Resolved HJT Threads: Resolved spyware and popup issues.
#1 (permalink)

Registered User
Join Date: Jan 2005
Posts: 15
OS: win 2000

popup problems
I can't get rid of the popups. Here are my log files. What can I do?

Logfile of HijackThis v1.99.0
Scan saved at 12:32 PM, on 18 Mar 2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bigwills\Desktop\Spyware removal\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\aklsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 12:32 PM, on 18 Mar 2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Bigwills\Desktop\Spyware removal\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\aklsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

End of KRC HijackThis Analyzer Log.
====================================================================

Module information for 'rundll32.exe'
MODULE BASE SIZE PATH
rundll32.exe 1000000 16384 C:\WINNT\system32\rundll32.exe 5.00.2134.1 Run a DLL as an App
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6946 Windows NT BASE API Client DLL
GDI32.dll 77f40000 241664 C:\WINNT\system32\GDI32.dll 5.00.2195.6945 GDI Client DLL
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.7017 Windows 2000 USER API Client DLL
IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
MSVCRT.DLL 78000000 282624 C:\WINNT\system32\MSVCRT.DLL 6.10.9844.0 Microsoft (R) C Runtime Library
DQCOBJ.DLL 10000000 483328 C:\WINNT\system32\DQCOBJ.DLL
ADVAPI32.dll 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 Advanced Windows 32 Base API
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
COMCTL32.dll 71710000 540672 C:\WINNT\system32\COMCTL32.dll 5.81 Common Controls Library
comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 Common Dialogs DLL
SHLWAPI.DLL 70a70000 417792 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1612 (xpsp2.041207-1145) Shell Light-weight Utility Library
SHELL32.DLL 782f0000 2379776 C:\WINNT\system32\SHELL32.DLL 5.00.3900.7009 Windows Shell Common Dll
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 IP Helper API
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
NETAPI32.DLL 75170000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6949 Net Win32 API DLL
Secur32.dll 7c340000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.6695 Security Support Provider Interface
NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
OLE32.DLL 77a50000 978944 C:\WINNT\system32\OLE32.DLL 5.00.2195.7021 Microsoft OLE for Windows
OLEAUT32.DLL 779b0000 634880 C:\WINNT\system32\OLEAUT32.DLL 2.40.4522
ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
RASAPI32.DLL 774e0000 208896 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.6625 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6604 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 DHCP Client Service
oledlg.dll 752f0000 126976 C:\WINNT\system32\oledlg.dll 1.0 Microsoft Windows(TM) OLE 2.0 User Interface Support
PSAPI.DLL 690a0000 45056 C:\WINNT\system32\PSAPI.DLL 5.00.2134.1 Process Status Helper
urlmon.dll 1a400000 512000 C:\WINNT\system32\urlmon.dll 6.00.2800.1485 OLE32 Extensions for Win32
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
WININET.dll 63000000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1485 Internet Extensions for Win32
WINSPOOL.DRV 77800000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6659 Windows Spooler Driver
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2195.6627 SENS Connectivity API DLL
msafd.dll 74fd0000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
SBHook.dll 10d0000 131072 C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\SBHook.dll 5.6.13.asst_classic.smartbridge.20040616_113000 SmartBridge Hook
sdchook.dll 671f0000 53248 C:\Program Files\Support.com\bin\sdchook.dll 5,5,726,0 sdchook
FULLSOFT.DLL 67c70000 311296 C:\Program Files\Support.com\bin\FULLSOFT.DLL 5,5,726,0 Talkback Library

-------------------------------------------------------------------

Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 192512 C:\WINNT\system32\winlogon.exe 5.00.2195.6970 Windows NT Logon Application
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
MSVCRT.dll 78000000 282624 C:\WINNT\system32\MSVCRT.dll 6.10.9844.0 Microsoft (R) C Runtime Library
KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6946 Windows NT BASE API Client DLL
ADVAPI32.dll 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 Advanced Windows 32 Base API
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
GDI32.dll 77f40000 241664 C:\WINNT\system32\GDI32.dll 5.00.2195.6945 GDI Client DLL
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.7017 Windows 2000 USER API Client DLL
USERENV.dll 7c0f0000 397312 C:\WINNT\system32\USERENV.dll 5.00.2195.6794 Userenv
NDdeApi.dll 769a0000 28672 C:\WINNT\system32\NDdeApi.dll 5.00.2195.6661 Network DDE Share Management APIs
sfc.dll 76980000 110592 C:\WINNT\system32\sfc.dll 5.00.2195.6673 Windows File Protection
sfcfiles.dll 68010000 983040 C:\WINNT\system32\sfcfiles.dll 5.00.2195.6894 Windows 2000 System File Checker
Secur32.dll 7c340000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.6695 Security Support Provider Interface
PROFMAP.dll 690f0000 45056 C:\WINNT\system32\PROFMAP.dll 5.00.2195.6610 Userenv
NETAPI32.dll 75170000 323584 C:\WINNT\system32\NETAPI32.dll 5.00.2195.6949 Net Win32 API DLL
NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.dll 75150000 61440 C:\WINNT\system32\SAMLIB.dll 5.00.2195.6897 SAM Library DLL
msgina.dll 76b90000 348160 C:\WINNT\system32\msgina.dll 5.00.2195.6928 Windows NT Logon Application
SHELL32.dll 782f0000 2379776 C:\WINNT\system32\SHELL32.dll 5.00.3900.7009 Windows Shell Common Dll
SHLWAPI.dll 70a70000 417792 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1612 (xpsp2.041207-1145) Shell Light-weight Utility Library
COMCTL32.dll 71710000 540672 C:\WINNT\system32\COMCTL32.dll 5.81 Common Controls Library
WINSTA.dll 65780000 53248 C:\WINNT\system32\WINSTA.dll 5.00.2195.6701 Winstation Library
WINMM.dll 77570000 196608 C:\WINNT\system32\WINMM.dll 5.00.2161.1 MCI API DLL
setupapi.dll 77880000 581632 C:\WINNT\system32\setupapi.dll 5.00.2195.6622 Windows Setup API
wdmaud.drv 77560000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
wintrust.dll 76930000 176128 C:\WINNT\system32\wintrust.dll 5.131.2195.6824 Microsoft Trust Verification APIs
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
ole32.dll 77a50000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.7021 Microsoft OLE for Windows
mscat32.dll 76a00000 20480 C:\WINNT\system32\mscat32.dll 5.131.2134.1 MSCAT32 Forwarder DLL
rsaenh.dll 7ca00000 143360 C:\WINNT\system32\rsaenh.dll 5.00.2195.6611 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
cscdll.dll 770c0000 143360 C:\WINNT\system32\cscdll.dll 5.00.2195.6713 Offline Network Agent
WlNotify.dll 76920000 65536 C:\WINNT\system32\WlNotify.dll 5.00.2195.6706 Common DLL to receive Winlogon notifications
CERTCLI.DLL 75570000 147456 C:\WINNT\system32\CERTCLI.DLL 5.00.2195.6619 Microsoft® Certificate Services Client
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
WINSCARD.DLL 76960000 94208 C:\WINNT\system32\WINSCARD.DLL 5.00.2195.6609 Microsoft Smart Card API
WINSPOOL.DRV 77800000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6659 Windows Spooler Driver
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
jtjm0711e.dll 10000000 483328 C:\WINNT\system32\jtjm0711e.dll
comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 Common Dialogs DLL
iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 IP Helper API
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
OLEAUT32.DLL 779b0000 634880 C:\WINNT\system32\OLEAUT32.DLL 2.40.4522
ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
RASAPI32.DLL 774e0000 208896 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.6625 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6604 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 DHCP Client Service
oledlg.dll 752f0000 126976 C:\WINNT\system32\oledlg.dll 1.0 Microsoft Windows(TM) OLE 2.0 User Interface Support
PSAPI.DLL 690a0000 45056 C:\WINNT\system32\PSAPI.DLL 5.00.2134.1 Process Status Helper
urlmon.dll 1a400000 512000 C:\WINNT\system32\urlmon.dll 6.00.2800.1485 OLE32 Extensions for Win32
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
WININET.dll 63000000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1485 Internet Extensions for Win32
sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2195.6627 SENS Connectivity API DLL
msv1_0.dll 2c80000 135168 C:\WINNT\system32\msv1_0.dll 5.00.2195.6897 Microsoft Authentication Package v1.0
wzcdlg.dll 2ce0000 69632 C:\WINNT\system32\wzcdlg.dll 5.00.2195.6604 Wireless Zero Configuration Service UI
WZCSAPI.DLL 2d10000 40960 C:\WINNT\system32\WZCSAPI.DLL 5.00.2195.6604 Wireless Zero Configuration service API
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
msafd.dll 74fd0000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper

--------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jtjm0711e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

----------------------------------------------------------------------

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
Additional Files---
Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---Extensions
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---wzcnotif
Guardian Key--- is called:
User Agent String--- {4B7E1D02-0911-F24A-0440-70B4EA6CCEC9}

--------------------------------------------------------------

Thank you
Johnny

#2 (permalink)

Analyst, Security Team

Please don't create a new thread for the same log/topic. After you are done with the below fixes, just reply back to this same thread.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily. This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

Download WinsockFix and unzip it. Then double-click on it to run it.

1. Run CleanUp! program and click on CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.

2. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

and delete

Extensions

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

3. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File'.
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).

Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
C:\WINDOWS\system32\guard.tmp
c:\winnt\system32\aklsp.dll
C:\WINNT\system32\DQCOBJ.DLL
C:\WINNT\system32\jtjm0711e.dll

4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

5. Run HijackThis and do a scan. Check and fix the following:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\aklsp.dll' missing

Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

6. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32\ and sort the files by date. There will/should be two new DLLs.

-- If those O1 entries do return in HijackThis, paste those two files into KillBox (in Step 3 above) and kill them. Just follow through the same procedures (Steps 3 - 6) like before. Make sure NOT to reboot until you deleted those two files (otherwise the names will change again).

After that's done (or if you need more help), give us a new set of updated logs (2 PV logs, 1 notify.txt log, 1 VX2Finder log and 1 HijackThis log).
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
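
A cross-check that connects the two logs in this thread, as an added example (not code from the forum or from any of the tools named): it decodes each DllName under Winlogon\Notify from a .reg export and flags the ones whose row in the module listing has no version or description column. The sample inputs are excerpts of the logs posted above; the function names and the "no version info" heuristic are assumptions of this example, not the analyst's stated method.

```python
import re

# Excerpt of the Winlogon\Notify export posted in the thread (two subkeys only).
REG_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jtjm0711e.dll"
"Logon"="WinLogon"
'''

# Three rows from the winlogon.exe module listing posted in the thread.
PV_SAMPLE = r'''
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
jtjm0711e.dll 10000000 483328 C:\WINNT\system32\jtjm0711e.dll
'''

NOTIFY = "\\winlogon\\notify\\"
# name, base (hex), size, path ending in a module extension, optional version/description
ROW = re.compile(r"^(\S+)\s+[0-9a-f]+\s+\d+\s+([a-z]:\\.*?\.(?:dll|exe|drv|ocx))"
                 r"(?:\s+(\S.*))?$", re.I)


def decode_value(raw):
    """Decode a .reg value: hex(2) is UTF-16LE REG_EXPAND_SZ, else a quoted string."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")


def parse_notify(reg_text):
    """Map each Winlogon\\Notify subkey to its DllName value."""
    # hex values wrap with a trailing backslash; join them before parsing
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    result, subkey = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            path = key.group(1)
            idx = path.lower().find(NOTIFY)
            subkey = path[idx + len(NOTIFY):] if idx != -1 else None
            continue
        val = re.match(r'"dllname"=(.*)$', line, re.I)  # DllName / DLLName both occur
        if val and subkey:
            result[subkey] = decode_value(val.group(1))
    return result


def unversioned_modules(pv_text):
    """Lower-cased names of loaded modules whose row ends at the path."""
    bare = set()
    for line in pv_text.splitlines():
        row = ROW.match(line.strip())
        if row and not row.group(3):
            bare.add(row.group(1).lower())
    return bare


def suspicious_notify(reg_text, pv_text):
    """Notify entries whose DLL is loaded with no version or description shown."""
    bare = unversioned_modules(pv_text)
    hits = []
    for subkey, dll in parse_notify(reg_text).items():
        if dll.rsplit("\\", 1)[-1].lower() in bare:
            hits.append((subkey, dll))
    return hits


if __name__ == "__main__":
    for subkey, dll in suspicious_notify(REG_SAMPLE, PV_SAMPLE):
        print(f"review Notify\\{subkey}: {dll}")
```

A hit is a lead to verify rather than a verdict, since some legitimate DLLs also ship without version information.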