www.0dp.com, about: blank, and other problems

Discussion in 'Malware and Virus Removal Archive' started by lthilsdorf, 2005/08/20.

  1. 2005/08/20
    lthilsdorf

    lthilsdorf Inactive Thread Starter

    For months now I have had to constantly deal with spyware/pop up problems. I would go and manually delete everything Ad Aware and Spyware Doctor would find but then a few days later it would all come back. So a few days ago I finally downloaded a new browser (Firefox), spyware remover (Microsoft AntiSpyware) and thought I removed everything. But now I am still getting pop ups with a little bar at the bottom that mentions "web nexus" and just today I started getting www.0dp.com pop ups as well as about: blank ones too. Also ZoneAlarm and MS AntiSpyware detected several processes that are listed below:

    -ldks4d.exe reg_run
    -ntdr.exe
    -dees.exe
    -d140113.a.stub.exe (dnam)

    They tried to get access and when I denied I suddenly had all those pop ups I mentioned. This process has been going on for 5 months now where I remove everything but then it just comes back a few days later. Can anyone help me? Here is a HijackThis log from a few minutes ago.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:12:10 PM, on 8/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\WINNT\System32\gearsec.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\ScsiAccess.EXE
    C:\WINNT\system32\ssoftsrv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINNT\system32\dees.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\ldks4d.exe reg_run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: Registration Pacific Fighters.LNK = D:\registration_us\RegistrationReminder.exe
    O4 - Startup: Registration Silent Hunter III.LNK = C:\Program Files\Ubisoft\SilentHunterIII\Support\Register\RegistrationReminder.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
    O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: SWF To Video Scout - {5AA8BC0B-9A0E-4E82-8CF8-E26618BCF5A6} - C:\Program Files\SWF To Video Scout\flashextract.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/installers/cab/WinFixer2005ScannerInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A6D2009E-B2D3-481C-BB9A-46A0DA3DB341}: NameServer = 216.144.240.8 216.144.240.2
    O20 - Winlogon Notify: OemStartMenuData - C:\WINNT\system32\opedlg.dll
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\System32\gearsec.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (P) (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
     
  2. 2005/08/23
    markp62

    markp62 Geek Member Alumni

    Hello, welcome to the boards.

    Disable System Restore.

    Open HJT, and click on 'Open misc tools section', then click on 'Open process manager'. Locate this in the list, highlight it and click on 'Kill Process'.

    C:\WINNT\system32\dees.exe

    Now click on the 'Back' button, this button will change to 'Config', click on 'Config' then click on 'Delete a file on reboot', a File Open window will appear. Copy/Paste the following into it.

    C:\WINNT\system32\dees.exe

    Then click on Open, and you will be prompted to reboot, select No at this time. Do the same for these.

    C:\WINNT\system32\ldks4d.exe
    C:\WINNT\system32\opedlg.dll

    Rescan with HJT, and remove these items.

    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\ldks4d.exe reg_run
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/...nnerInstall.cab
    O20 - Winlogon Notify: OemStartMenuData - C:\WINNT\system32\opedlg.dll

    Reboot into Safe Mode.
    Delete all files and folders located in these folders.
    C:\Windows\Prefetch
    C:\Windows\Temp
    C:\Documents and Settings\username\Local Settings\Temp

    Reboot into Normal mode, and then enable System Restore.
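
To confirm the cleanup after the final reboot, a fresh HijackThis log can be checked for anything that still references the items targeted in the reply above. The following is an added example, not part of either post or of HijackThis itself; the function names are hypothetical, and the sample logs are constructed from lines in the thread (the second is a hypothetical clean rescan).

```python
import re
from collections import defaultdict

# Items the reply targets: three files plus the O16 CLSID (all from the thread).
TARGETS = [
    r"C:\WINNT\system32\dees.exe",
    r"C:\WINNT\system32\ldks4d.exe",
    r"C:\WINNT\system32\opedlg.dll",
    "{F919FBD3-A96B-4679-AF26-F551439BB5FD}",
]
ENTRY = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")  # section code, then the entry text

def parse_log(text):
    """Split a HijackThis log into running-process paths and section entries."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif match:
            in_procs = False
            entries[match.group(1)].append(match.group(2))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def residual_references(text, targets=TARGETS):
    """Return (section, line) pairs that still mention a targeted item."""
    wanted = [t.lower() for t in targets]  # HijackThis mixes path case
    processes, entries = parse_log(text)
    hits = [("process", p) for p in processes if p.lower() in wanted]
    for code, items in entries.items():
        hits += [(code, i) for i in items if any(t in i.lower() for t in wanted)]
    return hits

# Constructed samples: lines copied from the thread's log, then a hypothetical clean rescan.
BEFORE = r"""Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\system32\dees.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\ldks4d.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/installers/cab/WinFixer2005ScannerInstall.cab
O20 - Winlogon Notify: OemStartMenuData - C:\WINNT\system32\opedlg.dll
"""
AFTER = r"""Running processes:
C:\WINNT\system32\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
"""
```

An empty result from `residual_references` on the new log means none of the targeted files or the CLSID is still running or registered to start; any returned pair names the section that reintroduced it.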
     
