
Pop-ups are killin me here, help PLZ



#1
Abraxsis

    Member

  • Member
  • 13 posts
My PC has been running great, up till yesterday. While browsing a site my windows taskbar vanished then reappeared, and all of a sudden I'm swamped with pop-ups. These seem specific to the page I'm browsing. For example I was on amazon.com looking at music CDs, when a pop-up opened showing some music download site. On another site I was told it might be the vx2 problem, but so far I'm not sure what it is.

I've already run Ad-aware SE Professional with the vx2 killer, spybot, antispyware, scanspyware, spysubtract, and spyblaster, along with the anti virus program AVG.

All those programs and the pop-ups continue. I even switched to firefox and the pop-ups still continue.

Here's the hijackthis log, hopefully one of you can help me...


Logfile of HijackThis v1.99.0
Scan saved at 5:12:22 AM, on 1/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Temp\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0


#2
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Yes, this is the pesky new VX2 infection.
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0

#3
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
I tried Find.bat and got an error message

16 bit MS-DOS Subsystem
C:\WINDOWS\System32\cmd.exe
"C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application" with a Close and Ignore button.

I hit close and nothing happens, the window just stays there doing nothing, and if I hit Ignore same thing, the window just stays there doing nothing.

Any idea what to do now?
  • 0

#4
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
Anyone have any other suggestion? These pop-ups are becoming really intolerable.
  • 0

#5
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
Please, doesn't anyone have any other suggestions since it appears I can't use the Find.bat file?

If it helps, I hit Ignore when I get the error message after starting Find.bat, and the program just sits there. I've left it sitting for over an hour, and nothing happens.

I'm at the end of my rope here and need help.
  • 0

#6
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Please download and run this file:
http://www.visualtou...oads/xp_fix.exe

Try Find_it again when finished. :tazz:
  • 0

#7
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
Thanks Very Much Admin!!! :tazz:

That worked great, and now I've got the Find.bat log to post....

------------------------------------------------------------------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

01/10/2005 04:49 AM 56 mv0ol9d31.dll
11/18/2004 06:19 PM <DIR> dllcache
11/02/2004 07:45 PM 5,120 KGyGaAvL.sys
11/02/2004 05:20 PM 56 01D1BE5E9F.sys
09/16/2004 02:27 AM 56 5B69E9EBAD.sys
04/15/2004 04:25 AM <DIR> Microsoft
04/15/2004 02:18 AM 6,144 access.ctl
5 File(s) 11,432 bytes
2 Dir(s) 3,899,830,272 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

11/18/2004 06:19 PM <DIR> dllcache
11/02/2004 07:45 PM 5,120 KGyGaAvL.sys
11/02/2004 05:20 PM 56 01D1BE5E9F.sys
09/16/2004 02:27 AM 56 5B69E9EBAD.sys
04/15/2004 02:43 AM 488 logonui.exe.manifest
04/15/2004 02:43 AM 488 WindowsLogon.manifest
04/15/2004 02:43 AM 749 ncpa.cpl.manifest
04/15/2004 02:43 AM 749 nwc.cpl.manifest
04/15/2004 02:43 AM 749 sapi.cpl.manifest
04/15/2004 02:43 AM 749 wuaucpl.cpl.manifest
04/15/2004 02:43 AM 749 cdplayer.exe.manifest
04/15/2004 02:18 AM 6,144 access.ctl
05/11/2001 04:43 PM 397,856 XceedZip.dll
12 File(s) 413,953 bytes
1 Dir(s) 3,899,826,176 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

01/10/2005 05:44 AM 225,105 guard.tmp
1 File(s) 225,105 bytes
0 Dir(s) 3,899,826,176 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

01/10/2005 05:44 AM 225,105 guard.tmp
08/23/2001 11:00 AM 2,577 CONFIG.TMP
2 File(s) 227,682 bytes
0 Dir(s) 3,899,826,176 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DD69A154-69E7-438E-8F74-02507D4807D3}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv0ol9d31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
01d1be~1.sys Tue Nov 2 2004 5:20:14p ..SHR 56 0.05 K
kgygaavl.sys Tue Nov 2 2004 7:45:04p A.SH. 5,120 5.00 K
mv0ol9~1.dll Mon Jan 10 2005 4:49:08a ..S.R 56 0.05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 5,232 bytes 5.11 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\isbsni.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\The Day After Tomorrow.scr: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"



  • 0

#8
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot, then press the red X button. When it says reboot now, say no, continue to paste the lines into the box in turn, and follow the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\system32\isbsni.dll
C:\WINDOWS\System32\mv0ol9d31.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DD69A154-69E7-438E-8F74-02507D4807D3}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button.

Then post back with a new FindIt log.

Regards,

Pieter
  • 0

#9
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
OK...Followed Metallica's directions, now here's the new find.bat log........



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

11/18/2004 06:19 PM <DIR> dllcache
11/02/2004 07:45 PM 5,120 KGyGaAvL.sys
11/02/2004 05:20 PM 56 01D1BE5E9F.sys
09/16/2004 02:27 AM 56 5B69E9EBAD.sys
04/15/2004 04:25 AM <DIR> Microsoft
04/15/2004 02:18 AM 6,144 access.ctl
4 File(s) 11,376 bytes
2 Dir(s) 3,910,279,168 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

11/18/2004 06:19 PM <DIR> dllcache
11/02/2004 07:45 PM 5,120 KGyGaAvL.sys
11/02/2004 05:20 PM 56 01D1BE5E9F.sys
09/16/2004 02:27 AM 56 5B69E9EBAD.sys
04/15/2004 02:43 AM 488 logonui.exe.manifest
04/15/2004 02:43 AM 488 WindowsLogon.manifest
04/15/2004 02:43 AM 749 ncpa.cpl.manifest
04/15/2004 02:43 AM 749 nwc.cpl.manifest
04/15/2004 02:43 AM 749 sapi.cpl.manifest
04/15/2004 02:43 AM 749 wuaucpl.cpl.manifest
04/15/2004 02:43 AM 749 cdplayer.exe.manifest
04/15/2004 02:18 AM 6,144 access.ctl
05/11/2001 04:43 PM 397,856 XceedZip.dll
12 File(s) 413,953 bytes
1 Dir(s) 3,910,275,072 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

01/10/2005 05:44 AM 225,105 guard.tmp
1 File(s) 225,105 bytes
0 Dir(s) 3,910,275,072 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

01/10/2005 05:44 AM 225,105 guard.tmp
08/23/2001 11:00 AM 2,577 CONFIG.TMP
2 File(s) 227,682 bytes
0 Dir(s) 3,910,275,072 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
01d1be~1.sys Tue Nov 2 2004 5:20:14p ..SHR 56 0.05 K
kgygaavl.sys Tue Nov 2 2004 7:45:04p A.SH. 5,120 5.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,176 bytes 5.05 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\isbsni.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\The Day After Tomorrow.scr: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"



  • 0
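
The `policies` subkey in the first Find.bat log is a Winlogon Notify package, which makes winlogon.exe load the named DLL at logon. The following added example (not part of any post in this thread, and not Find.bat's own logic) parses that REGEDIT4 section and reports packages outside a known-good baseline. The baseline of stock Windows XP packages and the function names are assumptions; values exported as `hex(2):` are reported for manual review rather than decoded.

```python
import ntpath
import re

# Assumed known-good baseline (not from the thread): Notify subkeys of a stock
# Windows XP install and the DLL each loads. Replace it with your own image's.
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
NOTIFY = (r"hkey_local_machine\software\microsoft\windows nt"
          r"\currentversion\winlogon\notify" "\\")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")        # [key] or [-key] (deletion)
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')    # "name"="string value"

# "Keys Under Notify" section of the first Find.bat log posted in the thread.
BEFORE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv0ol9d31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

# The same section from the log posted after the registry fix was merged.
AFTER = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"""


def parse_notify(export_text):
    """Map each subkey under Winlogon\\Notify to its DllName (None if absent)."""
    packages, current = {}, None
    for line in map(str.strip, export_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            deleted, path = key.groups()
            under = path.lower().startswith(NOTIFY) and not deleted
            current = path[len(NOTIFY):] if under else None
            if current:
                packages.setdefault(current, None)
            continue
        val = VAL_RE.match(line)
        if val and current and val.group(1).lower() == "dllname":
            packages[current] = val.group(2).replace("\\\\", "\\")
    return packages


def suspicious_notify(export_text, baseline=BASELINE):
    """Return (subkey, dll, reason) for every package outside the baseline."""
    findings = []
    for subkey, dll in sorted(parse_notify(export_text).items()):
        expected = baseline.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "subkey not in baseline"))
        elif dll is None:
            findings.append((subkey, dll, "DllName missing or not a plain string"))
        elif ntpath.basename(dll).lower() != expected:
            findings.append((subkey, dll, "DLL differs from baseline"))
    return findings
```

`suspicious_notify(BEFORE)` reports the `policies` package and its DLL, and `suspicious_notify(AFTER)` returns an empty list.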

#10
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job. :tazz:

Run killbox and paste each of these lines into the box, select delete on reboot, then press the red X button. When it says reboot now, say no, continue to paste the lines into the box in turn, and follow the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\system32\isbsni.dll

Then post back with a HijackThis log.

Regards,

Pieter
  • 0


#11
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
OK...Did what you said again, and here's the new find.bat results...



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

11/18/2004 06:19 PM <DIR> dllcache
11/02/2004 07:45 PM 5,120 KGyGaAvL.sys
11/02/2004 05:20 PM 56 01D1BE5E9F.sys
09/16/2004 02:27 AM 56 5B69E9EBAD.sys
04/15/2004 04:25 AM <DIR> Microsoft
04/15/2004 02:18 AM 6,144 access.ctl
4 File(s) 11,376 bytes
2 Dir(s) 4,088,532,992 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

11/18/2004 06:19 PM <DIR> dllcache
11/02/2004 07:45 PM 5,120 KGyGaAvL.sys
11/02/2004 05:20 PM 56 01D1BE5E9F.sys
09/16/2004 02:27 AM 56 5B69E9EBAD.sys
04/15/2004 02:43 AM 488 logonui.exe.manifest
04/15/2004 02:43 AM 488 WindowsLogon.manifest
04/15/2004 02:43 AM 749 ncpa.cpl.manifest
04/15/2004 02:43 AM 749 nwc.cpl.manifest
04/15/2004 02:43 AM 749 sapi.cpl.manifest
04/15/2004 02:43 AM 749 wuaucpl.cpl.manifest
04/15/2004 02:43 AM 749 cdplayer.exe.manifest
04/15/2004 02:18 AM 6,144 access.ctl
05/11/2001 04:43 PM 397,856 XceedZip.dll
12 File(s) 413,953 bytes
1 Dir(s) 4,088,528,896 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is EC04-C423

Directory of C:\WINDOWS\System32

08/23/2001 11:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 4,088,528,896 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
01d1be~1.sys Tue Nov 2 2004 5:20:14p ..SHR 56 0.05 K
kgygaavl.sys Tue Nov 2 2004 7:45:04p A.SH. 5,120 5.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,176 bytes 5.05 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"



  • 0

#12
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yes. That is clean. :tazz:

Now we will need a HijackThis log.

Regards,

Pieter
  • 0

#13
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
Thanks for all the help Metallica!!!

Here's the Hijackthis log...


Logfile of HijackThis v1.99.0
Scan saved at 7:54:40 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#14
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Those should stay away now.

Safe surfing,

Pieter
  • 0
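
The five O1 entries fixed above all point browser search hostnames at one remote address. As an added example (not part of the original posts and not HijackThis's own logic), this parses the O1 lines of a HijackThis log, ignores loopback sinks, and groups what remains by target IP; the function names and the `search` marker are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Lines as posted in the HijackThis log of 1/12/2005 in this thread.
LOG_EXCERPT = r"""O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")


def hosts_redirects(log_text):
    """Return {ip: {hostname: line count}} for O1 entries with a non-local target."""
    redirects = defaultdict(Counter)
    for line in map(str.strip, log_text.splitlines()):
        m = O1_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is not an IP address: skip the line
        # 127.0.0.1 / 0.0.0.0 entries are the usual ad-blocking sinks.
        if ip.is_loopback or ip.is_unspecified:
            continue
        redirects[str(ip)][m.group(2).lower()] += 1
    return {ip: dict(names) for ip, names in redirects.items()}


def search_hijacks(log_text, markers=("search",)):
    """IPs that capture a hostname containing one of the (assumed) markers."""
    return sorted(
        ip for ip, names in hosts_redirects(log_text).items()
        if any(mark in name for name in names for mark in markers)
    )
```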

#15
Abraxsis

    Member

  • Topic Starter
  • Member
  • 13 posts
Thanks so much Pieter! My pc is back to normal again. I can't say Thank You enough.

Just to be safe though, here's the new hijack this log. Hopefully it'll be 100% clean now :tazz:


Logfile of HijackThis v1.99.0
Scan saved at 3:52:28 PM, on 1/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0





