•
•
•
•
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 455,968 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 3,739 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Please support our Viruses, Spyware and other Nasties advertiser: 64-bit Windows Community
Views: 1987 | Replies: 3
 |
•
•
Join Date: Aug 2004
Posts: 2
Reputation: 
Rep Power: 0
Solved Threads: 0
Newbie Poster
Logfile of HijackThis v1.97.7
Scan saved at 11:39:04 PM, on 8/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\ARCHIVOS DE PROGRAMA\NETMEETING\CONF.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MNMSRVC.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\ARCHIVOS DE PROGRAMA\ACCESORIOS\WORDPAD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARCHIVOS DE PROGRAMA\WEBSITEVIEWER\124245.DLR
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\HIGHJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\l4skdyfv.slt\prefs.js)
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
Scan saved at 11:39:04 PM, on 8/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\ARCHIVOS DE PROGRAMA\NETMEETING\CONF.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MNMSRVC.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\ARCHIVOS DE PROGRAMA\ACCESORIOS\WORDPAD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARCHIVOS DE PROGRAMA\WEBSITEVIEWER\124245.DLR
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\HIGHJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\l4skdyfv.slt\prefs.js)
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,015
Reputation:
Rep Power: 23
Solved Threads: 455
Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
Reboot into safe mode following the instructions here & navigate to & delete the following if found:
C:\WINDOWS\wininet32.exe-file
C:\WINDOWS\runwin32.exe-file
Reboot normally after doing the above then post a fresh log please.
Is that a complete log? It looks a little short.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
Reboot into safe mode following the instructions here & navigate to & delete the following if found:
C:\WINDOWS\wininet32.exe-file
C:\WINDOWS\runwin32.exe-file
Reboot normally after doing the above then post a fresh log please.
Is that a complete log? It looks a little short.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Aug 2004
Posts: 2
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
new log and msn and explorer are still dead
Logfile of HijackThis v1.97.7
Scan saved at 9:19:08 PM, on 8/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\REAL\UPDATE_OB\REALSCHED.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\POPROXY.EXE
C:\ARCHIVOS DE PROGRAMA\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\RAINLENDAR\RAINLENDAR.EXE
C:\PROGRAM FILES\MIRC\MIRC.EXE
D:\LA CARPETAMIA\WINAMP\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\HIGHJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\l4skdyfv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\l4skdyfv.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\LACARP~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\system\MP_S3.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Archivos de programa\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIVOS DE PROGRAMA\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\RunServices: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\RunServices: [wininet32] C:\WINDOWS\wininet32.exe
Logfile of HijackThis v1.97.7
Scan saved at 9:19:08 PM, on 8/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\REAL\UPDATE_OB\REALSCHED.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\POPROXY.EXE
C:\ARCHIVOS DE PROGRAMA\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\RAINLENDAR\RAINLENDAR.EXE
C:\PROGRAM FILES\MIRC\MIRC.EXE
D:\LA CARPETAMIA\WINAMP\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\HIGHJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\l4skdyfv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\l4skdyfv.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\LACARP~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\system\MP_S3.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Archivos de programa\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIVOS DE PROGRAMA\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\RunServices: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\RunServices: [wininet32] C:\WINDOWS\wininet32.exe
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,015
Reputation:
Rep Power: 23
Solved Threads: 455
Still running the outdated version of hijackthis!
Those files still live too.
Go here for an on-line scan & set it to autoclean for you.
Try this scan as well.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\RunServices: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\RunServices: [wininet32] C:\WINDOWS\wininet32.exe
Delete those files in safe mode. Reboot normally & post another log.
Those files still live too.
Go here for an on-line scan & set it to autoclean for you.
Try this scan as well.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\RunServices: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\RunServices: [wininet32] C:\WINDOWS\wininet32.exe
Delete those files in safe mode. Reboot normally & post another log.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
|
•
•
•
•
•
•
•
•
DaniWeb Viruses, Spyware and other Nasties Marketplace
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Linear Mode
•
•
•
•
adult adware complete information console defender europe explorer firefox game google gradient graphics ie 7 ie7 im internet internet explorer internet explorer 7 legal live malware mcafee microsoft mozilla msn new folder new viruses news nhatquanglan phishing reliability search security sex software spyware survey svchost virus viruses vista web windows xbox 360 yahoo
- A few problems i've been having - with msn/internet explorer etc (Viruses, Spyware and other Nasties)
- Duckblink: DSO exploits (HJT Log inside) (Viruses, Spyware and other Nasties)
- Great search homepage (HIjack log inside) (Viruses, Spyware and other Nasties)
- HiJackThis log inside - Please help my poor computer! (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Spyware Problem and question involving BPS
- Next Thread: RE: Removal of spyware and fixing linkshare not working
