tal ormanda Posted December 26, 2006 (edited)

They keep popping up in IE. I scanned with Ad-Aware SE and Kaspersky, but is there anything specific to stop them?

Logfile of HijackThis v1.99.1
Scan saved at 4:41:43 PM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Documents and Settings\Brandon Randolph\Desktop\Anti Virus\winvnc.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Documents and Settings\Brandon Randolph\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/library/app/fee...2882833CAE9AB32
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tpgtrypr.dll",setvm
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167167639968
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Edited December 26, 2006 by tal ormanda
prx984 Posted December 26, 2006 (edited)

It looks like a popup really, although it's more than likely some kind of virus. If Kaspersky isn't finding it, you may want to try some other virus program. I'm not too familiar with Kaspersky. Try disconnecting from the internet and see if they persist. It really looks like adware.

Edited December 26, 2006 by Cygnus
Tarun Posted December 26, 2006

There is nothing apparent that is malicious in your log. Have you run anything else besides Kaspersky and Ad-Aware?
tal ormanda Posted December 27, 2006 (Author)

It's on my friend's computer, and no. I will, I guess, though I did run Spybot now that I think of it. I am doing it remotely.
LLXX Posted December 27, 2006

> There is nothing apparent that is malicious in your log.

O RLY? Look again.

Hint: the rundll32 entry with the random DLL name.
nitroshift Posted December 27, 2006

> O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tpgtrypr.dll",setvm

That's the culprit. Just delete it and see if the popups still appear.
tal ormanda Posted December 27, 2006 (Author, edited)

How do you guys know what's bad, lol? Do you just want me to delete it from the HijackThis program? Any way to back up that file just in case?

Edited December 27, 2006 by tal ormanda
Tarun Posted December 27, 2006

Start > Run > cmd

    cd %Windir%\System32
    del tpgtrypr.dll

If this file refuses to delete, use HijackThis to delete the file at next boot, or use Unlocker.
Camarade_Tux Posted December 27, 2006

Before deleting it, try Start -> Run -> regsvr32 /u tpgtrypr.dll

It may help delete it. And we find them suspect because:
- they have random names
- they are in WINDOWS or SYSTEM32 but are not usual entries (experience)
- if you browse to them in Explorer and look at their properties, they don't have any: no author, no details, nothing. That is never the case with MS files and rarely the case with other legit files.
LLXX Posted December 28, 2006 (edited)

- Most processes are not DLLs and do not start from RunDll32. Those that are, are well known.

Edited December 28, 2006 by LLXX
tal ormanda Posted December 28, 2006 (Author)

I'll do that next time he gets on.
tal ormanda Posted December 29, 2006 (Author)

Didn't work.
[deXter] Posted December 29, 2006 (edited)

Open Regedit. Head over to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

In the right pane, right click and create a new Multi-String value and name it PendingFileRenameOperations. Edit it and type:

    \??\C:\WINDOWS\system32\tpgtrypr.dll

Edit: or run this file: remove_tpgtrypr.dll.reg (782 bytes, attached).

Also, download and run Autoruns.exe from http://download.sysinternals.com/Files/Autoruns.zip

Press "Escape" to stop scanning. Go to Options -> Hide Microsoft Entries. Press F5 or Refresh to restart the scanning. Now you'll know all non-default programs that are loaded on startup. Delete all suspicious entries. Reboot.

Edited December 29, 2006 by [deXter]
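The manual registry edit above is what Windows itself writes when a program asks for a file to be removed at the next boot. As an added example (not part of the thread, and not from any poster), the same result can be requested through the documented API, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, from an elevated modern PowerShell; the session manager processes the resulting PendingFileRenameOperations entry before any DLL can be loaded. The target path is the one from the HijackThis log; everything else (the P/Invoke wrapper name, the error handling) is this example's own.

```powershell
# Added example: schedule a DLL that is locked while Windows is running for
# deletion at the next boot, via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
# This is the API behind the PendingFileRenameOperations value edited by hand
# in the post above. Requires an elevated (Administrator) PowerShell.

param(
    # Path taken from the HijackThis log in this thread.
    [string]$Target = "$env:WINDIR\System32\tpgtrypr.dll"
)

# Minimal P/Invoke declaration for kernel32!MoveFileExW.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32Example' -PassThru

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

if (-not (Test-Path -LiteralPath $Target)) {
    throw "Nothing to schedule: $Target does not exist"
}

# A null destination combined with MOVEFILE_DELAY_UNTIL_REBOOT means
# "delete this file at the next boot" rather than "rename it".
$ok = $Kernel32::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err (not elevated?)"
}

# Verify what was written. The value is a REG_MULTI_SZ of (source, destination)
# pairs; a pending delete appears as "\??\<path>" followed by an empty string.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sessionManager -Name PendingFileRenameOperations).PendingFileRenameOperations
Write-Output "Pending operations after the call:"
$pending | ForEach-Object { if ($_ -eq '') { '  (empty = delete)' } else { "  $_" } }
```

Reboot afterwards and confirm the file is gone before touching the Run entry that referenced it; if the entry still exists but the DLL does not, rundll32 simply fails at logon, which is harmless but noisy.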
tal ormanda Posted December 29, 2006 (Author, edited)

Can I delete all the ones where the file is not found?

In the IE section there were .dll files which, when googled, had no results. Can I delete these?

Under Browser Helper Objects:
- kpbutpjot.dll
- fjewgcqt.dll
- yrhafajb.dll
- bvolg.dll

Edited December 29, 2006 by tal ormanda
Tarun Posted December 29, 2006

No, only delete this one entry:

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

The others are protected and that is why they show up as file missing.
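The heuristics Camarade_Tux and LLXX describe (a Run entry launched through rundll32, a random-looking name in System32, a DLL with no version information) and the Browser Helper Object question just above can be checked mechanically. The following is an added example written for this page, not code from any poster or from HijackThis; it reads the Run keys, the BHO registrations and the URLSearchHooks, resolves each CLSID to its DLL, and scores each DLL on existence, Authenticode status, version resource and name. The name test and the verdict thresholds are this example's own rough assumptions, and it deletes nothing. On 64-bit Windows the 32-bit IE registrations live under Wow6432Node, which is included; a 2006-era XP box has no PowerShell, so this is a check for the same situation on a current system.

```powershell
# Added example: triage autostart and IE extension entries with the thread's
# manual heuristics. Read-only. Run in PowerShell 3 or later.

$ErrorActionPreference = 'SilentlyContinue'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ClsidServerPath {
    param([string]$Clsid)
    # A COM CLSID maps to its DLL through the InprocServer32 default value.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $p = (Get-ItemProperty -Path "$root\$Clsid\InprocServer32").'(default)'
        if ($p) { return [Environment]::ExpandEnvironmentVariables($p.Trim('"')) }
    }
    return $null
}

function Test-RandomLookingName {
    param([string]$FileName)
    # Assumed heuristic: generated names such as tpgtrypr or kpbutpjot have few
    # vowels and long consonant runs. Crude; expect false positives (e.g. msmsgs).
    $stem = [IO.Path]::GetFileNameWithoutExtension($FileName).ToLower()
    if ($stem.Length -lt 5) { return $false }
    $vowelRatio = ([regex]::Matches($stem, '[aeiouy]')).Count / $stem.Length
    $longRun    = [regex]::IsMatch($stem, '[^aeiouy]{4,}')
    return ($vowelRatio -lt 0.3) -or $longRun
}

function Get-DllVerdict {
    param([string]$Path, [string]$Source)
    $exists = [bool]$Path -and (Test-Path -LiteralPath $Path)
    $sigStatus = 'n/a'; $noVersionInfo = $false
    if ($exists) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $Path).Status
        $ver = [Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
        # "No author, no details": empty CompanyName and FileDescription.
        $noVersionInfo = [string]::IsNullOrWhiteSpace($ver.CompanyName) -and
                         [string]::IsNullOrWhiteSpace($ver.FileDescription)
    }
    $randomName = if ($Path) { Test-RandomLookingName (Split-Path -Leaf $Path) } else { $false }
    # Verdict thresholds are assumptions: an unsigned DLL alone is common for
    # 2006-era software, so it only counts together with another signal.
    $verdict = if (-not $exists) { 'orphan (no file)' }
               elseif ($sigStatus -ne 'Valid' -and ($noVersionInfo -or $randomName)) { 'suspicious' }
               elseif ($sigStatus -ne 'Valid') { 'unsigned' }
               else { 'signed' }
    [pscustomobject]@{
        Source = $Source; Path = $Path; Exists = $exists
        Signature = $sigStatus; NoVersionInfo = $noVersionInfo
        RandomName = $randomName; Verdict = $verdict
    }
}

$results = @()

# O4 equivalents: Run keys, keeping only DLLs launched through rundll32.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        if ([string]$p.Value -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,') {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[2])
            $results += Get-DllVerdict -Path $dll -Source "Run:$($p.Name)"
        }
    }
}

# O2 equivalents: Browser Helper Objects, each subkey name is a CLSID.
foreach ($bhoRoot in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    foreach ($sub in Get-ChildItem -Path $bhoRoot) {
        $results += Get-DllVerdict -Path (Get-ClsidServerPath $sub.PSChildName) -Source "BHO:$($sub.PSChildName)"
    }
}

# R3 equivalents: URLSearchHooks, value names are CLSIDs.
$hooks = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
foreach ($p in $hooks.PSObject.Properties) {
    if ($p.Name -like '{*}') {
        $results += Get-DllVerdict -Path (Get-ClsidServerPath $p.Name) -Source "URLSearchHook:$($p.Name)"
    }
}

$results | Sort-Object Verdict | Format-Table Source, Verdict, Signature, NoVersionInfo, RandomName, Path -AutoSize
```

Read the output as a shortlist, not a verdict: an orphan entry (CLSID registered, no DLL on disk) is dead weight that can be removed; a "suspicious" row is the pattern the thread is chasing and deserves a hash lookup or a quarantine before deletion; "unsigned" alone is normal for a lot of legitimate older software.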