Junior Member with 5 posts. | Join Date: Dec 2004 | Experience: Intermediate

Damn pop-ups

I hope I may ask my problem here, because I have browsed the whole internet and used programs such as Norton, AVG, Google Toolbar, Spy Sweeper, Spybot, Ad-Aware, HijackThis, SpySubtract, CWShredder...
I don't know anymore... but I hope you wise guys can help me out.
I thought I had found the solution here, because it's the same problem as in this topic: http://forums.techguy.org/malware-removal-hijackthis-logs/304499-solved-hijacked-hosts-file.html
But the problem is that the same solution will not do it for me....
Every few minutes a popup from smileys.... I can't laugh with this... and especially not that my computer crashes the whole time.
So, beginning as you asked in the previous thread, I will try to give you as much info as I can give you.
And with a well-meant thanks in advance for reading this topic.

DLL Compare log:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\c6000g~1.dll Sun 19 Dec 2004 12:02:52 ..S.R 222.876 217,65 K
C:\WINNT\SYSTEM32\dedlgs.dll Sat 18 Dec 2004 17:56:34 ..S.R 223.075 217,84 K
C:\WINNT\SYSTEM32\dn2401~1.dll Tue 21 Dec 2004 8:24:26 ..S.R 222.876 217,65 K
C:\WINNT\SYSTEM32\dnlq01~1.dll Sat 11 Dec 2004 23:06:48 ..S.R 223.232 218,00 K
C:\WINNT\SYSTEM32\dttmsft.dll Tue 21 Dec 2004 18:06:56 ..S.R 222.876 217,65 K
C:\WINNT\SYSTEM32\en08l1~1.dll Sun 19 Dec 2004 11:59:24 ..S.R 226.187 220,88 K
C:\WINNT\SYSTEM32\en66l1~1.dll Fri 17 Dec 2004 21:58:20 ..S.R 223.038 217,81 K
C:\WINNT\SYSTEM32\enjsl1~1.dll Fri 17 Dec 2004 18:01:24 ..S.R 225.791 220,50 K
C:\WINNT\SYSTEM32\fpns03~1.dll Fri 17 Dec 2004 22:17:50 ..S.R 222.584 217,37 K
C:\WINNT\SYSTEM32\gp6ul3~1.dll Sat 11 Dec 2004 21:19:32 ..S.R 225.195 219,91 K
C:\WINNT\SYSTEM32\hfui.dll Sat 18 Dec 2004 18:02:10 ..S.R 226.187 220,88 K
C:\WINNT\SYSTEM32\j4j6le~1.dll Fri 17 Dec 2004 19:11:22 ..S.R 225.791 220,50 K
C:\WINNT\SYSTEM32\j60s0g~1.dll Tue 21 Dec 2004 19:18:00 ..S.R 222.876 217,65 K
C:\WINNT\SYSTEM32\lv8u09~1.dll Fri 17 Dec 2004 17:52:56 ..S.R 222.702 217,48 K
C:\WINNT\SYSTEM32\m0ls0a~1.dll Fri 17 Dec 2004 17:27:28 ..S.R 222.573 217,36 K
C:\WINNT\SYSTEM32\m0rmla~1.dll Sat 18 Dec 2004 15:04:16 ..S.R 222.803 217,58 K
C:\WINNT\SYSTEM32\m6julg~1.dll Tue 21 Dec 2004 19:17:00 ..S.R 224.792 219,52 K
C:\WINNT\SYSTEM32\megsvc.dll Tue 21 Dec 2004 20:52:40 ..S.R 222.876 217,65 K
C:\WINNT\SYSTEM32\morapi.dll Sun 19 Dec 2004 10:31:24 ..S.R 226.187 220,88 K
C:\WINNT\SYSTEM32\mrjdbc10.dll Thu 16 Dec 2004 16:43:18 ..S.R 225.021 219,75 K
C:\WINNT\SYSTEM32\mvn4l9~1.dll Tue 21 Dec 2004 20:52:40 ..S.R 224.335 219,07 K
C:\WINNT\SYSTEM32\nv2029~1.dll Fri 17 Dec 2004 19:08:14 ..S.R 225.791 220,50 K
C:\WINNT\SYSTEM32\o648lg~1.dll Tue 14 Dec 2004 21:45:10 ..S.R 223.131 217,90 K
C:\WINNT\SYSTEM32\t4r8le~1.dll Tue 21 Dec 2004 19:46:08 ..S.R 224.770 219,50 K
________________________________________________
1.010 items found: 1.010 files (24 H/S), 0 directories.
Total of file sizes: 179.289.717 bytes 170,98 M
Administrator Account = True
--------------------End log---------------------
Last edited by deef : 22-Dec-2004 02:03 AM.

Windows registry log:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\dn2401fqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

Startup programs:
"Silent Runners.vbs", revision 27, launched at: 21:41
Operating System: Windows 2000
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"internat.exe" = "internat.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"SpySweeper" = ""G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
HKLM\Software\Microsoft\Active Setup\Installed Components
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"load" = ** WARNING -- empty or invalid data! **
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = ** WARNING -- empty or invalid data! **
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
INFECTION WARNING! "URL\DLLName" = "C:\WINNT\system32\dn2401fqe.dll" [null data]
Startup items in "Deef" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\Davy Renckens\Menu Start\Programma's\Opstarten
"OpenOffice.org 1.1.3" -> shortcut to: "C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe" [null data]
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [file not found]
"NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView5\NkvMon.exe" ["Nikon Corporation"]
"Snelkoppeling naar msnmsgr" -> shortcut to: "C:\Program Files\MSN Messenger\msnmsgr.exe" [file not found]
"SpySubtract" -> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]
Enabled Scheduled Tasks:
------------------------
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Alerter, Alerter, "C:\WINNT\System32\services.exe" [MS]
Automatische updates, wuauserv, "C:\WINNT\system32\svchost.exe -k wugroup" {"C:\WINNT\System32\wuauserv.dll" [MS]}
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
COM+-gebeurtenissysteem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}
Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS]
DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS]
Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS]
DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]
Intelligente achtergrondsoverdrachtservice, BITS, "C:\WINNT\System32\svchost.exe -k BITSgroup" {"C:\WINNT\System32\qmgr.dll" [MS]}
IPSEC Policy Agent, PolicyAgent, "C:\WINNT\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS]
Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}
Remote Registry-service, RemoteRegistry, "C:\WINNT\system32\regsvc.exe" [MS]
Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}
RunAs-service, seclogon, "C:\WINNT\system32\services.exe" [MS]
Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS]
System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS]
TCP/IP NetBIOS Helper-service, LmHosts, "C:\WINNT\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}
Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]
Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]

HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 21:19:03, on 21/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
So here starts the problem... I cannot delete these entries because they always come back:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Snelkoppeling naar msnmsgr.lnk = D:\Program Files\MSN Messenger\msnmsgr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Shared/Applet//DexiaIIA.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative-service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Is there no one who can help me out, please...? I'm turning really wild of my computer....
If I was sure that the popups were away if I copy my documents and my internet favorites to a CD.... I can also format my HD? But that I would use as the last solution.... :-(