Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

IE and MSdos console Popups


  • Please log in to reply

#1
chun

chun

    New Member

  • Member
  • Pip
  • 1 posts
Hi guys, hope i can find some help here...
i just did a downgrade from vista back to XP. upon starting up the first things i got are IE popups. the next day msdos console pops up with a blank screen. then a window pops up reading

16 bit MSDOS Subsystem
C:\WINDOWS\System32\maxd641.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0dc7 IP:0103 OP:db 74 01 4b 83 Choose 'Close' to teminate the application.

Spybot and AVG only detects the virus but cant really do anything to remove them although they "healed" it.

this is my hijackthis log, please advice!

Logfile of HijackThis v1.99.1
Scan saved at 1:08:40 AM, on 10/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\Msn32e.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Y2h1bg\command.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\kernels1118.exe
C:\Program Files\Common Files\{907BA00A-0958-1033-0601-040202050001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\chun\LOCALS~1\Temp\metasploit.exe
c:\boot.inx
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Msn32e.exe
C:\WINDOWS\system32\Msn32e.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ntu.edu.sg/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {7C38565D-E507-4676-903A-4F26BC4B754B} - C:\Program Files\MSN\horeloda.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o4ns0e57eh.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2h1bg\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
  • 0

Advertisements


#2
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP