iptl.exe and some other questions

Posted 7/23/2004 8:58 PM
#2073

Juke Joint Jezebel Member

Date Joined Nov 2016
Total Posts: 5
hi. i've been doing some searching on iptl.exe and i really can't figure out what it is. it sounds safe but i've never heard of it before. not sure if i should let it access the internet



quick overview, i visited a nasty site yesterday and my computer went completely nuts. i stomped most of the virii but at least two of them are still giving me major problems. one keeps opening "680180.net" popup windows in msie (maybe someone can help me with that?) and the other one's preventing me from visiting a whole list of sites (including a lot of anti-virus ones). i think the site blocker is DOS_AGOBOT.HM, so i can probably remove that soon



one last thing. i installed Norton AntiVirus 2004 Professional and LiveUpdate doesn't seem to be working. i don't know if this is because of DOS_AGOBOT.HM or another annoying virus. the updater for my PC-Cillin 2000 (yeah, i know i gotta upgrade heh) hasn't worked for months either. could it be related?



1st EDIT:

does anyone have any info on ndllzxy.exe either? thanks



2nd EDIT:

problem fixed!
Posted 7/24/2004 4:50 AM
#2077

Mystikal Dreamer Member

Date Joined Nov 2016
Total Posts: 9
O.o. I'm guessing a "nasty site" is a porn site? xD I have a brother and he's the same way =P anyway...Most of those sites are spyware/adware and maybe even trojans. One day, I scanned my comp with adware (as usual) before my bro got on the comp. Then, my comp started acting really strange..(porn popups, really sluggish, etc.) so I scanned it once again. And there it was...adware and keyloggers. The cookies your computer probably received from that site could be a trojan, or a dialer. Dialers have a huge potential to damage your computer. But some dialers are just to annoy the hell outta you =P. When a dialer enters your comp, most likely, it'll download a malicious program called Internet Optimizer (or something like that) which calls up phone lines, and downloads malicious software and such. People often confuse dialers with a popular trojan by the name of Trojan.Downloader.Agent (or plain trojan.downloader). However, you can only get dialers from those little nasty sites on the net. What I would do is, download HijackThis and locate the file which iptl.exe is in. Then delete it. And after that, go into regedit, and search for iptl.exe or iptl, and delete all of those registry keys. When you say "Norton hasn't been working or LiveUpdate hasn't been working," what do you mean by that? And about the PC-cillin incident. If you don't know, PC-cillin and Norton conflict with each other. That's probably your problem :P uninstall one or the other because they're going to keep conflicting and not work.


Hope this helps,

Kyra
Posted 7/24/2004 7:02 AM
#2078

SClyde Valued member

Date Joined Nov 2016
Total Posts: 20
If you provide me a tad bit more information I could probably help. Exp: OS/DOE/WWS/etc
My basic knowledge of iptl.exe is that it likes to hide in

C:\Documents and Settings\User\Application Data\iptl.exe

C:\WINDOWS\System32\iptl.exe



Usually iptl.exe is caught by opening attachments in email.



And as for ndllzxy.exe, it likes to stay hidden at

C:\WINDOWS\System32\ndllzxy.exe



ndllzxy (90% of the time) comes along with iptl.exe and about 14 others.



It usually affects



C:\WINDOWS\system32\config\system.LOG ->
C:\WINDOWS\system32\config\software.LOG ->
C:\WINDOWS\system32\config\default.LOG ->
C:\WINDOWS\system32\config\SECURITY ->
C:\WINDOWS\system32\config\SAM ->

C:\WINDOWS\system32\config\SAM.LOG ->
C:\WINDOWS\system32\config\SECURITY.LOG ->
C:\WINDOWS\system32\config\SYSTEM ->
C:\WINDOWS\system32\config\SOFTWARE ->
C:\WINDOWS\system32\config\DEFAULT ->
C:\WINDOWS\system32\kafg.dll12 ->
C:\WINDOWS\system32\winhost32.exe ->
C:\WINDOWS\winh.exe ->




It is a combination of Trojans and Spyware fitted into a neat package. Not too complicated to get rid of. G'Luck
Posted 7/24/2004 11:38 PM
#2098

Juke Joint Jezebel Member

Date Joined Nov 2016
Total Posts: 5
nah, the nasty site's a pretty popular site frequented by pirates (hey, i was looking for old episodes of an old show). but i've visited it often in the past and i've never had any problems before. i feel like i've been stabbed in the back by an old friend



anyways, i fixed two major problems. first, i destroyed the programs that were lagging my pc. they were constantly trying to connect to whatever servers for god knows what, and it was tearing my memory apart. second, i found my hosts file. some piece of crap keeps loading it with anti-virus sites, which doesn't allow me to upgrade my anti-virus programs and doesn't let me connect to those sites with a browser. but it's pretty easy to open it up and empty it. i messed around in regedit and destroyed the entries that had automove.exe, ndllzxy.exe, id53.exe, iptl.exe, stcloader.exe, stclient.dll, and one other entry that had "stc" in its name. all this was done in safe mode, by the way



so i've rebooted and a few problems still remain. first, a lot of those entries are back in regedit. luckily, i removed the programs so they're not wreaking havoc anymore. but i'm still pretty curious about how they keep reloading themselves there. second, my hosts file is filled with anti-virus sites again. third, i thought i took the problem out but those popups in msie persist



oh yeah, i'm using Windows XP and uh as for more info, how about a HijackThis log?



Logfile of HijackThis v1.97.7
Scan saved at 6:32:56 PM, on 7/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SERV-U\SERVUD~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
D:\Awe of She\Downloads 3\71972237\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = https://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\User by Default\Application Data\iptl.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - https://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - https://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - https://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - https://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.899849537
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - https://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - https://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27BEBFED-407C-46DF-9E27-F29A1D08CF93}: NameServer = 151.164.11.201 151.164.30.104
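The O4 lines in the log above are where this kind of infection shows itself: bare filenames that Windows resolves via PATH, names one letter away from real system processes (scvhost.exe next to svchost.exe, csrss32.exe next to csrss.exe), a Windows 9x-era RunServices key being written on XP, and an executable launched from a per-user Application Data folder. The Python script below is an added example, not part of this thread or of HijackThis itself; it parses O4 lines in the HJT 1.x format and applies exactly those heuristics. The sample input is the subset of O4 lines quoted above; the heuristics and the list of imitated system-process names are my own assumptions, and the "bare filename" signal is deliberately weak on its own because legitimate entries such as point32.exe trip it too.

```python
import re
from dataclasses import dataclass, field

# Assumption: a hand-picked list of core Windows process names that malware imitates.
SYSTEM_PROCESSES = {"svchost", "csrss", "lsass", "smss", "winlogon", "services", "spoolsv", "explorer"}

# Per-user writable locations; installed software rarely autostarts from here.
USER_WRITABLE_HINTS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

# HijackThis 1.x O4 line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First token of the command that names a program file (quoted or unquoted, spaces allowed).
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|vbs|bat|cmd|scr|com))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    executable: str
    reasons: list = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent swaps, so 'scvhost' is 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(stem: str):
    """Return the system process name that `stem` imitates (csrss32 -> csrss), or None."""
    digitless = stem.rstrip("0123456789")
    for sysname in sorted(SYSTEM_PROCESSES):
        if stem != sysname and (digitless == sysname or osa_distance(stem, sysname) <= 1):
            return sysname
    return None


def triage_o4(log_text: str) -> list:
    """Score every O4 autostart entry; entries with no reasons are not reported."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.group(1), m.group(2), m.group("name"), m.group("cmd")
        e = EXE_RE.match(cmd.strip())
        if not e:
            continue  # e.g. "[Yahoo! Pager] 1" names no program file
        exe = e.group("exe")
        stem = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename resolved via PATH (weak signal on its own)")
        if key.startswith("RunServices"):
            reasons.append("RunServices is a Windows 9x-era key; unusual for software installed on XP")
        if stem in SYSTEM_PROCESSES:
            reasons.append(f"system process name '{stem}' started from a Run key")
        else:
            imitated = lookalike_of(stem)
            if imitated:
                reasons.append(f"lookalike of system process '{imitated}'")
        if any(h in exe.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("executable in a user-writable profile directory")
        if reasons:
            findings.append(Finding(hive, key, name, exe, reasons))
    return findings


# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\User by Default\Application Data\iptl.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.hive}\\{f.key} [{f.name}] {f.executable}")
        for r in f.reasons:
            print("    -", r)
```

Entries with several reasons (the RunServices scvhost.exe line collects three) are the ones worth acting on first; a single "bare filename" hit, as on point32.exe or RUNDLL32.EXE, is only a prompt to check where the file actually lives.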
Posted 7/24/2004 11:44 PM
#2099

Juke Joint Jezebel Member

Date Joined Nov 2016
Total Posts: 5
i did a little research and found this
https://www.security-forums.com/forum/viewtopic.php?p=108800


i'm tempted to follow paperghost's instructions and do something about SWin32.dll. but instead of transferring it to a floppy, i'll just rename it (to 'dogface.txt' or something) and move it to another folder. any opinions on that?
Posted 7/25/2004 5:10 AM
#2103

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It can be fixed with Hijackthis!
Run Hijackthis, close all other windows, put a checkmark to these, and fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///d:/top.html
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe


Find and delete:
C:\WINDOWS\System32\SWin32.dll <<
C:\Program Files\TV Media\Tvm.exe <<
Onlinescan with Trend:
https://housecall.trendmicro.com/housecall/start_corp.asp
Because you have some worms and trojans.

And post new HJT log

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 7/26/2004 3:31 AM
#2115

Juke Joint Jezebel Member

Date Joined Nov 2016
Total Posts: 5
awesome, almost everything's fixed now. just two things left



no matter how many times i virus scan, it picks up something. i wish i wrote down what they were so i could look them up individually. i'll go back and do that later if they still come up. after using that Trend scan, i did another with Norton, and for some reason it can't destroy the threats it found on my computer. so i guess i'll scan again, write down the file names, and delete them myself in safe mode



also, something keeps filling my hosts file with those anti-virus sites. i'm hoping the two problems are related so i can take out one bird with two stones. we'll see




oh yeah, i checked my registry for one of the adwares that Norton picked and found the following

https://www.dangerz.net/jjj/misc/reglastgood.gif

i don't know what to think of that



thanks, everyone, for your help. i should've mentioned it earlier. i'm very grateful for everyone's efforts. finally, here's my latest HijackThis log



Logfile of HijackThis v1.97.7
Scan saved at 10:11:57 PM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SERV-U\SERVUD~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
D:\Awe of She\Downloads 3\71972237\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = https://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\User by Default\Application Data\iptl.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - https://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - https://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - https://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - https://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.899849537
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - https://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - https://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27BEBFED-407C-46DF-9E27-F29A1D08CF93}: NameServer = 151.164.11.201 151.164.30.104
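The hosts-file problem described in this post (security-vendor and update sites mapped to 127.0.0.1, so the update and scan pages simply never load) can be checked mechanically instead of by eye. The script below is an added example, not something from the thread or from any tool mentioned in it: it parses hosts-file syntax, flags every mapping other than localhost, rates entries for update/anti-virus domains as high, and rebuilds the file with only comments and the localhost line, which is what "open it up and empty it" amounts to. The sample file and the watched-domain list are constructed for this example; on Windows XP the real file is C:\WINDOWS\system32\drivers\etc\hosts.

```python
import sys
import ipaddress
from dataclasses import dataclass

# Mapping a real site to any of these makes the site unreachable (a "sinkhole").
SINKHOLE_IPS = {"0.0.0.0", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Assumption: a short list built from the vendors named in this thread, not an authoritative one.
WATCHED_SUFFIXES = ("symantec.com", "trendmicro.com", "windowsupdate.microsoft.com", "download.microsoft.com")


@dataclass
class HostsFinding:
    line_no: int
    ip: str
    host: str
    kind: str      # "sinkhole" (loopback/null address) or "override" (some other address)
    severity: str  # "high" for watched update/AV domains, otherwise "review"


def is_sinkhole(ip: str) -> bool:
    """True for loopback and null addresses; non-addresses are treated as not-a-sinkhole."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or ip in SINKHOLE_IPS


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for every entry line; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        parts = entry.split()
        if len(parts) >= 2:
            yield n, parts[0], parts[1:]


def audit_hosts(text: str) -> list:
    """Report every mapping except the default localhost line."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        for host in hosts:
            h = host.lower()
            if h in LOCALHOST_NAMES and is_sinkhole(ip):
                continue  # the one entry every hosts file legitimately carries
            kind = "sinkhole" if is_sinkhole(ip) else "override"
            watched = any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)
            findings.append(HostsFinding(n, ip, host, kind, "high" if watched else "review"))
    return findings


def rebuild_hosts(text: str) -> str:
    """Return the file with everything except comments, blank lines and localhost removed."""
    kept = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        parts = entry.split()
        if not entry:
            kept.append(raw)
        elif len(parts) >= 2 and is_sinkhole(parts[0]) and all(h.lower() in LOCALHOST_NAMES for h in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample, modelled on the tampered hosts file described in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.  (constructed sample header)
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1       housecall.trendmicro.com
127.0.0.1       v4.windowsupdate.microsoft.com   # blocks the Windows Update site
192.0.2.10      www.example.com                  # redirect to a constructed address
10.1.2.3        intranet.example.test            # a legitimate internal mapping
"""

if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f.line_no}: {f.ip:<16} {f.host:<40} {f.kind:<9} {f.severity}")
```

Rebuilding the file removes the symptom only. As the thread itself found, something on the machine re-populates the file after every reboot, so the audit is also useful as a repeat check: run it again after the autostart entries have been removed, and an empty result confirms the writer is gone.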
Posted 7/26/2004 5:08 AM
#2118

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
We have improvements here :smilewinkgrin:

Just a few more things to be fixed - same procedure.

Fix:
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\User by Default\Application Data\iptl.exe

https://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

Boot to safe mode- F8
Find and delete:
csrss32.exe
C:\Documents and Settings\User by Default\Application Data\iptl.exe<<<<Exe File
Reboot

You really need Updates: https://v4.windowsupdate.microsoft.com/da/default.asp
And for safer networking:
https://www.javacoolsoftware.com/spywareblaster.html
https://www.javacoolsoftware.com/spywareguard.html
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Which key is open in the registry? (screenshot)
I don't need more logs, just tell me if the hosts file is still filled up after you've installed these programs, and if you still pick up some virus.




Do not PM me with logfiles. They will be deleted.


Posted 7/27/2004 7:25 AM
#2133

Juke Joint Jezebel Member

Date Joined Nov 2016
Total Posts: 5
cool, i'll check out those links later tonight




the screenshot i provided was the registry of the windows recovery thing. some of the adwares (mainly Alchem and that Twaintec crap) installed themselves there (which probably explains why they kept appearing no matter how many times an anti-adware/anti-virus deleted them). so i picked out and deleted the foreign entries manually. i also went nuts, deleting temporary files/folders and destroyed their corresponding registry entries. (i don't recommend anyone else doing this. i mean, going into a deleting frenzy in your registry editor. i think i actually might've destroyed some important entries by accident.) anyways, i guess one of them was linked to the hosts file because it's not being loaded anymore




it's a broken record but thanks again, everyone, for your time and aid!