elmof.dll

Discussion in 'other software & services' started by Mr.Blaze, Mar 22, 2007.

Thread Status:
Not open for further replies.
  1. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    I keep geting this anoying pop up on windows xp
    Error loading c:\windows\system32\elmof.dll
    Invalid acess to memory location

    i tryed reg32 registering it and i get loading libary failled-Invalid acess to memory location

    i have also notice i cant schduale repairs on system reboot when schduled to

    and what is elmof.dll i cant find refrence anywhere to it
     
  2. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    err... if you can't find reference to it in google ( I couldn't), are you sure you really want it registered?
    perhaps upload it to virus total as it sounds a bit suspicious, but I'm no expert.
     
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Realy strange i cant upload it either or atatch it and send it as e-mai says its in use
     
  4. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    try ending explorer and start a new one. open task manager pick explorer.exe then pick end task....then pick new task and type in explorer.exe and hit enter...then see if you can upload to virus total.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Did u try to copy it?
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Hey Blaze,

    First please allow me to ask:
    Are you sure that you have spelled the name of that file elmof.dll right?
    Sorry for asking buddy ;)

    Have you scanned your computer already with all your scanners with last definitions?
    Also in Safe Mode?

    Did you install something before this happened?

    In addition to what others already posted:
    Maybe Unlocker might be of help to unlock that file.
    It is here: http://ccollomb.free.fr/unlocker/
    But maybe that is more a tool to use under guidance of an HJT-log expert.
    I'm not saying that your computer is infected; I don't know.
    HJT-logs are not allowed anymore at the Wilders forum.
    So, if you think that an HJT analysis is needed, you need to go to another forum (and follow the required steps of that board).
    Example: http://www.dslreports.com/forum/cleanup

    Edited to add:
    Blaze, follow the advice from Pieter in the next posting
     
    Last edited: Mar 25, 2007
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Blaze,

    If I had to guess from the name, I'd go for Vundo.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Blazey, my dear old friend, what is happening?

    You haven't replied .......

    Did you manage to solve this issue?
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    I've got an email from Blaze.

    He is still having that problem; that file is constantly used by something.
    And one of the keys on his keyboard is not working.

    I hope he will come over here to the forum.
     
  10. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Pieter_Arntz hey that program worked now i can schduae checks and no more errors thx so much one dowen two to go now i have is give norton acces to drive g and figure out why im missing a key on my keybord that saeems to go on and off ast time i buy a microsoft keybord
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hey Blaze, :)

    Nice to see you back.
    Can you post the log I asked for?
    Maybe it shows something that explains your problems.
    And I'd like to see what was fixed, ofcourse. :cool:

    Regards,

    Pieter
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    whers the og i cant find it or was i supose to save it?
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    It opens after the scan runs fully.
    And it usually gets saved as C:\ComboFix.txt

    If you can't find it, just run the prgram again and post the new log, but I would prefer the original one.

    Regards,

    Pieter
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Pieter, I heard there is a problem with ComboFix and author has withdrawn it.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi aigle,

    There was a problem and the author has fixed it.
    After that it has been updated as regularly as it was before.
    So I have no second thoughts using it.

    Regards,

    Pieter
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. I did not know all the detail.
     
  17. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Owner" - 07-04-04 23:11:58 Service Pack 2
    ComboFix 07-04-04.5 - Running from: "C:\Documents and Settings\Owner\My Documents"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\wbem\tsqkw.dll
    C:\WINDOWS\system32\dienb.dll
    C:\DOCUME~1\ALLUSE~1\TEMPLA~1.\temp.exe
    C:\WINDOWS\system32\advport.dll
    C:\WINDOWS\system32\drivers\msqmx.sys
    C:\WINDOWS\system32\score.txt
    C:\WINDOWS\f2.exe
    C:\WINDOWS\g3.exe
    C:\WINDOWS\system32\rundll2000.exe
    C:\WINDOWS\system32\drivers\lybyy.sys
    C:\WINDOWS\system32\elmof.dll


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\lybyy
    -------\msqmx
    -------\LEGACY_LYBYY
    -------\LEGACY_MSQMX


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-05 to 2007-04-05 ))))))))))))))))))))))))))))))))))


    2007-04-04 00:41 <DIR> C:\Program Files\-zZE,æ,I'+,IŸSŸAŸ<
    2007-03-31 21:40 <DIR> d-------- C:\Program Files\illiminable
    2007-03-31 18:48 <DIR> d-------- C:\Program Files\Replay Converter
    2007-03-31 17:50 <DIR> d-------- C:\WINDOWS\FLV Player
    2007-03-31 17:50 <DIR> d-------- C:\Program Files\FLV Player
    2007-03-29 10:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-03-29 10:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
    2007-03-20 22:48 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-03-20 21:58 <DIR> d-------- C:\WINDOWS\system32\QuickTime
    2007-03-20 21:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
    2007-03-20 21:57 <DIR> d-------- C:\Program Files\TechSmith
    2007-03-19 20:05 <DIR> d-------- C:\Program Files\Screen Recorder Gold
    2007-03-17 17:32 161,785 --a------ C:\WINDOWS\Screen Recorder Uninstaller.exe
    2007-03-17 17:32 <DIR> d-------- C:\Program Files\Common Files\River Past
    2007-03-17 17:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\River Past G5
    2007-03-17 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\River Past G5
    2007-03-17 17:00 5,242 --a------ C:\WINDOWS\system32\svchots.exe
    2007-03-14 08:55 <DIR> d-------- C:\WINDOWS\system32\embedded
    2007-03-14 08:55 <DIR> d-------- C:\Program Files\UltraISO
    2007-03-14 08:55 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
    2007-03-07 17:11 61,440 --a------ C:\WINDOWS\system32\W32N50.DLL
    2007-03-07 17:11 40,960 --a------ C:\WINDOWS\system32\WMPCI54G.dll
    2007-03-07 17:11 16,292 --a------ C:\WINDOWS\system32\PCANDIS5.SYS
    2007-03-07 17:11 16,112 --a------ C:\WINDOWS\system32\PCANDIS4.SYS
    2007-03-07 17:11 <DIR> d-------- C:\Program Files\WMPCI54G WLAN Monitor
    2007-03-07 14:11 <DIR> d-ah----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
    2007-03-07 14:10 <DIR> d--h----- C:\DOCUME~1\Owner\APPLIC~1\GTek
    2007-03-07 14:04 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    2007-03-05 22:20 <DIR> d-------- C:\Program Files\DivX


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-31 18:48 737280 --a------ C:\WINDOWS\iun6002.exe
    2007-03-22 15:26 -------- d--h----- C:\Program Files\installshield installation information
    2007-03-08 09:35 -------- d-------- C:\Program Files\pure networks
    2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
    2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
    2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
    2007-03-01 15:03 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\limewire
    2007-02-24 19:19 -------- d-------- C:\Program Files\bitpim
    2007-02-24 18:58 25600 --a------ C:\WINDOWS\system32\drivers\usbsermptxp.sys
    2007-02-24 18:58 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
    2007-02-24 18:58 -------- d-------- C:\Program Files\motorola phone tools
    2007-02-24 18:23 -------- d-------- C:\Program Files\liveupdate
    2007-02-24 18:23 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\installshield
    2007-02-22 21:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2007-02-22 21:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
    2007-02-18 19:36 -------- d-------- C:\Program Files\java
    2007-02-15 10:35 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-02-14 23:22 -------- d-------- C:\Program Files\iespell
    2007-02-13 10:59 -------- d-------- C:\Program Files\Common Files\scanner
    2007-02-11 21:08 -------- d-------- C:\Program Files\guild wars
    2007-02-05 02:07 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
    2007-02-02 18:34 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
    2007-02-02 13:17 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
    2007-02-02 13:04 307200 --a------ C:\WINDOWS\system32\atidemgx.dll
    2007-02-02 13:03 264704 --a------ C:\WINDOWS\system32\ati2dvag.dll
    2007-02-02 12:57 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
    2007-02-02 12:56 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
    2007-02-02 12:56 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
    2007-02-02 12:56 110592 --a------ C:\WINDOWS\system32\oemdspif.dll
    2007-02-02 12:56 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll
    2007-02-02 12:55 446464 --a------ C:\WINDOWS\system32\ati2evxx.exe
    2007-02-02 12:54 53248 --a------ C:\WINDOWS\system32\atiddc.dll
    2007-02-02 12:46 2827968 --a------ C:\WINDOWS\system32\ati3duag.dll
    2007-02-02 12:40 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
    2007-02-02 12:40 1272960 --a------ C:\WINDOWS\system32\ativvaxx.dll
    2007-02-02 12:27 241664 --a------ C:\WINDOWS\system32\atikvmag.dll
    2007-02-02 12:25 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
    2007-02-02 12:20 348160 --a------ C:\WINDOWS\system32\ati2cqag.dll
    2007-02-02 12:19 5312512 --a------ C:\WINDOWS\system32\atioglxx.dll
    2007-01-31 09:12 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
    2007-01-30 09:21 128813 --a------ C:\WINDOWS\system32\atiicdxx.dat
    2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
    @=""
    "StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
    "WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NVRaidService"="C:\\WINDOWS\\system32\\nvraidservice.exe"
    "NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1156836504\\ee\\AOLSoftware.exe"
    "AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "BOC-422"="C:\\PROGRA~1\\NSClean\\BOClean\\BOC422.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "WMLAN54G.exe"="C:\\Program Files\\WMPCI54G WLAN Monitor\\WMP54G.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RealPlay"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "inimapping"="0"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
    Popular



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1156837741.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec Drmc.job


    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-05 0:27:46
    C:\ComboFix-quarantined-files.txt ... 07-04-05 00:27
    Code:
    04-05-18 07:46      9768    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\advport.dll.vir 
    06-02-28 05:00      10240    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\drivers\lybyy.sys.vir 
    06-02-28 05:00      10240    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\rundll2000.exe.vir 
    06-02-28 05:00      237376    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\dienb.dll.vir 
    06-02-28 05:00      241664    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\wbem\tsqkw.dll.vir 
    06-02-28 05:00      59392    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\elmof.dll.vir 
    06-02-28 05:00      7744    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\drivers\msqmx.sys.vir 
    07-03-17 17:00      329856    --a------    C:\Qoobox\Quarantine\07-04-04\DOCUME~1\ALLUSE~1\TEMPLA~1\temp.exe.vir 
    07-03-17 17:00      57344    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\f2.exe.vir 
    07-03-17 17:10      57344    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\g3.exe.vir 
    07-04-04 23:14      120938    --a------    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\Score.txt.vir 
    07-04-04 23:16      1242    --a------    C:\Qoobox\Quarantine\07-04-04\Registry_backups\LEGACY_LYBYY.reg.cf 
    07-04-04 23:16      1242    --a------    C:\Qoobox\Quarantine\07-04-04\Registry_backups\LEGACY_MSQMX.reg.cf 
    07-04-04 23:16      2416    --a------    C:\Qoobox\Quarantine\07-04-04\Registry_backups\services_lybyy.reg.cf 
    07-04-04 23:16      2544    --a------    C:\Qoobox\Quarantine\07-04-04\Registry_backups\services_msqmx.reg.cf 
    
    
    Folder PATH listing
    Volume serial number is 6497-1E91
    C:\QOOBOX
    \---Quarantine
        \---07-04-04
            +---DOCUME~1
            |   \---ALLUSE~1
            |       \---TEMPLA~1
            |               temp.exe.vir
            |               
            +---Registry_backups
            |       LEGACY_LYBYY.reg.cf
            |       LEGACY_MSQMX.reg.cf
            |       services_lybyy.reg.cf
            |       services_msqmx.reg.cf
            |       
            \---WINDOWS
                |   f2.exe.vir
                |   g3.exe.vir
                |   
                \---system32
                    |   advport.dll.vir
                    |   dienb.dll.vir
                    |   elmof.dll.vir
                    |   rundll2000.exe.vir
                    |   Score.txt.vir
                    |   
                    +---drivers
                    |       lybyy.sys.vir
                    |       msqmx.sys.vir
                    |       
                    \---wbem
                            tsqkw.dll.vir
                            
    
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Looks like you did good, Blaze. :thumb:

    Do us a favor and send the files in this folder to FanJ:
    C:\Qoobox\Quarantine
    He will forward them to me and I'll see if it was indeed what we suspected.
    Looks like it
     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Thanks very much Pieter !!!

    Blaze,
    Please send me those files zipped and password protected.
    Here is how you can do that:

    ===
    How do I create a password protected zip file?

    1. Using Windows Explorer, locate the file you want to zip.
    2. Right click on the file and select "Send To" and "Compressed (zipped)
    Folder".
    This will create a new compressed folder with the same name as the
    file, except with the extension .zip.
    3. Right click on the compressed folder and select "Explore".
    4. In "File" select "Add a Password". Enter the password and confirm the
    password.
    5. Use the password "infected" (without the quotes).
    ===

    If you don't succeed in doing it that way, then let us know and we will give you another way.
     
  20. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Dear Marcelo and Pieter,

    It could be that due to family circumstances (my brother is very, very ill) I will not be able to help as much as I would love to.

    Blaze, buddy, make sure that you subscribe to this thread, and please check this thread frequently. It is only in your own interest.
    And it could very well be that security vendors need those files to make definitions against them.

    You have permission from Derek (known as dvk01 at the Wilders-forum) to upload all those files to his site so they can be looked at:
    http://www.thespykiller.co.uk/index.php?board=1.0
    Make the title of your thread: From Blaze for Pieter

    I am talking about those files at your system:

    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\advport.dll.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\drivers\lybyy.sys.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\rundll2000.exe.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\dienb.dll.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\wbem\tsqkw.dll.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\elmof.dll.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\drivers\msqmx.sys.vir
    C:\Qoobox\Quarantine\07-04-04\DOCUME~1\ALLUSE~1\TEMPLA~1\temp.exe.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\f2.exe.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\g3.exe.vir
    C:\Qoobox\Quarantine\07-04-04\WINDOWS\system32\Score.txt.vir
    C:\Qoobox\Quarantine\07-04-04\Registry_backups\LEGACY_LYBYY.reg.cf
    C:\Qoobox\Quarantine\07-04-04\Registry_backups\LEGACY_MSQMX.reg.cf
    C:\Qoobox\Quarantine\07-04-04\Registry_backups\services_lybyy.reg.cf
    C:\Qoobox\Quarantine\07-04-04\Registry_backups\services_msqmx.reg.cf
     
  21. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    OK I SENT IT

    thx guys
     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Thanks buddy ! :)
     
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, best wishes for your brother! May Allah bless him with health and all the best.
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    elmoff.dll may well have been the source of the other misery.
    "Trojan-Downloader.Win32.Agent.bdd"

    All the files fit the bill. I'm just puzzled by rundll2000.exe which claims to be a MS file (in Chinese)
    None of the scanners I used picked it up, so it may really be a harmless file they needed to run the rest. I'll try and find that out and get back to you.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.