Whenever I open windows from the internet or even Windows itself I get these pop-ups of advertisements. They always say CiD (then the name of the page of advertisement). Here's my HijackThis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt Wilson\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [metabolt] C:\DOCUME~1\MATTWI~1\APPLIC~1\BAITDA~1\Doesproc.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I'm pretty sure it has to do with that [metabolt] thing. What do I do to get rid of the pop-ups? Please help.
Hi, Yes, it does. You have something called LOP. I'd like to see another piece of information first. Back to HijackThis. When you open it, click "open the misc tools section" Then click "generate startup list log" I don't need you to post the whole list. Scroll down the list until you find a section with this heading "Enumerating Task Scheduler jobs:" Copy and paste that section of the startup list for me. Thanks.
Hey, bc. Since I'm not allowed to post advice to victims, I'll post advice to helpers. There's a tool called NoLop!; research it and see what you can make of it.
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
B7F759BB9D64C58F.job

I've been working on my problem and I think I fixed it. Here it is in case I still have the problem, I just hid it, or something else is wrong.
Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Netpumper
BitRoll
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Zone Media

Be sure to reboot when done.

Please download NoLop and save it to your desktop. http://www.spywareedge.net/nolop/NoLop.exe
• First close any other programs you have running as this will require a reboot.
• Double click NoLop.exe to run it.
• Now click the button labeled "Search and Destroy" <<your computer will now be scanned for infected files>>
• When scanning is finished you will be prompted to reboot only if infected. Click OK.
• Now click the "REBOOT" button.
• A message should pop up from NoLop. If not, double click the program again and it will finish.
• Please post the contents of C:\NoLop.log along with a fresh HijackThis log in your next reply.

--If you receive an error: "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder then rerun NoLop.
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Matt Wilson\Desktop
[8/22/2007]
[11:19:44 AM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\B7F759BB9D64C58F.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Kodak -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Lies Camp Plus This -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nova Development
C:\Documents and Settings\All Users\Application Data\Nvidia
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Skilljam
C:\Documents and Settings\All Users\Application Data\Support.com
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\This Dog Ping Okay -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Gtek
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Matt Wilson\Application Data\Adobe
C:\Documents and Settings\Matt Wilson\Application Data\Adobeaum
C:\Documents and Settings\Matt Wilson\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Matt Wilson\Application Data\Apple Computer
C:\Documents and Settings\Matt Wilson\Application Data\Avg7
C:\Documents and Settings\Matt Wilson\Application Data\Azureus
C:\Documents and Settings\Matt Wilson\Application Data\Bait Data Sect
C:\Documents and Settings\Matt Wilson\Application Data\Bittorrent
C:\Documents and Settings\Matt Wilson\Application Data\Corel
C:\Documents and Settings\Matt Wilson\Application Data\Corel Photo Album
C:\Documents and Settings\Matt Wilson\Application Data\Divx
C:\Documents and Settings\Matt Wilson\Application Data\Gtek
C:\Documents and Settings\Matt Wilson\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Matt Wilson\Application Data\Identities
C:\Documents and Settings\Matt Wilson\Application Data\Lavasoft
C:\Documents and Settings\Matt Wilson\Application Data\Leadertech
C:\Documents and Settings\Matt Wilson\Application Data\Macromedia
C:\Documents and Settings\Matt Wilson\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Matt Wilson\Application Data\Microsoft
C:\Documents and Settings\Matt Wilson\Application Data\Mozilla
C:\Documents and Settings\Matt Wilson\Application Data\Netscape
C:\Documents and Settings\Matt Wilson\Application Data\Nova Development
C:\Documents and Settings\Matt Wilson\Application Data\Real
C:\Documents and Settings\Matt Wilson\Application Data\Securom
C:\Documents and Settings\Matt Wilson\Application Data\Sonic
C:\Documents and Settings\Matt Wilson\Application Data\Sun
C:\Documents and Settings\Matt Wilson\Application Data\Teamspeak2
C:\Documents and Settings\Matt Wilson\Application Data\Technology Lighthouse -- EMPTY Directory
C:\Documents and Settings\Matt Wilson\Application Data\Ventrilo
C:\Documents and Settings\Matt Wilson\Application Data\Viewpoint
C:\Documents and Settings\Matt Wilson\Application Data\Vlc
C:\Documents and Settings\Networkservice\Application Data\Microsoft

Logfile of HijackThis v1.99.1
Scan saved at 11:25:25 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Wilson\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

After my comp restarted after I did the NoLop thing I went to Internet Explorer and it had my homepage as about:blank so I changed it back to my original. Is that normal?
Looking much better.

“After my comp restarted after I did the NoLop thing I went to Internet Explorer and it had my homepage as about:blank so I changed it back to my original. Is that normal”

I have not had enough comments back on NoLop to know if that is normal or not. I used to use something else for fixing the task scheduler jobs.

To finish the LOP cleanup, please check these three locations:
C:\Documents and Settings\All Users\Application Data
C:\Documents and Settings\Matt Wilson\Application Data
C:\ProgramFiles
For these folders and delete them if you find them:
Lies Camp Plus This
This Dog Ping Okay
Bait Data Sect

For some additional cleanup you can do these two items: In this link at steps 8 and 14 there are instructions for a program called superantispyware: http://www.malwarebytes.org/forums/index.php?showtopic=692 Also note steps 9 and 12 for atf cleaner.

Here is a link with some comments about making your computer more secure in the future: http://www.city-data.com/forum/technology/130737-now-you-clean.html

Messenger plus used to be the source of LOP. There are apparently other sources now. If you are using Messenger Plus, we should talk about that briefly.

Regards
bc
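The pattern this thread turned up (an HKCU Run value launching from an oddly named Application Data folder, plus a hex-named Task Scheduler job) can be checked mechanically. The following is an added example, not code from any poster or from HijackThis or NoLop; the function names, the 16-hex-digit job heuristic and the simplified 8.3 alias rule are assumptions, and the sample lines are copied from the logs posted above.

```python
import re

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [metabolt] C:\DOCUME~1\MATTWI~1\APPLIC~1\BAITDA~1\Doesproc.exe
AppleSoftwareUpdate.job
B7F759BB9D64C58F.job
"""
# Folder names taken from the NoLop directory listing in this thread.
SAMPLE_DIRS = ["Azureus", "Bait Data Sect", "Bittorrent", "Ventrilo"]

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$')
# Long form and 8.3 short form of an "Application Data" path component,
# capturing the folder directly beneath it.
APPDATA_RE = re.compile(r'\\(?:application data|applic~\d)\\([^\\]+)\\', re.I)
# Heuristic (assumption): a .job file named with exactly 16 hex digits.
HEX_JOB_RE = re.compile(r'^[0-9A-F]{16}\.job$', re.I)

def short_alias(long_name):
    """Approximate the first 8.3 alias Windows gives a long folder name
    (simplified: first six characters without spaces or dots, then ~1)."""
    return re.sub(r'[ .]', '', long_name).upper()[:6] + "~1"

def resolve(component, dirs):
    """Map an 8.3 component such as BAITDA~1 back to a listed folder."""
    for d in dirs:
        if component.upper() in (d.upper(), short_alias(d)):
            return d
    return None

def triage(log_text, dirs):
    """Return (kind, name, resolved_folder) for each entry worth a look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            value, command = m.group(2), m.group(3).strip('"')
            hit = APPDATA_RE.search(command)
            if hit:
                folder = resolve(hit.group(1), dirs)
                findings.append(("autorun-from-appdata", value, folder))
        elif HEX_JOB_RE.match(line):
            findings.append(("hex-named-job", line, None))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_DIRS):
        print(finding)
```

Resolving the short path component matters here because the Run entry names the folder only as BAITDA~1, while the cleanup instructions and the directory listing use its long name.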
OK, when I go to the All Users folder there is no Application Data folder. Am I blind or missing something? I know it's there because it gets scanned; I just don't see it. Is it hidden? If so, how do I get into it? Isn't runDLL.exe or whatever bad?
Here are instructions on how to show hidden files and folders: http://www.bleepingcomputer.com/tutorials/tutorial62.html See if that helps. After your problems are fixed, you can put these settings back so you do not accidentally delete a system file.
Umm... rundll.exe would be bad if you're not in Win95, 98, or ME. Rundll32.exe is the proper process for 32-bit systems like XP and 2k.

edit - bloodtear, your log looks slightly shorter than a normal person's log would on XP. Could I get you to do two things for me?
1. Rename HijackThis to something like scanner.exe
2. Open the Backups section of HijackThis (when it starts click on "Misc Tools" and "Backups") and checkmark everything there. Click "Restore".