Spyware Pop-Up: Nothing works.

#1 (permalink)
14-12-2004, 04:07 AM
whitestar19
D-A-L Newbie
Join Date: Dec 2004
Posts: 9
Spyware Pop-Up: Nothing works.

Hey guys. I tried running Ad-Aware SE, Spybot S&D, SpySubtract, CWShredder, LSPFix, CleanUp!, and HijackThis (all updated) over 10 times and 10 times in Safe Mode as well. They have gotten rid of most of the spyware but not all. It keeps coming back after restart.

I am running Windows XP Home SP2 and have an updated Norton Systemworks 2004, ran it a few times and it couldn't delete "oqmwy.dll". I have gone into my registry and deleted many values, I have deleted Host files, I have searched the web many times and tried out how other people fixed their problems (that's how I found you guys) and I have had no luck. Sometimes my browser makes a "Default beep" when going from certain websites but no matter what I've tried, I still get this pop-up:

It asks me to do a scan of the computer because it might be infected. I close it and a window pops up asking me if I want to download CPURocket to fix the problem. I get different pop-ups every now and then, here are two.

http://www.threatlevel.com/?affid=131
http://www.spotresults.com/cgi-bin/search.cgi?keyword
http://e.rn11.com/a/a174-admed-ron
(Fake looking scan on a webpage telling me I have worms and such nasties.)

I believe my main problem is that CPURocket is the spyware and it wants me to install it to get rid of itself, which won't happen cause we know what type of trash company they are. Here's my hijack log. *NOTE* I have run it before and deleted the obvious spyware. Thanks for any assistance.

Logfile of HijackThis v1.98.2
Scan saved at 942 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Tweak-XP Pro\transtask.exe
C:\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\SpySubtract\SpySub.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Xan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: rch
O1 - Hosts: rch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [CTDVDDet] C:\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TransTask] "C:\Tweak-XP Pro\transtask.exe"
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.cwinsider.com/brchml6/iNotes.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30653e34...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093298025093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab

#2 (permalink)
14-12-2004, 11:45 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Spyware Pop-Up: Nothing works.

Could you please download DLL Compare from here.

Click Run Locate.com.

When it says Completed scan, click Compare at the bottom. Let it do its thing.

Click Make a Log of what was found.

The logfile will be created and is called log.txt. It will be located in the same location as the DLLCompare file.

Paste the log back here.
__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|


- Be patient and wait for a response, we'll do our best to help resolve your issue.
- When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other people's threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info

#3 (permalink)
15-12-2004, 01:27 AM
whitestar19
D-A-L Newbie
Join Date: Dec 2004
Posts: 9
Re: Spyware Pop-Up: Nothing works.

Thanks for your response. Here is the log with "Include SubDirectories" clicked since I figured more the better.

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\aza807~1.dll Fri Dec 10 2004 4:02:28p ..S.R 224,539 219.27 K
C:\WINDOWS\SYSTEM32\dkdskmgr.dll Fri Dec 10 2004 3:39:46p ..S.R 223,918 218.67 K
C:\WINDOWS\SYSTEM32\dn0201~1.dll Mon Dec 13 2004 6:35:08p ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\fp6m03~1.dll Thu Dec 9 2004 11:24:28p ..S.R 223,228 217.99 K
C:\WINDOWS\SYSTEM32\ir4sl5~1.dll Mon Dec 13 2004 9:23:54p ..S.R 226,141 220.84 K
C:\WINDOWS\SYSTEM32\j2l4lc~1.dll Fri Dec 10 2004 2:02:16p ..S.R 224,557 219.29 K
C:\WINDOWS\SYSTEM32\jt8807~1.dll Fri Dec 10 2004 2:09:14p ..S.R 224,012 218.76 K
C:\WINDOWS\SYSTEM32\lvj609~1.dll Tue Dec 14 2004 1:43:08a ..S.R 226,141 220.84 K
C:\WINDOWS\SYSTEM32\m6rm0g~1.dll Thu Dec 9 2004 9:42:40p ..S.R 223,428 218.19 K
C:\WINDOWS\SYSTEM32\mic42u.dll Fri Dec 10 2004 2:16:12p ..S.R 223,125 217.89 K
C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 624p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
C:\WINDOWS\SYSTEM32\oqmwy.dll Fri Oct 22 2004 10:24:26a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\pjgfilt.dll Mon Dec 13 2004 4:34:06p ..S.R 226,141 220.84 K
C:\WINDOWS\SYSTEM32\sbayerxp.dll Fri Dec 10 2004 3:17:38p ..S.R 223,125 217.89 K
________________________________________________

2,164 items found: 2,164 files (20 H/S), 0 directories.
Total of file sizes: 493,826,406 bytes 470.95 M

Administrator Account = True

--------------------End log---------------------

#4 (permalink)
15-12-2004, 10:33 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Spyware Pop-Up: Nothing works.

Download the Pocket Killbox from here.

Unzip it and run the program.

Put a check in the Delete on Reboot box.

Enter each of these lines into the white box one by one and then press the red X button. It first asks to confirm the deletion after each entry is added and the red X is pressed, you need to click yes, but it also asks if you want to Reboot. Click No each time until the last entry's been entered.

C:\WINDOWS\SYSTEM32\aza807~1.dll
C:\WINDOWS\SYSTEM32\dkdskmgr.dll
C:\WINDOWS\SYSTEM32\dn0201~1.dll
C:\WINDOWS\SYSTEM32\fp6m03~1.dll
C:\WINDOWS\SYSTEM32\ir4sl5~1.dll
C:\WINDOWS\SYSTEM32\j2l4lc~1.dll
C:\WINDOWS\SYSTEM32\jt8807~1.dll
C:\WINDOWS\SYSTEM32\lvj609~1.dll
C:\WINDOWS\SYSTEM32\m6rm0g~1.dll
C:\WINDOWS\SYSTEM32\mic42u.dll
C:\WINDOWS\SYSTEM32\oqmwy.dll
C:\WINDOWS\SYSTEM32\pjgfilt.dll
C:\WINDOWS\SYSTEM32\sbayerxp.dll

When KillBox has rebooted your system, post a fresh Hijack This log here.
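
The selection in post #4 can be reproduced from the DLLCompare log in post #3. The following is an added example, not code from the thread or from DLLCompare; it assumes the five-character column holds DOS attribute letters (A, S, H, R), and the flagging rules are illustrative heuristics.

```python
import re
from collections import defaultdict
from datetime import date

# Subset of the DLLCompare log from post #3, copied unmodified (including
# the garbled "624p" time on the mstext35.dll line).
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\aza807~1.dll Fri Dec 10 2004 4:02:28p ..S.R 224,539 219.27 K
C:\WINDOWS\SYSTEM32\dkdskmgr.dll Fri Dec 10 2004 3:39:46p ..S.R 223,918 218.67 K
C:\WINDOWS\SYSTEM32\lvj609~1.dll Tue Dec 14 2004 1:43:08a ..S.R 226,141 220.84 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 624p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\oqmwy.dll Fri Oct 22 2004 10:24:26a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\pjgfilt.dll Mon Dec 13 2004 4:34:06p ..S.R 226,141 220.84 K
2,164 items found: 2,164 files (20 H/S), 0 directories.
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# path, weekday, month, day, year, time (ignored: may be garbled), attrs, bytes
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+\w{3}\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+\S+\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)


def parse_dllcompare(text):
    """Return one dict per file line; headers and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "modified": date(int(m["year"]), MONTHS[m["mon"]], int(m["day"])),
            "attrs": set(m["attrs"]) - {"."},  # assumption: DOS attribute letters
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def triage(entries, window_days=30):
    """List (path, reasons) for entries worth a closer look (heuristic)."""
    newest = max(e["modified"] for e in entries)
    findings = []
    for e in entries:
        reasons = []
        if {"S", "R"} <= e["attrs"] and "A" not in e["attrs"]:
            reasons.append("system+read-only, archive bit clear")
        if "H" in e["attrs"]:
            reasons.append("hidden")
        if (newest - e["modified"]).days <= window_days:
            reasons.append("modified within %d days of newest entry" % window_days)
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def same_size_groups(entries):
    """Byte sizes shared by more than one file: one payload under several names."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


if __name__ == "__main__":
    parsed = parse_dllcompare(SAMPLE_LOG)
    for path, reasons in triage(parsed):
        print(path, "->", "; ".join(reasons))
    print(same_size_groups(parsed))
```

On this subset the 1999 Jet 3.5 DLLs (A.S..) are left alone, which matches the list given in post #4.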

#5 (permalink)
16-12-2004, 12:03 AM
whitestar19
D-A-L Newbie
Join Date: Dec 2004
Posts: 9
Re: Spyware Pop-Up: Nothing works.

I think we're getting somewhere... but I now get a pop-up for http://www.spotresults.com/cgi-bin/search.cgi?keyword

Here is my updated Hijack Log you asked for. Thanks for your continued help.

Logfile of HijackThis v1.98.2
Scan saved at 5:52:38 PM, on 12/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Tweak-XP Pro\transtask.exe
C:\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\SpySubtract\SpySub.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Xan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: rch
O1 - Hosts: rch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [CTDVDDet] C:\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TransTask] "C:\Tweak-XP Pro\transtask.exe"
O4 - HKCU\..\RunOnce: [CleanUp!] C:\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.cwinsider.com/brchml6/iNotes.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30653e34...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093298025093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab

#6 (permalink)
16-12-2004, 05:35 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Spyware Pop-Up: Nothing works.

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: rch
O1 - Hosts: rch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30653e3...ip/RdxIE601.cab

Click Fix Checked

Reboot and post a fresh log

#7 (permalink)
16-12-2004, 11:51 PM
whitestar19
D-A-L Newbie
Join Date: Dec 2004
Posts: 9
Re: Spyware Pop-Up: Nothing works.

Went into Safe Mode. Did what you said. Here is a log. I ran AD-Aware and it keeps finding VX2 with some random dll files. k4jsle171.dll, dpdskmgr.dll, en0ul1d91.dll, dsvacm.dll and finds MRU Lists. I continue to get this error when I load up: RUNDLL - "An exception occurred while trying to run C:\WINDOWS\SYSTEM32\xxxxx.dll", the x's being a random DLL each time. Never the same. My recycle bin won't empty, it always has the full icon. Thanks for your continued help... I hope we can do this somehow.


Logfile of HijackThis v1.98.2
Scan saved at 5:37:10 PM, on 12/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Logitech\MouseWare\system\em_exec.exe
C:\Tweak-XP Pro\transtask.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\SpySubtract\SpySub.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Xan\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [CTDVDDet] C:\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TransTask] "C:\Tweak-XP Pro\transtask.exe"
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://inotes.cwinsider.com/brchml6/iNotes.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093298025093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
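
Comparing the fix list from post #6 with the log in post #7 shows which checked entries were still present after the reboot. The following is an added example, not part of the thread or of HijackThis; the function names are hypothetical, and O16 entries are matched by CLSID because the forum shortens long URLs differently in each post.

```python
import re

# Lines copied from the page: the fix list in post #6 and a subset of the
# HijackThis log posted afterwards in post #7.
CHECKED = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: rch
O1 - Hosts: rch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30653e3...ip/RdxIE601.cab
"""
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093298025093
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
HOSTS_RE = re.compile(
    r"^hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)$", re.I)


def entry_key(line):
    """Normalise one log line to a comparable (code, identity) pair."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    code = m["code"]
    body = " ".join(m["body"].split()).lower()
    clsid = CLSID_RE.search(body)
    if code == "O16" and clsid:
        # The URL part may be truncated by the forum; the CLSID is stable.
        return (code, clsid.group(0).upper())
    return (code, body)


def keys(text):
    return {k for k in map(entry_key, text.splitlines()) if k}


def fix_outcome(checked_text, after_text):
    """Split the checked entries into those gone and those still present."""
    checked, after = keys(checked_text), keys(after_text)
    return {"removed": sorted(checked - after),
            "survived": sorted(checked & after)}


def hosts_by_ip(text):
    """Group O1 hosts-file entries by the address they point to."""
    redirects = {}
    for code, body in sorted(keys(text)):
        m = HOSTS_RE.match(body) if code == "O1" else None
        if m:
            redirects.setdefault(m["ip"], []).append(m["name"])
    return redirects


if __name__ == "__main__":
    outcome = fix_outcome(CHECKED, AFTER)
    for state, items in outcome.items():
        for code, ident in items:
            print(state, code, ident)
    print(hosts_by_ip(AFTER))
```

An entry listed under "survived" was checked for fixing and is still in the next scan, so the fix either did not apply or was undone before that scan was taken.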

#8 (permalink)
17-12-2004, 05:25 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Spyware Pop-Up: Nothing works.

Could you post another DLLCompare log please. Cheers.

#9 (permalink)
17-12-2004, 08:53 PM
whitestar19
D-A-L Newbie
Join Date: Dec 2004
Posts: 9
Re: Spyware Pop-Up: Nothing works.

When I run Ad-Aware I still get a lot of VX2 finds, now I'm getting CoolWebSearch finds, hosts redirects (someone else made a post I'm going to read that) and when I try to delete them, Ad-Aware can't delete:

C:\Windows\System32\random.dll (random being a random DLL file)
C:\Windows\System32\euupui.dll
C:\Windows\System32\euupui.dll
C:\Windows\System32\euupui.dll
C:\Windows\System32\euupui.dll
C:\Windows\System32\euupui.dll
C:\Windows\System32\euupui.dll

It repeats that euupui file and when I try running a search it can't find it, even with Hidden Files SHOWN. I hear C:\Windows\System32\guard.tmp is a problem too reading through other people's posts? I can't seem to get rid of it, even with KillBox. Recycle bin still won't empty. Anyways, here's the DLL Compare log. Thanks and good luck.

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dnn601~1.dll Thu Dec 16 2004 11:09:10p ..S.R 224,112 218.86 K
C:\WINDOWS\SYSTEM32\g240lc~1.dll Wed Dec 15 2004 5:26:40p ..S.R 226,141 220.84 K
C:\WINDOWS\SYSTEM32\kt2ul7~1.dll Fri Dec 17 2004 2:12:44p ..S.R 223,171 217.94 K
C:\WINDOWS\SYSTEM32\lv2s09~1.dll Wed Dec 15 2004 6:36:04p ..S.R 224,410 219.15 K
C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 624p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
C:\WINDOWS\SYSTEM32\mv8ql9~1.dll Wed Dec 15 2004 6:26:04p ..S.R 223,049 217.82 K
C:\WINDOWS\SYSTEM32\s888li~1.dll Wed Dec 15 2004 2:13:50a ..S.R 226,141 220.84 K
________________________________________________

2,164 items found: 2,164 files (13 H/S), 0 directories.
Total of file sizes: 491,804,754 bytes 469.02 M

Administrator Account = True

--------------------End log---------------------

#10 (permalink)
17-12-2004, 08:57 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Spyware Pop-Up: Nothing works.

Download the Pocket Killbox from here.

Unzip it and run the program.

Put a check in the Delete on Reboot box.

Enter each of these lines into the white box one by one and then press the red X button. It first asks to confirm the deletion after each entry is added and the red X is pressed, you need to click yes, but it also asks if you want to Reboot. Click No each time until the last entry's been entered.

C:\WINDOWS\SYSTEM32\dnn601~1.dll
C:\WINDOWS\SYSTEM32\g240lc~1.dll
C:\WINDOWS\SYSTEM32\kt2ul7~1.dll
C:\WINDOWS\SYSTEM32\lv2s09~1.dll
C:\WINDOWS\SYSTEM32\mv8ql9~1.dll
C:\WINDOWS\SYSTEM32\s888li~1.dll
C:\Windows\System32\euupui.dll
C:\Windows\System32\guard.tmp

When KillBox has rebooted your system, post a fresh DLLCompare and Hijack This log.