The unstoppable poppable.

Occasionally whenever a new MSIE window opens, either by launching MSIE or clicking a link that opens a new window, an extra window taking me to mp3721.com (a Chinese website for... media?) will open, as well.

It happens all the time when I first boot my computer and open MSIE for the first time that session. I'll open MSIE and up comes my homepage but a 2nd window with mp3721.com.

I've recently formatted and I'm a 'perfectionist' when it comes to keeping my hard drive and OS in order. I don't know how the hell I got this.

AVG anti-virus and Spybot S&D are apparently not detecting it because it's still here.

Please help me remove this annoying piece of malware!

Thank you.

* Win XP Pro SP2 all patched with Microsoft Internet Explorer. Legal copy (Dell gaming laptop XPS Gen 2)

Comments

  • skywalker45 Bloomington, IN. USA
    edited April 2006
    Please download Hijack This from [url=http://www.short-media.com/download.php?dc=69&p=3]here.[/url] Unzip the program to its own folder. Open Hijack This and have it do a system scan and save a log file. The log will open in notepad. Copy and paste the entire contents of the log in your next reply.
    :)
  • edited April 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 5:56:25 AM, on 4/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Free\avgwb.dat
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Nathan\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\system32\NaviHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    Run Hijack This again and put a check (tick) next to the following:

    O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\system32\NaviHelper.dll

    Close all other browsers/windows and click Fix Checked.

    Make sure you can view all hidden files, explained below:
    • Click "Start".
    • Click "My Computer".
    • Select the "Tools" menu and click "Folder Options".
    • Select the "View" tab.
    • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Click "Yes" to confirm.
    • Uncheck the "Hide file extensions for known file types".
    • Click Apply then click "OK".

    Restart the PC in safe mode. Do this by rebooting. As the PC is booting begin tapping the F8 key. Keep tapping F8 until the advanced boot options menu appears. Scroll to the top choice which is safe mode and then press enter.

    Once in safe mode use Windows Explorer to find and delete the following:

    C:\WINDOWS\system32\NaviHelper.dll<----This file.

    Reboot into normal mode and post a fresh Hijack This log.
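
A small parser for the O2 (Browser Helper Object) lines of a HijackThis log like the one posted above, added here as an example and not part of the original thread. The install-directory rule in `needs_review` and the `INSTALL_DIRS` list are assumptions used to prioritise manual lookups, not the method the helper used to pick the entry.

```python
import re

# Constructed sample: three O2 lines and one O4 line copied from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\system32\NaviHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <dll path>".
# The path may itself contain " - " (Spybot's does), so anchor on the braced CLSID.
O2_RE = re.compile(
    r"^\s*O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)

# Assumption: directories where installed applications normally keep their DLLs.
INSTALL_DIRS = ("c:\\program files\\", "c:\\progra~1\\")


def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line; other sections are skipped."""
    bhos = []
    for line in log_text.splitlines():
        match = O2_RE.match(line)
        if match:
            bhos.append(match.groupdict())
    return bhos


def needs_review(bho, install_dirs=INSTALL_DIRS):
    """Hypothetical triage rule: a BHO DLL that sits outside an application
    install directory is looked up by name and CLSID before anything else.
    A flag means "check this entry first", not "delete this file"."""
    path = bho["path"].lower()
    return not any(path.startswith(d) for d in install_dirs)


def review_queue(log_text):
    """Names of the BHO entries the rule above puts at the front of the queue."""
    return [b["name"] for b in parse_bhos(log_text) if needs_review(b)]


if __name__ == "__main__":
    for bho in parse_bhos(SAMPLE_LOG):
        tag = "REVIEW" if needs_review(bho) else "ok    "
        print(tag, bho["clsid"], bho["path"])
```
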
  • edited April 2006
    I'll never be sure how I got it, but it's gone now.

    Thanks a ton, my friend.

    That Browser Helper Object is now removed and no longer causing me issues. An added bonus, I now understand quite a few things better.

    Props.
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    You're very welcome. Could you please post a new Hijack This log for me to look at?
    :)