michaely Posted November 30, 2004 Report Share Posted November 30, 2004 I get random popups containing ads. When I run spybot SD I get 3 possible threats. I remove them but they come back. 2 of them is Common hijacker to a ip=69.20.16.183 and the last one is IgetNet, ieautosearch also to the same IPI have a log from Hijack this. If I try to remove the 3 01-posts in the hijackscan they also come back in a few seconds. Can anyone help?Logfile of HijackThis v1.98.2Scan saved at 16:15:48, on 2004-11-30Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program\CA\Common\Alert\ALERT.EXEC:\Program\Cisco Systems\VPN Client\cvpnd.exeC:\Program\Compaq\COMPAQ~1\hibserv.exeC:\Program\CA\eTrust\InoculateIT\InoRpc.exeC:\Program\CA\eTrust\InoculateIT\InoRT.exeC:\Program\CA\eTrust\InoculateIT\InoTask.exeC:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\nutsrv4.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\Explorer.EXEC:\Program\Compaq\EAB\EabServr.exeC:\Program\CA\eTrust\InoculateIT\realmon.exeC:\Program\MSN Messenger\msnmsgr.exeC:\WINDOWS\System32\wuauclt.exeC:\temp\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.seR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.msn.seR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dovlx1.dom.se/intraweb/goO1 - Hosts: 69.20.16.183 auto.search.msn.comO1 - Hosts: 69.20.16.183 search.netscape.comO1 - Hosts: 69.20.16.183 ieautosearchO4 - HKLM\..\Run: [eabconfg.cpl] C:\Program\Compaq\EAB\EabServr.exe /StartO4 - HKLM\..\Run: [Realtime Monitor] C:\Program\CA\eTrust\InoculateIT\realmon.exeO4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program\Rational\Rational Test\nutcroot\bin\ncoeenv.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /backgroundO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXEO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dllO17 - HKLM\System\CCS\Services\Tcpip\..\{08DB9CFC-4B41-45A5-9A87-6B1637BF986B}: NameServer = 159.190.1.72,159.190.1.8,164.9.196.5,169.9.196.55O17 - HKLM\System\CS1\Services\Tcpip\..\{08DB9CFC-4B41-45A5-9A87-6B1637BF986B}: NameServer = 159.190.1.72,159.190.1.8,164.9.196.5,169.9.196.55O17 - HKLM\System\CS2\Services\Tcpip\..\{08DB9CFC-4B41-45A5-9A87-6B1637BF986B}: NameServer = 159.190.1.72,159.190.1.8,164.9.196.5,169.9.196.55 Link to post Share on other sites
tg1911 Posted November 30, 2004 Report Share Posted November 30, 2004 Put HijackThis in a Permanent folder:Click My Computer / C: / File / New / Folder / name the folder; HijackThisPut HijackThis.exe, in this folder.This is a mandatory step, for the backup and restore functions, of HijackThis, to be able to work.Read the pinned post in the Security forum, hereThen, run a log, and post it in the HJT forum, here. Do not, fix anything, yet.A member, of the HJT Team, will help you out.Please, be patient, these people are volunteers. They will help you out, as soon as possible. Link to post Share on other sites
michaely Posted December 1, 2004 Author Report Share Posted December 1, 2004 Hi againStarted a new from a restartpoint day before yesterdayInstalled and ran the new updated adaware which found several problems compared to my old version.that seems to have made the trickThanks!Michael Link to post Share on other sites
Dragon Posted December 3, 2004 Report Share Posted December 3, 2004 hi Michaely,could you please post a new hijack this log, I wan to tcompare it to your old one to make sure everything is fixed. Thanks Link to post Share on other sites
Recommended Posts