming here again and again. Thank you, thank you, thank you.
Marcos
