Help please, problems with browser


This topic is locked

#1
Stoical Aragorn
    New Member

  • Member
  • 2 posts
First of all, thank you guys for this page.
I've got a trojan in the computer. Lately it reboots the computer automatically. I'm in the Test mode (don't know if it's the correct name in English).

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 16:37:00, on 24/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\sysinit32m.exe
D:\Documents and Settings\Pedro\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10087/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe
F3 - REG:win.ini: run=D:\WINDOWS\inet20038\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - D:\Archivos de programa\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - D:\Archivos de programa\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Windows KeyHook] D:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MessengerPlus3] "F:\MessengerPlus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [eBayToolbar] D:\Archivos de programa\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [xp_system] D:\WINDOWS\inet20038\services.exe
O4 - HKLM\..\Run: [sys009] D:\WINDOWS\system32\sys009.exe
O4 - HKLM\..\Run: [switp] D:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [Windows Service] D:\WINDOWS\system32\dstart4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "F:\MessengerPlus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [xp_system] D:\WINDOWS\inet20038\services.exe
O4 - HKCU\..\Run: [Windows Service] D:\WINDOWS\system32\dstart4.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://D:\Archivos de programa\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {832E6EB2-276F-4A16-85AB-378A3135CE98} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {832E6EB2-276F-4A16-85AB-378A3135CE98} - (no file) (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - D:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - F:\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Again thank you. Sorry if I made mistakes in English.



#2
g2i2r4
    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Stoical Aragorn to Geeks to Go!

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

***

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here.
If that doesn’t work, use this link.

Save all of these files somewhere you will remember like to the Desktop.

***

Run the CleanUp! installer. You don't need to do anything with it right now.

***

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
***

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
***

Download Autoruns from here:
http://www.sysintern.../autoruns.shtml

***
Restart the computer.
* As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.
***

Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
***

Run about:buster again following the same instructions as above, this time without the restart at the end.

***

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

***

Find and double-click the file cleanup.

Go to Option
Select 'Custom'
Put a check to:
* Cookies
* Prefetch
* Temp
* All users
Press 'CleanUp!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.
Reboot your computer into safe mode again.

***

Run Autoruns.
1. Uncheck this key with autoruns:

+ sysinit32m.exe c:\windows\system32\sysinit32m.exe


2. Then open up regedit (Start - Run - and type "regedit", press Enter).

- Navigate here: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

- Double click on "Shell", and the VALUE should only be "Explorer.exe". So delete everything BUT that value.

3. Now download, save, and Run Pocket Killbox: http://pctherapy.ca/...Box/KillBox.exe

- put a checkmark in "End Explorer Shell While Killing File".
- then type the path (c:\windows\system32\sysinit32m.exe) in the text box of "Full Path".
- Reboot.


4. After the reboot, go to housecall and do a complete virus scan: http://housecall.tre.../start_corp.asp
- have it Clean or Delete anything it finds.


5. Navigate back to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
- Make sure Explorer.exe is the only value.

***
Copy and paste the text from the box to an empty file in Notepad.

@ECHO OFF
REM Stop the shell so the files below are not locked (assumes the process.exe command-line tool is on the PATH)
process -k explorer.exe
cd D:\WINDOWS\inet20038
REM Run the program's own /fullremove switch, then delete its file
services.exe /fullremove
REM Clear the system, read-only and hidden attributes so del can remove it
attrib -s -r -h services.exe
del services.exe
REM Bring the desktop back
start explorer.exe
exit


Save the file:
name : stop.bat
location: desktop
type : all types

Close Notepad.

Double click stop.bat.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Reboot to safe mode again.

***

Next please run HijackThis, click Scan, and check:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10087/

F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe

F3 - REG:win.ini: run=D:\WINDOWS\inet20038\services.exe

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - (no file)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] D:\WINDOWS\inet20038\services.exe

O4 - HKLM\..\Run: [sys009] D:\WINDOWS\system32\sys009.exe

O4 - HKLM\..\Run: [switp] D:\WINDOWS\switpa.exe

O4 - HKLM\..\Run: [Windows Service] D:\WINDOWS\system32\dstart4.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [xp_system] D:\WINDOWS\inet20038\services.exe

O4 - HKCU\..\Run: [Windows Service] D:\WINDOWS\system32\dstart4.exe

O9 - Extra button: Microsoft AntiSpyware helper - {832E6EB2-276F-4A16-85AB-378A3135CE98} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {832E6EB2-276F-4A16-85AB-378A3135CE98} - (no file) (HKCU)

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

***

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

D:\WINDOWS\inet20038\services.exe
D:\WINDOWS\system32\sys009.exe
D:\WINDOWS\switpa.exe
D:\WINDOWS\system32\dstart4.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Reboot the computer.
Please post back in this topic with a fresh log using HijackThis.
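As an added example (not code from this thread or from any of the tools it names), the following Python script parses lines in the HijackThis log format shown in post #1 and flags the kinds of entries the helper singled out in post #2: a Shell= value that chains an extra loader, a win.ini run= autostart, Run keys launching from the Windows root or from an unknown Windows subfolder, Trusted Zone additions, and a registry-set start page. The sample log is constructed from lines in this thread; the subfolder allow-list is an assumption, and an autorun hidden in system32 under an innocent-looking name (dstart4.exe here) is deliberately not caught by these structural heuristics.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (entries copied from the thread; the NeroCheck line is a benign control).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10087/
F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe
F3 - REG:win.ini: run=D:\WINDOWS\inet20038\services.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [xp_system] D:\WINDOWS\inet20038\services.exe
O4 - HKLM\..\Run: [switp] D:\WINDOWS\switpa.exe
O4 - HKCU\..\Run: [Windows Service] D:\WINDOWS\system32\dstart4.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
"""
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
KNOWN_WIN_SUBDIRS = {"system32", "system", "ime"}  # assumed usual homes of autoruns under WINDOWS

def exe_of(cmd: str) -> PureWindowsPath:
    """Executable of a Run command: the quoted path, or the text up to the first space."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return PureWindowsPath(m.group(1) or m.group(2)) if m else PureWindowsPath("")

def analyze(log: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, raw line) for entries a defender should review."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "F2" and "Shell=" in body:
            extra = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
            if extra:  # the Shell value should be exactly Explorer.exe
                findings.append((sec, "Shell chains extra loader(s): " + " ".join(extra), line))
        elif sec == "F3" and "run=" in body and body.split("run=", 1)[1].strip():
            findings.append((sec, "legacy win.ini run= autostart is set", line))
        elif sec == "O4" and "]" in body:
            exe = exe_of(body.split("]", 1)[1])
            p = [x.lower() for x in exe.parts]  # e.g. ['d:\\', 'windows', 'switpa.exe']
            in_win = len(p) >= 3 and p[1] == "windows"
            if in_win and len(p) == 3:
                findings.append((sec, "autorun placed directly in the Windows root", line))
            elif in_win and p[2] not in KNOWN_WIN_SUBDIRS:
                findings.append((sec, f"autorun from unexpected Windows subfolder '{p[2]}'", line))
        elif sec == "O15":
            findings.append((sec, "Trusted Zone entry: verify it was added on purpose", line))
        elif sec == "R0" and "Start Page" in body:
            findings.append((sec, "start page set in the registry: confirm it is yours", line))
    return findings
```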

#3
Stoical Aragorn
    New Member

  • Topic Starter
  • Member
  • 2 posts
g2i2r4, thank you very much.

Just after posting my last message my computer collapsed. It wasn't even able to open Windows, so finally I gave up and I've sent it to a shop. I'm really sorry for making you waste your time. I know I should have advised you, but it is the first time I can use a computer since. Please accept my apologies.

Again thank you.

#4
g2i2r4
    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You didn't waste my time. I learn a lot reading yet another log.
I really appreciate your feedback.

Still, I'll give you some advice.

Please follow these simple steps in order to keep your computer clean and secure after it comes 'home' again.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Good luck.