HiJackThis Log



#1 chanvey (New Member, 1 posts)

This is the logfile from a friend's computer that has completely prevented him from doing anything, including even reformatting. He has run various registry repair programs that have found many errors, but they are unable to fix anything. I thought I'd check and see if there was any spyware/malware that might be causing some of the problems, since he is unable to get online.

Thanks.




Logfile of HijackThis v1.99.1
Scan saved at 10:12:32 AM, on 2/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
A:\HIJACKTHIS.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.trinicom.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Netscape\Communicator\Program\NetHelp\Blank.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\penny\prefs.js)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE 4
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: winupdate.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = airmail.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8
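
The log above can be triaged offline before any scanner is run. The following script is an added example written for this thread; it is not part of the original post, and it is not HijackThis code. It parses the posted log (the excerpt below is copied from the post, with the 15 identical WINUPDATE.EXE process lines reproduced by count) and applies three review rules that are this example's own assumptions, not a malware verdict: an image executing directly out of the Startup folder (programs normally start from there via a .lnk shortcut, not as a bare EXE dropped into the folder), the same image running several times at once, and an `O4 - Startup:` entry that names a bare executable rather than a shortcut.

```python
"""Offline triage of a HijackThis 1.99.1 log.

Added example for this thread, not part of the original post or of HijackThis.
The review rules below are this example's own heuristics, not a malware verdict.
"""
import re
from collections import Counter

# Constructed excerpt of the log posted above. The 15 identical WINUPDATE.EXE
# process lines from the post are reproduced by count rather than pasted.
STARTUP_DIR = "C:\\WINDOWS\\START MENU\\PROGRAMS\\STARTUP\\"
WINUPDATE = STARTUP_DIR + "WINUPDATE.EXE\n"
SAMPLE_LOG = (
    "Logfile of HijackThis v1.99.1\n"
    "Platform: Windows 98 Gold (Win9x 4.10.1998)\n"
    "\n"
    "Running processes:\n"
    "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\n"
    "C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE\n"
    "C:\\WINDOWS\\EXPLORER.EXE\n"
    + WINUPDATE * 8
    + "C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE\n"
    + WINUPDATE * 6
    + "A:\\HIJACKTHIS.EXE\n"
    + WINUPDATE
    + "\n"
    "O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun\n"
    "O4 - HKLM\\..\\Run: [Norton Auto-Protect] C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET\n"
    "O4 - Startup: Office Startup.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE\n"
    "O4 - Startup: winupdate.exe\n"
    "O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 151.164.11.201,151.164.1.8\n"
)

ENTRY_RE = re.compile(r"^([RNOF]\d+) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into (process paths, [(section, body), ...]).

    Process lines follow the 'Running processes:' header up to the next blank
    line; every other 'Rn/Nn/On/Fn - ...' line becomes a (section, body) pair.
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text, dup_threshold=3):
    """Return a list of (rule, detail) findings for a human to review."""
    processes, entries = parse_log(text)
    findings = []

    # Rule 1 and 2: per unique image path, count live instances and check
    # whether the image is executing straight out of the Startup folder.
    counts = Counter(p.upper() for p in processes)
    for path, n in counts.items():
        if n >= dup_threshold:
            findings.append(("multiple-instances", f"{path} running {n} times"))
        if "\\STARTUP\\" in path:
            findings.append(("exe-in-startup-folder", path))

    # Rule 3: an 'O4 - Startup:' item should be a .lnk shortcut ('Name.lnk = target');
    # a bare executable name means the binary itself was dropped into the folder.
    for section, body in entries:
        if section == "O4" and body.startswith("Startup: "):
            target = body[len("Startup: "):]
            if not target.lower().split(" = ")[0].endswith(".lnk"):
                findings.append(("startup-entry-not-shortcut", target))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

Run against the posted excerpt it reports the Startup-folder image, its 15 simultaneous instances, and the bare `winupdate.exe` Startup entry, while leaving the `Office Startup.lnk` shortcut and the registry Run entries alone. Whether a flagged file is actually malicious still has to be settled by a scanner or by inspecting the file; the rules only say what deserves a look first.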
#2 Michlos (Member, 48 posts)

I'm working on your log, as soon as another staff member reviews it I'll post a reply. Thank you for your patience.

#3 Michlos (Member, 48 posts)

Hi!

It seems your friend has been hit by the GAOBOT.BIA worm. You can read more about that at symantec.com and at F-secure.com.

If he has anti-virus software, I recommend that he makes sure it's updated and then runs a full system scan.

If he can get online go here and run online scans (at least one), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note anything that can't be fixed.
Reboot when done.

Also download, install and keep updated antivirus software (and use only one).
Free for home users:
avast! 4 Home Edition Download
AVG free version 7.0 (AVG free version v6.0 updates ended 12/31/04)
AntiVir Personal Edition

Once he has gotten rid of that, post a new Hijack This log here and we can take a look at fixing the rest.





