Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hijackthis [RESOLVED]


  • This topic is locked This topic is locked

#1
renatovel

renatovel

    New Member

  • Member
  • Pip
  • 3 posts
Hi, I beg your pardon if I did something wrong. It´s my first post here. I´ve read all messages concerned to the same problem I´m having. Although I´ve done everything I could - installing every kind of antispys, antivirus (as you can see below), reinstalling service pack 1a, installing another browser (Mozilla), comparing disks files before and after the programs that I suspect that had infected my system - I had no success.
My browser (IE 6.0) is still very, very, very slow. However, like everybody, my downloads are ok, downloading at 200, 300 Kbps. So, here is my logfile of HijackThis.
I hope you can help me in this hard work.
Thanks
R. B.


Logfile of HijackThis v1.99.1
Scan saved at 00:30:55, on 28/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Arquivos de programas\IE Accelerator\IEAccelerator.exe
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\InterMute\SpySubtract\CWShredder.exe
C:\Documents and Settings\eduardo\Meus documentos\Meus vídeos\hjt\HijackThis.exe
C:\WINDOWS\regedit.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.1:3128
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Arquivos de programas\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [PasswordOrganizer] C:\Arquivos de programas\AGuardDog Suite\RunTimePwdOrg.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [IE Accelerator] C:\Arquivos de programas\IE Accelerator\IEAccelerator.exe /Auto
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .com/ovftpdfs/IDNJHKKGNFIAAP00D/fs046/ovft/live/gv023/00006534/00006534-200404150-00043: C:\ARQUIV~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114380975812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

I don't see anything that could cause Internet Explorer to slow down. Let's try fixing these entries then:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft...er=6&ar=msnhome
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab


Just want to know. Is this the correct proxy server?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.1:3128

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
renatovel

renatovel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I thank your quick reply, Mr. Greyknight17.
I´ve done what you suggested and my hijackthis log is posted below, after I reboot in safe mode, fix those entries, restart and hijackthis again. It´s quite impossible to send something by e-mail or by geekstogo.com site on my machine. IE takes 5, 8 minutes, and shows that time is expired. I brought the list to send by my office´s machine.
Btw, you asked about "Settings,ProxyServer = 192.168.20.1:3128". Yes, this is what hijack is showing. Any trouble with ":3128"?
Best regards

Logfile of HijackThis v1.99.1
Scan saved at 23:06:07, on 02/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Arquivos de programas\IE Accelerator\IEAccelerator.exe
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\eduardo\Meus documentos\Meus vídeos\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.1:3128
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Arquivos de programas\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [PasswordOrganizer] C:\Arquivos de programas\AGuardDog Suite\RunTimePwdOrg.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [IE Accelerator] C:\Arquivos de programas\IE Accelerator\IEAccelerator.exe /Auto
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .com/ovftpdfs/IDNJHKKGNFIAAP00D/fs046/ovft/live/gv023/00006534/00006534-200404150-00043: C:\ARQUIV~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114380975812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




Welcome to GTG.

I don't see anything that could cause Internet Explorer to slow down.  Let's try fixing these entries then:

Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until menu shows up.  In some systems, this may be the F5 key, so try that if F8 doesn't work.  Make sure to close any open browsers.  Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft...er=6&ar=msnhome
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab


Just want to know.  Is this the correct proxy server?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.1:3128

Reboot into Normal Mode run a new HijackThis scan.  Save the log file and post it here.

View Post


  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
There is nothing else wrong in this log.

That 3128 is a port used by legitimate programs, but it may also be used by trojans. Since it doesn't seem like you know what it's for, I think it's bad.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
  • 0

#5
renatovel

renatovel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Mr. Greyknight17:
Here is the Mwav.exe log you asked me. There were 12 entries. The worst sites are those related to e-mail, like gmail, hotmail, etc. Also, those which I need to send something, like geekstogo, where I must post logs and send. It´s impossible to do that. I must do that on other computer than mine.
I really appreciate your help.
Regards
R. B.

File System Found infected by "cws.tapicfg Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mruninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\hh.htt infected by "Trojan.JS.Zapchast.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\mruninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\hh.htt infected by "Trojan.JS.Zapchast.a" Virus. Action Taken: No Action Taken.
File C:\Arquivos de programas\dcmsetup.zip tagged as not-a-virus:RiskWare.Tool.Gendel. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\undo\backup.cab infected by "Trojan.JS.Zapchast.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\eduardo\Meus documentos\Aplicativos\BSINSTALL.exe infected by "not-a-virus:AdWare.SaveNow.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\eduardo\Meus documentos\documentos word\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.


There is nothing else wrong in this log.

That 3128 is a port used by legitimate programs, but it may also be used by trojans.  Since it doesn't seem like you know what it's for, I think it's bad.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file.  This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN.  When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.  We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

View Post


  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\mruninst.exe
C:\WINDOWS\hh.htt
C:\undo\backup.cab
C:\Documents and Settings\eduardo\Meus documentos\Aplicativos\BSINSTALL.exe


Restart. Any problems still? If not:

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP