christopher Posted February 5, 2007

alright.. many months later.. new ie explorer, sp2 and all.. all previous fixes were made, now i'm getting these popups whenever i go to any website that open in a new browser window (not tabbed) -- just by coming here i get a random popup.. something to clean my computer, or cell phone ringtones and so forth.. i've run everything, adaware, and everything provided in the malware prevention package from tarun's site.. still no stoppage. here is my new hijackthis logfile if it helps

Logfile of HijackThis v1.99.1
Scan saved at 5:45:46 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\christopher\Desktop\c\Anti-Malware Full\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [hgkudpg.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\christopher\Local Settings\Application Data\hgkudpg.dll",qoavije
O4 - HKLM\..\RunOnce: [spybotDeletingA8428] command /c del "C:\WINDOWS\system32\vqmvywlq.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC5191] cmd /c del "C:\WINDOWS\system32\vqmvywlq.dll_tobedeleted_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\RunOnce: [spybotDeletingB5581] command /c del "C:\WINDOWS\system32\vqmvywlq.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD6738] cmd /c del "C:\WINDOWS\system32\vqmvywlq.dll_tobedeleted_old"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [iNTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161395254515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161395242343
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
Tarun Posted February 5, 2007

> O4 - HKLM\..\Run: [hgkudpg.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\christopher\Local Settings\Application Data\hgkudpg.dll",qoavije

This is the source of your problem. You can navigate to C:\Documents and Settings\christopher\Local Settings\Application Data\ and locate hgkudpg.dll. Attempt to delete the file manually. If you can not, use Unlocker to delete the file.

I also split your topic to help avoid some confusion since this is a new HijackThis log for a separate problem.
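A small triage script for O4 entries of the kind Tarun singled out, added here as an example; it is not code from the thread, from HijackThis or from any of the tools named in it. It parses the O4 lines of a HijackThis log, flags rundll32 entries that load a DLL from a user-writable profile directory (rundll32 itself is a legitimate Windows binary, so the combination of rundll32 and a DLL under Local Settings\Application Data, Application Data or Temp is what matters), reports the export name so it can be looked up later, and separately labels the spybot RunOnce deletion entries as leftovers of an earlier scanner cleanup rather than a live infection. The sample lines are copied from the log posted above; the regexes, the directory list and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hgkudpg.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\christopher\Local Settings\Application Data\hgkudpg.dll",qoavije
O4 - HKLM\..\RunOnce: [spybotDeletingA8428] command /c del "C:\WINDOWS\system32\vqmvywlq.dll_tobedeleted_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""

# One HijackThis O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# rundll32 <dll>,<export> : the shape of the entry Tarun singled out
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)

# Per-user, user-writable XP profile directories (assumption: list chosen for this
# example). Vendor autoruns normally live under Program Files or System32; a DLL
# that lands here was written without needing administrator rights.
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, key, value name and command; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry: Dict[str, str]) -> List[str]:
    """Return human-readable reasons this autorun entry deserves attention (empty if none)."""
    reasons: List[str] = []
    cmd = entry["cmd"]
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll")
        if any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append(
                f"rundll32 loads {dll} from a user-writable profile directory "
                f"(export {m.group('export')})"
            )
    if entry["key"].lower() == "runonce" and "_tobedeleted" in cmd.lower():
        # A scanner scheduled the file for deletion at next boot because it was
        # in use; this is cleanup residue, not the active component.
        reasons.append("RunOnce deletion of a *_tobedeleted* file: leftover of an earlier scanner cleanup")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole HijackThis log and return only the O4 entries that were flagged."""
    flagged: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged.append({"hive": entry["hive"], "key": entry["key"],
                            "name": entry["name"], "cmd": entry["cmd"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['hive']}\\..\\{hit['key']} [{hit['name']}]")
        for reason in hit["reasons"]:
            print("   ", reason)
```

Removing the O4 value with HijackThis only deletes the registry entry, which is why the script reports the DLL path separately: the file itself still has to be removed from disk, as Tarun notes further down in the thread.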
cluberti Posted February 6, 2007

The only problem is, what is causing that to execute? *Something* had to put that in there...

Jeremy Posted February 6, 2007

Filemon will help.

LeveL Posted February 6, 2007 (edited)

You can submit your log files here: http://www.hijackthis.de

For C:\Program Files\Yahoo!\Antivirus\VetMsg.exe it says...

> Possibly nasty! According to our database this process runs normally in c:\programme\ca.*\ Check if you know this process and arrange a viruscheck where required.

Well, that seems pretty nonsensical to me, you can upload any file you think is suspicious to http://www.virustotal.com/en/indexf.html

Edited February 6, 2007 by LeveL

Tarun Posted February 6, 2007

> You can submit your log files here: http://www.hijackthis.de

The problem with that website is that it is full of misinformation and false positives. Almost every tech site on the Internet will advise users not to use or rely on that website.
christopher Posted February 6, 2007 (Author)

> O4 - HKLM\..\Run: [hgkudpg.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\christopher\Local Settings\Application Data\hgkudpg.dll",qoavije
>
> This is the source of your problem. You can navigate to C:\Documents and Settings\christopher\Local Settings\Application Data\ and locate hgkudpg.dll. Attempt to delete the file manually. If you can not, use Unlocker to delete the file.
>
> I also split your topic to help avoid some confusion since this is a new HijackThis log for a separate problem.

thanks. i don't like clutter much myself so i just kept my post in the previous one just in case. i actually CAN'T navigate to where you're directing me above. i can go to C:, documents & settings, christopher, then the next step is local settings and i don't have it there. so anyways, i just ran hijackthis again and did the whole 'fix' function on that hgkudpg.dll there. does this solve the problem just as well?

also, as someone stated above about something putting it there, is that what i have to go after? (and how)

christopher Posted February 6, 2007 (Author)

i have been a member here for a looong time. time just passes by. i would've never found the great styleXP w/o msfn! ;0

Tarun Posted February 6, 2007

> thanks. i don't like clutter much myself so i just kept my post in the previous one just in case. i actually CAN'T navigate to where you're directing me above. i can go to C:, documents & settings, christopher, then the next step is local settings and i don't have it there. so anyways, i just ran hijackthis again and did the whole 'fix' function on that hgkudpg.dll there. does this solve the problem just as well?
>
> also, as someone stated above about something putting it there, is that what i have to go after? (and how)

The folder may be hidden. You can also access it through the command prompt or using FileASSASSIN (you can paste the path into it.)

It's possible the parent program may already have been deleted with the scans prior to your log submission. Here's the link to FileMon.

christopher Posted February 6, 2007 (Author)

i just deleted it via hijackthis (i believe) and the problem still exists.

can i get a short explanation on what this filemon is?

Tarun Posted February 6, 2007

FileMon (File Monitor)

You simply removed the run entry with HijackThis, the file still exists.

christopher Posted February 6, 2007 (Author)

> FileMon (File Monitor)
>
> You simply removed the run entry with HijackThis, the file still exists.

so does this filemon do anything when it's running? currently i have it running and it's just flying through a zillion files. what's the purpose of me having it? do i have this so i can find hgkudpg.dll?

Tarun Posted February 6, 2007

Yes, so it can find the source of what is making your malicious dll files.

cluberti Posted February 6, 2007

Filemon description.

christopher Posted February 6, 2007 (Author)

well i used file assassin and typed in the location to the .dll and it said it was deleted. whether this fixes everything i don't know, i'll get back to you guys.