dounloader.small

Discussion in 'adware, spyware & hijack cleaning' started by filo, May 21, 2004.

Thread Status:
Not open for further replies.
  1. filo

    filo Registered Member

    Joined:
    May 17, 2004
    Posts:
    1
    Logfile of HijackThis v1.97.7
    Scan saved at 09:09:10 p.m., on 20/05/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGCC32.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aifind.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=132047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.info/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\MSXSLAB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARCHIV~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .mpeg: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hello filo,

    Important: Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
    Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy please.


    You have a varient of the coolwebsearch trojan. Please download CWShredder by Merijin from here:

    http://spywarewarrior.com/files/CWShredder.exe

    After downloading it, run the program by clicking the "Fix" button and let it fix all varients.


    Then, check the boxes next to all these, close all other windows, then click Fix Checked.



    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\MSXSLAB.DLL

    O14 - IERESET.INF: SEARCH_PAGE_URL=

    O14 - IERESET.INF: START_PAGE_URL=

    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...0006_cracks.cab

    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab


    After that, Reboot and post a new log.
     
Thread Status:
Not open for further replies.