Author Topic: daosearch and other pop ups  (Read 924 times)

Offline greendragon4

« on: March 28, 2005, 05:44:16 PM »
Please help, daosearch has taken over my browser and I have various other popups. Thank you
Logfile of HijackThis v1.99.1
Scan saved at 5:45:07 PM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\hqvqkeyt.exe
C:\WINDOWS\System32\Services\{8F3BE65F-6E73-4A16-BB86-18F8BCE1304D}\SVCHOST.EXE
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\hpae.exe
C:\WINDOWS\System32\?ttrib.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [srmbuv] c:\windows\system32\srmbuv.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [pyeqybpwmqpwydjsvsyofzobz] C:\WINDOWS\hqvqkeyt.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{8F3BE65F-6E73-4A16-BB86-18F8BCE1304D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [olesvr32] C:\WINDOWS\System32\olesvr32.exe
O4 - HKCU\..\Run: [hw0sRkKnT] pinmeter.exe
O4 - HKCU\..\Run: [Esat] C:\WINDOWS\System32\hpae.exe
O4 - HKCU\..\Run: [Gxovcbd] C:\WINDOWS\System32\?ttrib.exe
O4 - Startup: I.url
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {266792BD-911E-4158-B0FC-009A3FDCA83B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {266792BD-911E-4158-B0FC-009A3FDCA83B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2E7D1F17-3D55-4E82-A664-7FF4D95FFDDD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2E7D1F17-3D55-4E82-A664-7FF4D95FFDDD} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E269E6F7-2857-4689-BB2A-AC6B55C8714F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E269E6F7-2857-4689-BB2A-AC6B55C8714F} - (no file) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c11.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {64B8D832-C085-7F88-08F9-6733057AA222} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - file://C:\Program Files\AutoCAD 2002\SysVerChk.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7CF4B9DF-7A2B-63AB-44EA-7AA553684312} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {7FFEAE0D-7AA2-2AF7-5C1A-1933032B8C3A} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Offline guestolo

« Reply #1 on: March 29, 2005, 07:43:54 PM »
Access your Add/Remove programs and remove if found
NCase or similar
180 Search Assistant or similar
Stay online while uninstalling
Follow the Removal instructions carefully

Restart your computer if removed

Afterwards
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Find and delete if found
c:\windows\180ax.exe <-file
c:\windows\system32\srmbuv.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\hqvqkeyt.exe
C:\windows\system32\taskmg.exe <-file. Notice the spelling, don't delete taskmgr.exe
C:\WINDOWS\System32\olesvr32.exe
C:\WINDOWS\System32\hpae.exe
pinmeter.exe <--Search for this one
I.url <--this one, may be in your
C:\Documents and Settings\<your user>\Start Menu\Programs\Startup folder

C:\WINDOWS\System32\Services\{8F3BE65F-6E73-4A16-BB86-18F8BCE1304D} <-folder
C:\Program Files\Ebates_MoeMoneyMaker <-folder

Stay in safe mode

Go to START>>RUN>>type in
%temp%
Hit OK
New window click EDIT>>SELECT ALL
Delete the selected

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a

O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [srmbuv] c:\windows\system32\srmbuv.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [pyeqybpwmqpwydjsvsyofzobz] C:\WINDOWS\hqvqkeyt.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{8F3BE65F-6E73-4A16-BB86-18F8BCE1304D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe

O4 - HKCU\..\Run: [olesvr32] C:\WINDOWS\System32\olesvr32.exe
O4 - HKCU\..\Run: [hw0sRkKnT] pinmeter.exe
O4 - HKCU\..\Run: [Esat] C:\WINDOWS\System32\hpae.exe
O4 - HKCU\..\Run: [Gxovcbd] C:\WINDOWS\System32\?ttrib.exe
O4 - Startup: I.url

O9 - Extra button: Microsoft AntiSpyware helper - {266792BD-911E-4158-B0FC-009A3FDCA83B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {266792BD-911E-4158-B0FC-009A3FDCA83B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2E7D1F17-3D55-4E82-A664-7FF4D95FFDDD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2E7D1F17-3D55-4E82-A664-7FF4D95FFDDD} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E269E6F7-2857-4689-BB2A-AC6B55C8714F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E269E6F7-2857-4689-BB2A-AC6B55C8714F} - (no file) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c11.cab

O16 - DPF: {64B8D832-C085-7F88-08F9-6733057AA222} - http://69.50.182.94/1/rdgUS1882.exe

O16 - DPF: {7CF4B9DF-7A2B-63AB-44EA-7AA553684312} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {7FFEAE0D-7AA2-2AF7-5C1A-1933032B8C3A} - http://69.50.182.94/1/rdgUS1882.exe

O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log afterwards

Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE  box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop
Code:
dir C:\WINDOWS\System32\?ttrib.exe /a h > files.txt
notepad files.txt

Double click on Export.bat
A text file will open, copy and paste back the contents
« Last Edit: March 29, 2005, 07:46:49 PM by guestolo »
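
The following triage script is an added example, not part of either post and not HijackThis's own logic. It parses O4 and O16 lines copied from the log above and flags three traits visible in the entries the reply selects: a file name that imitates a Windows tool, a system tool name running from the wrong folder, and an ActiveX download served from a bare IP address or as a raw .exe. The allow-list, the similarity cutoff and the function names are assumptions made for illustration.

```python
import difflib
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: six lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{8F3BE65F-6E73-4A16-BB86-18F8BCE1304D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKCU\..\Run: [Gxovcbd] C:\WINDOWS\System32\?ttrib.exe
O16 - DPF: {64B8D832-C085-7F88-08F9-6733057AA222} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
"""
# Assumption: a tiny allow-list of real Windows tools that live in System32.
KNOWN = ("taskmgr.exe", "svchost.exe", "attrib.exe")
SYSTEM32 = r"c:\windows\system32"
O4 = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")

def lookalike(name):
    """Return the known tool that `name` closely resembles without equalling it."""
    close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.85)
    return close[0] if close and close[0] != name else None

def triage(log):
    """Map each log line that trips a heuristic to the list of reasons."""
    hits = {}
    for line in filter(None, map(str.strip, log.splitlines())):
        reasons = []
        if m := O4.match(line):
            exe = re.match(r".+?\.exe", m["cmd"], re.I)
            folder, name = ntpath.split((exe[0] if exe else m["cmd"]).lower())
            if "?" in name:  # '?' is illegal in Windows file names
                reasons.append("name holds a character the log could not print")
            if real := lookalike(name):
                reasons.append(f"closely resembles {real}")
            if name in KNOWN and folder != SYSTEM32:
                reasons.append(f"{name} outside {SYSTEM32}")
        elif m := O16.match(line):
            url = urlparse(m["url"])
            if re.fullmatch(r"[\d.]+", url.hostname or ""):
                reasons.append("ActiveX download from a bare IP address")
            if url.path.lower().endswith(".exe"):
                reasons.append("ActiveX entry points at a raw .exe")
        if reasons:
            hits[line] = reasons
    return hits
```

Calling `triage(SAMPLE_LOG)` flags four of the six sample lines and leaves the AVG and PopCap entries alone. A flag is a prompt to look at the file, not a verdict.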
