Full Version: Malware Site In Ie
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
11bfeller
I have an older computer that has Windows 2000 installed, and when I open up Internet Explorer my home page gets switched to a malware website that says I need to install a malware program. The warning is for a W32.Myzor.Fk@yf... It says I need to install software to remove and fix this problem and brings me to a site for MalwareBurn, which downloads a bunch of other programs when installed.

Any ideas for an easy fix? I cannot get into Internet Explorer at all, but when I run AVG Antivirus it comes back with no detections.
Ironbender
Hi 11bfeller, welcome to SAF

I'm moving this thread to the proper forum. Please take a look at this pinned topic and post back a hijackthis log here, as we can take a look at it: http://www.suggestafix.com/index.php?showtopic=16053

Chris
11bfeller
I am unable to download HijackThis on my computer. It tells me that Internet Explorer cannot open this site, and I get another popup that says I need to download yet another spyware/malware program and pay X amount of dollars to use the program after registering it.
11bfeller
Logfile of HijackThis v1.99.1
Scan saved at 12:23:33 AM, on 11/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Image Add-on\isfmm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Image Add-on\isfmntr.exe
C:\Program Files\Image Add-on\isfmm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\hijackcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Image Add-on\isfmdl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Unknown owner - C:\WINNT\System32\dsnthser.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)

Ironbender
Well, you did not follow all the instructions from the pinned topic I asked you to read. You are using an outdated HJT version. Please wipe out this old one and download the latest version from http://www.bleepingcomputer.com/files/hijackthis.php

Download Smitfraudfix from http://siri.geekstogo.com/SmitfraudFix.php
Copy and follow the page instructions, don't run it yet.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\Program Files\Image Add-on\isfmm.exe
C:\Program Files\Image Add-on\isfmntr.exe

Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Image Add-on\isfmdl.dll

O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run smitfraudfix option #2 (Clean)

Set your system to show all files; please see here if you're unsure how to do this.

Using Windows Explorer, locate the following files/folders and delete them if still showing:

C:\Program Files\Image Add-on\ (whole folder)
C:\WINNT\nvidGUIv.exe (file)

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HJT log along with the SmitFraud c:\rapport.txt log.

Chris
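The three HijackThis entries Chris asked to have fixed share recognisable traits: a start page forced to about:blank, a browser helper object with no name, and a service with no publisher whose binary is gone. As an added example (not code from the thread or from HijackThis itself), the script below parses HJT-style log lines and flags entries showing those traits, using the lines from this log as constructed sample input; a legitimate Ad-Aware service entry is included to show it is left alone.

```python
import re

# Constructed sample: the three entries the helper flagged in this thread,
# plus one legitimate O23 service line from the same log as a control.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Image Add-on\isfmdl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
"""

# HJT entries start with a section code (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (code, body) tuples for HJT entry lines; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Map each suspicious entry body to the reasons it deserves a manual look.

    These are review heuristics, not proof of infection: a legitimate service
    can lack a publisher string, so every hit still needs a human decision.
    """
    findings = {}
    for code, body in entries:
        reasons = []
        if code == "R0" and "Start Page" in body and "about:blank" in body:
            reasons.append("start page reset to about:blank (typical hijack residue)")
        if code == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object with no name")
        if code == "O23":
            if "Unknown owner" in body:
                reasons.append("service with no publisher")
            if body.endswith("(file missing)"):
                reasons.append("service registered but binary missing on disk")
        if reasons:
            findings[body] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for body, why in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"REVIEW: {body}\n    -> {why}")
```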
11bfeller
SmitFraudFix v2.247

Scan done at 9:23:58.98, Sun 11/04/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6574FA2E-B78D-4542-9938-84606CA49DEE}: DhcpNameServer=24.205.224.36 24.205.1.62 24.205.1.14
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6D643D6B-8F88-42B7-8111-DFD3BB036CD8}: DhcpNameServer=24.92.226.12 24.92.226.173
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B02DE250-0A0E-43B1-AD70-8F3F8575F028}: DhcpNameServer=66.133.150.12 67.50.135.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6574FA2E-B78D-4542-9938-84606CA49DEE}: DhcpNameServer=24.205.224.36 24.205.1.62 24.205.1.14
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6574FA2E-B78D-4542-9938-84606CA49DEE}: DhcpNameServer=24.205.224.36 24.205.1.62 24.205.1.14
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6D643D6B-8F88-42B7-8111-DFD3BB036CD8}: DhcpNameServer=24.92.226.12 24.92.226.173
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B02DE250-0A0E-43B1-AD70-8F3F8575F028}: DhcpNameServer=66.133.150.12 67.50.135.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6574FA2E-B78D-4542-9938-84606CA49DEE}: DhcpNameServer=24.205.224.36 24.205.1.62 24.205.1.14
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6D643D6B-8F88-42B7-8111-DFD3BB036CD8}: DhcpNameServer=24.92.226.12 24.92.226.173
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B02DE250-0A0E-43B1-AD70-8F3F8575F028}: DhcpNameServer=66.133.150.12 67.50.135.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.133.150.12 67.50.135.146
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.133.150.12 67.50.135.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.133.150.12 67.50.135.146


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:04 AM, on 11/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackcheck.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Unknown owner - C:\WINNT\System32\dsnthser.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)

--
End of file - 1910 bytes


Ironbender
Did you successfully delete this file ? C:\WINNT\nvidGUIv.exe

How is your system running now ?

Chris
11bfeller
Got it fixed. My system is running good now. Thanks for all your help.
Ironbender
That's good news. You are welcome.

I would strongly suggest you stop this bad service, even though the file was deleted, as it's just cluttering the system: O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)

- Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
- Double-click Administrative Tools, and then, double-click Services.
- Select nvidGUIv (nvidGUIv2) from the list of services.
- On the Action menu, click Stop to discontinue the service.

Close all and restart.

Chris