Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

malware

Started by justinleong , Jan 13 2005 11:20 PM

  • Please log in to reply

#1
justinleong
Posted 13 January 2005 - 11:20 PM

justinleong

    New Member

  • Member
  • Pip
  • 2 posts
Hi

I am having problems with annoying pop-ups and dll error msgs. My Ad-aware SE scanner reveals VX2 malware in my computer.

Listed below are my hijackthis log and findit output files for your analysis.

Logfile of HijackThis v1.99.0
Scan saved at 11:11:18 AM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ntsmod.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\DOCUME~1\Leong\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Leong\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe
O4 - HKLM\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103854899964
O17 - HKLM\System\CCS\Services\Tcpip\..\{716F19DD-53E3-459B-9334-F23CD0836C78}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

----------------------------------------------------------------------------------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Leong\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1D3B-16DB

Directory of C:\WINDOWS\System32

01/14/2005 10:59 AM 223,232 guard.tmp
01/14/2005 10:02 AM 223,232 d2j02c1mgf.dll
01/14/2005 09:29 AM 223,556 h42o0ef3eh2.dll
01/12/2005 09:00 AM 223,551 lvjo0913e.dll
01/12/2005 08:22 AM 225,108 p66slgj716o.dll
01/01/2005 04:28 PM 10,856 KGyGaAvL.sys
01/01/2005 04:28 PM 56 2E82438637.sys
12/24/2004 04:34 AM <DIR> Microsoft
12/23/2004 07:12 PM <DIR> dllcache
7 File(s) 1,129,591 bytes
2 Dir(s) 13,403,488,256 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1D3B-16DB

Directory of C:\WINDOWS\System32

01/01/2005 04:28 PM 56 2E82438637.sys
01/01/2005 04:28 PM 10,856 KGyGaAvL.sys
12/23/2004 07:22 PM 488 logonui.exe.manifest
12/23/2004 07:22 PM 488 WindowsLogon.manifest
12/23/2004 07:21 PM 749 cdplayer.exe.manifest
12/23/2004 07:21 PM 749 ncpa.cpl.manifest
12/23/2004 07:21 PM 749 sapi.cpl.manifest
12/23/2004 07:21 PM 749 wuaucpl.cpl.manifest
12/23/2004 07:21 PM 749 nwc.cpl.manifest
12/23/2004 07:12 PM <DIR> dllcache
9 File(s) 15,633 bytes
1 Dir(s) 13,403,471,872 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 1D3B-16DB

Directory of C:\WINDOWS\System32

01/14/2005 10:59 AM 223,232 guard.tmp
1 File(s) 223,232 bytes
0 Dir(s) 13,403,439,104 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 1D3B-16DB

Directory of C:\WINDOWS\System32

01/14/2005 10:59 AM 223,232 guard.tmp
08/18/2001 12:00 PM 2,577 CONFIG.TMP
2 File(s) 225,809 bytes
0 Dir(s) 13,403,422,720 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{84E0C0B1-887B-4445-9550-F0B7CC9039CE}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s688lglu16q8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
ncpacp~1.man Thu Dec 23 2004 7:21:54p A..HR 749 0.73 K
nwccpl~1.man Thu Dec 23 2004 7:21:54p A..HR 749 0.73 K
sapicp~1.man Thu Dec 23 2004 7:21:54p A..HR 749 0.73 K
wuaucp~1.man Thu Dec 23 2004 7:21:54p A..HR 749 0.73 K
cdplay~1.man Thu Dec 23 2004 7:21:54p A..HR 749 0.73 K
logonu~1.man Thu Dec 23 2004 7:22:00p A..HR 488 0.48 K
window~1.man Thu Dec 23 2004 7:22:00p A..HR 488 0.48 K
kgygaavl.sys Sat Jan 1 2005 4:28:20p A.SH. 10,856 10.60 K
2e8243~1.sys Sat Jan 1 2005 4:28:20p ..SHR 56 0.05 K
guard.tmp Fri Jan 14 2005 10:59:30a ..S.R 223,232 218.00 K
p66slg~1.dll Wed Jan 12 2005 8:22:54a ..S.R 225,108 219.83 K
d2j02c~1.dll Fri Jan 14 2005 10:02:48a ..S.R 223,232 218.00 K
lvjo09~1.dll Wed Jan 12 2005 9:00:40a ..S.R 223,551 218.31 K
h42o0e~1.dll Fri Jan 14 2005 9:29:10a ..S.R 223,556 218.32 K

14 items found: 14 files, 0 directories.
Total of file sizes: 1,134,312 bytes 1.08 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\DigiSign.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"CPATR10"="C:\\PROGRA~1\\EzButton\\CPATR10.EXE"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Device Detector"="DevDetect.exe -autorun"
"FinePrint Dispatcher v5"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe"
"pdfFactory Pro Dispatcher v2"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ntsmod"="C:\\WINDOWS\\system32\\ntsmod.exe"
"AWMON"="\"D:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

I hope somebody is able to guide me thru on how to clean my computer of the pest.

Thank you guys

Justin
  • 0

Advertisements

#2
coachwife6
Posted 14 January 2005 - 11:09 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
1. Download the Pocket Killbox.Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\p66slgj716o.dll
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Repeat steps 4-8 above for these files:
* C:\WINDOWS\System32\d2j02c1mgf.dll
* C:\WINDOWS\System32\h42o0ef3eh2.dll
* C:\WINDOWS\System32\lvjo0913e.dll
10. Click "Replace on Reboot" and check the "Use Dummy" box.
11. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\Guard.tmp
12. Click the "Delete File" button which looks like a stop sign.
13. Click "Yes" at the Replace on Reboot prompt.
14. Click "Yes" at the Pending Operations prompt to restart your computer.
15. Double-click on find.bat and post the new output.txt.
  • 0

#3
justinleong
Posted 15 January 2005 - 12:48 AM

justinleong

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Dear Coachwife6

Thanks for your response. I could not wait for the response as I was even losing browser and email access to the net and therefore decided to just reformat my notebook again.

Anyway, I do appreciate the trouble put in to help me.

Regards

Justin
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP