
Popups and popups and ...


  • This topic is locked
20 replies to this topic

#16 fredsom

    New Member

  • Authentic Member
  • 11 posts

Posted 20 November 2005 - 10:43 AM

I've downloaded 'FindIt NT-2K-XP' and launched FindVX2.bat and here's the log:

---------------- FindVX2 NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****
Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)

********* Date/Time ********
dimanche 20 novembre 2005 (20/11/2005) 17:33, Paris, Madrid

*********** Path ***********
FindVX2.bat is running from: C:\Documents and Settings\Karine\Bureau\FindIt NT-2K-XP

------- System Files in System32 Directory -------

Le volume dans le lecteur C s'appelle C_SYSTEM
Le numéro de série du volume est 0016-F17A

Répertoire de C:\WINDOWS\System32

20/11/2005 17:06 235 388 rdr20.dll
20/11/2005 16:53 235 388 xksp1res.dll
20/11/2005 16:45 56 o0660ajsedo60.dll
20/11/2005 09:25 234 675 dnns0157e.dll
14/10/2005 07:41 <REP> dllcache
19/08/2005 16:28 1 890 KGyGaAvL.sys
23/07/2003 16:44 <REP> Microsoft
5 fichier(s) 707 397 octets
2 Rép(s) 3 147 796 480 octets libres

------- Hidden Files in System32 Directory -------

Le volume dans le lecteur C s'appelle C_SYSTEM
Le numéro de série du volume est 0016-F17A

Répertoire de C:\WINDOWS\System32

14/10/2005 07:41 <REP> dllcache
19/08/2005 16:28 1 890 KGyGaAvL.sys
25/07/2004 00:05 <REP> CyberUninstallerSystem
01/11/2003 20:25 <REP> GroupPolicy
23/07/2003 16:32 488 logonui.exe.manifest
23/07/2003 16:32 488 WindowsLogon.manifest
23/07/2003 16:32 749 nwc.cpl.manifest
23/07/2003 16:32 749 sapi.cpl.manifest
23/07/2003 16:32 749 cdplayer.exe.manifest
23/07/2003 16:32 749 ncpa.cpl.manifest
23/07/2003 16:32 749 wuaucpl.cpl.manifest
8 fichier(s) 6 611 octets
3 Rép(s) 3 147 792 384 octets libres

--------------- Files Named "Guard" --------------

Le volume dans le lecteur C s'appelle C_SYSTEM
Le numéro de série du volume est 0016-F17A

Répertoire de C:\WINDOWS\System32

-------- Temp Files in System32 Directory --------

Le volume dans le lecteur C s'appelle C_SYSTEM
Le numéro de série du volume est 0016-F17A

Répertoire de C:\WINDOWS\System32

------------------- User Agent -------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7F982FE3-941B-5CAC-5F5C-FE9824E772F8}"=""

--------------- Keys Under Notify ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o0660ajsedo60.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------ Shell Extensions Approved -----------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
@=""
"{8A8629CE-3683-453C-A83F-029D0E71A32B}"=""
"{102473B3-9B6D-4CDF-BB02-0A9C01EAF12B}"=""

--------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
dnns01~1.dll Sun 20 Nov 2005 9:25:02 ..S.R 234 675 229,17 K
o0660a~1.dll Sun 20 Nov 2005 16:45:16 ..S.R 56 0,05 K
rdr20.dll Sun 20 Nov 2005 17:06:08 ..S.R 235 388 229,87 K
xksp1res.dll Sun 20 Nov 2005 16:53:16 ..S.R 235 388 229,87 K

4 items found: 4 files, 0 directories.
Total of file sizes: 705 507 bytes 688,97 K

---------------- FindVX2 NT-2K-XP ----------------


#17 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 20 November 2005 - 12:30 PM

Please scan with Ewido again.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
  • Post the report please.


#18 fredsom

    New Member

  • Authentic Member
  • 11 posts

Posted 21 November 2005 - 05:41 AM

Here is the ewido scan log:

---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 12:39:52, 21/11/2005
+ Somme de contrôle: 38BB393B

+ Résultats du scan:

[1288] C:\WINDOWS\system32\xksp1res.dll -> Spyware.Look2Me : Erreur durant le nettoyage
[244] C:\WINDOWS\system32\aptxprxy.dll -> Spyware.Look2Me : Nettoyer et sauvegarder
C:\!KillBox\Guard.tmp -> Spyware.Look2Me : Nettoyer et sauvegarder
:mozilla.8:C:\Documents and Settings\Karine\Application Data\Mozilla\Firefox\Profiles\1p237sn7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.9:C:\Documents and Settings\Karine\Application Data\Mozilla\Firefox\Profiles\1p237sn7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.10:C:\Documents and Settings\Karine\Application Data\Mozilla\Firefox\Profiles\1p237sn7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.11:C:\Documents and Settings\Karine\Application Data\Mozilla\Firefox\Profiles\1p237sn7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
C:\Documents and Settings\Karine\Bureau\l2mfix\backup.zip/sqrmdll.dll -> Spyware.Look2Me : Erreur durant le nettoyage
C:\Documents and Settings\Karine\Bureau\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Erreur durant le nettoyage
C:\Documents and Settings\Karine\Cookies\karine@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
C:\Documents and Settings\Karine\Cookies\karine@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
C:\Documents and Settings\Karine\Local Settings\Temp\Cookies\karine@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
C:\Documents and Settings\Karine\Local Settings\Temp\Cookies\karine@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
C:\WINDOWS\system32\aptxprxy.dll -> Spyware.Look2Me : Nettoyer et sauvegarder
C:\WINDOWS\system32\dnns0157e.dll -> Spyware.Look2Me : Nettoyer et sauvegarder
C:\WINDOWS\Temp\Cookies\karine@2o7[2].txt -> Spyware.Cookie.2o7 : Nettoyer et sauvegarder
C:\WINDOWS\Temp\Cookies\karine@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
C:\WINDOWS\Temp\Cookies\karine@paypopup[2].txt -> Spyware.Cookie.Paypopup : Nettoyer et sauvegarder
C:\WINDOWS\Temp\Cookies\karine@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder

::Fin du rapport

#19 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 21 November 2005 - 06:15 AM

Download 3S New in version 1.04
3S Home page.


Run Kill box, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

C:\WINDOWS\system32\aptxprxy.dll
C:\WINDOWS\system32\dnns0157e.dll
C:\WINDOWS\system32\xksp1res.dll


The program will ask you if you want to reboot; say No each time until the last one has been pasted in.
Run 3S; under items to clear, check all but the last one.

Let the system reboot.

#20 fredsom

    New Member

  • Authentic Member
  • 11 posts

Posted 21 November 2005 - 09:04 AM

Hi, I've done the Killbox and 3S thing and still get popups coming up. I quit and will reinstall Windows, which I should have done long before. Thanks anyway for your help, I really appreciate the time you spent for me. Bye

#21 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 21 November 2005 - 07:27 PM

Sorry we weren't able to help.
