Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 9 of 9 Posts

· Registered
Joined
·
6 Posts
Discussion Starter · #1 ·
Hi guys,

Can anybody help me try to get rid of the annoying pop up window which is labelled 680130.net. I've tried programs such as Ad-Aware, Spyware Blaster & Spybot - Search & Destroy but none of these seem to work. Please can you help me out?

:mad:
 

· Retired Moderator
Joined
·
72,209 Posts
Hi JUSSI75, Welcome to TSG!!

Create a permanent folder on your hard drive for Hijackthis, like My Documents\HJT
Click on this link: http://www.spywareinfo.com/~merijn/files/HijackThis.exe and "Save" hijackthis to the folder you have created.

Double click on the program to run hijackthis, click "scan" then click on "Save Log".

Post a copy back here and someone will be happy to review it.

Don't make any changes until instructed to do so.
 

· Registered
Joined
·
3,181 Posts
I have posted your log for you

Logfile of HijackThis v1.99.0
Scan saved at 16:32:30, on 01/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\INV32CLI.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\WUSER32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\MS\SMS\BIN\pcmwin32.exe
C:\MS\SMS\BIN\appctl32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\MS\SMS\BIN\climonnt.exe
C:\Program Files\AutoCAD 2004\acad.exe
C:\DOCUME~1\JF789~1.HIN\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
I:\J. Hinsley\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
F3 - REG:win.ini: load=smsrun32.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\htiwege.dll
O2 - BHO: (no name) - {3D11B23C-B381-7D9B-43D7-499EFDC43AA8} - C:\WINDOWS\Xkqorijv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\system32\mqwuw.dll
O2 - BHO: SDWin32 Class - {FB0C53D7-A3E0-4BE7-8F6B-B32E05182244} - C:\WINDOWS\system32\mqwuw.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: Search - {8B88DD86-3696-D399-0861-DE90850EBB0A} - C:\WINDOWS\Xkqorijv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - Startup: System Instrumentation.lnk = Profiles\M.Gilmore\Favorites\Links\Toggle Images.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097485306578
O17 - HKLM\System\CCS\Services\Tcpip\..\{C864664D-81F9-4D6A-8EA6-4C93F016B307}: NameServer = 194.119.131.65,194.119.131.66
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

· Registered
Joined
·
3,181 Posts
Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

F3 - REG:win.ini: load=smsrun32.exe

O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\htiwege.dll

O2 - BHO: (no name) - {3D11B23C-B381-7D9B-43D7-499EFDC43AA8} - C:\WINDOWS\Xkqorijv.dll (file missing)

O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\system32\mqwuw.dll

O2 - BHO: SDWin32 Class - {FB0C53D7-A3E0-4BE7-8F6B-B32E05182244} - C:\WINDOWS\system32\mqwuw.dll

O3 - Toolbar: Search - {8B88DD86-3696-D399-0861-DE90850EBB0A} - C:\WINDOWS\Xkqorijv.dll (file missing)

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

Reboot in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

and delet these

C:\WINDOWS\satmat.exe

C:\WINDOWS\farmmext.exe

Reboot and post a new hijackthis log
 

· Retired Moderator
Joined
·
72,209 Posts
Add these to the list of fixes!

Run HJT again and put a check in the following:

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Close all applications and browser windows before you click "fix checked".
 
1 - 9 of 9 Posts
Status
Not open for further replies.
Top