
please help... invaded by pop-ups


This topic is locked

#1 halcon (Member, 21 posts)
Please help me.

Here is my HijackThis log.

Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 7:00:18 PM, on 3/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ie32upd.exe
C:\WINDOWS\System32\sysrc32.exe
C:\WINDOWS\System32\ykvyiu.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Documents and Settings\Allan\Local Settings\Temp\Temporary Directory 18 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O4 - HKLM\..\Run: [sysrc32] C:\WINDOWS\System32\sysrc32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O4 - HKCU\..\Run: [sysrc32] C:\WINDOWS\System32\sysrc32.exe
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker (HKLM)
O9 - Extra 'Tools' menuitem: EmpirePoker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7988.0225347222
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...362/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab


#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi halcon, welcome to Geeks 2 Go.

Before I am able to analyze your log, you must read the information provided in the following link and do everything that is indicated from step 1 through step 5. Stop after installing HijackThis in its own folder. The folder should look something like this C:\HijackThis\HijackThis.exe when you are finished. These steps often drastically reduce the number of problems we have to contend with and get you up and running much faster.

You Must Read This Before Posting A Log


Regards,

Trevuren

#3 halcon (Topic Starter, Member, 21 posts)
Hey Trevuren,

Thanks for the reply.

I went ahead and did as you asked. Here is my log. However, it still shows that I have SP1, not SP1a. Is this normal?

Thanks for any help.

halcon

Logfile of HijackThis v1.99.1
Scan saved at 9:02:32 PM, on 3/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ie32upd.exe
C:\WINDOWS\System32\sysrc32.exe
C:\windows\system32\madsfuk.exe
C:\WINDOWS\System32\ykvyiu.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\windows\system32\packager.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\Allan\Desktop\virus-spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O4 - HKLM\..\Run: [sysrc32] C:\WINDOWS\System32\sysrc32.exe
O4 - HKLM\..\Run: [madsfuk] c:\windows\system32\madsfuk.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O4 - HKCU\..\Run: [sysrc32] C:\WINDOWS\System32\sysrc32.exe
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111121531718
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...362/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 halcon (Topic Starter, Member, 21 posts)
Bump... please help.

#5 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi halcon,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now let's do some work on your log:

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Close all browser windows and RUN HijackThis.
. Click the SCAN button to produce a log.
. Click the Config button located in the lower right hand corner of the HijackThis window.
. When the new screen opens, find and click the Miscellaneous Tools button.
. Then choose the Open Process Manager button.
. From the list of processes, highlight the following items by clicking them, ONE AT A TIME, then DELETE them by clicking the KILL button:

C:\WINDOWS\System32\ie32upd.exe
C:\WINDOWS\System32\sysrc32.exe
C:\windows\system32\madsfuk.exe
C:\WINDOWS\System32\ykvyiu.exe


Once all items have been KILLED, click the Back button which will return you to the HijackThis main window. Now place a check mark beside each one of the following Mandatory items as well as those Optional items that you choose based upon the information provided in green.

MANDATORY ITEMS

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O4 - HKLM\..\Run: [sysrc32] C:\WINDOWS\System32\sysrc32.exe
O4 - HKLM\..\Run: [madsfuk] c:\windows\system32\madsfuk.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O4 - HKCU\..\Run: [sysrc32] C:\WINDOWS\System32\sysrc32.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab


OPTIONAL ITEMS

The following items are considered to be either "not required", "seldom used" or "resource hogs". Their removal should slightly enhance the performance of your system.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files/folders, and delete them (if they are present):

FILES

C:\WINDOWS\System32\ie32upd.exe
C:\WINDOWS\System32\sysrc32.exe
C:\windows\system32\madsfuk.exe
C:\WINDOWS\System32\ykvyiu.exe
C:\WINDOWS\Pynix.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\wupdt.exe
C:\WINDOWS\farmmext.exe

FOLDERS (with all their content)

C:\Program Files\EmpirePoker

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren


#6 halcon (Topic Starter, Member, 21 posts)
Here is my latest HijackThis file.

Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 9:40:24 AM, on 3/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Allan\Desktop\virus-spyware\HijackThis.exe
C:\WINDOWS\System32\ykvyiu.exe

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ynkyug.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111121531718
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...362/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi halcon,

Things are starting to look good. There are but two little entries that didn't go away. We will essentially repeat the process one more time and if they still remain, we get out the big guns.

First we need to make all files and folders VISIBLE:

Close all browser windows and RUN HijackThis.
. Click the SCAN button to produce a log.
. Click the Config button located in the lower right hand corner of the HijackThis window.
. When the new screen opens, find and click the Miscellaneous Tools button.
. Then choose the Open Process Manager button.
. From the list of processes, highlight the following items by clicking them, ONE AT A TIME, then DELETE them by clicking the KILL button:

ykvyiu.exe

Once all items have been KILLED, click the Back button which will return you to the HijackThis main window. Now place a check mark beside the following item:

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)

Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files and delete them (if they are present):

FILES

C:\WINDOWS\System32\ykvyiu.exe
C:\WINDOWS\Pynix.dll

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren


#8 halcon (Topic Starter, Member, 21 posts)
Hey Trevuren, thanks for the help. Here is the latest file.

It seems ykvyiu.exe does not want to go away.

Also, what are y75yvz.exe and ynkyug.exe?

Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 12:27:38 PM, on 3/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan\Desktop\virus-spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\ykvyiu.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ynkyug.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111121531718
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...362/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
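What the helper does by eye across the logs in this thread, comparing one scan with the next, can be done programmatically. The script below is an added example for this page, not code from the posts and not part of HijackThis. The two log excerpts embedded in it are abridged from the logs in post #3 (before the fixes) and post #6 (after them); the functions accept any complete HJT log as text. It surfaces the two patterns that matter here: a fix-list entry that came back as `(file missing)` (the registration survived, only the file went), and a running process that no O4/O23 entry launches (ykvyiu.exe), which means something HijackThis does not list is starting it.

```python
"""Parse HijackThis (HJT) logs and compare successive scans of one machine.

Added example for this thread, not part of HijackThis or of the original
posts. LOG_BEFORE/LOG_AFTER are abridged from the logs in post #3 and
post #6 above; the functions accept any complete HJT log as text.
"""
import re
from pathlib import PureWindowsPath

# Launched by Windows itself (or the scanner), never by an O4/O23 entry.
CORE_PROCESSES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "wuauclt.exe", "iexplore.exe", "hijackthis.exe",
}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def normalize(body):
    """Drop HJT's '(file missing)' marker so a registry entry whose file was
    deleted still matches the entry it was before the clean-up."""
    return body.replace(" (file missing)", "").strip()

def parse_hjt(text):
    """Return (processes, entries): 'Running processes' paths as a list and
    every R/O line as a set of (section, normalized body)."""
    processes, entries, in_procs = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)          # the block ends at the first blank line
            if line:
                processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.add((m["sec"], normalize(m["body"])))
    return processes, entries

def diff_logs(before, after):
    """(removed, added) entry sets between two scans of the same machine."""
    _, a = parse_hjt(before)
    _, b = parse_hjt(after)
    return a - b, b - a

def survivors(fix_lines, after):
    """Entries from a 'fix these' list that are still present in a later log."""
    wanted = {(m["sec"], normalize(m["body"]))
              for m in (ENTRY_RE.match(ln.strip()) for ln in fix_lines) if m}
    return wanted & parse_hjt(after)[1]

def orphan_processes(text):
    """Running processes that no O4/O23 entry launches. Such a process is
    started by something HJT does not list, which is the pattern behind the
    recurring ykvyiu.exe in this thread."""
    processes, entries = parse_hjt(text)
    launchers = " ".join(body.lower() for sec, body in entries if sec in ("O4", "O23"))
    return [p for p in processes
            if PureWindowsPath(p).name.lower() not in CORE_PROCESSES
            and PureWindowsPath(p).name.lower() not in launchers]

# Abridged excerpts of the posted logs (constructed for this example).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ie32upd.exe
C:\WINDOWS\System32\ykvyiu.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O4 - HKLM\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ykvyiu.exe

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O4 - Global Startup: ynkyug.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
# The entries from post #5's mandatory list that the excerpts cover.
FIX_LIST = [
    r"O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll",
    r"O4 - HKLM\..\Run: [ie32upd] C:\WINDOWS\System32\ie32upd.exe",
]

if __name__ == "__main__":
    print("removed/added:", diff_logs(LOG_BEFORE, LOG_AFTER))
    print("still present:", survivors(FIX_LIST, LOG_AFTER))
    print("no visible launcher:", orphan_processes(LOG_AFTER))
```

Run it as-is to see the three reports; feed it full logs by replacing the two excerpts with the complete pasted text. The orphan check is deliberately crude (a substring match on file name against the O4/O23 bodies), which is enough for HJT's flat format and keeps legitimate entries such as `Mixer.exe /startup` from being reported.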

#9 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi halcon,

Gone to the "big boys" for suggestions on all three. It could take a while. Just use your system and see what turns up.

I'll get back to you when I get an answer.


Trevuren

#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi halcon,

It looks as if we may have something here. I will be sure tomorrow. Please be patient. It is a weird one if it is what I think. I am really looking forward to fixing it.

Regards,

Trevuren



#11 halcon (Topic Starter, Member, 21 posts)
Thanks Trevuren, I appreciate all the help.

#12 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Good afternoon Halcon,

Apparently we are dealing with an infection called a "Narrator Infection". If you look in your last HJT log in the O4 entries you will see the word Narrator. This is a fairly recent breakout which is complicating most of our lives. Be prepared for new programs and new logs. (I have to read them, not you). There are quite a few steps to this so bear with me as most can only be done one at a time.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Please download FindIt from here:
http://lineofire.gee...It NT-2K-XP.zip
Save it to the desktop and run FindNarrator.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

#13 halcon (Topic Starter, Member, 21 posts)
Hey Trevuren, here is the log file.

Thanks again.

Halcon


---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Professional 5.1 Service Pack 1 (Build 2600)

********* Date/Time ********

Saturday, March 19, 2005 (3/19/2005)
10:08 AM, Pacific Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Allan\Desktop\virus-spyware\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINDOWS\system32\gplgyu.dll: updates.qoologic.com
C:\WINDOWS\system32\pqlpzu.exe: updates.qoologic.com
C:\WINDOWS\system32\zaizop.dll: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\system32\qvwqau.dat: .aspack
C:\WINDOWS\system32\ykvyiu.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ynkyug.exe: .aspack

---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\%GUID%

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\c5c39d63-932e-4a37-821f-55d3a8d768b7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\fe9e47bf-21fc-47a3-b9a1-3a1599ec4fe1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0fde1f56-0d59-4fd7-9624-e3df6b419d0e}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0fde1f56-0d59-4fd7-9624-e3df6b419d0f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gqmgny]
@="{546f8752-4622-492e-ac12-1a7cb9be1801}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"C-Media Mixer"="Mixer.exe /startup"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------

#14
Trevuren
    Old Dog

  • Retired Staff
  • 18,699 posts
Hi halcon,

We found them, now to get rid of them.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

  1. Please download the Killbox.
  2. Unzip it to the desktop but do NOT run it yet.
  3. Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  4. Once in Safe Mode, please run Killbox.
  5. Click "Replace on Reboot" and check the "Use Dummy" box.
  6. Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\gplgyu.dll
  7. Click the red-and-white "Delete File".
  8. Click "Yes" at the Replace on Reboot prompt.
  9. Click "No" at the Pending Operations prompt.
  10. Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\pqlpzu.exe
    • C:\WINDOWS\System32\zaizop.dll
    • C:\WINDOWS\System32\qvwqau.dat
    • C:\WINDOWS\System32\ykvyiu.exe
    • C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\Startup\ynkyug.exe
  11. Click "Replace on Reboot" and check the "Use Dummy" box.
  12. Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\gplgyu.dll
  13. Click the red-and-white "Delete File" button.
  14. Click "Yes" at the Replace on Reboot prompt.
  15. Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  16. When your computer reboots, please run FindIt.bat again and post the new log here.
During the process, you may be upset at receiving an error message at system startup that says something like: 16 Bit MS-DOS Subsystem, C:\WINNT\system32\wwrvkg.exe (This would probably be one of the bad files). The NTVDM has encountered an illegal instruction.

You should then click on the option to "terminate application", and continue with the process of posting FindIt logs and killing files. This message will go away when all the Narrator bad files have gone away.



Regards,

Trevuren

#15
halcon

    Member

  • Topic Starter
  • Member
  • 21 posts
Here is the new logfile. This ykvyiu.exe does not want to go away.


---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****


********* Date/Time ********


*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Allan

---------------- Strings.exe Qoologic Results ----------------


---------------- Strings.exe Aspack Results ----------------


---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\%GUID%

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\c5c39d63-932e-4a37-821f-55d3a8d768b7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\fe9e47bf-21fc-47a3-b9a1-3a1599ec4fe1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0fde1f56-0d59-4fd7-9624-e3df6b419d0e}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0fde1f56-0d59-4fd7-9624-e3df6b419d0f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gqmgny]
@="{546f8752-4622-492e-ac12-1a7cb9be1801}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"C-Media Mixer"="Mixer.exe /startup"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"Narrator"="C:\\WINDOWS\\System32\\ykvyiu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------

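The two logs above show why the file kept coming back: in the second log, ykvyiu.exe, which the Aspack scan already flagged, has been registered under the Run key as "Narrator", so it is relaunched at every logon and deleting the file by itself is not enough. The following is an added Python example, not part of this thread or of the FindIt tool, that parses a FindNarrator-style log and cross-references the Strings.exe hits against the Run-key entries to report which flagged files also have an autostart entry. The embedded log excerpt is constructed from the values posted in this thread; the section titles, the REGEDIT4 escaping and the `path: hit` line format are taken from the logs above.

```python
"""Cross-reference FindNarrator-style Strings.exe hits with Run-key autostart entries.

Added example, not code from the thread or the FindIt tool. It assumes the log layout
shown above: dashed section headers, "path: string" lines in the Strings.exe sections
and a REGEDIT4 export under "Run Key".
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the FindNarrator output posted in this thread.
SAMPLE_LOG = r"""
---------------- Strings.exe Qoologic Results ----------------

C:\WINDOWS\system32\gplgyu.dll: updates.qoologic.com
C:\WINDOWS\system32\pqlpzu.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\system32\qvwqau.dat: .aspack
C:\WINDOWS\system32\ykvyiu.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ynkyug.exe: .aspack

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Narrator"="C:\\WINDOWS\\System32\\ykvyiu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
"""

SECTION_RE = re.compile(r"^-{4,}\s*(.+?)\s*-{4,}$")
STRINGS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?):\s*(?P<hit>\S+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# First program path in a Run value, quoted or not, up to its extension.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|bat|cmd|scr))', re.IGNORECASE)


def parse_sections(text):
    """Split the log into {section title: [non-blank lines]} using its dashed headers."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_strings_results(lines):
    """Return (path, matched string) pairs from a Strings.exe results section."""
    return [(m.group("path"), m.group("hit"))
            for m in map(STRINGS_RE.match, lines) if m]


def unescape_reg(value):
    r"""Undo REGEDIT4 string escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_run_key(lines):
    """Return (registry key, value name, launched program path) for each Run entry."""
    entries, key = [], None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = REG_VALUE_RE.match(line)
        if not (vm and key):
            continue
        pm = EXE_RE.match(unescape_reg(vm.group("value")))
        if pm:  # values such as "Installed"="1" carry no program and are skipped
            entries.append((key, vm.group("name"), pm.group("path")))
    return entries


def exe_basename(path):
    """Case-folded file name, tolerant of doubled separators and 8.3 directory names."""
    return re.split(r"[\\/]+", path.strip().rstrip("\\"))[-1].lower()


def correlate(text):
    """Map each Strings.exe-flagged file name to its hits and any autostart entries."""
    sections = parse_sections(text)
    report = defaultdict(lambda: {"hits": [], "autostart": []})
    for title, lines in sections.items():
        if title.startswith("Strings.exe"):
            for path, hit in parse_strings_results(lines):
                report[exe_basename(path)]["hits"].append((path, hit))
    for key, name, path in parse_run_key(sections.get("Run Key", [])):
        base = exe_basename(path)
        if base in report:
            report[base]["autostart"].append((key, name))
    return dict(report)


def persistent_files(text):
    """Flagged files that are relaunched at logon: deleting the file alone is not enough."""
    return sorted(b for b, r in correlate(text).items() if r["autostart"])


if __name__ == "__main__":
    for base, r in sorted(correlate(SAMPLE_LOG).items()):
        flag = "AUTOSTART" if r["autostart"] else "         "
        print(f"{flag} {base:<14} {', '.join(h for _, h in r['hits'])}")
        for key, name in r["autostart"]:
            print(f"          relaunched by {key}\\{name}")
```

Matching is done on the case-folded file name rather than the full path because the Strings.exe lines use lower-case and 8.3 directory names while the Run key uses the long form. On the constructed excerpt the only flagged file with an autostart entry is ykvyiu.exe, which is exactly the file the second log shows surviving the Killbox pass.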
