I've got something and I can't get rid of it... :(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LilReb, Feb 8, 2004.

  1. LilReb

    LilReb Private E-2

    Can anyone help me? I've got something on my computer (spyware maybe?) that pops up an IE window about every 15 mins that says "I hate pops" and set my homepage to popnav.net. I can't reset my homepage because when I restart it sets it back to the popnav thing. I've tried ad-aware, spybot s&d. I dunno what to do but I don't wanna reinstall windows. I just did like 2 weeks ago. Please help me :(
     
  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  3. LilReb

    LilReb Private E-2

    Logfile of HijackThis v1.97.7
    Scan saved at 8:03:37 PM, on 2/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    D:\AVG6\avgcc32.exe
    C:\WINDOWS\System32\msbb\msbb.exe
    C:\WINDOWS\System32\iefeatures.exe
    C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
    D:\Acidmax2\mirc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Downloads\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb\msbb.exe
    O4 - HKLM\..\Run: [BHLRYOV] C:\WINDOWS\BHLRYOV.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Steam] D:\Steam\Steam.exe -silent
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: D-Link AirPlus USB.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_168/QDow.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.7767361111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
     
  4. alanc

    alanc MajorGeek

    This is the nasty "180Solutions"

    C:\WINDOWS\System32\msbb\msbb.exe
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb\msbb.exe

    Info: http://www.pestpatrol.com/pestinfo\other\180solutions.asp


    This is "Popmonster"

    C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

    Info: http://www.pestpatrol.com/pestinfo/p/popmonster.asp

    "PopNav" is related

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

    Info: http://www.computercops.biz/postitle14026-0-0-.html


    Get rid of "ClearSearch"

    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)

    Info: http://sarc.com/avcenter/venc/data/adware.clearsearch.html


    Someone else may notice something(s) I missed.



    Spyware Blaster will help stop this junk from getting on there in the 1st place...
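
An added example, not part of the thread or any poster's code: a small Python triage pass over HijackThis log lines that labels the entries identified in the reply above and notes which O4 autostart targets also appear under "Running processes". The watchlist substrings and the finding field names are assumptions chosen for illustration; the sample lines are copied from the log posted in this thread.

```python
import re

# Labels come from the reply above; keys are lowercase substrings to look for.
WATCHLIST = {
    "msbb.exe": "180Solutions", "iefeatures.exe": "Popmonster",
    "popnav.com": "PopNav", "clearsearch": "ClearSearch",
}
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.*)$")
RUN_CMD = re.compile(r"Run: \[[^\]]+\] (.+)$")

# A few lines copied from the log posted in this thread.
SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\msbb\msbb.exe
C:\WINDOWS\System32\iefeatures.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O4 - HKLM\..\Run: [AVG_CC] D:\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb\msbb.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
"""

def triage(log_text):
    """Return one finding per log entry that matches the watchlist."""
    running, findings, in_procs = set(), [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m is None:
            if in_procs and line:
                running.add(line.lower())
            continue
        in_procs = False
        code, detail = m.groups()
        label = next((v for k, v in WATCHLIST.items() if k in detail.lower()), None)
        cmd = RUN_CMD.search(detail)
        if label:
            findings.append({
                "code": code, "label": label,
                "orphaned": detail.endswith("(file missing)"),
                # exact-path match between the O4 target and a running process
                "running": bool(cmd) and cmd.group(1).lower() in running,
            })
    return findings

print(*triage(SAMPLE), sep="\n")
```
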
     
  5. zimpal

    zimpal Private First Class

    How 'nasty' is 180 Solutions? I linked to pest patrol and discovered 180 Solutions has a local address. Kinda scary. Here I am, a frustrated time bomb with a pathologic hatred for hijackers and spyware, and I drive right past their place of business very early every morning! ;)
     
  6. Freddy

    Freddy Sergeant

    Download Adaware and/or Spybot from this site. Run to clean spyware. Repeat often.
     
  7. zimpal

    zimpal Private First Class

    please note wink smilie
     
