Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

more annoying popus [RESOLVED]

Started by powermonkey3000 , Jun 27 2005 03:54 PM

  • This topic is locked This topic is locked

#1
powermonkey3000
Posted 27 June 2005 - 03:54 PM

powermonkey3000

    Member

  • Member
  • PipPip
  • 39 posts
hello. i've gone through the processes that i was told to go through before posting any problems. it got rid of some of the popups but i still have more that won't go away. pleae help me get rid of these annoying pests. thankyou

here is a copy of my hijack this log :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 5:52:49 PM, on 6/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wzcsbcli.exe
D:\WINDOWS\System32\xcomsnap.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\Aprps\CxtPls.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\hamaul.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Saved Files\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - D:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - D:\WINDOWS\System32\WStart.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] D:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE D:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [VBouncer] D:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "D:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [o98X37O] xcomsnap.exe
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\System32\hamaul.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zyr7RXipl] wzcsbcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119768691046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: Telephony - D:\WINDOWS\system32\wzploc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
  • 0

Advertisements

#2
powermonkey3000
Posted 30 June 2005 - 01:33 AM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
is there anyone that can help?
  • 0

#3
Metallica
Posted 02 July 2005 - 05:23 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you please update Windows and IE to SP1 and post a new log?

Regards,
  • 0

#4
powermonkey3000
Posted 03 July 2005 - 12:27 AM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
ok i updated to service pack 1 and here is my new hijack this log. thanks


Logfile of HijackThis v1.99.1
Scan saved at 2:26:59 AM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\msiexec.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\wuauclt.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\xcomsnap.exe
D:\WINDOWS\System32\hamaul.exe
D:\Program Files\sbss\sbss.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\System32\wzcsbcli.exe
D:\Program Files\Cas\Client\casclient.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Saved Files\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - D:\WINDOWS\cfgmgr52.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] D:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE D:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [VBouncer] D:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [o98X37O] xcomsnap.exe
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\System32\hamaul.exe reg_run
O4 - HKLM\..\Run: [sbss Launcher] "D:\Program Files\sbss\sbss.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zyr7RXipl] wzcsbcli.exe
O4 - HKCU\..\Run: [CAS Client] "D:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119768691046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - D:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: MCD - D:\WINDOWS\system32\wzploc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
  • 0

#5
Metallica
Posted 03 July 2005 - 03:22 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK then. Let's start cleaning. :tazz:

I would like to advise to uninstall ViewPoint Manager under Add/Remove Software

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - D:\WINDOWS\cfgmgr52.dll

O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Application Layer Gateway Service] D:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE D:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [VBouncer] D:\PROGRA~1\VBouncer\VirtualBouncer.exe

O4 - HKLM\..\Run: [o98X37O] xcomsnap.exe
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\System32\hamaul.exe reg_run
O4 - HKLM\..\Run: [sbss Launcher] "D:\Program Files\sbss\sbss.exe"

O4 - HKCU\..\Run: [Zyr7RXipl] wzcsbcli.exe
O4 - HKCU\..\Run: [CAS Client] "D:\Program Files\Cas\Client\casclient.exe"

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab


Reboot into safe mode and delete:
D:\PROGRAM FILES\VBouncer <= entire folder
D:\Program Files\Cas <= entire folder
D:\WINDOWS\System32\hamaul.exe
D:\WINDOWS\System32\algs.exe

Boot back to normal and check if AVG is updated and functioning properly.
These are some descriptions of what I found:
http://securityrespo...sinoclient.html
http://www.symantec.....linkbot.m.html

Regards,
  • 0

#6
powermonkey3000
Posted 03 July 2005 - 11:41 AM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
thank you
i did what you said but there were a few strings i couldn't find to delete when i ran hijack this. i couldn't find:

O4 - HKLM\..\Run: [VBouncer] D:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [o98X37O] xcomsnap.exe

and i couldn't find this in the folders that you specified
D:\PROGRAM FILES\VBouncer
D:\WINDOWS\System32\hamaul.exe
D:\WINDOWS\System32\algs.exe

but i did find alg.exe in the folder you told me to look in. and i deleted that.

here is a new log after all that was done. i scanned with AVG and found and deleted 9 viruses hope everything is well now, don't seem to see anymore popups but just want to make sure. thanks


Logfile of HijackThis v1.99.1
Scan saved at 1:40:48 PM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\hamaul.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Program Files\Grisoft\AVG Free\avgemc.exe
D:\Program Files\Grisoft\AVG Free\avgcc.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Saved Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\System32\hamaul.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119768691046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - D:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: MCD - D:\WINDOWS\system32\wzploc.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - D:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
  • 0

#7
Metallica
Posted 03 July 2005 - 01:31 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Deleting alg.exe was not very smart. :tazz:

Can you see if it is in the Recycle Bin and restore it please?

Then surf to http://virusscan.jotti.org/ and upload this file D:\WINDOWS\system32\wzploc.dll

Let me know the results.

Regards,
  • 0

#8
powermonkey3000
Posted 03 July 2005 - 01:36 PM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
i restored the file, and when i submited that file it came back with this

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

i do have a router with firewall, but i have never had any problem uploading anything before.
thank you
  • 0

#9
Metallica
Posted 03 July 2005 - 01:49 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you mail it to me?

Send it (preferably zipped) to
pieterATwilderssecurity.org (replace AT with @)

Were you able to restore alg.exe ?
That worries me more.

Regards,
  • 0

#10
powermonkey3000
Posted 03 July 2005 - 02:32 PM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
i was able to restore alg.exe and i have emailed you the dll file but i was unable to zip it because it would not let me access it or copy it to a zip archive. sorry if that made it any harder.
  • 0

Advertisements

#11
Metallica
Posted 03 July 2005 - 02:47 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I did get your mail, but without the attachment.

Please read:
http://metallica.gee...xplanation.html
and
http://www.wanadoo.c...lattachfile.htm

Regards,
  • 0

#12
powermonkey3000
Posted 03 July 2005 - 03:14 PM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
i tried to zip it like you said but it wouldn't let me because it said i couldn't read from that file, or that it was in use with another program. i think that is the reason that i was unable to send it to you, cause i did attach it in the email. what should i do now
  • 0

#13
Metallica
Posted 04 July 2005 - 02:05 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I will have to assume that anything that resiliant to be investigated will have to be evil by nature.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Replace on Reboot option.
*Put a checkmark in the "Use Dummy" box
*Select this file to be replaced:
D:\WINDOWS\system32\wzploc.dll
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of he following items.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\System32\hamaul.exe reg_run

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - D:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: MCD - D:\WINDOWS\system32\wzploc.dll

Boot back to normal and post a new HijackThis log.

Regards,
  • 0

#14
powermonkey3000
Posted 04 July 2005 - 02:30 AM

powermonkey3000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
here's the new log. thanks


Logfile of HijackThis v1.99.1
Scan saved at 4:28:31 AM, on 7/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\rata.exe
D:\WINDOWS\System32\wuauclt.exe
C:\Saved Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\System32\hamaul.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119768691046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: policies - D:\WINDOWS\system32\wzploc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
  • 0

#15
Metallica
Posted 04 July 2005 - 02:59 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
You did fix those HijackThis entries in safe mode, right?

Can you find D:\WINDOWS\system32\wzploc.dll
Rightclick it and open it in notepad.
What does it say?

It should say:

dummy file for KillBox
It is safe to delete this file


if the procedure was successfull.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP