hijack this log and http://utruuh.(resolved)


  • This topic is locked

#1 yafuetodo (Member, 45 posts)
Hello:

Since I was so kindly helped in this forum a few days ago with a problem affecting a home computer, I thought I would resort to you guys again with a similar problem with my work computer.

Two things if I may, and forgive me if I am out of procedure: Hijackthis log and a problem with a stubborn rogue search engine website KcKc:utruuh.globe-finder.cc/. edited by Kc

So first:
Is my hijackthis log ok? (below)

And second:
How do I get rid of this search engine that keeps popping up as my homepage regardless of how many times I change my internet options and run all the malware removal software I know of (ad aware se, spybot, cwsshredder, norton antivirus, win updates)?

thank you very much again.

yafuetodo

//////////////////////////////////////////////

Logfile of HijackThis v1.99.1
Scan saved at 01:17:02 p.m., on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\InesGuardia\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.co.ve
O1 - Hosts: 1159680172 auto.search.msn.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {AC911B4D-3B6D-45F3-9CD8-5D4DC470F1DB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AC911B4D-3B6D-45F3-9CD8-5D4DC470F1DB} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0D05C-D767-43AA-BA67-99AF873D68B5}: NameServer = 159.90.200.206,159.90.200.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

Edited by thatman, 08 May 2005 - 08:40 AM.

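The log above is the kind of thing the helpers in this thread read by eye. As an added example (not code from the thread, the forum or HijackThis), here is a small Python triage script that parses the R0, O1, O6, O17, O19 and O20 lines of a HijackThis 1.99 log and prints the findings a helper would call out. SAMPLE_LOG is a trimmed copy of the entries from the first log; TRUSTED_START_PAGES and TRUSTED_NAMESERVERS are placeholder allow-lists that the operator has to fill in for their own environment, not values taken from the page. The one non-obvious point it demonstrates is the O1 line: the hosts-file parser accepts the classic inet_aton forms, so "1159680172" is a single 32-bit number (69.31.80.172), not a typo, and the entry silently sends auto.search.msn.com to that remote address.

```python
"""HijackThis log triage helper.

Added example for this thread, not code from the forum or from HijackThis.
It parses the R0/O1/O6/O17/O19/O20 lines of a HijackThis 1.99 log and
reports the classes of entry the thread is about. SAMPLE_LOG is a trimmed
copy of the first log in the thread; TRUSTED_START_PAGES and
TRUSTED_NAMESERVERS are placeholders the operator must fill in.
"""
import re
from ipaddress import IPv4Address

# Assumed allow-lists (not from the page): what this operator expects to see.
TRUSTED_START_PAGES = ("http://google.co.ve/", "about:blank")
TRUSTED_NAMESERVERS = {"192.0.2.53"}  # placeholder; put your real resolvers here

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.co.ve
O1 - Hosts: 1159680172 auto.search.msn.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def _octet(part: str) -> int:
    """One address component as inet_aton reads it: decimal, octal (leading 0) or hex (0x)."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def inet_aton_like(token: str) -> IPv4Address:
    """Parse an address the way inet_aton() (and the hosts-file parser) does.

    'a.b.c.d', 'a.b.c', 'a.b' and a bare 'a' are all valid; the last component
    fills every remaining byte, so '1159680172' is one 32-bit number. That is
    how a hosts line can hide a remote IP behind a plain decimal string.
    """
    parts = token.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address {token!r}")
    nums = [_octet(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    limit = 1 << (8 * (4 - len(head)))
    if any(not 0 <= n <= 255 for n in head) or not 0 <= last < limit:
        raise ValueError(f"bad address {token!r}")
    value = last
    for shift, n in zip((24, 16, 8), head):
        value |= n << shift
    return IPv4Address(value)


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, severity, message) findings for the suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R0" and "Start Page = " in body:
            url = body.split("Start Page = ", 1)[1].strip()
            hive = body.split("\\", 1)[0]  # HKCU or HKLM
            if not url.startswith(TRUSTED_START_PAGES):
                findings.append((sec, "high", f"{hive} start page set to {url}"))
        elif sec == "O1" and body.startswith("Hosts: "):
            ip_token, _, host = body[len("Hosts: "):].partition(" ")
            try:
                ip = inet_aton_like(ip_token)
            except ValueError:
                findings.append((sec, "high", f"unparseable hosts entry: {body}"))
                continue
            if not ip.is_loopback:  # 127.x.x.x sinkholes are the benign use of hosts
                how = " via dword notation" if "." not in ip_token else ""
                findings.append((sec, "high", f"{host} pinned to {ip}{how}"))
        elif sec == "O6":
            findings.append((sec, "medium", f"IE policy present, confirm it is yours: {body}"))
        elif sec == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            unknown = [s for s in servers if s not in TRUSTED_NAMESERVERS]
            if unknown:
                findings.append((sec, "medium", "DNS servers not on allow-list: " + ", ".join(unknown)))
        elif sec == "O19":
            findings.append((sec, "medium", f"user stylesheet forced on IE: {body}"))
        elif sec == "O20" and "(file missing)" in body:
            findings.append((sec, "high", f"Winlogon Notify DLL not found on disk: {body}"))
    return findings


if __name__ == "__main__":
    for sec, sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:<3} {msg}")
```

The O17 check only says "not on the allow-list"; whether 159.90.200.x is the real corporate resolver is a question for the network administrator (the thread asks exactly that later on), which is why the script reports it at medium rather than deciding for you.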
#2 yafuetodo (Topic Starter, 45 posts)
I've just realized that some of the names of the files and folders in the log are in Spanish. Is this a problem for this forum?

#3 Guest_usetobe_* (Guest)
Hi YAFU,

Welcome to Geeks to Go. Let's get your PC fixed.

Firstly, create a new folder on your C: drive (for example C:\HJT). Install HJT into that folder and run it from there. That way it can create backups if required.

Please print out these instructions to make it easy to follow and to have access to them when you have to reboot your pc. Please read through them prior to commencing to do anything and if there is anything that you are unsure of, or do not understand, please contact me first for assistance.

I would like you to carry out the following free on-line virus scan and follow their instructions on removal of anything that it may find.

Panda Active Scan

Next please download the following two programs. Install them and update them both. Then run each one and have them fix anything that they may find.

Spybot Search and Destroy 1.3

Ad-aware S E 1.5

Open up HJT, rescan, and place a check against each of the following, making sure you get them all and not any others by mistake. Some of them might not be there, as they will have been removed in previous stages of the sequence. This is normal, so do not be alarmed.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: Microsoft AntiSpyware helper - {AC911B4D-3B6D-45F3-9CD8-5D4DC470F1DB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AC911B4D-3B6D-45F3-9CD8-5D4DC470F1DB} - (no file) (HKCU)
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)


Also, unless your system administrator (you?) has set the following, check them as well:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Ensure no windows are open apart from HJT and click FIX CHECKED.

Download the following program.

Cleanup

Reboot into SAFE MODE by tapping the F8 key whilst PC starts up.

Set the PC to show hidden files (click the link below if you do not know how):

Show hidden files

Using Windows Explorer locate and delete the following files/folders.

C:\WINDOWS\stsheets.dat

Now use the Cleanup program to clear out temp files, junk etc.

Reboot normally and rescan with HJT and post the log in this thread

#4 yafuetodo (Topic Starter, 45 posts)
usetobe:

Thank you very much... I did everything you instructed in your previous post... however, the problems seem to come up again...

Here is the log for HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 12:43:41 p.m., on 03/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\InesGuardia\Mis documentos\Calique\Software de Spyware\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.co.ve
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0D05C-D767-43AA-BA67-99AF873D68B5}: NameServer = 159.90.200.206,159.90.200.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

Also, I'm adding the ActiveScan report from Panda... it seems that three threats were not disinfected...


Incident                        Status           Location

Virus:Bck/Haxdoor.A             Disinfected      Operating system
Adware:Adware/CWS.Searchmeup    No disinfected   C:\new.exe
Possible Virus.                 No disinfected   C:\WINDOWS\system32\baksm.dat
Possible Virus.                 No disinfected   C:\WINDOWS\system32\supermenuhook.dll
Virus:Bck/Haxdoor.BG            Disinfected      C:\WINDOWS\system32\winlow.sys
Virus:Bck/Haxdoor.BG            Disinfected      C:\WINDOWS\system32\wz.sys


Again, thank you

yafuetodo

Edited by yafuetodo, 03 May 2005 - 10:56 AM.


#5 Guest_usetobe_* (Guest)
Hi yafu,

We will try again on some of the stubborn entries.

Rescan your PC with HJT. Check the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.co.ve
O1 - Hosts: 1159680172 auto.search.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0D05C-D767-43AA-BA67-99AF873D68B5}: NameServer = 159.90.200.206,159.90.200.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{1123203B-6629-48E5-9B81-BBC1701B1770}: NameServer = 159.90.200.7,159.90.200.8


Ensure no windows are open except HJT and click on Fix Checked.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINDOWS\system32\baksm.dat
C:\WINDOWS\system32\supermenuhook.dll
C:\new.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

Then carry out a virus scan from the following location. Fill in your name; for company, type anything you want, and add your email address.

Kaspersky

Then rescan with HJT and post the log back in this thread.

Edited by usetobe, 03 May 2005 - 11:03 AM.


#6 yafuetodo (Topic Starter, 45 posts)
Hello usetobe,

I apologize for the delay in response... one thing I failed to mention is that the PC in question is part of a network, and as such is subject to the whims of the central command of the server... it seems that they weren't so happy with my tampering with the PC and thus decided to shut off my internet connection until today... what they fail to consider is that if they provided tech support (they don't) I wouldn't have to resort to these measures...

Anyhow, sorry for the venting... just trying to explain the situation, but also mentioning the fact that I am on a network... does that affect my malware problems?... I've checked and it seems that I am the only one affected with these problems, but could the solution be found not on my computer but in fixing something about the network?... just some questions...

Anyway, I did all you asked me to...

Here is my latest HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 03:26:57 p.m., on 06/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARCHIV~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\ARCHIV~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\InesGuardia\Mis documentos\Calique\Software de Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.ve/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0D05C-D767-43AA-BA67-99AF873D68B5}: NameServer = 159.90.200.7,159.90.200.1
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\ARCHIV~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

Thank you...

#7 Guest_usetobe_* (Guest)
Hi yafu,

Do you know if your system administrator has set the policy restrictions and Control Panel restrictions in Internet Explorer?

Rescan your PC with HJT and check the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O19 - User stylesheet: (file missing)


IF POLICY RESTRICTIONS NOT SET BY SYSTEM ADMINISTRATOR ALSO CHECK FOLLOWING

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Ensure no windows are open except HJT and click Fix Checked.

Rescan with HJT and post back in this thread.

#8 yafuetodo (Topic Starter, 45 posts)
Dear usetobe:

*First: regarding your question "Do you know if your system administrator has set policy restrictions and control panel in internet explorer?"

No, there are no imposed restrictions by my sysadmin...

*Second: In order to fix the problems detected by HJT I have to run the computer in Safe Mode; if I don't, HJT pops up a window that says something to the effect of:

"the file you are attempting to fix is denying you access, it is currently in use"

*Third: as per your request, below you'll find the HJT log after the fixes you recommended.

thank you very much for your patience...

yafuetodo

/////////////////////////////////////////////////////

Logfile of HijackThis v1.99.1
Scan saved at 10:10:41 a.m., on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\InesGuardia\Mis documentos\Calique\Software de Spyware\HijackThis.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0D05C-D767-43AA-BA67-99AF873D68B5}: NameServer = 159.90.200.7,159.90.200.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

#9 Guest_usetobe_* (Guest)
Hi Yafu,

That looks like you did the HJT scan in Safe Mode. Can you do a scan in normal mode and post that log back, please? You should be able to do that without any problems.

#10 yafuetodo (Topic Starter, 45 posts)
Actually, I've done most (if not all) of the scans in Safe Mode... I have to... otherwise HJT denies me access to some of the files it is attempting to fix...

I explain this in my previous post...

Thanks

yafu
#11 Guest_usetobe_* (Guest)
I can see that you have; however, I need to see an HJT scan in normal mode. You should be able to do this as you are not carrying out any fixes, just a straightforward scan to post the log back.

#12 yafuetodo (Topic Starter, 45 posts)
Oh... OK...

Here it goes...

///////////////////////////////////////////////////////////////////////

Logfile of HijackThis v1.99.1
Scan saved at 11:03:31 a.m., on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\InesGuardia\Mis documentos\Calique\Software de Spyware\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0D05C-D767-43AA-BA67-99AF873D68B5}: NameServer = 159.90.200.7,159.90.200.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

#13 Guest_usetobe_* (Guest)
Hi Yafu,

That's what I needed to see.

Please click on the link below to download this program:
find.zip

*Right-click on your desktop and go to New > Folder - name it HJT.
*Download "Find.zip" to the HJT folder that you made. Make sure to Extract All Files!
*Double Click "Find.bat" and let it scan the PC, takes only seconds!
*Look back in the Folder you downloaded to (HJT) and locate "Report.txt"
*Double Click "Report.txt" and Copy the entire contents of the log and paste it here. It's going to be a very short log.

#14 yafuetodo (Topic Starter, 45 posts)
C:\WINDOWS\SERVIC~1\I386\
atinxbxx.sys Tue 3 Aug 2004 10:29:32p ..... 31.744 31,00 K

C:\WINDOWS\SYSTEM32\DRIVERS\
atinxbxx.sys Tue 3 Aug 2004 10:29:32p ..... 31.744 31,00 K
p3i.sys Fri 24 Aug 2001 8:00:00a A.... 31.744 31,00 K

C:\WINDOWS\SOFTWA~1\DOWNLOAD\61E35F~1\
atinxbxx.sys Wed 4 Aug 2004 1:29:32a A.... 31.744 31,00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 126.976 bytes 124,00 K

No matches found.

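The Find.bat report above is read the same way every time: which driver file has no matching copy in the service pack file cache, and which files share a size under different names. As an added example (not the Find.bat tool and not code from the thread), here is a Python script that parses that report, converts the Spanish-locale sizes ("31.744") to bytes, and answers both questions. FIND_REPORT is the report posted above; the assumption that the SERVIC~1 directory is the 8.3 short name of the ServicePackFiles cache is mine, not the page's.

```python
"""Cross-check a Find.bat style listing of driver files.

Added example for this thread, not the Find.bat tool itself. FIND_REPORT is
the report posted in the thread (Spanish locale: '.' as thousands separator).
The script parses it, turns the sizes into bytes, and reports two things a
helper looks for: driver files with no same-named copy in the service pack
file cache, and files of identical size under different names. Treating the
SERVIC~1 directory as the ServicePackFiles cache is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FIND_REPORT = r"""C:\WINDOWS\SERVIC~1\I386\
atinxbxx.sys Tue 3 Aug 2004 10:29:32p ..... 31.744 31,00 K

C:\WINDOWS\SYSTEM32\DRIVERS\
atinxbxx.sys Tue 3 Aug 2004 10:29:32p ..... 31.744 31,00 K
p3i.sys Fri 24 Aug 2001 8:00:00a A.... 31.744 31,00 K

C:\WINDOWS\SOFTWA~1\DOWNLOAD\61E35F~1\
atinxbxx.sys Wed 4 Aug 2004 1:29:32a A.... 31.744 31,00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 126.976 bytes 124,00 K

No matches found.
"""

# A directory header is a drive-letter path ending in a backslash.
DIR_LINE = re.compile(r"^[A-Za-z]:\\.*\\$")
# name  weekday day month year h:mm:ssa/p  attrs  size  human-size K
FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<when>\w{3} \d{1,2} \w{3} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]+)\s+(?P<size>[\d.,]+)\s+[\d.,]+ K$"
)


@dataclass(frozen=True)
class Entry:
    directory: str
    name: str
    when: str
    attrs: str
    size: int  # bytes


def parse_size(text: str) -> int:
    """'31.744' (es locale) or '31,744' (en locale) -> 31744 bytes."""
    return int(re.sub(r"[.,]", "", text))


def parse_report(text: str) -> list[Entry]:
    """Walk the report, remembering the current directory header for each file line."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if DIR_LINE.match(line):
            current = line
            continue
        m = FILE_LINE.match(line)
        if m and current:
            entries.append(Entry(current, m["name"].lower(), m["when"], m["attrs"], parse_size(m["size"])))
    return entries


def is_driver_dir(d: str) -> bool:
    return d.upper().endswith("\\SYSTEM32\\DRIVERS\\")


def is_cache_dir(d: str) -> bool:
    # Assumption: the SERVIC~1\I386 directory is the ServicePackFiles\i386 cache.
    return d.upper().endswith("\\I386\\")


def missing_from_cache(entries: list[Entry]) -> list[str]:
    """Names in system32\\drivers that have no same-named file in the SP cache."""
    cached = {e.name for e in entries if is_cache_dir(e.directory)}
    return sorted(e.name for e in entries if is_driver_dir(e.directory) and e.name not in cached)


def same_size_groups(entries: list[Entry]) -> dict[int, set[str]]:
    """Size -> file names, kept only where one size is shared by more than one name."""
    groups = defaultdict(set)
    for e in entries:
        groups[e.size].add(e.name)
    return {size: names for size, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    found = parse_report(FIND_REPORT)
    print("drivers with no copy in the SP cache:", missing_from_cache(found))
    for size, names in same_size_groups(found).items():
        print(f"{size} bytes shared by: {', '.join(sorted(names))}")
```

On the thread's report this prints p3i.sys as the only driver without a cached copy and 31744 bytes as the size shared by atinxbxx.sys and p3i.sys, which is the pair the next post tells the user to rename and delete. A missing cache copy is a lead, not proof; on a real machine the next step is to hash the file and compare it with a known-good copy.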

#15 Guest_usetobe_* (Guest)
Please print these instructions out.

*First I need you to reboot in Safe Mode - you can do this by restarting your computer, then continually tapping the F8 key until a menu appears, then use your up arrow key to highlight Safe Mode, press enter.
*Be sure you're able to VIEW Hidden files *VERY IMPORTANT!*

*Now Navigate to this Folder using WINDOWS EXPLORER:

C:\WINDOWS\SYSTEM32\DRIVERS

Locate these files in your DRIVERS folder:

atinxbxx.sys
p3i.sys


Right Click each File and Select "Rename" and Rename it to:

atinxbxx.bak
p3i.bak

Restart in Normal Mode.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis again. Put a checkmark next to these entries. Then click "FIX CHECKED"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com


Restart into Safe Mode again. Locate these files and DELETE THEM! You need to go straight into Windows Explorer to find them. Doing a search on your computer won't work. Make absolutely sure that you're able to VIEW hidden files, because at least one file will be hidden. They are both there and need to be deleted!

C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.bak
C:\WINDOWS\SYSTEM32\DRIVERS\p3i.bak


Also search for

C:\WINDOWS\stsheets.dat <-- IF FOUND DELETE THAT ONE AS WELL

Reboot your computer normally and post a new HiJackThis log.





