]Pai_Natal[ Posted May 7, 2004

Hi there... I think I have a little problem in my computer, it's about a virus (I think) and I'm trying to do everything but I can't remove that... I will post the log file...

Logfile of HijackThis v1.97.7
Scan saved at 2:06:24, on 07-05-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\NISUM.EXE
C:\Programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\SymTray.exe
C:\WINNT\twain_32\VIVID\VIVID.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\IAMAPP.EXE
F:\MouseTrackPacked\MouseTrack.exe
C:\Programas\Netcount\Netcount.exe
D:\Mirc\mirc.exe
D:\MyScript\mirc32.exe
C:\WINNT\system32\rundll32.exe
F:\Windows Uptime\Windows Uptime.exe
C:\Programas\Avant Browser\iexplore.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\HijackThis.exe
C:\Programas\Lavasoft\Ad-aware 6\Ad-aware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
F1 - win.ini: load=C:\WINNT\TWAIN_32\Vivid\VIVID.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@2070,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Programas\Ficheiros comuns\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [iamapp] C:\Programas\Norton SystemWorks\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programas\ICQ\NDetect.exe
O4 - HKCU\..\Run: [bMT] F:\MouseTrackPacked\MouseTrack.exe
O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Programas\Ficheiros comuns\Symantec Shared\Symtrdr.exe
O4 - Startup: Netcount.lnk = C:\Programas\Netcount\Netcount.exe
O4 - Startup: CAINETA.lnk = D:\Mirc\mirc.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DOWNLO~1\dapextie.htm
O8 - Extra context menu item: Abrir todos os links nesta página... - C:\Programas\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Adicionar à lista negra - C:\Programas\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Bloquear todas as imagens do mesmo servidor - C:\Programas\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Destacar - C:\Programas\Avant Browser\Highlight.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DOWNLO~1\dapextie2.htm
O8 - Extra context menu item: Procurar - C:\Programas\Avant Browser\Search.htm
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

gamehead200 Posted May 7, 2004

Have you used an AV scanner, or Ad-Aware, Spybot Search & Destroy, or anything like that other than what you got the log file from?

]Pai_Natal[ Posted May 7, 2004 (Author)

I used Ad-aware and Spybot... and finally HijackThis to see this log file... I think it's a variant of a worm... or something like that!

gamehead200 Posted May 8, 2004

]Pai_Natal[, May 7 2004, 07:19 PM:
> I used Ad-aware and Spybot... and finally HijackThis to see this log file... I think it's a variant of a worm... or something like that!

You might want to run an AV scanner just to be sure... Also, disable system restore when you run your AV!

]Pai_Natal[ Posted May 8, 2004 (Author)

Windows 2000 doesn't have System Restore... and I have run Ad-aware to clean all the garbage... Spybot found something else and I cleaned that... but the "bug" continues!

gamehead200 Posted May 8, 2004

]Pai_Natal[, May 8 2004, 10:30 AM:
> Windows 2000 doesn't have System Restore... and I have run Ad-aware to clean all the garbage... Spybot found something else and I cleaned that... but the "bug" continues!

Disconnect from the Internet, put up a firewall, go back on, and scan.

netmatrix Posted May 10, 2004

Hai,

Select the following lines in HijackThis and choose Fix! Before choosing the "Fix this" button, be sure to close all Internet Explorer and Windows Explorer windows.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab

You may have to restart the computer. Just to be sure, run the HijackThis software after you reboot, and if you find any more of the above listed lines, then choose them and select "Fix this". Also make sure you run Spybot and Ad-aware after you run this.

And also do a virus scan of your system.

Hope that helps.
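
An added example, not part of any post in this thread: a small Python triage script that parses HijackThis entries and picks out the browser URL settings (R0/R1 and O13) whose data is a file on a local drive, which is the pattern the c:\searchpage.html entries share. The function names and the local-path heuristic are assumptions made for this sketch, and the sample log is constructed from a few lines of the log posted above.

```python
import re

# Constructed sample in HijackThis 1.97 log format, modelled on the posted log.
SAMPLE_LOG = r"""
C:\WINNT\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")   # section code, then the entry body
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")          # data starting with a drive letter

def parse_entries(text):
    """Return (code, body) pairs; header and process-list lines carry no code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def setting_data(code, body):
    """Split a browser URL setting into (setting, data); return None for other sections."""
    if code in ("R0", "R1") and " = " in body:
        setting, data = body.split(" = ", 1)
        return setting, data.strip()
    if code == "O13" and ": " in body:
        setting, data = body.split(": ", 1)
        return setting, data.strip()
    return None

def local_file_settings(text):
    """Heuristic (assumption): an IE URL setting that points at a local file deserves review."""
    hits = []
    for code, body in parse_entries(text):
        parsed = setting_data(code, body)
        if parsed and LOCAL_PATH.match(parsed[1]):
            hits.append((code, parsed[0], parsed[1]))
    return hits

if __name__ == "__main__":
    for code, setting, data in local_file_settings(SAMPLE_LOG):
        print(f"{code:<4}{setting} -> {data}")
```

The filter keys on the data of each setting, so an R0/R1 entry whose value is not a local path is parsed but not selected, and sections such as O2, O4 and O16 still need to be reviewed by hand.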