Popups Galore
17 posts
• Page 2 of 2 • 1, 2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - {6E73C124-2E9A-501A-E89E-563084A4DE9B} - C:\WINDOWS\system32\uavopeci.dll
Look for that folder in Program Files and see if it's related to a game?
O4 - HKCU\..\Run: [Aaee] "C:\Program Files\oeoa\mdoi.exe" -vt ndrv
For root kits we have one posted somewhere I will see if I can dig it up
Rootkit Revealer
- Neuromancer
- Posts: 5756
- Joined: Sun Mar 28, 2004 5:19 am
- Location: West Virginia
Ok, I fixed those things you pointed out in the HJT log.
I also have been in the mdoi.exe folder (which is gone now, more later), and it's set up as follows:
Program Files\oeoa
-mdoi.exe (hidden file)
-rocu (directory)
--nothing inside Program Files\oeoa\rocu
mdoi.exe was the only thing occupying space in that directory. Nothing was there even when I made hidden files and protected OS files visible with the Folder Options.
I can't ever remember installing anything like that, so I've been trying to delete it with no luck...Killing the process, deleting the file, and cleaning the registry. It always came back. Until now. It's not in the process window (which, btw, I looked "mdoi.exe" up at process-library.com, and it isn't listed), and the oeoa folder and everything else are just gone. I have no idea how I got rid of it though.
I also downloaded and ran the RootkitRevealer. My log is as follows:
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder 10/19/2005 7:55 PM 95 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{EC4F234F-F470-4D63-B15E-EF1389CDD450}\RP53\A0008861.ini 1/5/2006 8:58 PM 116 bytes Hidden from Windows API.
C:\WINDOWS\QTFont.for 1/6/2006 3:11 PM 1.38 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\QTFont.qfn 1/6/2006 9:35 PM 52.89 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\gtm7i82v.TMP 1/6/2006 9:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
I can account for everything except the bolded entries. The embedded nulls are from Pinnacle Studio 9 Plus, the data mismatch from Sonic Desktop is part of the Pinnacle software (SmartSound soundtrack creation), and the system restore is typical for most scans (according to some stuff I read on the website).
The last 3 things, however, I can't find. At all. There is no "QTFont.for" or "QTFont.qfn" in the WINDOWS folder, and the same for the file in the Temp folder. I searched too, for files created or modified or accessed, and nothing with those names came up.
I'm also just going to continue running scans in Safe Mode about once a day. I'm sure there's still stuff on here, as seen in my BSP screencap... I just need to figure out how to get it off.
-Craig
- Craigular.B
- Posts: 70
- Joined: Sat Mar 26, 2005 5:34 pm
- Location: Marquette MI
- Real Name: Craig Belpedio
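An added example (not code from this thread or from Sysinternals): a small Python triage script for RootkitRevealer's text output, doing mechanically what Craig did by hand above. It parses each line into path, timestamp, size and discrepancy type, treats System Restore point contents as expected, applies an analyst-supplied list of software known to be installed (the Pinnacle and Sonic entries below are taken from Craig's own explanation), and reports whatever is left for follow-up. The sample log and the KNOWN_SOFTWARE list are constructed for this example.

```python
"""Triage RootkitRevealer text output: parse each discrepancy line, bucket it
by discrepancy type, and separate entries the analyst has accounted for from
the ones that still need an explanation."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of RootkitRevealer's text output; these five
# lines are copied from the log posted above, the rest of it is omitted here.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 10/16/2005 4:24 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder 10/19/2005 7:55 PM 95 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{EC4F234F-F470-4D63-B15E-EF1389CDD450}\RP53\A0008861.ini 1/5/2006 8:58 PM 116 bytes Hidden from Windows API.
C:\WINDOWS\QTFont.qfn 1/6/2006 9:35 PM 52.89 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\gtm7i82v.TMP 1/6/2006 9:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
"""

# One line = <path with spaces> <m/d/yyyy h:mm AM|PM> <size> <unit> <description>.
# Paths never contain a date-shaped token, so a lazy match for the path is safe.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<discrepancy>.+?)\s*$"
)

# Discrepancy descriptions RootkitRevealer emits, mapped to short labels.
KINDS = {
    "Key name contains embedded nulls": "registry_embedded_nulls",
    "Data mismatch between Windows API and raw hive data": "registry_data_mismatch",
    "Hidden from Windows API": "hidden_from_api",
    "Visible in Windows API, but not in MFT or directory index": "api_visible_not_on_disk",
}
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Analyst-supplied list (constructed from Craig's explanation): a path substring
# and the installed software that explains entries containing it.
KNOWN_SOFTWARE = [
    (r"\Classes\CLSID", "Pinnacle Studio 9 Plus (embedded-null CLSID keys)"),
    ("Sonic Desktop Software", "SmartSound component of Pinnacle Studio"),
]


@dataclass
class Entry:
    path: str
    timestamp: str
    size_bytes: int
    discrepancy: str
    kind: str


def parse_line(line):
    """Return an Entry for one log line, or None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    desc = m["discrepancy"]
    kind = next((k for prefix, k in KINDS.items() if desc.startswith(prefix)), "other")
    size = int(round(float(m["size"]) * UNIT_BYTES[m["unit"]]))
    return Entry(m["path"], m["timestamp"], size, desc, kind)


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Count entries per discrepancy kind."""
    return dict(Counter(e.kind for e in entries))


def triage(entries, known_software):
    """Split entries into (accounted: [(entry, reason)], unexplained: [entry])."""
    accounted, unexplained = [], []
    for e in entries:
        reason = None
        lowered = e.path.lower()
        if e.kind == "hidden_from_api" and r"\system volume information\_restore" in lowered:
            # Restore-point contents are routinely hidden from the Windows API.
            reason = "System Restore point contents"
        else:
            for needle, why in known_software:
                if needle.lower() in lowered:
                    reason = why
                    break
        if reason:
            accounted.append((e, reason))
        else:
            unexplained.append(e)
    return accounted, unexplained


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("per-kind counts:", summarize(entries))
    accounted, unexplained = triage(entries, KNOWN_SOFTWARE)
    for e, why in accounted:
        print(f"OK   {e.path}  <- {why}")
    for e in unexplained:
        print(f"???  {e.path}  [{e.kind}, {e.size_bytes} bytes, {e.timestamp}]")
```

The leftover list is the starting point for the follow-up discussed below: rescanning is worthwhile before acting on it, since a file that was created or deleted between RootkitRevealer's API pass and its raw disk pass will not recur, while an entry that persists across scans (and that the vendor's own documentation does not explain, as ZRC later notes for the QuickTime files) is the one worth investigating.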
One that I like to use is Trendmicro's Anti-Spyware for the web... get to it Here.
Try it and see if that helps...I've had it work to a point that the popups go from 40-50 at a time to none!! It'll take a few passes to get the worst of the "goop"!! Reboot in between runs.
Paul
Life is not measured by the number of breaths we take, but by the moments that take our breath away.
Women and cats will do as they please, and men and dogs should relax and get used to the idea.
-Robert A. Heinlein
longhornrulescensor444 Here
- RRCinci
- PROfessional Member
- Posts: 1577
- Joined: Fri Jul 12, 2002 5:38 pm
- Location: Cincinnati, OH
Also try this site out. I use it ALL the time.
http://www.processlibrary.com
Very useful information to find.
Dogs Have Owners; Cats Have Staff
- NT50
- PROfessional Member
- Posts: 8220
- Joined: Sat Jun 19, 2004 4:46 pm
- Location: Jackson, TN USA
- Real Name: Jeff Replogle
Looks like you have been doing very well Craig... taking care of it I mean.
For those last three APIs that you are not sure of...
Have you tried opening a DOS window at c:\Windows and erasing the listed files?
I know that they are "hidden" but I think I resolved an unknown rootkit issue I was having that way.
However... I ended up formatting anyway just because I was not sure.
Good Luck and keep up the diligence
- Neuromancer
- Posts: 5756
- Joined: Sun Mar 28, 2004 5:19 am
- Location: West Virginia
Chances are that the uavopeci.dll file was responsible for recreating the mdoi.exe file.
As far as other issues, you might want to grab Process Explorer from the same site as RKR and run it, when it comes up, double-click on winlogon.exe and go to the Threads Tab - depending on how much is there, note down all the DLLs that winlogon.exe is running - common ones like rpcrt.dll, ntdll.dll or wdmaud.drv can be left out. Do the same for explorer.exe - this will give a clue as to whether or not there are still lurking malware programs loading up.
Regarding the QT things, it appears they are related to QuickTime acc to here
-ZRC
- ZRC
- Posts: 184
- Joined: Thu Mar 17, 2005 12:28 am
- Location: Massachusetts.USA.Earth.in-addr.arpa.