Damn pop-ups

deef · 03:03 AM

I hope I may ask here my problem, because I have browsed the whole internet used programs such as norton, AVG, google toolbar, spy sweeper, spybot, adaware, hijack this, spysubract, cwsshredder...

I don't know it annymore... but I hope you wise guys can help me out

I thought I have found the solution here, because it's the same problem as in this topic:
http://forums.techguy.org/virus-other-malware-removal/304499-solved-hijacked-hosts-file.html

But the problem is that the same solution will not do it for me....

Every few minute's popup from smiley's.... I can't laugh with this... and especialy not that my computer crashes the whole time.

So beginning as you asked in the previous thread I will try to give you as much info as I can give you.
And with a well meaned thanks in advance for reading this topic

DLL Compare log

PHP Code:

  *    DLLCompare Log version(1.0.0.125)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

 
C:WINNTSYSTEM32c6000g~1.dll   Sun 19 Dec 2004  12:02:52   ..S.R        222.876   217,65 K

C:WINNTSYSTEM32dedlgs.dll     Sat 18 Dec 2004  17:56:34   ..S.R        223.075   217,84 K

C:WINNTSYSTEM32dn2401~1.dll   Tue 21 Dec 2004   8:24:26   ..S.R        222.876   217,65 K

C:WINNTSYSTEM32dnlq01~1.dll   Sat 11 Dec 2004  23:06:48   ..S.R        223.232   218,00 K

C:WINNTSYSTEM32dttmsft.dll    Tue 21 Dec 2004  18:06:56   ..S.R        222.876   217,65 K

C:WINNTSYSTEM32en08l1~1.dll   Sun 19 Dec 2004  11:59:24   ..S.R        226.187   220,88 K

C:WINNTSYSTEM32en66l1~1.dll   Fri 17 Dec 2004  21:58:20   ..S.R        223.038   217,81 K

C:WINNTSYSTEM32enjsl1~1.dll   Fri 17 Dec 2004  18:01:24   ..S.R        225.791   220,50 K

C:WINNTSYSTEM32fpns03~1.dll   Fri 17 Dec 2004  22:17:50   ..S.R        222.584   217,37 K

C:WINNTSYSTEM32gp6ul3~1.dll   Sat 11 Dec 2004  21:19:32   ..S.R        225.195   219,91 K

C:WINNTSYSTEM32hfui.dll       Sat 18 Dec 2004  18:02:10   ..S.R        226.187   220,88 K

C:WINNTSYSTEM32j4j6le~1.dll   Fri 17 Dec 2004  19:11:22   ..S.R        225.791   220,50 K

C:WINNTSYSTEM32j60s0g~1.dll   Tue 21 Dec 2004  19:18:00   ..S.R        222.876   217,65 K

C:WINNTSYSTEM32lv8u09~1.dll   Fri 17 Dec 2004  17:52:56   ..S.R        222.702   217,48 K

C:WINNTSYSTEM32m0ls0a~1.dll   Fri 17 Dec 2004  17:27:28   ..S.R        222.573   217,36 K

C:WINNTSYSTEM32m0rmla~1.dll   Sat 18 Dec 2004  15:04:16   ..S.R        222.803   217,58 K

C:WINNTSYSTEM32m6julg~1.dll   Tue 21 Dec 2004  19:17:00   ..S.R        224.792   219,52 K

C:WINNTSYSTEM32megsvc.dll     Tue 21 Dec 2004  20:52:40   ..S.R        222.876   217,65 K

C:WINNTSYSTEM32morapi.dll     Sun 19 Dec 2004  10:31:24   ..S.R        226.187   220,88 K

C:WINNTSYSTEM32mrjdbc10.dll   Thu 16 Dec 2004  16:43:18   ..S.R        225.021   219,75 K

C:WINNTSYSTEM32mvn4l9~1.dll   Tue 21 Dec 2004  20:52:40   ..S.R        224.335   219,07 K

C:WINNTSYSTEM32nv2029~1.dll   Fri 17 Dec 2004  19:08:14   ..S.R        225.791   220,50 K

C:WINNTSYSTEM32o648lg~1.dll   Tue 14 Dec 2004  21:45:10   ..S.R        223.131   217,90 K

C:WINNTSYSTEM32t4r8le~1.dll   Tue 21 Dec 2004  19:46:08   ..S.R        224.770   219,50 K

________________________________________________

 
1.010 items found:  1.010 files (24 H/S), 0 directories.

Total of file sizes:  179.289.717 bytes    170,98 M

 
Administrator Account =  True

 
--------------------End log---------------------

deef · 22-Dec-2004, 02:52 AM #2

Windows registry log:

Windows Registry Editor Version 5.00

PHP Code:

  [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify]

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,

  6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,

  6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,

  6c,00,6c,00,00,00

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyURL]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINNT\\system32\\dn2401fqe.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifywzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

deef · 22-Dec-2004, 02:54 AM #3

startup programs:

PHP Code:

  "Silent Runners.vbs", revision 27, launched at: 21:41

Operating System: Windows 2000

 
 
Startup items buried in registry:

---------------------------------

 
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

"internat.exe" = "internat.exe" [MS]

"MsnMsgr" = ""C:Program FilesMSN MessengerMsnMsgr.Exe" /background" [file not found]

"SpySweeper" = ""G:Program FilesWebrootSpy SweeperSpySweeper.exe" /0" ["Webroot Software, Inc."]

 
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]

"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]

 
HKLMSoftwareMicrosoftActive SetupInstalled Components

">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"

                                        StubPath   = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]

 
HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad

"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"

  -> resolves to: {CLSID}InprocServer32(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]

"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

  -> resolves to: {CLSID}InprocServer32(Default) = "C:\WINNT\System32\webcheck.dll" [MS]

"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"

  -> resolves to: {CLSID}InprocServer32(Default) = "stobject.dll" [MS]

 
HKCUSOFTWAREMicrosoftWindows NTCurrentVersionWindows

"load" = ** WARNING -- empty or invalid data! **

 
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWindows

"AppInit_DLLs" = ** WARNING -- empty or invalid data! **

 
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify

INFECTION WARNING! "URL\DLLName" = "C:\WINNT\system32\dn2401fqe.dll" [null data]

 
 
Startup items in "Deef" & "All Users" startup folders:

------------------------------------------------------

 
C:Documents and SettingsDavy RenckensMenu StartProgramma's\Opstarten

"OpenOffice.org 1.1.3" -> shortcut to: "C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe" [null data]

 
C:\Documents and Settings\All Users\Menu Start\Programma'sOpstarten

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [file not found]

"NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView5\NkvMon.exe" ["Nikon Corporation"]

"Snelkoppeling naar msnmsgr" -> shortcut to: "C:\Program Files\MSN Messenger\msnmsgr.exe" [file not found]

"SpySubtract" -> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]

 
 
Enabled Scheduled Tasks:

------------------------

 
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

 
 
Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 
Alerter, Alerter, "C:\WINNT\System32\services.exe" [MS]

Automatische updates, wuauserv, "C:\WINNT\system32\svchost.exe -k wugroup" {"C:\WINNT\System32\wuauserv.dll" [MS]}

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

COM+-gebeurtenissysteem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS]

DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS]

Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS]

DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]

Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]

Intelligente achtergrondsoverdrachtservice, BITS, "C:\WINNT\System32\svchost.exe -k BITSgroup" {"C:\WINNT\System32\qmgr.dll" [MS]}

IPSEC Policy Agent, PolicyAgent, "C:\WINNT\System32\lsass.exe" [MS]

Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS]

Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}

Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]

Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]

Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]

Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}

Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}

Remote Registry-service, RemoteRegistry, "C:\WINNT\system32\regsvc.exe" [MS]

Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}

RunAs-service, seclogon, "C:\WINNT\system32\services.exe" [MS]

Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]

Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS]

System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]}

Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS]

TCP/IP NetBIOS Helper-service, LmHosts, "C:\WINNT\System32\services.exe" [MS]

Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}

Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]

Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]

Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]

deef · 22-Dec-2004, 02:55 AM #4

Hijack this log:

PHP Code:

  Logfile of HijackThis v1.99.0

Scan saved at 21:19:03, on 21/12/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 
Running processes:

C:WINNTSystem32smss.exe

C:WINNTsystem32winlogon.exe

C:WINNTsystem32services.exe

C:WINNTsystem32lsass.exe

C:WINNTsystem32svchost.exe

C:WINNTsystem32spoolsv.exe

C:PROGRA~1GrisoftAVG7avgamsvr.exe

C:PROGRA~1GrisoftAVG7avgupsvc.exe

C:WINNTSystem32svchost.exe

C:WINNTsystem32regsvc.exe

C:WINNTsystem32MSTask.exe

C:WINNTSystem32WBEMWinMgmt.exe

C:WINNTsystem32svchost.exe

C:WINNTSystem32svchost.exe

C:WINNTsystem32rundll32.exe

C:WINNTExplorer.EXE

C:WINNTSOUNDMAN.EXE

C:Program FilesJavaj2re1.4.2_06binjusched.exe

C:PROGRA~1GrisoftAVG7avgcc.exe

C:PROGRA~1GrisoftAVG7avgemc.exe

C:WINNTsystem32internat.exe

C:Program FilesNikonNkView5NkvMon.exe

C:Program FilesinterMuteSpySubtractSpySub.exe

C:HijackThis.exe

 
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = [url]http://www.google.be[/url]

R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = [url]http://www.google.be[/url]

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Koppelingen

F2 - REG:system.ini: UserInit=C:WINNTsystem32Userinit.exe

So Here starts the problem... I can not delete this entrys because they come always back:

PHP Code:

  O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

PHP Code:

  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll

O4 - HKLM..Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM..Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavaj2re1.4.2_06binjusched.exe

O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP

O4 - HKLM..Run: [AVG7_EMC] C:PROGRA~1GrisoftAVG7avgemc.exe

O4 - HKCU..Run: [internat.exe] internat.exe

O4 - HKCU..Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU..Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Startup: OpenOffice.org 1.1.3.lnk = C:Program FilesOpenOffice.org1.1.3programquickstart.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:Program FilesMicrosoft OfficeOfficeOSA9.EXE

O4 - Global Startup: NkvMon.exe.lnk = D:Program FilesNikonNkView5NkvMon.exe

O4 - Global Startup: Snelkoppeling naar msnmsgr.lnk = D:Program FilesMSN Messengermsnmsgr.exe

O4 - Global Startup: SpySubtract.lnk = C:Program FilesinterMuteSpySubtractSpySub.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Koppelingspagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O16 - DPF: Dexia netbanking - [url]http://netbanking.dexia.be/PC//Dynamic/Shared/Applet//DexiaIIA.cab[/url]

O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - [url]http://secure2.comned.com/signuptemplates/AktiveSekurity.cab[/url]

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [url]http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[/url]

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]

O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgamsvr.exe

O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgupsvc.exe

O23 - Service: Logical Disk Manager Administrative-service - VERITAS Software Corp. - C:WINNTSystem32dmadmin.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:Program FilesCommon FilesMacromedia SharedServiceMacromedia Licensing.exe

deef · 23-Dec-2004, 04:31 PM #5

Is there no one who can help me out please... ? I'm turning really wild of my computer....

If I was sure that the popups where away if I copy my documents and my internet favorites to a CD.... I can also format my HD ? But that I would use as the last solution.... :-(

Tag Cloud
access acer asus bios bsod computer crash driver drivers error ethernet excel freeze games gaming gpu hard drive hardware hdmi internet java laptop malware memory monitor motherboard music network obp printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!