Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible. Turn off System Restore by right-clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.
Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but make sure):
C:\WINDOWS\system32\w?nlogon.exe
Run HijackThis and fix this entry:
O2 - BHO: (no name) - {63929A18-7BF9-2F7A-8688-5740459DFBCC} - C:\WINDOWS\System32\aoop.dll
C:\WINDOWS\System32\aoop.dll <--delete that file
C:\WINDOWS\system32\w?nlogon.exe <--delete that file. Make sure you get the one with the ? in it and NOT the legit named one.
Delete the 16 alarms that TDS-3 tagged as positive. Repost another HijackThis log when finished. If you're not sure about the TDS-3 entries...copy and paste everything found in the bottom window and post it here.
Last edited by MicroBell; 03-23-2005 at 12:59 AM.
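An added example, not part of the original post: a short Python check that separates the legitimate winlogon.exe from names that differ from it by one character, as w?nlogon.exe does, and prints each character's code point so the stand-in is visible. It assumes the ? in the log stands for a character the logging tool could not display (a literal ? is not allowed in Windows file names); the function names and the sample list are constructed for illustration.

```python
import unicodedata

# Legitimate names to compare against; winlogon.exe is the one the post warns about.
LEGIT = ("winlogon.exe",)

def one_char_off(name, legit):
    """True if name has the same length as legit and differs in exactly one position."""
    if len(name) != len(legit):
        return False
    return sum(a != b for a, b in zip(name, legit)) == 1

def classify(name, legit_names=LEGIT):
    """Return 'legit', 'lookalike' or 'other' for a bare file name."""
    folded = name.casefold()
    if folded in legit_names:
        return "legit"
    # Strip combining accents so that an accented letter folds to its base letter.
    stripped = "".join(c for c in unicodedata.normalize("NFKD", folded)
                       if not unicodedata.combining(c))
    for legit in legit_names:
        if stripped == legit or one_char_off(folded, legit):
            return "lookalike"
    return "other"

def describe(name):
    """Show each character with its code point, so a non-ASCII stand-in is visible."""
    return " ".join(f"{c}(U+{ord(c):04X})" for c in name)

# Constructed sample listing (not taken from the poster's log).
SAMPLE = ["winlogon.exe", "WINLOGON.EXE", "w?nlogon.exe",
          "w\u00ednlogon.exe", "w\u0456nlogon.exe", "notepad.exe"]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{classify(n):9}  {describe(n)}")
```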