HiJackThis Log Please help



#1
SonOfFate
New Member, 2 posts
I need help. I keep on receiving popups and ads all the time. If I leave my ADSL connection open I get tons of windows opened.
Here's my HijackThis log. Can somebody help?
Logfile of HijackThis v1.98.2
Scan saved at 12:33:18 PM, on 12/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\SSDPSRV.EXE
D:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
D:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS ME\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
D:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\SO-NET BROADBAND\WINPPPOVERETHERNET.EXE
D:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
D:\WINDOWS\SYSTEM\INTERNAT.EXE
D:\WINDOWS\LOADQM.EXE
D:\WINDOWS\MIXER.EXE
D:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
D:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS ME\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\MOZILLA FIREFOX\FIREFOX.EXE
D:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
D:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS ME\DESKTOP\HIGH\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = oldwebct.udesa.edu.ar:8080
F1 - win.ini: run=D:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Windows Me\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] D:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [z-WrDialer] D:\PROGRAM FILES\SO-NET BROADBAND\WrDialer.exe
O4 - HKLM\..\Run: [a-winpoet-service] D:\Program Files\So-net Broadband\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Symantec Core LC] D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] D:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] D:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [ccEvtMgr] "D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Windows Me\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "D:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Spyware Doctor] "C:\WINDOWS ME\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Windows Me\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab


#2
Metallica
Spyware Veteran, GeekU Moderator, 31,671 posts
I'll be back in a sec.
Need to get my medicine. ;)

Regards,

Pieter

#3
Metallica
Spyware Veteran, GeekU Moderator, 31,671 posts
You have a new variant of a VX2 infection, identified by these entries:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

This fix is still a work in progress, but seems to be working well.
1. Download VX2Finder here: http://www.geekstogo...=download&id=37
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.

2. Download this ZIP file: FindIt.zip
and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.

3. Please download DllCompare from here: http://www.geekstogo...=download&id=38

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that has completed, click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Only if you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.

4. Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.
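The diagnosis above rests on reading a handful of HijackThis entry types: O1 hosts lines that send well-known names to one remote IP, the O10 "unknown file in Winsock LSP" lines, and the R1 proxy and F1 win.ini autostart entries. The following Python is an added example, not code from this thread or from any of the tools it links, that parses lines in that format and returns the entries a log reviewer would look at first. It groups hosts redirects by target IP so that a single address hijacking several search hosts stands out, treats loopback hosts entries as benign (the ad-blocking style), reports each LSP DLL once even though HijackThis lists it once per catalog entry, and flags proxy and win.ini entries for review rather than as verdicts, since a proxy such as a university one can be legitimate. The sample lines are constructed to match the shape of the log in post #1.

```python
import re
from ipaddress import ip_address

# Constructed sample input, shaped like the HijackThis v1.98 entries in the
# log above, plus one benign loopback hosts entry and one ordinary O4 line.
SAMPLE_LOG_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = oldwebct.udesa.edu.ar:8080",
    r"F1 - win.ini: run=D:\WINDOWS\SYSTEM\cmmpu.exe",
    r"O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    r"O1 - Hosts: 69.20.16.183 search.netscape.com",
    r"O1 - Hosts: 69.20.16.183 ieautosearch",
    r"O1 - Hosts: 127.0.0.1 ads.example.invalid",
    r"O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun",
    r"O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll",
    r"O10 - Unknown file in Winsock LSP: d:\windows\system\aklsp.dll",
]

# One pattern per HijackThis section type this example cares about.
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")
WININI_RE = re.compile(r"^F1 - win\.ini: (run|load)=(.+)$")


def points_to_local(ip_text):
    """True if a hosts entry merely blocks a name (loopback/unspecified)."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(lines):
    """Return (kind, detail) findings worth a reviewer's attention, in log order."""
    findings = []
    seen_lsp = set()
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts line sending a name to a remote address is a redirect;
            # loopback entries are the usual ad-blocking style and are skipped.
            if not points_to_local(ip):
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
            continue
        m = LSP_RE.match(line)
        if m:
            # HijackThis lists an LSP DLL once per catalog entry; report it once.
            path = m.group(1).strip().lower()
            if path not in seen_lsp:
                seen_lsp.add(path)
                findings.append(("unknown-lsp", path))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy can be legitimate (corporate/university); flag for review.
            findings.append(("proxy-set", m.group(1)))
            continue
        m = WININI_RE.match(line)
        if m:
            # win.ini run=/load= is a legacy autostart rarely used by software.
            findings.append(("winini-autostart", m.group(2).strip()))
    return findings


def redirect_targets(lines):
    """Group redirected hostnames by the IP they are sent to."""
    targets = {}
    for kind, detail in triage(lines):
        if kind == "hosts-redirect":
            host, ip = detail.split(" -> ")
            targets.setdefault(ip, []).append(host)
    return targets


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG_LINES):
        print(f"{kind:17} {detail}")
    for ip, hosts in redirect_targets(SAMPLE_LOG_LINES).items():
        print(f"{ip} receives {len(hosts)} name(s): {', '.join(hosts)}")
```

Run on the constructed sample, `redirect_targets` shows the one IP collecting all three search-related names, which is the same signal the helper above read by eye; the single `unknown-lsp` finding is where a reviewer would next check the DLL, and the proxy and win.ini findings are left for a human to judge.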

#4
SonOfFate
Topic Starter, New Member, 2 posts
Hi, first, thanks.
I couldn't run VX2Finder because it says it's only for NT environments.
I ran FindIt.bat and here's the log.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------


Volume in drive D has no label
Volume Serial Number is 440C-11DF
Directory of D:\WINDOWS\SYSTEM32

919,175,168 bytes free

------- Hidden Files in System32 Directory -------


Volume in drive D has no label
Volume Serial Number is 440C-11DF
Directory of D:\WINDOWS\SYSTEM32

919,175,168 bytes free

---------- Files Named "Guard" -------------


Volume in drive D has no label
Volume Serial Number is 440C-11DF
Directory of D:\WINDOWS\SYSTEM32

919,175,168 bytes free

--------- Temp Files in System32 Directory --------


Volume in drive D has no label
Volume Serial Number is 440C-11DF
Directory of D:\WINDOWS\SYSTEM32

919,175,168 bytes free

---------------- User Agent ------------


------------ Keys Under Notify ------------


------------ Keys Under Notify ------------


---------------- Xfind Results -----------------


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


-------------- Locate.com Results ---------------


No matches found.

No matches found.

I ran DLLCompare and here's the log

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

11 items found: 11 files, 0 directories.
Total of file sizes: 769,282 bytes 751.25 K

--------------------End log---------------------

Am I infected? What's my problem?
Thanks again