hijackthis log... please help, weary by now


6 replies to this topic

#1 bruised_borrowed (New Member, 3 posts)

Posted 06 June 2004 - 09:55 PM

This is a log I took from my latest scan of my computer. I'm getting so many unerasable recurring logs that it's tiring me beyond belief.

Tried:
IE erasers
CWshredder
Adaware6
PurgeIE Pro
Internet Eraser
Smart Protector Pro

Any help is greatly appreciated
Jordan



Logfile of HijackThis v1.97.7
Scan saved at 8:51:20 PM, on 06/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SXGDSENU.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\IMATION\SDA\SDACCEL.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = dl.cssd.ab.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [TaskPlus] C:\TASKPLUS\TASKPLUS0.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Brasil] C:\WINDOWS\Brasil.pif
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AOL Instant Messenger ™] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPSTEALT] "C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE" /stealt
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: Imation SuperDisk Accelerator.lnk = ?
O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: LimeWire 3.8.7.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{06EE3071-6551-422D-8D5F-9D1816070C47}\NewShortcut1_1.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse....iveX/winrep.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 255.255.255.0

#2 Starwaves (Full Member, 34 posts)

Posted 06 June 2004 - 10:34 PM

Hi,

You have the W32.Opaserv.Worm

Download the FixOpsrv.exe Worm removal tool from:
W32.Opaserv Worm Removal Tool

Save the file to your download folder or the Windows desktop (or removable media known to be uninfected, if possible).

To check the authenticity of the digital signature, refer to the section, "Digital signature."

Close all the programs before you run the tool.

If you are on a network or have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Double-click the FixOpsrv.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.

Run the removal tool again to ensure that the system is clean.

------->

Post a fresh Hijack log,

:)

#3 bruised_borrowed (New Member, 3 posts)

Posted 06 June 2004 - 10:58 PM

Thanks for the advice bud, but I ran the Symantec Norton tool following the outlined procedure, and alas, I do not, apparently, have the Opaserv worm. I'm contemplating rebuilding my whole *#&#* computer... Very disheartening really, so many posts over so many boards, yet it seems that no one really knows what to do about it.

Starwaves? Any more advice? Seems like you know what to look for, so anything else *anyone* has, I'd appreciate the advice.

Thanks so much
Jordan

#4 Starwaves (Full Member, 34 posts)

Posted 06 June 2004 - 11:54 PM

Hi Jordan,

I see the worm -- this is its signature --->

C:\WINDOWS\Brasil.pif

And here is its location in your HijackThis log:
O4 - HKLM\..\Run: [Brasil] C:\WINDOWS\Brasil.pif

That O4 location is the registry key 'Run', where it should be, so it runs automatically at startup.

You're saying that you ran the tool and it said 'you were not infected'?

-----------

It's best to check a few things manually,

Click on Start / Run / win.ini < type that

Look for the lines:
run= c:\ScrSvr.exe
run= c:\tmp.ini


If you see those lines, delete them with your mouse, then close 'win.ini' and save changes.

------

Go back to 'RUN' .... and type in tmp.ini , if it opens, you should see
run= c:\windows\scrsvr.exe

Delete the line,

-------------

Click start / run / regedit < type
Navigate through these folders by clicking on the + sign, till you come to 'RUN'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane look for: C:\WINDOWS\Brasil.pif or C:\WINDOWS\brasil.exe & run= c:\ScrSvr.exe

Right click and delete them, you have to right click the icon to their left in the 'name' column,

---------

Run HijackThis again and put a check next to all the following and click FIX:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Brasil] C:\WINDOWS\Brasil.pif

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


=====> Post a fresh Hijack This log <=======

Edited by Starwaves, 06 June 2004 - 11:57 PM.
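The manual check above (win.ini run= and load= lines, tmp.ini, the HKLM Run key) can be scripted against a saved HijackThis log and a copy of win.ini. The following is an added example written for this page, not code from the thread or from HijackThis. The log excerpt reuses O4 lines from the log posted above and the win.ini content is constructed; the indicator list is only the file names Starwaves mentions, and the .pif/.scr/.bat/.com heuristic is my own generalisation (Windows executes those types, but they are rarely legitimate autostart targets).

```python
"""Audit Win9x autostart locations the way the manual check in the thread does.

Added example (not from the thread or from HijackThis). Flags:
  * targets whose file name Starwaves names in the thread;
  * a .pif/.scr/.bat/.com target in a registry Run key (own heuristic);
  * any non-empty run= or load= value in win.ini (Win9x ships them empty).
Sample inputs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NAMED_IN_POST = ("brasil.pif", "brasil.exe", "scrsvr.exe", "tmp.ini")
ODD_EXEC_EXT = (".pif", ".scr", ".bat", ".com")

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.*)$")
INI_KV_RE = re.compile(r"^\s*(?P<key>[^=;\[]+?)\s*=\s*(?P<val>.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    source: str   # e.g. r"HKLM\..\Run" or "win.ini [windows]"
    entry: str    # the line that tripped the check
    reason: str


def _target(cmd: str) -> str:
    """Program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def audit_hijackthis(log: str) -> list[Finding]:
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        where, rest = m.group("where"), m.group("rest")
        if rest.startswith("[") and "] " in rest:   # registry entry: [Name] command
            cmd = rest.split("] ", 1)[1]
        elif " = " in rest:                         # Startup folder: Name.lnk = target
            cmd = rest.split(" = ", 1)[1]
        else:
            cmd = rest
        if cmd.strip() == "?":                      # HijackThis could not resolve the .lnk
            continue
        base = _basename(_target(cmd))
        in_run_key = where.lower().endswith(("run", "runservices"))
        if base in NAMED_IN_POST:
            findings.append(Finding(where, line, f"file name named in the thread: {base}"))
        elif in_run_key and base.endswith(ODD_EXEC_EXT):
            findings.append(Finding(where, line, f"unusual executable type in a Run key: {base}"))
    return findings


def audit_win_ini(text: str) -> list[Finding]:
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = INI_KV_RE.match(line)
        if section != "windows" or not m:
            continue
        key, val = m.group("key").lower(), m.group("val")
        if key in ("run", "load") and val:
            base = _basename(_target(val))
            why = (f"file name named in the thread: {base}" if base in NAMED_IN_POST
                   else f"{key}= is not empty")
            findings.append(Finding("win.ini [windows]", line, why))
    return findings


# Constructed excerpt: a handful of O4 lines copied from the log in this thread.
SAMPLE_HJT = "\n".join([
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [Brasil] C:\WINDOWS\Brasil.pif",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe",
    r"O4 - Startup: Office Startup.lnk = ?",
    r"O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe",
])
# Constructed win.ini carrying the run= line the post tells the reader to look for.
SAMPLE_WIN_INI = "\n".join(["[windows]", "load=", r"run= c:\ScrSvr.exe", "NullPort=None",
                            "[Desktop]", "Wallpaper=(None)"])

if __name__ == "__main__":
    for f in audit_hijackthis(SAMPLE_HJT) + audit_win_ini(SAMPLE_WIN_INI):
        print(f"{f.source:20} {f.reason:45} {f.entry}")
```

Run it against the real files by replacing the two samples with the contents of the saved log and of C:\WINDOWS\win.ini; anything it prints is a candidate to remove, not proof of infection, so check each target on disk before deleting the entry.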


#5 bruised_borrowed (New Member, 3 posts)

Posted 07 June 2004 - 10:11 AM

Thanks for the advice again Starwaves.

However, on my thorough search for the components that you sent me looking for, nothing was there but the problem. The same webpages appear in my browser log. The same pages from about a month ago, and only that one day's pages appear in my history.

None of the components I was looking for were there, and the problem persists.

Here's my new HijackThis log, and as you can see I erased the components I was looking for, but the problem still persists, even though the "Brasil" tags are now gone....

Any other suggestions or have I inherited some bug from hell?

Maybe this is important to note: every time I use Internet Eraser, I can run the program back to back consecutively, without even opening IE, and the same URLs are ALWAYS deleted, but always return instantaneously.

Thanks again.... I must admit I've never had a problem this thorough on my computer before, and it's really starting to annoy me.

Thanks, bye



Logfile of HijackThis v1.97.7
Scan saved at 9:04:33 AM, on 07/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SXGDSENU.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\IMATION\SDA\SDACCEL.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...ilogin.srf?id=2
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [TaskPlus] C:\TASKPLUS\TASKPLUS0.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: Imation SuperDisk Accelerator.lnk = ?
O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: LimeWire 3.8.7.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{06EE3071-6551-422D-8D5F-9D1816070C47}\NewShortcut1_1.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse....iveX/winrep.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 255.255.255.0

#6 Starwaves (Full Member, 34 posts)

Posted 07 June 2004 - 08:30 PM

Hi Jordan,

A couple of things to think about. Watch for that O4 - Brasil entry in your log; that's unexplainable for now, but you did some good work running down all its associations.

Could you post some of those website URLs that keep coming back after you delete them? What exactly are the logs you're getting? Where? Give me an example.

There are still some 'resource' issues in your HijackThis log that you can correct and benefit from.

Run your HijackThis scan again and delete the following:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Both of those are huge on your system's resources; disable both:
DISABLE FINDFAST.EXE

Disable LOADQM:

Reboot your PC and find LOADQM in the C:\WINDOWS folder. Rename it to LOADQM.EXE.OLD, as if you do not it will otherwise get put back in your Task List at some stage or other (on some PCs you may need to boot into Safe Mode before you are able to rename LOADQM).



------>
Use your search to find your "hosts" file, use quotations, checkmark 'Search subfolders'

Open in Notepad or Wordpad,

Clean out all references except 127.0.0.1 localhost, unless you are specifically blocking certain sites.

Some good online scans to run>
BitDefender Virus/Trojan Scan
RavantVirus Online Scan


:)
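The hosts-file advice above has one exception worth making explicit: a line that maps a name to 127.0.0.1 (or 0.0.0.0) only blocks that name, which is the "specifically blocking certain sites" case, while a line that maps a name to any other address silently redirects it, which is the hijack pattern. HijackThis reports the latter as O1 entries, and neither log in this thread shows any. The following is an added example written for this page, not code from the thread or from HijackThis; the sample hosts content is constructed, and 203.0.113.5 is a documentation address standing in for an attacker-controlled host.

```python
"""Review a hosts file, separating deliberate blocks from redirects.

Added example, not from the thread. Loopback/unspecified targets block a name;
anything else redirects it. The sample content is constructed.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net        # user-added block
0.0.0.0         tracker.example.org
203.0.113.5     www.example-bank.com   # constructed redirect
www.example.com                        # malformed line, ignored by Windows
"""


def parse_hosts(text):
    """Yield (line_no, ip, names) for each valid mapping; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield n, ip, [h.lower() for h in fields[1:]]


def classify_hosts(text):
    """Split mappings into the default localhost line, blocking lines and redirects."""
    result = {"keep": [], "blocks": [], "redirects": []}
    for n, ip, names in parse_hosts(text):
        if ip.is_loopback and names == ["localhost"]:
            result["keep"].append(n)
        elif ip.is_loopback or ip.is_unspecified:
            result["blocks"].append((n, str(ip), names))
        else:
            result["redirects"].append((n, str(ip), names))
    return result


def cleaned_hosts(text, keep_blocks=True):
    """Return the file text minus redirect lines (and minus block lines if keep_blocks is False)."""
    r = classify_hosts(text)
    drop = {n for n, _, _ in r["redirects"]}
    if not keep_blocks:
        drop |= {n for n, _, _ in r["blocks"]}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    summary = classify_hosts(SAMPLE_HOSTS)
    for n, ip, names in summary["redirects"]:
        print(f"line {n}: REDIRECT {', '.join(names)} -> {ip}")
    for n, ip, names in summary["blocks"]:
        print(f"line {n}: block    {', '.join(names)} -> {ip}")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

On Windows 9x the file is C:\WINDOWS\HOSTS (no extension); read it into `text`, inspect the redirect list, and only then write `cleaned_hosts(text)` back. Comments and the default localhost line survive the rewrite untouched.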

#7 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 08 June 2004 - 02:26 PM

Starwaves, if you want to post help here at SWI, please see
The various helper groups here.
