
pop ups and trojans oh my



#1
nitrox

nitrox

    Member

  • Member
  • PipPip
  • 11 posts
Logfile of HijackThis v1.99.0
Scan saved at 10:00:01 AM, on 12/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\jhefoyts.exe
C:\Documents and Settings\Owner\Application Data\dees.exe
C:\WINNT\System32\d?dplay.exe
C:\WINNT\System32\cislbva.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G92RGLMB\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsear...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsear...sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [izkgzplybhtk] C:\WINNT\System32\fdjfocv.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WeeqEE] C:\WINNT\jhefoyts.exe
O4 - HKLM\..\Run: [szet] C:\WINNT\szet.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvgvm32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [kbdest] C:\WINNT\System32\kbdest.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Rrdpyudx] C:\WINNT\System32\d?dplay.exe
O4 - HKCU\..\Run: [Zw37Rki2l] cislbva.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103641085484
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0



#2
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline and close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes next to only the following items, then click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsear...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsear...sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [izkgzplybhtk] C:\WINNT\System32\fdjfocv.exe
O4 - HKLM\..\Run: [WeeqEE] C:\WINNT\jhefoyts.exe
O4 - HKLM\..\Run: [szet] C:\WINNT\szet.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvgvm32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [kbdest] C:\WINNT\System32\kbdest.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Rrdpyudx] C:\WINNT\System32\d?dplay.exe
O4 - HKCU\..\Run: [Zw37Rki2l] cislbva.exe

Please download LSPFix from http://www.cexx.org/lspfix.htm and run the program. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and remove all traces of calsp.dll. Run it again and remove all traces of winlspak.dll.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINNT\EliteToolBar
C:\WINNT\System32\fdjfocv.exe
C:\WINNT\jhefoyts.exe
C:\WINNT\szet.exe
C:\winnt\system32\kalvgvm32.exe
C:\Program Files\ISTsvc
C:\WINNT\System32\kbdest.exe
C:\Documents and Settings\Owner\Application Data\dees.exe
C:\WINNT\System32\d?dplay.exe
C:\WINNT\System32\cislbva.exe

Reset your host file. Click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

Reboot normally and post new log.

-=jonnyrotten=- :tazz:
  • 0

#3
nitrox

nitrox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts



  • 0

#4
nitrox

nitrox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Logfile of HijackThis v1.99.0
Scan saved at 1:30:06 AM, on 12/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G92RGLMB\hijackthis[1]\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvgvm32.exe
O4 - HKLM\..\Run: [WeeqEE] C:\WINNT\jhefoyts.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103641085484
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#5
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
-=jonnyrotten=- :tazz:
  • 0

#6
nitrox

nitrox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/22/2004 01:28 AM 224,875 jrj0251mg.dll
12/22/2004 12:17 AM 224,875 mvdocs.dll
12/20/2004 08:58 PM 225,697 g0220afoed2c0.dll
12/20/2004 03:29 PM <DIR> dllcache
12/15/2004 03:11 PM 224,228 gpn2l35o1.dll
12/14/2004 04:12 AM 225,868 m046lahs1d46.dll
12/14/2004 04:03 AM 224,228 dmvvox.dll
12/14/2004 04:02 AM 224,228 en06l1ds1.dll
12/14/2004 03:44 AM 224,228 m4po0e73eh.dll
12/14/2004 03:38 AM 224,228 gp60l3jm1.dll
12/14/2004 03:19 AM 224,228 fpj8031ue.dll
12/14/2004 03:08 AM 224,228 k662lgjo16oc.dll
12/14/2004 01:57 AM 224,228 e4020edoeh0c0.dll
12/14/2004 01:47 AM 225,316 k880lilm18qa.dll
12/14/2004 12:51 AM 224,228 fp6q03j5e.dll
12/13/2004 09:51 PM 225,529 m0pola731d.dll
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/09/2004 04:34 PM 225,647 i406leds1h06.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:34 PM <DIR> Microsoft
20 File(s) 4,491,333 bytes
2 Dir(s) 111,617,585,152 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/20/2004 03:29 PM <DIR> dllcache
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:25 PM 488 logonui.exe.manifest
10/06/2003 02:25 PM 488 WindowsLogon.manifest
10/06/2003 02:25 PM 749 nwc.cpl.manifest
10/06/2003 02:25 PM 749 sapi.cpl.manifest
10/06/2003 02:25 PM 749 cdplayer.exe.manifest
10/06/2003 02:25 PM 749 ncpa.cpl.manifest
10/06/2003 02:25 PM 749 wuaucpl.cpl.manifest
9 File(s) 450,161 bytes
1 Dir(s) 111,617,585,152 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/22/2004 01:31 AM 225,697 guard.tmp
1 File(s) 225,697 bytes
0 Dir(s) 111,617,581,056 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/22/2004 01:31 AM 225,697 guard.tmp
03/31/2003 06:00 AM 2,577 CONFIG.TMP
2 File(s) 228,274 bytes
0 Dir(s) 111,617,576,960 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D533D09D-E5D3-40ED-97BD-26C23029ABEA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\g0220afoed2c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINNT\system32\gzuucg.dll: updates.qoologic.com
C:\WINNT\system32\pmuuhp.exe: updates.qoologic.com
C:\WINNT\system32\zuppez.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINNT\system32\installer.exe: .aspack
C:\WINNT\system32\qyuupq.dat: .aspack
C:\WINNT\system32\youuwy.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"kalvsys"="C:\\winnt\\system32\\kalvgvm32.exe"
"WeeqEE"="C:\\WINNT\\jhefoyts.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


 shakabra thanks for your help ......nitrox
  • 0

#7
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\jrj0251mg.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\mvdocs.dll
    • C:\WINDOWS\System32\g0220afoed2c0.dll
    • C:\WINDOWS\System32\gpn2l35o1.dll
    • C:\WINDOWS\System32\m046lahs1d46.dll
    • C:\WINDOWS\System32\dmvvox.dll
    • C:\WINDOWS\System32\en06l1ds1.dll
    • C:\WINDOWS\System32\m4po0e73eh.dll
    • C:\WINDOWS\System32\gp60l3jm1.dll
    • C:\WINDOWS\System32\fpj8031ue.dll
    • C:\WINDOWS\System32\k662lgjo16oc.dll
    • C:\WINDOWS\System32\e4020edoeh0c0.dll
    • C:\WINDOWS\System32\k880lilm18qa.dll
    • C:\WINDOWS\System32\fp6q03j5e.dll
    • C:\WINDOWS\System32\m0pola731d.dll
    • C:\WINDOWS\System32\j44o0eh3eh4.dll
    • C:\WINDOWS\System32\hrj0051me.dll
    • C:\WINDOWS\System32\i406leds1h06.dll
    • C:\WINNT\system32\gzuucg.dll
    • C:\WINNT\system32\zuppez.dll
    • C:\WINDOWS\System32\d?dplay.exe
    • C:\WINNT\system32\pmuuhp.exe
    • C:\WINNT\system32\installer.exe
    • C:\WINNT\system32\qyuupq.dat
    • C:\WINNT\system32\youuwy.exe
    • C:\DOCUMENTS AND SETTINGS\ALLUSERES\STARTMENU\Programs\Startup\ypgghy.exe
    • C:\WINNT\jhefoyts.exe
    • C:\WINNT\System32\youuwy.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt.

  • 0

#8
nitrox

nitrox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts



  • 0

#9
nitrox

nitrox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/23/2004 01:40 PM 225,697 f8j2li1o18.dll
12/23/2004 01:26 PM 224,875 dnn6015se.dll
12/22/2004 12:17 AM 224,875 mvdocs.dll
12/20/2004 03:29 PM <DIR> dllcache
12/15/2004 03:11 PM 224,228 gpn2l35o1.dll
12/14/2004 04:12 AM 225,868 m046lahs1d46.dll
12/14/2004 04:03 AM 224,228 dmvvox.dll
12/14/2004 04:02 AM 224,228 en06l1ds1.dll
12/14/2004 03:44 AM 224,228 m4po0e73eh.dll
12/14/2004 03:38 AM 224,228 gp60l3jm1.dll
12/14/2004 03:19 AM 224,228 fpj8031ue.dll
12/14/2004 03:08 AM 224,228 k662lgjo16oc.dll
12/14/2004 01:57 AM 224,228 e4020edoeh0c0.dll
12/14/2004 01:47 AM 225,316 k880lilm18qa.dll
12/14/2004 12:51 AM 224,228 fp6q03j5e.dll
12/13/2004 09:51 PM 225,529 m0pola731d.dll
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/09/2004 04:34 PM 225,647 i406leds1h06.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:34 PM <DIR> Microsoft
20 File(s) 4,491,333 bytes
2 Dir(s) 111,622,012,928 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/20/2004 03:29 PM <DIR> dllcache
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:25 PM 488 logonui.exe.manifest
10/06/2003 02:25 PM 488 WindowsLogon.manifest
10/06/2003 02:25 PM 749 nwc.cpl.manifest
10/06/2003 02:25 PM 749 sapi.cpl.manifest
10/06/2003 02:25 PM 749 cdplayer.exe.manifest
10/06/2003 02:25 PM 749 ncpa.cpl.manifest
10/06/2003 02:25 PM 749 wuaucpl.cpl.manifest
9 File(s) 450,161 bytes
1 Dir(s) 111,622,012,928 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/23/2004 01:45 PM 224,875 guard.tmp
1 File(s) 224,875 bytes
0 Dir(s) 111,622,008,832 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/23/2004 01:45 PM 224,875 guard.tmp
03/31/2003 06:00 AM 2,577 CONFIG.TMP
2 File(s) 227,452 bytes
0 Dir(s) 111,622,004,736 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D533D09D-E5D3-40ED-97BD-26C23029ABEA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\dnn6015se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"kalvsys"="C:\\winnt\\system32\\kalvgvm32.exe"
"WeeqEE"="C:\\WINNT\\jhefoyts.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


JR I HOPE I DID NOT SCREW THIS UP. I AM NOW GETTING ERROR MSGS DURING START UP RE: SOME OF THE FILES THAT WERE DELETED "THE SYSTEM FILE IS NOT SUITABLE FOR RUNNING MS DOS AND WINDOWS APPLICATIONS" AND I STILL HAVE POP-UPS........ IF I EVER GET OUTA HERE....................... I'M GOING TO KATMANDU STANDING BY FOR FURTHER INSTRUCTIONS THANKS ....NITROX

#10
-=jonnyrotten=-
Don't worry, you may encounter some errors during the process of malware removal, but in the end everything will be ok. When you used the killbox did it say the files were deleted? I only ask because they are all back. Try rebooting into "Safe Mode" by pressing F8 right after your initial Bios screen upon bootup and select "Safe Mode" from the list you are presented with. Next follow the previous instructions Admin had posted, but this time you will be doing this in "Safe Mode". The first step in this process is removing those unwanted malicious files. You have a difficult infection to remove, but if you follow the steps exactly we should get through this. Like I was saying it's going to take a few steps before everything is all clean, just hang in there and we'll take care of ya. :tazz:

-=jonnyrotten=- ;)

#11
nitrox

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/27/2004 01:34 PM 224,875 tBpi3.dll
12/27/2004 01:29 PM 224,875 jt8u07l9e.dll
12/27/2004 01:18 PM 224,875 n46qlej51ho.dll
12/27/2004 01:17 PM 225,535 azao0eh3eh4.dll
12/27/2004 12:30 PM 223,053 ujp10.dll
12/27/2004 12:28 PM 224,875 f8l02i3mg8.dll
12/27/2004 12:03 PM 225,697 opbcjt32.dll
12/27/2004 10:17 AM <DIR> dllcache
12/22/2004 12:17 AM 224,875 mvdocs.dll
12/15/2004 03:11 PM 224,228 gpn2l35o1.dll
12/14/2004 04:12 AM 225,868 m046lahs1d46.dll
12/14/2004 04:03 AM 224,228 dmvvox.dll
12/14/2004 04:02 AM 224,228 en06l1ds1.dll
12/14/2004 03:44 AM 224,228 m4po0e73eh.dll
12/14/2004 03:38 AM 224,228 gp60l3jm1.dll
12/14/2004 03:19 AM 224,228 fpj8031ue.dll
12/14/2004 03:08 AM 224,228 k662lgjo16oc.dll
12/14/2004 01:57 AM 224,228 e4020edoeh0c0.dll
12/14/2004 01:47 AM 225,316 k880lilm18qa.dll
12/14/2004 12:51 AM 224,228 fp6q03j5e.dll
12/13/2004 09:51 PM 225,529 m0pola731d.dll
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/09/2004 04:34 PM 225,647 i406leds1h06.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:34 PM <DIR> Microsoft
25 File(s) 5,614,546 bytes
2 Dir(s) 111,443,095,552 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/27/2004 10:21 AM <DIR> vmss
12/27/2004 10:21 AM <DIR> wsxsvc
12/27/2004 10:17 AM <DIR> dllcache
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:25 PM 488 WindowsLogon.manifest
10/06/2003 02:25 PM 488 logonui.exe.manifest
10/06/2003 02:25 PM 749 nwc.cpl.manifest
10/06/2003 02:25 PM 749 ncpa.cpl.manifest
10/06/2003 02:25 PM 749 sapi.cpl.manifest
10/06/2003 02:25 PM 749 cdplayer.exe.manifest
10/06/2003 02:25 PM 749 wuaucpl.cpl.manifest
9 File(s) 450,161 bytes
3 Dir(s) 111,443,091,456 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

03/31/2003 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 111,443,087,360 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D533D09D-E5D3-40ED-97BD-26C23029ABEA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\f8l02i3mg8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"kalvsys"="C:\\winnt\\system32\\kalvgvm32.exe"
"WeeqEE"="C:\\WINNT\\jhefoyts.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"stcloader"="C:\\WINNT\\System32\\stcloader.exe"
"winupdtl"="C:\\WINNT\\System32\\winupdtl.exe"
"Dvx"="C:\\WINNT\\System32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINNT\\System32\\vmss\\vmss.exe"
"USB controller"="\"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\ICD1.tmp\\svcmm32.exe\" /startup"
"180ax"="c:\\docume~1\\owner\\locals~1\\temp\\180ax.exe"
"zknszkl"="C:\\WINNT\\zknszkl.exe"
"CashBack"="C:\\Program Files\\CashBack\\bin\\cashback.exe"
"NaviSearch"="C:\\Program Files\\NaviSearch\\bin\\nls.exe"
"BullsEye Network"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


jr happy merry pop ups still comin on strong .... would it be that hard to reformat I've got some pics and documents that i can save if so can u walk me thru the reformat.... thanks nitrox

#12
nitrox
new prob computer reboots itself after last kill box procedure and pop ups barely let me type this to u

#13
-=jonnyrotten=-
Well you can always reformat, but that is a last resort around here. Keep in mind if you are going to reformat anyways, let me know and I will definitely help you do it, but let me know soon so we don't get too deep into this and then reformat anyways. :tazz: This is a nasty infection you have and it usually takes a few tries to remove it but we can. Hopefully you still want to go through with this. Here is the next step:

  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\XXXXX.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe
    • C:\WINNT\System32\d?dplay.exe
    • C:\WINNT\System32\tBpi3.dll
    • C:\WINNT\System32\jt8u07l9e.dll
    • C:\WINNT\System32\n46qlej51ho.dll
    • C:\WINNT\System32\azao0eh3eh4.dll
    • C:\WINNT\System32\ujp10.dll
    • C:\WINNT\System32\f8l02i3mg8.dll
    • C:\WINNT\System32\opbcjt32.dll
    • C:\WINNT\System32\mvdocs.dll
    • C:\WINNT\System32\gpn2l35o1.dll
    • C:\WINNT\System32\m046lahs1d46.dll
    • C:\WINNT\System32\dmvvox.dll
    • C:\WINNT\System32\en06l1ds1.dll
    • C:\WINNT\System32\m4po0e73eh.dll
    • C:\WINNT\System32\gp60l3jm1.dll
    • C:\WINNT\System32\fpj8031ue.dll
    • C:\WINNT\System32\k662lgjo16oc.dll
    • C:\WINNT\System32\e4020edoeh0c0.dll
    • C:\WINNT\System32\k880lilm18qa.dll
    • C:\WINNT\System32\fp6q03j5e.dll
    • C:\WINNT\System32\m0pola731d.dll
    • C:\WINNT\System32\j44o0eh3eh4.dll
    • C:\WINNT\System32\hrj0051me.dll
    • C:\WINNT\System32\i406leds1h06.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
I had just noticed that before I had you delete files in c:\windows\system32 but the files are located in c:\winnt\system32... Oops. No harm done. What did the killbox say when you were telling it to delete all those files the first time?

-=jonnyrotten=- ;)

#15
nitrox

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/30/2004 02:20 AM 225,959 kudcan.dll
12/30/2004 02:19 AM 224,875 q8860ilse8q60.dll
12/30/2004 01:58 AM 224,875 atmparse.dll
12/30/2004 01:58 AM 225,959 k480lelm1hqa.dll
12/30/2004 01:48 AM 224,875 mxdart.dll
12/27/2004 07:57 PM 224,875 hrr0059me.dll
12/27/2004 10:17 AM <DIR> dllcache
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:34 PM <DIR> Microsoft
10 File(s) 2,246,892 bytes
2 Dir(s) 111,389,650,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/27/2004 10:21 AM <DIR> vmss
12/27/2004 10:21 AM <DIR> wsxsvc
12/27/2004 10:17 AM <DIR> dllcache
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/30/2004 11:47 AM 56,320 mkzay.dll
10/06/2003 02:25 PM 488 WindowsLogon.manifest
10/06/2003 02:25 PM 488 logonui.exe.manifest
10/06/2003 02:25 PM 749 nwc.cpl.manifest
10/06/2003 02:25 PM 749 ncpa.cpl.manifest
10/06/2003 02:25 PM 749 sapi.cpl.manifest
10/06/2003 02:25 PM 749 cdplayer.exe.manifest
10/06/2003 02:25 PM 749 wuaucpl.cpl.manifest
9 File(s) 450,161 bytes
3 Dir(s) 111,389,646,848 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

03/31/2003 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 111,389,642,752 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D533D09D-E5D3-40ED-97BD-26C23029ABEA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\k480lelm1hqa.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"kalvsys"="C:\\winnt\\system32\\kalvgvm32.exe"
"WeeqEE"="C:\\WINNT\\jhefoyts.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"stcloader"="C:\\WINNT\\System32\\stcloader.exe"
"winupdtl"="C:\\WINNT\\System32\\winupdtl.exe"
"Dvx"="C:\\WINNT\\System32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINNT\\System32\\vmss\\vmss.exe"
"USB controller"="\"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\ICD1.tmp\\svcmm32.exe\" /startup"
"180ax"="c:\\docume~1\\owner\\locals~1\\temp\\180ax.exe"
"zknszkl"="C:\\WINNT\\zknszkl.exe"
"CashBack"="C:\\Program Files\\CashBack\\bin\\cashback.exe"
"NaviSearch"="C:\\Program Files\\NaviSearch\\bin\\nls.exe"
"BullsEye Network"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"BCPC"="\"C:\\Program Files\\Bcpc\\bcpc.exe\""
"Breg"="\"C:\\Program Files\\Common Files\\Java\\bcre.exe\""
"Xcpy1"="\"C:\\Program Files\\Common Files\\Java\\Xcpy1.exe\""
"SurfSideKick 2"="C:\\Program Files\\SurfSideKick 2\\Ssk.exe"
"version"="C:\\WINNT\\System32\\ms1B.exe"
"secure"="C:\\WINNT\\System32\\secure.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


ok did the killbox dance again in safemode. when i returned to regular pop ups
[bleep] thing is playing jingle bells i can't get anything done i get pop ups every minute 6 at a time i have gun and i will kill this guy if ever see him just joking noooo....... not really
  • 0
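
Added example, not part of the thread: the "they are all back" check done mechanically. It parses two Find.bat outputs and reports which KillBox-targeted files the later scan still lists, which are gone, which are new, and which new file a Winlogon Notify subkey now points at. The scan text is a trimmed excerpt of the logs posted above, and the function names are this example's own.

```python
import ntpath
import re

# Trimmed excerpts of the Find.bat output posted above (12/27 and 12/30 scans).
SCAN_BEFORE = r'''
Directory of C:\WINNT\System32
12/27/2004 01:34 PM 224,875 tBpi3.dll
12/27/2004 12:28 PM 224,875 f8l02i3mg8.dll
12/27/2004 10:17 AM <DIR> dllcache
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"DllName"="C:\\WINNT\\system32\\f8l02i3mg8.dll"
'''
SCAN_AFTER = r'''
Directory of C:\WINNT\System32
12/30/2004 02:20 AM 225,959 kudcan.dll
12/30/2004 01:58 AM 225,959 k480lelm1hqa.dll
12/27/2004 10:17 AM <DIR> dllcache
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"DllName"="C:\\WINNT\\system32\\k480lelm1hqa.dll"
'''
# A subset of the paths from the KillBox list in post #13.
TARGETED = [
    r"C:\WINNT\System32\d?dplay.exe",
    r"C:\WINNT\System32\tBpi3.dll",
    r"C:\WINNT\System32\f8l02i3mg8.dll",
    r"C:\WINNT\System32\j44o0eh3eh4.dll",
    r"C:\WINNT\System32\hrj0051me.dll",
]

DIR_ROW = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(.+)$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
DLLNAME = re.compile(r'^"DllName"="(.*)"$')

def parse_listing(text):
    """Map lower-cased file name -> size in bytes; <DIR> rows are skipped."""
    files = {}
    for line in text.splitlines():
        m = DIR_ROW.match(line.strip())
        if m:
            files[m.group(2).lower()] = int(m.group(1).replace(",", ""))
    return files

def notify_dlls(text):
    """Map each Winlogon Notify subkey to the base name of its non-empty DllName."""
    found, subkey = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            path = k.group(1)
            subkey = path.rsplit("\\", 1)[1] if "\\Winlogon\\Notify\\" in path else None
            continue
        d = DLLNAME.match(line)
        if d and subkey and d.group(1):
            # .reg exports double every backslash inside string values
            found[subkey] = ntpath.basename(d.group(1).replace("\\\\", "\\")).lower()
    return found

def analyze(targeted, before_text, after_text):
    """Compare two scans against the list of files that were to be deleted."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    names = [ntpath.basename(p).lower() for p in targeted]
    new = sorted(n for n in after if n not in before)
    return {
        "survived": sorted(n for n in names if n in after),
        "removed": sorted(n for n in names if n in before and n not in after),
        "new": new,
        # new files that a Notify subkey in the later scan points at
        "new_notify": {k: v for k, v in notify_dlls(after_text).items() if v in new},
    }

if __name__ == "__main__":
    for label, value in analyze(TARGETED, SCAN_BEFORE, SCAN_AFTER).items():
        print(label, value)
```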





