Author Topic: loadingwebsite, paypopup, winfixer  (Read 5251 times)
melisroses
« on: July 19, 2005, 05:34:00 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: XP PRO SP2

Help!!, it's getting worse by the minute!! I am so hijacked by paypopup, loadingwebsite and now winfixer!!!

I have done Ad-Aware, Spybot, Trend Micro online scan, ewido suite... nothing changed...

Now I keep getting a DLL error for rundll32.dll

Logfile of HijackThis v1.99.1
Scan saved at 13:32:28, on 2005-07-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\rundll32.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Pages li

 
Geekgirl
Global Moderator
« Reply #1 on: July 20, 2005, 02:42:12 PM »

Hello and Welcome to MyTechSupport.ca

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.


The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. You will use this later.


Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

CONFLICT.1



Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0715NetInstaller.exe"
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\o648lghu1648.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\lv2009fme.dll




Do you know the IP or Domain '24.212.3.68,24.212.0.8'? If not, fix these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0208F7B5-5358-4E63-8C71-ADFAC6BDE8E4}: NameServer = 24.212.3.68,24.212.0.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0208F7B5-5358-4E63-8C71-ADFAC6BDE8E4}: NameServer = 24.212.3.68,24.212.0.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{0208F7B5-5358-4E63-8C71-ADFAC6BDE8E4}: NameServer = 24.212.3.68,24.212.0.8




Please remember to close all other windows, including browsers then click Fix checked.




 Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
C:\WINDOWS\system32\lv2009fme.dll




Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Empty your Recycle Bin.

Reboot your System in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.





Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
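
The selection made in the reply above (the O4 autorun under "Downloaded Program Files", the O20 Winlogon Notify DLLs, and the O17 name servers that have to be confirmed first) can be written as a triage pass over HijackThis log lines. This is an added example, not part of the original post or of HijackThis; the three rules and the names `triage`, `command_target` and `Finding` are assumptions made for illustration, and the sample log is constructed from lines quoted in this thread.

```python
import re
from typing import NamedTuple

# Constructed sample: entries copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0715NetInstaller.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0208F7B5-5358-4E63-8C71-ADFAC6BDE8E4}: NameServer = 24.212.3.68,24.212.0.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0208F7B5-5358-4E63-8C71-ADFAC6BDE8E4}: NameServer = 24.212.3.68,24.212.0.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{0208F7B5-5358-4E63-8C71-ADFAC6BDE8E4}: NameServer = 24.212.3.68,24.212.0.8
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\o648lghu1648.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\lv2009fme.dll
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4"
    action: str    # "suspicious" (candidate for fixing) or "confirm" (ask the user first)
    subject: str   # Run value name, Notify subkey name, or name-server list
    reason: str


ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O17_RE = re.compile(r"NameServer = (.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
TARGET_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr))\b', re.I)


def command_target(command):
    """Return the program path of an autorun command line, without its arguments."""
    m = TARGET_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def triage(log_text):
    """Apply the three assumed rules to every section line of a HijackThis log."""
    findings, seen_dns = [], set()
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, running-process path or blank line
        section, body = entry.groups()
        if section == "O4":
            m = O4_RE.match(body)
            # Assumed rule: nothing legitimate autostarts from the ActiveX download cache.
            if m and "\\downloaded program files\\" in command_target(m.group(4)).lower():
                findings.append(Finding("O4", "suspicious", m.group(3),
                                        "autorun target is in the ActiveX download cache"))
        elif section == "O17":
            m = O17_RE.search(body)
            servers = m.group(1).strip() if m else None
            # The same servers repeat for CCS/CS1/CS2; report each distinct list once.
            if servers and servers not in seen_dns:
                seen_dns.add(servers)
                findings.append(Finding("O17", "confirm", servers,
                                        "name servers must be confirmed with the user or ISP"))
        elif section == "O20":
            m = O20_RE.match(body)
            if m:
                reason = "DLL registered as a Winlogon notification package"
                if m.group(3):
                    reason += "; file missing, so the registration is orphaned"
                findings.append(Finding("O20", "suspicious", m.group(1), reason))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:4} {finding.action:10} {finding.subject}: {finding.reason}")
```

The O17 rule only asks for confirmation because, as the next reply shows, the listed name servers can be the ones the connection actually depends on.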
melisroses
« Reply #2 on: July 20, 2005, 03:26:39 PM »

Ok done everything you said...
'24.212.3.68,24.212.0.8' is my domain, if I delete the entries I lose internet connection.

I rebooted to normal mode 2 minutes ago, opened a web page to post a reply and I have already had 3 popups (1 loadingwebsite, 2 paypopup)

Here is my new log
Logfile of HijackThis v1.99.1
Scan saved at 11:18:53, on 2005-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Pages li

 
melisroses
« Reply #3 on: July 20, 2005, 03:40:00 PM »

Also wanted to mention that since the winfixer thing got into my PC I have been having this error

Image Insert:

 
Geekgirl
Global Moderator
« Reply #4 on: July 20, 2005, 03:47:48 PM »

Download L2mfix

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This scan takes time to complete, then notepad will open with a log. Copy the contents of that log and paste it here

Please Do NOT run option #2 OR any other files in the l2mfix folder until told to.

« Last Edit: July 20, 2005, 03:50:38 PM by Geekgirl »




Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
melisroses
« Reply #5 on: July 20, 2005, 05:10:57 PM »

did option #1 of l2mfix

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fn2021fmg.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8C06D07A-27A5-3BD7-234E-957BDB89641B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propri
Logged
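
The Winlogon\Notify part of the find log above is a regedit export, so it can be audited mechanically: decode each `hex(2)` value (REG_EXPAND_SZ, UTF-16LE) and compare every subkey's `DllName`. This is an added example, not part of the original post or of L2mfix; `EXPECTED_DLLS` is an assumed baseline built from the other entries in the same dump, the function names are hypothetical, and the sample export is constructed from three subkeys of the log.

```python
import re

# Constructed sample: three subkeys excerpted from the find log quoted in the post above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fn2021fmg.dll"
"Logon"="WinLogon"
'''

# Assumption: baseline taken from the other Notify entries in the same dump.
# In practice, build it from an export of a known-clean machine of the same OS build.
EXPECTED_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_value(raw):
    """Decode the value types that occur in the log: string, dword and hex(2)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])           # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):                            # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                               # other types are left undecoded


def parse_export(text):
    """Return {key path: {value name: decoded value}} for a regedit export."""
    text = re.sub(r"\\\r?\n\s*", "", text)                   # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys


def audit_notify(keys, expected=EXPECTED_DLLS):
    """List (subkey, DllName, reasons) for Notify subkeys that differ from the baseline."""
    findings = []
    for key, values in keys.items():
        parent, _, subkey = key.rpartition("\\")
        if not parent.lower().endswith(r"\winlogon\notify"):
            continue                                         # not a Notify subkey
        # The value name appears as both "DllName" and "DLLName" in the log.
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str) or not dll:
            continue
        reasons = []
        if "\\" in dll or "/" in dll:
            reasons.append("explicit path, while the baseline entries use bare file names")
        if dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in expected:
            reasons.append("DLL name is not in the baseline")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in audit_notify(parse_export(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} -> {'; '.join(reasons)}")
```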

 
Geekgirl
Global Moderator
« Reply #6 on: July 20, 2005, 06:05:26 PM »

Close all open programs

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then press enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it here, along with a new HJT log.

Please Do NOT run any other files in the l2mfix folder until you are told to




Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
melisroses
« Reply #7 on: July 20, 2005, 06:47:05 PM »

ok done the l2mfix option #2

L2Mfix 1.03a
 
Running From:
C:\Documents and Settings\demo\Bureau\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access    AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access    AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access    AUTORITE NT\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read           BUILTIN\Utilisateurs
(ID-NI) ALLOW  Full access    BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access    BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access    AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access    AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access    CREATEUR PROPRIETAIRE


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrateurs
(NI)    ALLOW  Full access    AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access    AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access    AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access    AUTORITE NT\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read           BUILTIN\Utilisateurs
(ID-NI) ALLOW  Full access    BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access    BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access    AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access    AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access    CREATEUR PROPRIETAIRE


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\demo\Bureau\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\demo\Bureau\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\kidycc.dll
        1 fichier(s) copi

 
Geekgirl
Global Moderator
« Reply #8 on: July 20, 2005, 08:18:45 PM »

The only thing I see is this. Do you recognize it?

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5LP_0001_0715NetInstaller.exe"


We need to repair the missing reg file......

Copy and paste the contents of the quote box below into notepad.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: *All files* and save it on your Desktop.

quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


Then, locate fixme.reg on your desktop and <double-click> it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
« Last Edit: July 20, 2005, 08:20:33 PM by Geekgirl »




Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
melisroses
« Reply #9 on: July 20, 2005, 08:48:50 PM »

OK, here it is
1. O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5LP_0001_0715NetInstaller.exe"
that is linked to the winfixer installer that keeps popping up... every time I delete the entry it reappears after a while

2. The l2mfix thing really helped.. I have not had any loadingwebsite or paypopup reappear since

3. I fixed the registry as you told me

4. Panda online scan found spyware in the backup files of the l2mfix.. Can I delete those files?


here is the newest hjt log

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5LP_0001_0715NetInstaller.exe"

 
Geekgirl
Global Moderator
« Reply #10 on: July 20, 2005, 09:44:45 PM »

Boot into safe mode and uninstall Winfixer from Add/Remove Programs in the Control Panel.
If you can't get rid of it in Add/Remove, download MoveOnBoot
MoveOnBoot allows you to copy, move or delete files on the next system boot. This can come in handy if you need to replace or delete files that are locked by other applications, loaded into memory or cannot be changed until the next system boot.
« Last Edit: July 20, 2005, 09:46:07 PM by Geekgirl »




Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
melisroses
« Reply #11 on: July 20, 2005, 10:36:53 PM »

Since I deleted the entry with HJT I can't find the thing anywhere... I will try the MoveOnBoot if it ever shows up again

So far so good... 2 hours since I have had any popup!! Thank you so far for your time and patience...

Just a few questions before I close this matter:

1. I ran a Panda online scan:
here is the log


Incident                      Status                        Location

Adware:Adware/Transponder     No disinfected                C:\WINDOWS\gfqgdk.exe
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[kidycc.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[uyrsvpia.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[xslehlp.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[sirrnfr.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[csmmdlg.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[tsolhelp.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[wxvadvd.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[csyptdlg.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[orbc32gt.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[wiadmod.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[mx43dmod.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[en8sl1l71.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[ifxsap.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[fndrclnr.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[diauth.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[enn6l15s1.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[iditpki.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[omjsel.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[iyaapi.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[nimsevt.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[mgang.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[dwmstor.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[mzfutil.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[subd10dm.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[l08mlal11dq.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[rUsapi32.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[hr6q05j5e.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[IdkEd.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[cHtsrvut.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[cLtsrvut.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[weerrFRA.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[en24l1fq1.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[j62qlgf5162.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[k0260afsed260.dll]
Adware:Adware/Look2Me         No disinfected                C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip[guard.tmp]
Can I delete the C:\Documents and Settings\demo\Bureau\l2mfix\backup.zip file? Can I uninstall the l2mfix program?

How can I get rid of the following spyware, since Ad-Aware and Spybot don't detect it?
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\gfqgdk.exe

2. Would you have a suggestion for a free program to clean the registry? I have a lot of broken shortcuts and all, and I think a good cleaning of the registry would help my PC...

Thank you so much again for your help...

Here is the last HJT just in case there is still something in it:
Logfile of HijackThis v1.99.1
Scan saved at 17:57:20, on 2005-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Pages li

 
Geekgirl
« Reply #12 on: July 20, 2005, 11:18:01 PM »

Reboot to Safe Mode, navigate to C:\WINDOWS\gfqgdk.exe and delete that file. If you are unable to, use MoveOnBoot.
Yes, delete the backup/zip file that l2mfix created, and you can uninstall the program.

I don't use any reg cleaners; I tend to stay away from using 3rd party software... sorry.

Log is still clean ;)
« Last Edit: July 20, 2005, 11:19:07 PM by Geekgirl »




Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
thx-rvg
« Reply #13 on: July 22, 2005, 06:35:25 PM »

Hello Ladies and Gentlemen,


I'm a new user here, and I'm not sure if one is meant to start new threads entirely when bringing up a problem, or whether, if a problem is similar to another, to post in that thread. To err on the side of caution, I'm opting for the latter. I'm also having a big problem regarding loadingwebsite.com and paypopup.com, and nothing I have tried so far has worked. I'm not sure if my case is exactly similar to melisroses' or whether a different approach is to be taken to resolve the problem, which is why I'm not sure whether the advice given above would aptly apply to my case.

Here is my Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:05 PM, on 20/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Corel Desktop Application Director 8 (2).LNK.disabled
O4 - Startup: Corel Desktop Application Director 8.LNK.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .mpga: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/internetwasherpro.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web660.cab
O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content2.netvenda.com/sites/games-intl/ca/games1.cab
O16 - DPF: {637BB540-6ABA-11D4-901D-00D0090CB3BC} (FMClass Class) - http://www.flashants.com/codebase/fmplayer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games11.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://www.globalphon.com/dialer/canada_ver4.CAB
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {261EE805-4893-45A3-8E9E-AD90914CB39A} (VacPro.internazionale_98_ver11) - http://www9.advnt01.com/dialer/internazionale_98_ver11.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab



Any and all help would be greatly appreciated. I thank you in advance.

Regards,

thx-rvg.

 
Geekgirl
« Reply #14 on: July 22, 2005, 07:39:04 PM »

Hello thx-rvg, and welcome to MyTechSupport.ca

Unfortunately, your decision to place your log in another's thread wasn't the right one. ;D

It gets really confusing giving instructions to 2 users in the same thread. And as you say, your issue may or may not be exactly identical, so we would rather you start your own so you may get the attention you deserve, as well as melisroses getting the attention they deserve.
