Doesproc.exe

Bloodtear
Newbie
16. August 2007 @ 12:10
Whenever I open windows from the internet, or even Windows itself, I get these pop-ups of advertisements. They always say CiD: (then the name of the advertisement page).
Here's my HijackThis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt Wilson\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [metabolt] C:\DOCUME~1\MATTWI~1\APPLIC~1\BAITDA~1\Doesproc.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I'm pretty sure it has to do with that [metabolt] thing.
What do I do to get rid of the pop-ups? Please help.

bluecoal
Suspended due to non-functional email address
21. August 2007 @ 06:26
Hi,
Yes, it does. You have something called LOP. I'd like to see another piece of information first.
Back to HijackThis. When you open it, click "open the misc tools section"
Then click "generate startup list log"
I don't need you to post the whole list. Scroll down the list until you find a section with this heading:
"Enumerating Task Scheduler jobs:"
Copy and paste that section of the startup list for me.
Thanks.
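The two indicators bluecoal asks Bloodtear to collect, the [metabolt] Run entry and the Task Scheduler job list, can be checked mechanically. The following Python script is an added example written for this page; it is not part of the thread and not a HijackThis feature. It feeds the O4 lines and the task-list section from the logs posted in this thread through two checks: a Run entry whose target lives under a user profile's Application Data folder, and a scheduled job whose name is a bare 16-hex-digit string, the pattern of the B7F759BB9D64C58F.job that NoLop later removes. The regexes, the Windows XP profile-path layout it assumes, and the verdict names are this example's own assumptions.

```python
"""Added example: flag Lop-style persistence in a HijackThis log.

Not from the thread and not a HijackThis feature. The sample lines below
are copied from the logs posted in the thread; everything else (the
regexes, the profile-path assumptions, the verdict names) is this
example's own.
"""
import re

# O4 lines as HijackThis prints them: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# A target under a user profile's Application Data (long or 8.3 short form,
# optionally under Local Settings). Assumes the Windows XP profile layout.
PROFILE_APPDATA_RE = re.compile(
    r'^[A-Za-z]:\\(?:DOCUME~1|Documents and Settings)\\[^\\]+\\'
    r'(?:(?:LOCALS~1|Local Settings)\\)?(?:APPLIC~1|Application Data)\\',
    re.IGNORECASE)

# Task Scheduler job whose name is nothing but 16 hex digits.
HEX_JOB_RE = re.compile(r'^[0-9A-F]{16}\.job$', re.IGNORECASE)

# Sample input assembled from the logs in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [metabolt] C:\DOCUME~1\MATTWI~1\APPLIC~1\BAITDA~1\Doesproc.exe
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
B7F759BB9D64C58F.job
"""


def first_target(cmd):
    """Executable path from a Run command: the quoted string, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def parse_log(text):
    """Return (run_entries, jobs): [(hive, name, target)] and [job file names]."""
    run_entries, jobs = [], []
    in_jobs = False
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            run_entries.append((m['hive'], m['name'], first_target(m['cmd'])))
            in_jobs = False
            continue
        if line.startswith('Enumerating Task Scheduler jobs:'):
            in_jobs = True
            continue
        if in_jobs:
            if line.lower().endswith('.job'):
                jobs.append(line)
            else:
                in_jobs = False  # the next StartupList section begins


    return run_entries, jobs


def triage(text):
    """List of (verdict, item, detail) for entries worth a closer look."""
    run_entries, jobs = parse_log(text)
    findings = []
    for _hive, name, target in run_entries:
        if PROFILE_APPDATA_RE.match(target):
            findings.append(('run-entry-in-appdata', name, target))
    for job in jobs:
        if HEX_JOB_RE.match(job):
            findings.append(('random-hex-job', job, 'C:\\WINDOWS\\Tasks\\' + job))
    return findings


if __name__ == '__main__':
    for verdict, item, detail in triage(SAMPLE_LOG):
        print(f'{verdict:22} {item:24} {detail}')
```

The script deliberately does not treat 8.3 short names (DOCUME~1, APPLIC~1) as suspicious on their own: the AVG services in the same log legitimately run from PROGRA~1. Unchecking the Run entry in msconfig, as Bloodtear does later in the thread, leaves a hex-named job in C:\WINDOWS\Tasks untouched, which is why the helper asks for that section of the startup list.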

Member
21. August 2007 @ 13:38
Hey, bc
Since I'm not allowed to post advice to victims, I'll post advice to helpers :)
There's a tool called NoLop!, research it and see what you can make of it :D
Geeks to Go - Trusted Helper
Please do not PM for help - please post on the forums.

Bloodtear
Newbie
22. August 2007 @ 04:58
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
B7F759BB9D64C58F.job
I've been working on my problem and I think I fixed it. Here it is in case I still have the problem and just hid it, or something else is wrong.

Bloodtear
Newbie
22. August 2007 @ 05:26
I just checked it off under msconfig Startup, so I think it's still on my computer, just not running.

bluecoal
Suspended due to non-functional email address
22. August 2007 @ 07:17
Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.
Netpumper
BitRoll
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Zone Media
Be sure to reboot when done.
Please download NoLop and save it to your desktop.
http://www.spywareedge.net/nolop/NoLop.exe
- First close any other programs you have running, as this will require a reboot.
- Double-click NoLop.exe to run it.
- Now click the button labeled "Search and Destroy".
<infected files>
- When scanning is finished you will be prompted to reboot only if infected. Click OK.
- Now click the "REBOOT" button.
- A message should pop up from NoLop. If not, double-click the program again and it will finish.
- Please post the contents of C:\NoLop.log along with a fresh HijackThis log in your next reply.
If you receive an error: "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder, then rerun NoLop.

Member
22. August 2007 @ 08:22
Hey, bc
You forgot MessengerPlus! 3 :D
Geeks to Go - Trusted Helper
Please do not PM for help - please post on the forums.

Bloodtear
Newbie
22. August 2007 @ 08:27
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Matt Wilson\Desktop
[8/22/2007]
[11:19:44 AM]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\B7F759BB9D64C58F.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**
---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Kodak -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Lies Camp Plus This -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nova Development
C:\Documents and Settings\All Users\Application Data\Nvidia
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Skilljam
C:\Documents and Settings\All Users\Application Data\Support.com
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\This Dog Ping Okay -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Gtek
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Matt Wilson\Application Data\Adobe
C:\Documents and Settings\Matt Wilson\Application Data\Adobeaum
C:\Documents and Settings\Matt Wilson\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Matt Wilson\Application Data\Apple Computer
C:\Documents and Settings\Matt Wilson\Application Data\Avg7
C:\Documents and Settings\Matt Wilson\Application Data\Azureus
C:\Documents and Settings\Matt Wilson\Application Data\Bait Data Sect
C:\Documents and Settings\Matt Wilson\Application Data\Bittorrent
C:\Documents and Settings\Matt Wilson\Application Data\Corel
C:\Documents and Settings\Matt Wilson\Application Data\Corel Photo Album
C:\Documents and Settings\Matt Wilson\Application Data\Divx
C:\Documents and Settings\Matt Wilson\Application Data\Gtek
C:\Documents and Settings\Matt Wilson\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Matt Wilson\Application Data\Identities
C:\Documents and Settings\Matt Wilson\Application Data\Lavasoft
C:\Documents and Settings\Matt Wilson\Application Data\Leadertech
C:\Documents and Settings\Matt Wilson\Application Data\Macromedia
C:\Documents and Settings\Matt Wilson\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Matt Wilson\Application Data\Microsoft
C:\Documents and Settings\Matt Wilson\Application Data\Mozilla
C:\Documents and Settings\Matt Wilson\Application Data\Netscape
C:\Documents and Settings\Matt Wilson\Application Data\Nova Development
C:\Documents and Settings\Matt Wilson\Application Data\Real
C:\Documents and Settings\Matt Wilson\Application Data\Securom
C:\Documents and Settings\Matt Wilson\Application Data\Sonic
C:\Documents and Settings\Matt Wilson\Application Data\Sun
C:\Documents and Settings\Matt Wilson\Application Data\Teamspeak2
C:\Documents and Settings\Matt Wilson\Application Data\Technology Lighthouse -- EMPTY Directory
C:\Documents and Settings\Matt Wilson\Application Data\Ventrilo
C:\Documents and Settings\Matt Wilson\Application Data\Viewpoint
C:\Documents and Settings\Matt Wilson\Application Data\Vlc
C:\Documents and Settings\Networkservice\Application Data\Microsoft
Logfile of HijackThis v1.99.1
Scan saved at 11:25:25 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Wilson\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
After my computer restarted after I did the NoLop thing, I went to Internet Explorer and it had my homepage as about:blank, so I changed it back to my original. Is that normal?

bluecoal
Suspended due to non-functional email address
22. August 2007 @ 09:21
Looking much better.
> After my computer restarted after I did the NoLop thing, I went to Internet Explorer and it had my homepage as about:blank, so I changed it back to my original. Is that normal?
I have not had enough comments back on NoLop to know if that is normal or not. I used to use something else for fixing the task scheduler jobs.
To finish the LOP cleanup, please check these three locations:
C:\Documents and Settings\All Users\Application Data
C:\Documents and Settings\Matt Wilson\Application Data
C:\Program Files
for these folders, and delete them if you find them:
Lies Camp Plus This
This Dog Ping Okay
Bait Data Sect
For some additional cleanup you can do these two items:
In this link at steps 8 and 14 there are instructions for a program called superantispyware:
http://www.malwarebytes.org/forums/index.php?showtopic=692
Also note steps 9 and 12 for atf cleaner.
Here is a link with some comments about making your computer more secure in the future:
http://www.city-data.com/forum/technolog...-you-clean.html
Messenger plus used to be the source of LOP. There are apparently other sources now. If you are using Messenger Plus, we should talk about that briefly.
Regards
bc

Bloodtear
Newbie
22. August 2007 @ 23:59
OK, when I go to the All Users folder there is no Application Data folder. Am I blind or missing something? I know it's there because it gets scanned, I just don't see it. Is it hidden? If so, how do I get into it?
Isn't rundll.exe or whatever bad?

bluecoal
Suspended due to non-functional email address
23. August 2007 @ 00:28

Member
23. August 2007 @ 05:24
Umm... rundll.exe would be bad if you're not in Win95, 98, or ME. Rundll32.exe is the proper process for 32-bit systems like XP and 2k.
edit - Bloodtear, your log looks slightly shorter than a normal person's log would on XP. Could I get you to do two things for me?
1. Rename HijackThis to something like scanner.exe
2. Open the Backups section of HijackThis (when it starts click on "Misc Tools" and "Backups") and checkmark everything there. Click "Restore".
Geeks to Go - Trusted Helper
Please do not PM for help - please post on the forums.
This message has been edited since posting. Last time this message was edited on 23. August 2007 @ 05:26
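The rundll32 question comes up in every log read: rundll32.exe in system32 is the legitimate host process, and what matters is the DLL and entry point it is told to load, since adware uses the same host to run its own DLL at logon. As an added example, not from the thread, the following Python script pulls the DLL argument out of each rundll32-hosted O4 entry in a HijackThis log and classifies where the DLL lives. The first two sample lines are the NvCplDaemon and NvMediaCenter entries from Bloodtear's log; the third is a constructed suspicious line made up for this example. The path classes and verdict names are assumptions of the example.

```python
"""Added example: what a rundll32 Run entry actually loads.

Not from the thread. The first two sample lines are the NvCplDaemon and
NvMediaCenter entries from the HijackThis log above; the third is a
constructed line made up for this example. Verdict names and the path
classes are this example's own assumptions.
"""
import re

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# The host is rundll32 (any case, with or without .exe or a directory);
# everything after it is the argument string rundll32 receives.
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE)

PROFILE_RE = re.compile(r'^[A-Za-z]:\\(?:DOCUME~1|Documents and Settings)\\', re.IGNORECASE)
EXPECTED_PREFIXES = ('c:\\windows\\system32\\', 'c:\\program files\\')

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [constructed-example] rundll32.exe "C:\Documents and Settings\User\Application Data\Sample Dir\sample.dll",Start
"""


def split_rundll_args(args):
    """rundll32 takes '<dll>,<entry point> [args]'; return (dll, entry)."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        if end < 0:
            end = len(args)
        dll, rest = args[1:end], args[end + 1:]
    else:
        m = re.match(r'[^,\s]+', args)
        dll = m.group(0) if m else ''
        rest = args[len(dll):]
    rest = rest.lstrip()
    entry = ''
    if rest.startswith(','):
        tokens = rest[1:].split()
        entry = tokens[0] if tokens else ''
    return dll, entry


def classify_dll(dll):
    """Where the DLL lives decides how much scrutiny the entry needs."""
    if '\\' not in dll:
        return 'relative'     # no directory: resolved through the DLL search path
    low = dll.lower()
    if low.startswith(EXPECTED_PREFIXES):
        return 'expected'
    if PROFILE_RE.match(dll) or '\\temp\\' in low:
        return 'suspicious'   # per-user or scratch locations, where adware drops DLLs
    return 'review'


def audit_rundll(text):
    """List of (value name, dll, entry point, verdict) for rundll32-hosted Run entries."""
    results = []
    for raw in text.strip().splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        h = RUNDLL_RE.match(m['cmd'].strip())
        if not h:
            continue   # not hosted by rundll32; the executable itself is what to check
        dll, entry = split_rundll_args(h['args'])
        results.append((m['name'], dll, entry, classify_dll(dll)))
    return results


if __name__ == '__main__':
    for name, dll, entry, verdict in audit_rundll(SAMPLE_LOG):
        print(f'{verdict:10} [{name}] {dll} -> {entry or "(no entry point)"}')
```

NvMCTray.dll in the log is given without a directory, so Windows resolves it through the DLL search path; the directory rundll32 itself lives in (system32) is at the front of that order, so the NVIDIA entry is normally fine, but the 'relative' verdict is a prompt to confirm which file actually loads rather than to trust the entry on its name alone.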