I've already got XP SP2 installed, and I've run CWShredder, Spybot, Adaware, MS Antispyware, and AVG Free edition. They all find problems, and say they fixed them, but when I reboot the PC I get swamped with pop-ups. Plus I'm getting words highlighted on all webpages, and when I hover the pointer over them in the IE statusbar it says Sponsored Link.
Here's the Hijack this log, followed by the Find.bat log...
Logfile of HijackThis v1.99.1
Scan saved at 5:10:51 PM, on 4/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsh73.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
====================================================
And my Find.bat log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\temp\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is EC04-C423
Directory of C:\WINDOWS\System32
04/16/2005 07:28 PM <DIR> dllcache
04/16/2005 01:34 AM 13,560 KGyGaAvL.sys
03/31/2005 08:33 PM 104 01D1BE5E9F.sys
03/11/2005 10:01 AM 12,800 Thumbs.db
01/13/2005 04:05 PM 3,547 hwxcx.log
09/16/2004 03:27 AM 56 5B69E9EBAD.sys
04/15/2004 05:25 AM <DIR> Microsoft
04/15/2004 03:18 AM 6,144 access.ctl
6 File(s) 36,211 bytes
2 Dir(s) 2,013,401,088 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is EC04-C423
Directory of C:\WINDOWS\System32
04/16/2005 07:28 PM <DIR> dllcache
04/16/2005 01:34 AM 13,560 KGyGaAvL.sys
03/31/2005 08:33 PM 104 01D1BE5E9F.sys
03/11/2005 10:01 AM 12,800 Thumbs.db
01/25/2005 10:54 PM <DIR> GroupPolicy
01/13/2005 04:05 PM 3,547 hwxcx.log
09/16/2004 03:27 AM 56 5B69E9EBAD.sys
04/15/2004 03:43 AM 488 WindowsLogon.manifest
04/15/2004 03:43 AM 488 logonui.exe.manifest
04/15/2004 03:43 AM 749 nwc.cpl.manifest
04/15/2004 03:43 AM 749 sapi.cpl.manifest
04/15/2004 03:43 AM 749 cdplayer.exe.manifest
04/15/2004 03:43 AM 749 wuaucpl.cpl.manifest
04/15/2004 03:43 AM 749 ncpa.cpl.manifest
04/15/2004 03:18 AM 6,144 access.ctl
05/11/2001 05:43 PM 397,856 XceedZip.dll
14 File(s) 438,788 bytes
2 Dir(s) 2,013,396,992 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is EC04-C423
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is EC04-C423
Directory of C:\WINDOWS\System32
08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 2,013,396,992 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""
"SV1"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
01d1be~1.sys Thu Mar 31 2005 8:33:36p ..SHR 104 0.10 K
kgygaavl.sys Sat Apr 16 2005 1:34:46a A.SH. 13,560 13.24 K
thumbs.db Fri Mar 11 2005 10:01:06a A.SH. 12,800 12.50 K
3 items found: 3 files, 0 directories.
Total of file sizes: 26,464 bytes 25.84 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
Edited by Abraxsis, 17 April 2005 - 03:13 PM.
Sign In
Create Account
