pop ups and trojans oh my


#16
-=jonnyrotten=-
Member 2k, Retired Staff, 2,678 posts
Hehe, stay calm, we're making progress (slow) but it's working believe me. If you go postal will you take pictures and send them to me? I won't tell. Anyways here's the new instructions remember to do this in safe mode.

Remove the following files the same way as you have been already. They're all in c:\winnt\system32 except for the last one.

kudcan.dll
q8860ilse8q60.dll
atmparse.dll
k480lelm1hqa.dll
mxdart.dll
hrr0059me.dll
j44o0eh3eh4.dll
hrj0051me.dll
d?dplay.exe
mkzay.dll
d?dplay.exe
mkzay.dll
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe

Post a new output.txt. This will take a few more steps, but we'll get it.

-=jonnyrotten=- :tazz:


#17
nitrox
Topic Starter, Member, 11 posts

Quoting -=jonnyrotten=- (post #16):

Hehe, stay calm, we're making progress (slow) but it's working believe me. If you go postal will you take pictures and send them to me? I won't tell. Anyways here's the new instructions remember to do this in safe mode.

Remove the following files the same way as you have been already. They're all in c:\winnt\system32 except for the last one.

kudcan.dll
q8860ilse8q60.dll
atmparse.dll
k480lelm1hqa.dll
mxdart.dll
hrr0059me.dll
j44o0eh3eh4.dll
hrj0051me.dll
d?dplay.exe
mkzay.dll
d?dplay.exe
mkzay.dll
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe

Post a new output.txt. This will take a few more steps, but we'll get it.

-=jonnyrotten=- :tazz:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/30/2004 11:02 AM 225,959 rcutils.dll
12/30/2004 11:02 AM 223,091 p66slgj716o.dll
12/30/2004 10:37 AM 225,959 nbtlogon.dll
12/30/2004 10:10 AM 225,959 irnol5531.dll
12/30/2004 02:40 AM <DIR> dllcache
12/10/2004 08:10 AM 225,991 j44o0eh3eh4.dll
12/10/2004 05:33 AM 224,043 hrj0051me.dll
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/06/2003 02:34 PM <DIR> Microsoft
7 File(s) 1,740,122 bytes
2 Dir(s) 111,168,344,064 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

12/30/2004 02:40 AM <DIR> dllcache
12/27/2004 10:21 AM <DIR> vmss
12/27/2004 10:21 AM <DIR> wsxsvc
12/08/2004 10:16 AM 389,120 d?dplay.exe
10/06/2003 02:25 PM 488 WindowsLogon.manifest
10/06/2003 02:25 PM 488 logonui.exe.manifest
10/06/2003 02:25 PM 749 nwc.cpl.manifest
10/06/2003 02:25 PM 749 ncpa.cpl.manifest
10/06/2003 02:25 PM 749 sapi.cpl.manifest
10/06/2003 02:25 PM 749 cdplayer.exe.manifest
10/06/2003 02:25 PM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
3 Dir(s) 111,168,335,872 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 10B0-A85A

Directory of C:\WINNT\System32

03/31/2003 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 111,168,331,776 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D533D09D-E5D3-40ED-97BD-26C23029ABEA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irnol5531.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ypgghy.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"kalvsys"="C:\\winnt\\system32\\kalvgvm32.exe"
"WeeqEE"="C:\\WINNT\\jhefoyts.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"winupdtl"="C:\\WINNT\\System32\\winupdtl.exe"
"Dvx"="C:\\WINNT\\System32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINNT\\System32\\vmss\\vmss.exe"
"zknszkl"="C:\\WINNT\\zknszkl.exe"
"CashBack"="C:\\Program Files\\CashBack\\bin\\cashback.exe"
"NaviSearch"="C:\\Program Files\\NaviSearch\\bin\\nls.exe"
"BullsEye Network"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"BCPC"="\"C:\\Program Files\\Bcpc\\bcpc.exe\""
"SurfSideKick 2"="C:\\Program Files\\SurfSideKick 2\\Ssk.exe"
"version"="C:\\WINNT\\System32\\ms1B.exe"
"secure"="C:\\WINNT\\System32\\secure.exe"
"180ax"="c:\\docume~1\\owner\\locals~1\\temp\\180ax.exe"
"fuf"="C:\\WINNT\\fuf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


They're still here... Wish I was in Waikiki: "mostly sunny today, a few windward and mauka showers, highs in the 80's". Easy now, Nitrox
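The Find.bat dump in the post above shows the two persistence points this infection was using: a Winlogon\Notify subkey whose DllName points at a DLL in system32, and a long HKLM Run key mixing vendor entries under Program Files with executables dropped straight into WINNT, System32 and a temp folder. The following Python script is an added example, not part of the thread or of the Find It tool: it parses that REGEDIT4 format, decodes the escaped paths, extracts the program image from each command line, and flags the entries a helper would verify first. The sample input is a constructed subset of the values visible in the dump; the directory heuristics (Windows directory, System32, temp folders) are assumptions for triage and only say "look here", not "this is malware".

```python
"""Triage autostart entries from a REGEDIT4 dump of HKLM Run and Winlogon\\Notify.

Added example for this thread; it is not Find.bat's code. The heuristics in
triage_reason() are assumptions chosen for triage, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the REGEDIT4 format Find.bat prints; a subset of the
# values shown in the post, not the full export.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irnol5531.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"Narrator"="C:\\WINNT\\System32\\youuwy.exe"
"180ax"="c:\\docume~1\\owner\\locals~1\\temp\\180ax.exe"
'''


@dataclass
class Entry:
    key: str      # registry key the value lives under
    name: str     # value name, e.g. "Narrator"
    command: str  # decoded command line (REGEDIT4 escapes removed)
    image: str    # executable or DLL path extracted from the command line


@dataclass
class Finding:
    entry: Entry
    reason: str


def unescape_reg_string(raw: str) -> str:
    """Decode a quoted REGEDIT4 string: strip the quotes, undo \\\\ and \\" escapes."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError(f"not a REG_SZ literal: {raw!r}")
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return ''.join(out)


# First token ending in an executable extension, followed by end of line,
# whitespace or a quote; lazy so it stops at the first such extension.
_IMAGE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|bat|scr|pif))(?=$|[\s"])', re.IGNORECASE)


def image_path(command: str) -> str:
    """Pull the program path out of a Run command line. A quoted path is taken
    verbatim; an unquoted one is cut after the first executable extension, so
    unquoted paths containing spaces (C:\\Program Files\\...) survive intact."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_autostarts(text: str) -> list[Entry]:
    """Return every string value under a ...\\CurrentVersion\\Run key and the
    DllName of every Winlogon\\Notify subkey; empty DllNames are skipped."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(".*")$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        low = key.lower()
        is_run = low.endswith('\\currentversion\\run')
        is_notify = '\\winlogon\\notify\\' in low and name.lower() == 'dllname'
        if not (is_run or is_notify):
            continue
        command = unescape_reg_string(raw)
        if not command:
            continue  # e.g. the empty DllName on the parent Notify key
        entries.append(Entry(key, name, command, image_path(command)))
    return entries


# Drive root plus WINNT or Windows, optionally \System32 (lower-cased input).
_WINDIR_RE = re.compile(r'^[a-z]:\\win(?:nt|dows)(?:\\system32)?$')


def triage_reason(entry: Entry) -> Optional[str]:
    """Heuristic (assumption): vendor autostarts rarely live directly in the
    Windows directory, System32 or a temp folder, so those hits get checked
    first. A Notify DLL is always worth checking: winlogon.exe loads it at logon."""
    if entry.name.lower() == 'dllname':
        return 'Winlogon Notify package: this DLL is loaded into winlogon.exe at logon'
    p = entry.image.lower()
    directory = p.rsplit('\\', 1)[0] if '\\' in p else ''
    if _WINDIR_RE.match(directory):
        return 'Run entry whose program lives directly in the Windows or System32 directory'
    if '\\temp\\' in p:
        return 'Run entry whose program lives in a temporary directory'
    return None


def triage(text: str) -> list[Finding]:
    """Parse the dump and keep only the entries that trip a heuristic."""
    return [Finding(e, r) for e in parse_autostarts(text)
            if (r := triage_reason(e)) is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_REG):
        print(f"{f.entry.name!r:18} {f.entry.image}\n    -> {f.reason}")
```

Run against the constructed sample, the script reports the Notify DLL irnol5531.dll, the "Narrator" value pointing into System32 and the "180ax" value in the temp folder, and stays quiet about the Symantec, QuickTime and MUSICMATCH entries under Program Files. On a real machine the same parser can be fed the output of `reg export` for those keys; the point of separating parsing from the heuristics is that the list of "places to look" can be tightened or loosened without touching the decoder.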