Jump to content


Photo

Super infected


  • Please log in to reply
1 reply to this topic

#1 altaso

altaso

    Member

  • New Member
  • Pip
  • 1 posts

Posted 08 July 2004 - 05:22 PM

Hello,
I'm not expert usin Hijack This and I don't know what I have to delete.
I post here the result of the scan. Please help me to find out what do I have to delete.Thanks
Logfile of HijackThis v1.97.7
Scan saved at 23:00:11, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton Internet Security\NISUM.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Archivos de programa\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ARCHIV~1\TERRAA~1\bin\win2k\tidslmon.exe
C:\Documents and Settings\Propietario\Mis documentos\Temporales\Picasa\PicasaMediaDetector.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Archivos de programa\Archivos comunes\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\window.exe
C:\ARCHIV~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Archivos de programa\Archivos comunes\Nokia\Services\ServiceLayer.exe
C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgn.exe
C:\Documents and Settings\Propietario\Mis documentos\Temporales\Eliminar web\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://realtime.dire....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\Archivos de programa\IntBar\ToolBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Archivos de programa\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Archivos de programa\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\Archivos de programa\IntBar\ToolBand.dll
O2 - BHO: (no name) - {856E366D-E9F2-47B8-BED6-B95DA9FC8AE0} - C:\WINDOWS\System32\ikidgba.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Archivos de programa\IntBar\ToolBand.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Archivos de programa\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Archivos de programa\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TIxDSL] C:\ARCHIV~1\TERRAA~1\bin\win2k\tidslmon.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Documents and Settings\Propietario\Mis documentos\Temporales\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Archivos de programa\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Archivos de programa\Archivos comunes\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with &Shareaza - res://C:\Archivos de programa\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Investigador (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe
O16 - DPF: {10000000-1000-1234-1000-000000000000} - ms-its:mhtml:file://C:\foo.mhtml!http://www.xpehbam.b...ii.chm::/ex.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://66.230.167.18....chm::/cool.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.179.52/...nsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:\explorer.mht!http://www.cameup.co...::/ToolBand.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenido.../ruboskizo2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7638.2910185185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2781ADBB-13DD-421B-9906-009467397E65}: NameServer = 195.235.113.3,195.235.96.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{2781ADBB-13DD-421B-9906-009467397E65}: NameServer = 195.235.113.3,195.235.96.90

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 08 July 2004 - 05:29 PM

Hello. You have the sp.html variant of About:Blank. As it is not the 'hidden' kind it can be removed by About:Buster.

Please download About:Buster Version 1.25 and unzip it to your desktop.

Boot into safe mode with these Directions

Start About:Buster, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.


Ducky
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button