Hello everyone!
I've been having internet and computer problems for the past 2 weeks. Every time I log on the internet it redirects itself to http://j0r.biz. I used Stinger, McAfee, Spybot and Ad-aware and nothing was detected, but the internet still gets redirected. Also, there seems to be a file named loader2.ocx that can't be deleted, cleaned or removed. So I used HijackThis 1.99 and saved the log. Could anyone please take a look at it and tell me what to delete? I have no clue what to do.
Thanks a lot !

Microsoft's free download of its Beta version of AntiSpyware program claims to be able to recover a browser that has been hijacked to its previous state. I would give it a try.
In the past I manually removed all the hijack software and registry keys and this is a painstakingly slow and frustrating process. If Microsoft's product can do it automatically, that would be great.

Hi Zen, hello everyone
I am not sure on the rules about posting a hijackthis log in the forums as of late. Email it to me and I shall post my finding back here.
Best Regards,
Mesich

You definitely have something nasty on your computer, of that there is no doubt.
I tried going to http://j0r.biz and the results were telling. It first displayed Yahoo's Home page. Then it attempted to load an ActiveX control. Windows IE pop-up stopper stopped it with the warning that you must be 18 years or over to access free porn . . . Needless to say I declined the offer to download the ActiveX.
loader2.ocx is almost certainly the ActiveX it downloads and I would bet next month's salary that this is a dialler that dials a premium rate number on your modem, probably somewhere in Eastern Europe. So much for free porn - like free lunches, it doesn't exist.
I would try booting into safe mode. You should then be able to delete loader2.ocx. Look closely at the HijackThis log and delete anything that relates to loader2.ocx or http://j0r.biz.
Stuart

Already scanned the PC in safe mode but nothing was detected.
Mesich - got the email? Now that I think of it, I got the following message a couple of times:
" Acrobat Plug-in - Could not find Acrobat External Window Handler"
How can this be fixed?

loader2.ocx is definitely bad, I have removed this from many computers.
Post your hijackthis log here....
http://hijackthis.de/index.php?langselect=english

Hello everyone,
Here is a copy of Zen's log;
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\n3monap23.exe
D:\Addtl Programs\Adobe 6.0 Pro\Distillr\acrotray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patricia\Escritorio\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\addtl programs\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Addtl Programs\Adobe 6.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Addtl Programs\Adobe 6.0 Pro\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\RunServices: [MONPluginSrIvcs] n3monap23.exe
O4 - HKCU\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Addtl Programs\Adobe 6.0 Pro\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106007401181
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6008A19-FE2F-4FC1-AE19-3F77D8DBD4BA}: NameServer = 200.48.225.130,200.48.225.146
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
Best Regards,
Mesich

Hello everyone,
Everything looks good except for the following, use hijackthis to remove them.
O4 - HKLM\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\RunServices: [MONPluginSrIvcs] n3monap23.exe
O4 - HKCU\..\Run: [MONPluginSrIvcs] n3monap23.exe
Check your IP address here and remove the item below if yours is not 200.48.225.130 or 200.48.225.146.
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6008A19-FE2F-4FC1-AE19-3F77D8DBD4BA}: NameServer = 200.48.225.130,200.48.225.146
Best Regards,
Mesich
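
As an added illustration (not part of any post in this thread, and not HijackThis's own logic), the Python below parses O4 autostart lines in the format of the log above and flags the two traits the n3monap23.exe entries share: a command given without a directory path, and the same command registered under several autostart keys. The sample lines are constructed from that log format, and both heuristics are assumptions that only prioritise entries for manual review.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\n3monap23.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\RunServices: [MONPluginSrIvcs] n3monap23.exe
O4 - HKCU\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
"""

# O4 registry autostart line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")


def parse_o4(log_text):
    """Return (registry_key, value_name, command) for each O4 registry entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def flag_autostarts(log_text):
    """Map each command worth a manual look to the reasons it was flagged."""
    keys_by_cmd = defaultdict(set)
    for key, _name, cmd in parse_o4(log_text):
        keys_by_cmd[cmd.strip()].add(key)
    findings = {}
    for cmd, keys in keys_by_cmd.items():
        reasons = []
        if "\\" not in cmd:  # assumption: a bare file name hides where it lives
            reasons.append("no path")
        if len(keys) > 1:    # assumption: redundant persistence is unusual
            reasons.append("in %d autostart keys" % len(keys))
        if reasons:
            findings[cmd] = reasons
    return findings


if __name__ == "__main__":
    for cmd, reasons in flag_autostarts(SAMPLE_LOG).items():
        print(cmd, "->", ", ".join(reasons))
```

A flagged entry is a candidate for review, not a verdict; legitimate software also registers bare file names that resolve through the system path.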

Hello everyone,
Zen,
Forgot to mention after removing the items above, restart the computer.
Also, if you have any problems after removing those items, start hijackthis.
Click on View the list of backups.
Place a check next to the backup and click Restore.
Best Regards,
Mesich

The following I got from another forum after googling n3mnap23.. please deal with accordingly, the person posted their HijackThis results, and had the same entries as you did, do note the very last line.
"Attention!
Kaspersky Anti-Virus has detected a virus in the file you have submitted. We suggest that you consider:
Reading about the virus/viruses in our Virus Encyclopedia
Downloading a trial version of Kaspersky Anti-Virus
Purchasing a copy of Kaspersky Anti-Virus in our E-Store
Purchasing Kaspersky Anti-Virus from a certified partner
Scanned file: n3monap23.exe
n3monap23.exe - infected by Backdoor.Win32.Rbot.gen "
