Page 4 of 4 FirstFirst ... 234
Results 31 to 37 of 37

Thread: PopUps, PopUps, PopUps ...

  1. #31
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    That's what I needed! Good job. Now I can see what to fix - and it appears a lot of it may be gone already.

    Please download the Killbox.
    Unzip it to the desktop but do NOT run it yet.
    Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
    Once in Safe Mode, please run Killbox.
    Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\ipiprz.exe

    Click the red-and-white "Delete File".
    Click "Yes" at the Replace on Reboot prompt.
    Click "No" at the Pending Operations prompt.
    Repeat steps above for this file:
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrk.exe

    Click "Yes" at the Replace on Reboot prompt.
    Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
    When your computer reboots, please run Find-Qoologic2.bat again and post the new log here. There will be more to clean up. We'll worry about the L2M when we get this straigtened out.

  2. #32
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Here it is, and thanks again :-)

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

    NOT using address check -- 0x7c90df5e

    Global Startup:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    .
    ..
    DESKTOP.INI
    Microsoft Works Calendar Reminders.lnk
    rkrk.exe

    User Startup:
    C:\Documents and Settings\Molly\Start Menu\Programs\Startup
    .
    ..
    DESKTOP.INI

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    <NO NAME> REG_SZ

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
    <NO NAME> REG_SZ {1E2CDF40-419B-11D2-A5A1-002018648BA7}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    <NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mnmngyxq
    <NO NAME> REG_SZ {693b5c7d-be21-4d71-86a4-440e0e19397c}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    <NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    <NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup", version1, launched at: 22:41
    Operating System: Windows XP SP2


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
    \StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
    "cd43e2be-1b71-435c-a64d-b7d83dd5978f\(Default)" = ""
    \StubPath = "C:\WINDOWS\system32\dndncam.exe" [null data]

  3. #33
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    If you dont feel comfortable reinstalling your Operating System, then I would say leave it to the pros. There can be much more to a reinstall than just slapping a disk in and running the setup.exe file. You may have drivers that need to be installed also. If you have any third party hardware installed then you will most likely need to get the drivers. But after reviewing these posts I see you have a Dell. Running the recovery cd will help you in reformatting your hard drive and starting fresh. be forwarned that you will loose all data with a format so backup your data.

    Why should you do a fresh install? Well for one it can clean up alot of crap that malware, spyware, and adware ****ed up. Just look at the firewall issue. Reformatting the hard drive will also help free up space that once held old dll files and other files that arent removed after a uninstall. I suggest to all my customers to get a clean start once a year. P.S. I normally charge $120.00 for a reinstall and $45.00 for a backup. "Easy money" Geek squad charges more.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  4. #34
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Sorry it's taken me so long to get back to you. I have an illness in the family. If I dissappear for a day or so then things here need my attention. If noone else jumps in here bring your logs to bleepingcomputer.com & link back to this post. They'll help you out there. Hopefully that won't be neccesary though.

    Please run Notepad and paste the following text into a new file:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\cd43e2be-1b71-435c-a64d-b7d83dd5978f]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mnmngyxq]

    [-HKEY_CLASSES_ROOT\CLSID\{693b5c7d-be21-4d71-86a4-440e0e19397c}]
    Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

    Then give me a new HJT log & a new findqoologic2 log.

  5. #35
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Please; there is no need to apologize for taking awhile to get back. I feel indebted to you and everybody that is helping me. Believe it or not this is groundbreaking stuff for me. So, not only am I getting my computer fixed, I am learning a great deal as I go along. I'm also very sorry to hear about illness touching your life. We have had quite a bit of that here in the past several months too. I hope evrything is working out okay for you.

    I did the operations you prescribed. I didn't shut down or anything before running these scans. Here is the first .....

    Logfile of HijackThis v1.99.1
    Scan saved at 11:17:15 PM, on 4/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrk.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Molly"
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...d/install.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\kt68l7ju1.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    and the second .......
    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»

    NOT using address check -- 0x7c90df5e

    Global Startup:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    .
    ..
    DESKTOP.INI
    Microsoft Works Calendar Reminders.lnk
    rkrk.exe

    User Startup:
    C:\Documents and Settings\Molly\Start Menu\Programs\Startup
    .
    ..
    DESKTOP.INI

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    <NO NAME> REG_SZ

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
    <NO NAME> REG_SZ {1E2CDF40-419B-11D2-A5A1-002018648BA7}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    <NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mnmngyxq
    <NO NAME> REG_SZ {693b5c7d-be21-4d71-86a4-440e0e19397c}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    <NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    <NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup", version1, launched at: 23:22
    Operating System: Windows XP SP2


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
    \StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

  6. #36
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Here is a copy of my l2m scan.

    Setting Directory
    C:\Documents and Settings\Molly\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\Molly\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1660 'explorer.exe'
    Killing PID 1660 'explorer.exe'
    Killing PID 1660 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1324 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\dn2u01f9e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dwwsockx.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fhlemgmt.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\hrr2059oe.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\i8loli3318.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\kt40l7hm1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\KZDNE.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\l4n4le5q1h.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\notrap.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\q4nu0e59eh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\guard.tmp
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\dn2u01f9e.dll
    Successfully Deleted: C:\WINDOWS\system32\dn2u01f9e.dll
    deleting: C:\WINDOWS\system32\dwwsockx.dll
    Successfully Deleted: C:\WINDOWS\system32\dwwsockx.dll
    deleting: C:\WINDOWS\system32\fhlemgmt.dll
    Successfully Deleted: C:\WINDOWS\system32\fhlemgmt.dll
    deleting: C:\WINDOWS\system32\hrr2059oe.dll
    Successfully Deleted: C:\WINDOWS\system32\hrr2059oe.dll
    deleting: C:\WINDOWS\system32\i8loli3318.dll
    Successfully Deleted: C:\WINDOWS\system32\i8loli3318.dll
    deleting: C:\WINDOWS\system32\kt40l7hm1.dll
    Successfully Deleted: C:\WINDOWS\system32\kt40l7hm1.dll
    deleting: C:\WINDOWS\system32\KZDNE.DLL
    Successfully Deleted: C:\WINDOWS\system32\KZDNE.DLL
    deleting: C:\WINDOWS\system32\l4n4le5q1h.dll
    Successfully Deleted: C:\WINDOWS\system32\l4n4le5q1h.dll
    deleting: C:\WINDOWS\system32\notrap.dll
    Successfully Deleted: C:\WINDOWS\system32\notrap.dll
    deleting: C:\WINDOWS\system32\q4nu0e59eh.dll
    Successfully Deleted: C:\WINDOWS\system32\q4nu0e59eh.dll
    deleting: C:\WINDOWS\system32\guard.tmp


    Zipping up files for submission:
    updating: q4nu0e59eh.dll (164 bytes security) (deflated 5%)
    adding: dn2u01f9e.dll (164 bytes security) (deflated 4%)
    adding: dwwsockx.dll (164 bytes security) (deflated 4%)
    adding: fhlemgmt.dll (164 bytes security) (deflated 5%)
    adding: hrr2059oe.dll (164 bytes security) (deflated 4%)
    adding: i8loli3318.dll (164 bytes security) (deflated 5%)
    adding: kt40l7hm1.dll (164 bytes security) (deflated 5%)
    adding: KZDNE.DLL (164 bytes security) (deflated 5%)
    adding: l4n4le5q1h.dll (164 bytes security) (deflated 5%)
    adding: notrap.dll (164 bytes security) (deflated 4%)
    updating: guard.tmp (164 bytes security) (deflated 4%)
    updating: clear.reg (164 bytes security) (deflated 37%)
    adding: cecho.reg (164 bytes security) (stored 0%)
    updating: direct.txt (164 bytes security) (stored 0%)
    updating: lo2.txt (164 bytes security) (deflated 79%)
    updating: readme.txt (164 bytes security) (deflated 49%)
    updating: test.txt (164 bytes security) (deflated 70%)
    updating: test2.txt (164 bytes security) (deflated 17%)
    updating: test3.txt (164 bytes security) (deflated 17%)
    updating: test5.txt (164 bytes security) (deflated 17%)
    updating: xfind.txt (164 bytes security) (deflated 62%)
    adding: log.txt (164 bytes security) (deflated 85%)
    updating: backregs/10D1A8F8-6A26-4046-A5A8-E18F306C1EFF.reg (164 bytes security) (deflated 70%)
    updating: backregs/shell.reg (164 bytes security) (deflated 74%)
    adding: backregs/ADAE2B38-9C80-4220-A549-28C654834B32.reg (164 bytes security) (deflated 70%)
    adding: backregs/CE30184A-E6A2-43A8-8F79-3AA3FA079489.reg (164 bytes security) (deflated 70%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for predefined group "Administrators"
    Inherited ACE can not be revoked here!
    Inherited ACE can not be revoked here!
    Warning (option /rgaci)) - There is no ACE to remove!


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: dn2u01f9e.dll
    deleting local copy: dwwsockx.dll
    deleting local copy: fhlemgmt.dll
    deleting local copy: hrr2059oe.dll
    deleting local copy: i8loli3318.dll
    deleting local copy: kt40l7hm1.dll
    deleting local copy: KZDNE.DLL
    deleting local copy: l4n4le5q1h.dll
    deleting local copy: notrap.dll
    deleting local copy: q4nu0e59eh.dll
    deleting local copy: guard.tmp

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\j24o0ch3ef4.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\dn2u01f9e.dll
    C:\WINDOWS\system32\dwwsockx.dll
    C:\WINDOWS\system32\fhlemgmt.dll
    C:\WINDOWS\system32\hrr2059oe.dll
    C:\WINDOWS\system32\i8loli3318.dll
    C:\WINDOWS\system32\kt40l7hm1.dll
    C:\WINDOWS\system32\KZDNE.DLL
    C:\WINDOWS\system32\l4n4le5q1h.dll
    C:\WINDOWS\system32\notrap.dll
    C:\WINDOWS\system32\q4nu0e59eh.dll
    C:\WINDOWS\system32\guard.tmp

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{ADAE2B38-9C80-4220-A549-28C654834B32}"=-
    "{CE30184A-E6A2-43A8-8F79-3AA3FA079489}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{ADAE2B38-9C80-4220-A549-28C654834B32}]
    [-HKEY_CLASSES_ROOT\CLSID\{CE30184A-E6A2-43A8-8F79-3AA3FA079489}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    ****************************************************************************
    

  7. #37
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Logfile of HijackThis v1.99.1
    Scan saved at 8:28:49 AM, on 4/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
    C:\Program Files\America Online 9.0a\waol.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrk.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...d/install.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\j24o0ch3ef4.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •