·
Registered
Joined
·
1,702 Posts
Discussion Starter #1
I have a virus that pops up random pron windows on both of my screens.
I know where it is, but it says to stop the activity before I can stop it, and each time I stop it via Ctrl-Alt-Del, it restarts. It's in my Windows sys 32 folder. I have AVG anti-virus running and scanning, also I have NOD32 anti-virus and lastly Ad-Aware SE running and scanning. None of them find it. Now what do I do? I know nothing about regedit so I can't use that to get rid of it.

plz help me!!!
 

·
Premium Member
Joined
·
4,543 Posts
www.majorgeeks.com

This is the site that brought hope back to me.

Download HijackThis and post your log up here. (Be sure to do it in Safe mode.)
 

·
Registered
Joined
·
1,702 Posts
Discussion Starter #4
Here's my log from HijackThis in safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 7:18:18 PM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://overclock.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://overclock.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - C:\Program Files\VideoCompressionCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16\RivaTuner.exe" /S
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
<b>O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)</b>

That's where I think the virus is, but I deleted all of the files I could and still have it running pop-ups,
so evidently I don't know where it is.
 

·
Registered
Joined
·
1,702 Posts
Discussion Starter #5
bump
 

·
Registered
Joined
·
772 Posts
Well, there always is the last resort (a r34orma7); then you will know for sure that it isn't there anymore.
 

·
Premium Member
Joined
·
22,477 Posts
Here is an online site that has helped me before... Takes a while to run it, but it might help when your rig is infected... Trend Micro™ HouseCall (http://www.trendmicro.com/hc_intro/default.asp)
 

·
Registered
Joined
·
1,702 Posts
Discussion Starter #8
a wat?!
Edit: does anybody know of the "video compression codec"? I think that's the virus; I could be wrong though.
 

·
Registered
Joined
·
7 Posts
Well, the best thing 2 do (in my experience) is to type the .dll file or .exe file in Google and see what it says. I did this with the "video compression codec" of yours (isaddon.dll) and all the results said it was "bad", it's a trojan file and you should get rid of it quickly. Hope I was of help.
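
An added example, not part of any post in this thread: a small Python triage pass over a HijackThis log that pulls out the file names worth looking up, as the reply above did by hand for isaddon.dll. The three markers it keys on are taken from entries in the log posted earlier; treating them as "look this up" signals is an assumption of this sketch, and the sample lines are copied from that log.

```python
import re
from collections import namedtuple

# Constructed sample: five entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - C:\Program Files\VideoCompressionCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
"""

Finding = namedtuple("Finding", "section reasons filename line")

# "O2 - ...", "O23 - ...", "R0 - ...": section code, then the entry body.
ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
# First drive-letter path in the body that ends in .exe or .dll.
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# Assumption: these markers mean "look the file up", not "this is malware".
MARKERS = {
    "(file missing)": "file missing",
    "(no name)": "no name",
    "Unknown owner": "unknown owner",
}


def triage(log_text):
    """Return a Finding for every log entry carrying at least one marker."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        reasons = [label for marker, label in MARKERS.items() if marker in body]
        if not reasons:
            continue
        path = PATH.search(body)
        filename = path.group(0).rsplit("\\", 1)[-1].lower() if path else None
        findings.append(Finding(section, reasons, filename, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.filename, ", ".join(f.reasons))
```

A flagged entry is a lead for the lookup step, not a verdict on the file.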
 

·
Registered
Joined
·
1,246 Posts
"video compression codec" isn't likely to be the problem. Viruses usually come in the form of dodgily or randomly named .exe files.

Also, r34orma7 is a stupid geek way of spelling reformat - nice one jmc7983
 