[Shopping Wizard & Search Extender] - Computer Technology Forums

Posted by: lars42

I've cleaned up everything I could (run Microsoft Antispyware, NoAdware and , but still getting Ad-aware) but I'm still getting pop up windows (very often).
Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1:36:23 PM, on 05/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\my received files\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\PopOops\PopOops.exe
C:\Program Files\Macromedia\Flash MX 2004\Flash.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE
D:\Calendar3\New Folder\imageprotec\SkinEditor2.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Corel\Corel Graphics 12\Programs\CorelPP.exe
D:\Calendar3\New Folder\imageprotec\the dells.exe
C:\WINNT\regedit.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://65.108.118.60/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://65.108.118.60/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://65.108.118.60/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://65.108.118.60/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://65.108.118.60/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Calendar] D:\Calendar3\New Folder\imageprotec\the dells.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.3.4\InstallStub.exe -a
O8 - Extra context menu item: Add URL to Calendar... - file://C:\WINNT\Web\WebCalendar.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINNT\Web\PopOops.htm
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\f20o0cd3ef0.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appyl.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe



Posted by: Lobos

Hello lars42

Welcome to Tech Forums

Download CWShredder.exe from here:
* Cwshredder.exe (http://cwshredder.net/bin/CWShredder.exe)

Click update, then close it.

Click here (http://www.safer-networking.org/index.php?page=download) and download Adaware SE.
Update it. Follow these directions to configure AdAware SE and update it, but do not run a scan yet:
* AdAware Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)

Download AboutBuster from Here (http://www.besttechie.net/tools/AboutBuster.zip).
After you download it, unzip all files from the zip folder to a folder or your desktop.
Update it; don't run it yet.

Prepare cwsserviceremove.reg for use:
* Download cwsserviceremove.zip (http://lineofire.geekstogo.com/cwsserviceremove.zip).
* Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
* Please do not do anything with it yet.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.


Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled.




Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

D:\Calendar3\New Folder\imageprotec\SkinEditor2.exe
D:\Calendar3\New Folder\imageprotec\the dells.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:

O4 - HKCU\..\Run: [Calendar] D:\Calendar3\New Folder\imageprotec\the dells.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appyl.exe (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

D:\Calendar3

Double click cwsserviceremove.reg. Let it merge with your registry.

Run Cwshredder, click fix, not scan.

Run Aboutbuster.

Run Adaware.

Post back a new log, and let me know how everything goes.

-

Lobos.



Posted by: Warez Monster

Remove entries at your own risk

System is looking good, not too bad.

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appyl.exe (file missing)
These entries show all services which are not from Microsoft. Often malware is starting as a system service and it's not easy to detect it. Unknown service. (appyl.exe (file missing))
Unnecessary (deactivated) entry that can be fixed
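
The entries the replies above single out (the O23 service with an unknown owner and missing file, the O4 autorun on D:\) can be picked out of a HijackThis log mechanically, along with a few other lines worth a manual look. The Python below is an added example, not part of the original thread or of HijackThis; its rules and trusted-directory list are assumptions for first-pass triage, and the sample lines are taken from the log posted in this thread.

```python
import re

# Constructed sample: selected lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://65.108.118.60/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Calendar] D:\Calendar3\New Folder\imageprotec\the dells.exe
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\f20o0cd3ef0.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appyl.exe (file missing)
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
"""

# Assumption: usual install roots on this Windows 2000 box; a hint, not a whitelist.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\winnt\\")
# Matches an IE page value that is a raw IPv4 URL (tolerates forum [url] tags).
IP_URL = re.compile(r"=\s*(?:\[url\])?https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/\[]|$)", re.I)
PATH = re.compile(r'[A-Za-z]:\\[^"]*')


def triage(log):
    """Return (reason, line) pairs for log entries that deserve a manual look."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        low = line.lower()
        if re.match(r"[a-z]:\\", low):  # a line in the running-process list
            if "\\temp\\" in low or not low.endswith(".exe"):
                findings.append(("process image in Temp or not an .exe", line))
        elif re.match(r"r[01] - ", low) and IP_URL.search(line):
            findings.append(("IE page points at a bare IP address", line))
        elif low.startswith("o4 - "):
            # Take the command after the [name] tag; bare names have no path to judge.
            m = PATH.search(line.split("]", 1)[-1])
            if m and not m.group().lower().startswith(TRUSTED_ROOTS):
                findings.append(("autorun outside the usual install dirs", line))
        elif low.startswith("o20 - winlogon notify"):
            findings.append(("DLL loaded by Winlogon at logon", line))
        elif low.startswith("o23 - "):
            if "unknown owner" in low or low.endswith("(file missing)"):
                findings.append(("service with unknown owner or missing file", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

A hit is a prompt to inspect the file and registry key, not a verdict: files under C:\WINNT pass the O4 path check even when they are unwanted.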



