Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Browser Hijack: www.mundososcuro.atspace.com


  • Please log in to reply

#1
englishwd

englishwd

    New Member

  • Member
  • Pip
  • 3 posts
Every time I connect to the Internet, IE automatically pops up and opens to www.mundooscuro.atspace.com. I have run most of the spyware programs, and while they found numerous infections and cleaned them, none has removed this particular problem.

Your help is greatly appreciated!

Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 09:49:22 p.m., on 20/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\System32\NetSis.exe
C:\Archivos de programa\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\David\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uolsinectis.com.ar:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [Networks Controler] NetSis.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Networks Controler] NetSis.exe
O4 - HKCU\..\Run: [Networks Controler] NetSis.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\manager\mwcpyrt.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE

Please let me know what I should remove.

Thank you!

David
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi David,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [Networks Controler] NetSis.exe
O4 - HKLM\..\RunServices: [Networks Controler] NetSis.exe
O4 - HKCU\..\Run: [Networks Controler] NetSis.exe



Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following file -

NetSis.exe

(Search for this file using the Windows Search function)


Run CleanUp and delete all temp files including temporary internet files


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.
  • 0

#3
englishwd

englishwd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thank you greatly for the help! This is the new Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 09:19:03 a.m., on 24/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\resetservice.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uolsinectis.com.ar:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\manager\mwcpyrt.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{323837DE-6D75-4B3E-A059-4F78FA1933D2}: NameServer = 216.244.219.2 216.244.219.3
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Can you post the Ewido scan report also please ??

In case you havent done that then please visit Panda and do an online scan. Save the scan report and post it back here.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP