I think I have a virus can you look at my hijacklog
-
I think I have a virus can you look at my hijacklog
I took some disk to work and was told that i have a virus. Her is my hijacklog.
COMPUTER NUMBER 1
Logfile of HijackThis v1.98.2
Scan saved at 4:55:24 PM, on 9/21/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLTRAY.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\SHELLMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLWBSPD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\McAfee\VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [WORKFLO] E:\INSTALL\WORKFLOW.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [CBWHost] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
O4 - HKLM\..\RunServices: [CBWAttn] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
O4 - Startup: Microsoft Find Fast.lnk = ..\..\..\..\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/beru0.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
Last edited by owen; 23-09-2004 at 08:26 AM.
-
O..forgot to mention I have 2 computer @ home and was told this one as well was infected with a virus. Can you also look at his Hijack Log? Thanks so much.
Computer Number 2
Logfile of HijackThis v1.98.2
Scan saved at 5:28:18 PM, on 09/21/2004
Platform: Windows NT 4 SP5 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\dmislsrv.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\WINNT\system32\CPQBIOS.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\CPQAlert.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\America Online 5.0a\aoltray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Profiles\Administrator\Desktop\HijackThis .exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0a\aoltray.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O12 - Plugin for .cfm: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf3 2.dll
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
Last edited by owen; 23-09-2004 at 08:27 AM.
-
Hiya,
I'm going to deal with each computer with seperate replies, so when you post your response, don't forget to put the Computer Number in the response (I've added numbers to your first reply). Post a seperate response in this thread for each computer.
Computer Number 1
Could you please download and run CWShredder which will get rid of the majority of CWS Browser Hijacker infections. Please ensure that you click Fix and click Ok to any prompts. Make sure you don't only scan.
After you have run CWShredder, reboot and post a fresh log.
-
Computer Number 2
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
Click Fix Checked
Not really any serious problems in there, are you experiencing any specific problems?
What I suggest you do for Computer 2, is get it sorted with some protection and perform some scans.
Have a read of this info about Protection:
Preventing it returning
After your problem has been resolved on the forum, it is an absoulute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.
1. Visit Windows Update
Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.
2. Download Antivirus Software-
If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.
3. Download a Firewall-
If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.
4. Spyware Scanners-
It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for a remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.
5. Prevent Spyware slipping through Internet Explorer-
Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.
6. Constant Spyware Protection-
It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.
All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.
And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!
