Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HiJackThis Log

Started by chanvey , Feb 23 2005 10:49 AM

  • Please log in to reply

#1
chanvey
Posted 23 February 2005 - 10:49 AM

chanvey

    New Member

  • Member
  • Pip
  • 1 posts
This is the logfile from a friend's computer that has completely prevented him from doing anything, including even reformatting. He has run some various registry repair software that has found many errors, but is unable to fix anything. I thought I'd check and see if there was any spyware/malware that might be causing some of the problems since he is unable to get online.

Thanks.




Logfile of HijackThis v1.99.1
Scan saved at 10:12:32 AM, on 2/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
A:\HIJACKTHIS.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.trinicom.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Netscape\Communicator\Program\NetHelp\Blank.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\penny\prefs.js)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE 4
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: winupdate.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = airmail.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8
  • 0

Advertisements

#2
Michlos
Posted 23 February 2005 - 05:05 PM

Michlos

    Member

  • Member
  • PipPip
  • 48 posts
I'm working on your log, as soon as another staff member reviews it I'll post a reply. Thank you for your patience.
  • 0

#3
Michlos
Posted 24 February 2005 - 02:40 AM

Michlos

    Member

  • Member
  • PipPip
  • 48 posts
Hi!

It seems your friend has been hit by the GAOBOT.BIA worm. You can read more about that

At symantec.com

At F-secure.com

If he has an anti-virus software I recommend that he makes sure that it's updated and then runs a full system scan.

If he can get online go here and run online scans (at least one), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed
Reboot when done.

Also download, install and keep updated- Antivirus Software (and use only one):
Free for home users:
avast! 4 Home Edition Download
AVG free version 7.0 AVG free version v6.0 updates ended 12/31/04
AntiVir Personal Edition

Once he has gotten rid of that, post a new Hijack This log here and we can take a look at fixing the rest.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP