TechSpot

Darn pop ups! HJT file attached

By vankanma
Nov 10, 2005
  1. I scanned with Norton, Spybot and Ad-Aware, and I checked for running programs, but I still can't get rid of the pop-ups.
    Could someone kindly look at my log and see if all is ok?
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    C:\Documents and Settings\Mark\Desktop\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /U/ UNinstall anything to do with this
    /R/ unRegister the xxx.DLL in that line
    Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
    Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    /P/U/ O4 - HKCU\..\Run: [wkkf] C:\PROGRA~1\COMMON~1\wkkf\wkkfm.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106167466328
    /R/ O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\j42q0ef5eh2.dll
    ...................................................................................................

    STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
     
  3. vankanma

    vankanma TS Rookie Topic Starter

    still popping

    Thanks for looking into this, but it's still popping.
    I notice some of the things you asked to fix were not there or only show up in normal boot mode.
    I've attached two more logs, one for safe mode and the other for normal boot.

    I use Firefox at home, but I'm stuck with IE at work.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    First Read: Only use these HJT-instructions when asked!
    /R/ unRegister the xxx.DLL in that line
    Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
    Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
    ...................................................................................................
    /R/ O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\mv24l9fq1.dll
    ...................................................................................................

    STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
     
  5. vankanma

    vankanma TS Rookie Topic Starter

    This line keeps coming back but with a different xxx.dll. I tried delete on reboot with no luck.
    ...................................................................................................
    /R/ O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\mv24l9fq1.dll
    ...................................................................................................


    I re-ran Ad-Aware, but this time with the VX2 plugin. It reports "Possible new VX2 variant file: C:\WINDOWS\system32\f6l02g3mg6.dll" and the clean button is greyed out.
    What to do next?
     
  6. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    You want to go in Safe Mode when removing this. And not go to Normal Mode until you are clean.

    The Notify key is in the registry (start-run-regedit) under:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    Delete the Key on the left which references the bad DLL on the right. Then find and delete the DLL in Explorer.
    However, it is possible that this file is referenced in other places in the registry, namely, a service. If so, other such references should be deleted as well.
    The problem is that this DLL may not be the "main" baddy, there could be a daddy program that is restarting and renaming it.

    So if you delete the Notify entry manually in Safe Mode, and it comes back, you've got some nasties in there which may need more advanced techniques to remove.
    If you don't want to edit the registry, then just tell us what IS in the Notify key, and what file it points to on the right-hand side of regedit. Then do a search for that file and post here what other keys it is referenced by.

    If all this sounds scary to you, you may just want to take it somewhere to be fixed.
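
The "delete it and see whether it comes back" check from the last reply can be run over saved HijackThis logs taken after each cleanup attempt. This is an added example, not part of the original thread: the function names are hypothetical, the first two scans reuse O20 lines quoted above, and the third scan with its DLL name is constructed.

```python
import re
from collections import defaultdict

# An O20 line, optionally prefixed with HJT-instruction tags such as "/R/ " or "/P/U/ ".
O20_RE = re.compile(
    r"^\s*(?:(?:/[A-Z])+/\s+)?O20 - Winlogon Notify: (?P<key>.+?) - (?P<dll>\S.*?)\s*$"
)

def notify_entries(log_text):
    """Return {notify_key: dll_path} for every O20 line (paths lowercased,
    because Windows paths are case-insensitive)."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            entries[m.group("key")] = m.group("dll").lower()
    return entries

def rotating_keys(scans):
    """scans: log texts in the order they were taken.
    Return {key: [dll, ...]} for Notify keys whose DLL changed between scans,
    the sign that something else is re-creating the entry under a new name."""
    seen = defaultdict(list)
    for text in scans:
        for key, dll in notify_entries(text).items():
            if dll not in seen[key]:
                seen[key].append(dll)
    return {key: dlls for key, dlls in seen.items() if len(dlls) > 1}

# Scans 1 and 2 use lines from the thread; scan 3 is constructed.
SCAN_1 = r"""
O4 - HKCU\..\Run: [wkkf] C:\PROGRA~1\COMMON~1\wkkf\wkkfm.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\j42q0ef5eh2.dll
"""
SCAN_2 = r"""
/R/ O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\mv24l9fq1.dll
"""
SCAN_3 = r"""
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\constructed01.dll
"""

if __name__ == "__main__":
    for key, dlls in rotating_keys([SCAN_1, SCAN_2, SCAN_3]).items():
        print(f"Notify key {key!r} was re-created with a new DLL each scan:")
        for dll in dlls:
            print("   ", dll)
```

A key that shows up here means deleting the DLL alone will not hold, which matches the advice above to look for other registry references to the file.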
     
Topic Status:
Not open for further replies.
