bruised_borrowed

hijackthis log... please help, weary by now

7 posts in this topic

This is a log I took from my latest scan of my computer. I'm getting sooooo many unerasable recurring logs that it's tiring me beyond belief.

 

Tried:

IE erasers

CWshredder

Adaware6

PurgeIE Pro

Internet Eraser

Smart Protector Pro

 

Any help is greatly appreciated

Jordan

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 8:51:20 PM, on 06/06/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\SA3DSRV.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\WINDOWS\SYSTEM\SXGDSENU.EXE

C:\MOUSE\SYSTEM\EM_EXEC.EXE

C:\COMPAQ\INTERNET\CISRVR.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\IMATION\SDA\SDACCEL.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE

C:\TEMP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = dl.cssd.ab.ca

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu

R3 - Default URLSearchHook is missing

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Essdc] essdc.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [sXGDSENU] SXGDSENU.exe

O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe

O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN

O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE

O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART

O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"

O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe

O4 - HKLM\..\Run: [TaskPlus] C:\TASKPLUS\TASKPLUS0.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [brasil] C:\WINDOWS\Brasil.pif

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [HC Reminder] hc.exe

O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe

O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKCU\..\Run: [AOL Instant Messenger ] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sPSTEALT] "C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE" /stealt

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = ?

O4 - Startup: Imation SuperDisk Accelerator.lnk = ?

O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O4 - Startup: LimeWire 3.8.7.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{06EE3071-6551-422D-8D5F-9D1816070C47}\NewShortcut1_1.exe

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 255.255.255.0


Hi,

 

You have the W32.Opaserv.Worm

 

Download the FixOpsrv.exe Worm removal tool from:

W32.Opaserv Worm Removal Tool

 

Save the file to your download folder or the Windows desktop (or removable media known to be uninfected, if possible).

 

To check the authenticity of the digital signature, refer to the section, "Digital signature."

 

Close all the programs before you run the tool.

 

If you are on a network or have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

 

Double-click the FixOpsrv.exe file to start the removal tool.

Click Start to begin the process, and then allow the tool to run.

Restart the computer.

 

Run the removal tool again to ensure that the system is clean.

 

------->

 

Post a fresh Hijack log,

 

:)


Thanks for the advice bud, but I ran the Symantec Norton tool following the outlined procedure, but alas, I do not, apparently, have the opaserv worm. I'm contemplating rebuilding my whole *#* computer... Very disheartening really, so many posts over so many boards, yet it seems that no one really knows what to do about it.

 

Starwaves? Any more advice? Seems like you know what to look for, so anything else *anyone* has, I'd appreciate the advice.

 

Thanks so much

Jordan


Hi Jordan,

 

I see the worm -- this is its signature --->

 

C:\WINDOWS\Brasil.pif

 

And here is its location in your Hijack log:

O4 - HKLM\..\Run: [brasil] C:\WINDOWS\Brasil.pif

 

That - O4 - location is in the registry key 'RUN' where it should be, so it runs automatically at startup,

 

You're saying that you ran the tool and it said 'you were not infected'?

 

-----------

 

It's best to check a few things manually,

 

Click on Start / Run / win.ini < type that

 

Look for the lines:

run= c:\ScrSvr.exe

run= c:\tmp.ini

 

If you see those lines, delete them with your mouse, then close 'win.ini' and save changes,

 

------

 

Go back to 'RUN' .... and type in tmp.ini , if it opens, you should see

run= c:\windows\scrsvr.exe

 

Delete the line,

 

-------------

 

Click start / run / regedit < type

Navigate through these folders by clicking on the + sign, till you come to 'RUN'

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

In the right pane look for: C:\WINDOWS\Brasil.pif or C:\WINDOWS\brasil.exe & run= c:\ScrSvr.exe

 

Right click and delete them, you have to right click the icon to their left in the 'name' column,

 

---------

 

Run Hijack this again and put a check next to all the following and click FIX,

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu

 

R3 - Default URLSearchHook is missing

 

O4 - HKLM\..\Run: [brasil] C:\WINDOWS\Brasil.pif

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

=====> Post a fresh Hijack This log <=======

Edited by Starwaves


Thanks for the advice again Starwaves.

 

However, on my thorough search for the components that you sent me looking for, nothing was there but the problem. The same webpages appear in my browser log. The same pages from about a month ago, and only that 1 day's pages appear in my history.

 

None of the components I was looking for were there, and the problem persists.

 

Here's my new HijackThis log, and as you can see I erased the components I was looking for, but the problem still persists, even though the "Brasil" tags are now gone....

 

Any other suggestions or have I inherited some bug from hell?

 

Maybe this is important to note, every time I use internet eraser, I can run the program back to back consecutively, without even opening IE, and the same URLs are ALWAYS deleted, but always return instantaneously.

 

Thanks again.... I must admit I've never had a problem this thorough on my computer before, and it's really starting to annoy me

 

Thanks, Bye

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 9:04:33 AM, on 07/06/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\SA3DSRV.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\WINDOWS\SYSTEM\SXGDSENU.EXE

C:\MOUSE\SYSTEM\EM_EXEC.EXE

C:\COMPAQ\INTERNET\CISRVR.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\IMATION\SDA\SDACCEL.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\TEMP\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Essdc] essdc.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [sXGDSENU] SXGDSENU.exe

O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe

O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN

O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE

O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART

O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"

O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe

O4 - HKLM\..\Run: [TaskPlus] C:\TASKPLUS\TASKPLUS0.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [HC Reminder] hc.exe

O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe

O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = ?

O4 - Startup: Imation SuperDisk Accelerator.lnk = ?

O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe

O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O4 - Startup: LimeWire 3.8.7.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{06EE3071-6551-422D-8D5F-9D1816070C47}\NewShortcut1_1.exe

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 255.255.255.0

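Added example (not from any poster in this thread): a Python parser for HijackThis entry lines that lists O4 registry autoruns whose program has an unusual executable extension, which is how the `[brasil]` entry stands out, and diffs the two scans to show which entries were actually removed. The `ODD_EXT` list and all function names are assumptions of this example; the sample lines are excerpts of the two logs above.

```python
import re

# HijackThis entry lines: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] cmd".
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# O4 registry autoruns: hive\..\key: [value name] command line
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Program part of a command line: up to the first ".xxx" before a quote/space/end.
PROGRAM = re.compile(r'"?(.+?\.\w{3})(?=["\s]|$)')
# Assumed heuristic (not from the thread): executable extensions that are
# unusual for a legitimate startup program.
ODD_EXT = (".pif", ".scr")

def parse(log):
    """Return the set of (section, body) entries found in a HijackThis log."""
    found = (ENTRY.match(line.strip()) for line in log.splitlines())
    return {(m.group(1), m.group(2)) for m in found if m}

def autoruns(entries):
    """Return (hive, key, name, program) for each O4 registry autorun."""
    rows = []
    for section, body in sorted(entries):
        m = AUTORUN.match(body) if section == "O4" else None
        if m:
            hive, key, name, cmd = m.groups()
            prog = PROGRAM.match(cmd)
            rows.append((hive, key, name, prog.group(1) if prog else cmd))
    return rows

def odd_autoruns(entries):
    """Autoruns whose program has one of the ODD_EXT extensions."""
    return [r for r in autoruns(entries) if r[3].lower().endswith(ODD_EXT)]

def diff(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    return sorted(before - after), sorted(after - before)

# Excerpts of the first and second logs posted in this thread.
BEFORE = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [brasil] C:\WINDOWS\Brasil.pif
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [sPSTEALT] "C:\PROGRAM FILES\SMART PROTECTOR PRO\SMARTPROTECTORPRO.EXE" /stealt
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 255.255.255.0
"""
AFTER = r"""
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 255.255.255.0
"""

if __name__ == "__main__":
    print("odd autoruns:", odd_autoruns(parse(BEFORE)))
    gone, new = diff(parse(BEFORE), parse(AFTER))
    for section, body in gone:
        print("gone:", section, body)
    print("new:", new)
```

Pasting the full text of both scans into `BEFORE` and `AFTER` gives the complete list of entries that changed between them.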

Hi Jordan,

 

A couple things to think about. Watch for that O4 - BRASIL entry in your log, that's unexplainable for now, but you did some good work running down all its associations.

 

Could you post some of those 'website URLS' that keep coming back after you delete them. What exactly are the logs you're getting? Where? Give me an example,

 

There are still some 'resource' issues in your Hijack log that you can correct and benefit from.

 

Run your hijack scan again and delete the following:

 

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

 

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

 

Both of those are huge on your systems resources, disable both:

DISABLE FINDFAST.EXE

 

Disable LOADQM:

 

Reboot your PC and find  LOADQM  in the  C:\WINDOWS  folder.  Rename it to  LOADQM.EXE.OLD  as if you do not it will otherwise get put back in your Task List at some stage or other  (on some PCs you may need to boot into Safe Mode before you are able to rename LOADQM).

 

------>

Use your search to find your "hosts" file, use quotations, checkmark 'Search subfolders'

 

Open in Notepad or Wordpad,

 

Clean out all references except 127.0.0.1 localhost

 

Unless you are specifically blocking certain sites.

 

Some good online scans to run>

BitDefender Virus/Trojan Scan

RavantVirus Online Scan

 

 

:)
