downloader.small.5.1

Discussion in 'adware, spyware & hijack cleaning' started by verorhcp, May 4, 2004.

Thread Status:
Not open for further replies.
  1. verorhcp

    verorhcp Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    well, I've done everything you say:
    this is the hijackthis.log

    Logfile of HijackThis v1.97.7
    Scan saved at 12:10:19 a.m., on 04/05/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWSN\SYSTEM\KERNEL32.DLL
    C:\WINDOWSN\SYSTEM\MSGSRV32.EXE
    C:\WINDOWSN\SYSTEM\MPREXE.EXE
    C:\WINDOWSN\SYSTEM\mmtask.tsk
    C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWSN\SYSTEM\MSTASK.EXE
    C:\WINDOWSN\EXPLORER.EXE
    C:\WINDOWSN\TASKMON.EXE
    C:\WINDOWSN\SYSTEM\SYSTRAY.EXE
    C:\WINDOWSN\LOADQM.EXE
    C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWSN\SYSTEM\MSHTA.EXE
    C:\DISKSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WZQKPICK.EXE
    C:\WINDOWSN\SYSTEM\WMIEXE.EXE
    C:\WINDOWSN\SYSTEM\RNAAPP.EXE
    C:\WINDOWSN\SYSTEM\TAPISRV.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWSN\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWSN\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uolsinectis.com.ar:80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWSN\SYSTEM\MSXSLAB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSN\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWSN\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWSN\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
    O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWSN\FONTS\Tahoma.vbs
    O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARCHIV~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWSN\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [Disk Master] C:\diskserv.exe
    O4 - HKCU\..\Run: [Service Manager] C:\dxsound.exe
    O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Letras de canciones (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5263541667
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

    Please help me get rid of this virus. I can't get to the Hotmail page.
     
  2. verorhcp

    verorhcp Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    Please tell me what to do to destroy this Trojan horse virus...
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi verorhcp,

    Before you start, please unzip HijackThis to a separate folder. The program makes its backups in the folder it's in,
    and these easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWSN\SYSTEM\MSXSLAB.DLL

    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
    O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWSN\FONTS\Tahoma.vbs
    O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab

    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

    Then reboot into safe mode and delete:
    winmain.exe
    C:\Archivos de programa\Power Scan <= entire folder
    C:\WINDOWSN\winh.exe

    Also do an online virus scan; you will find several listed here: http://www.wilders.org/free_services.htm

    Regards,

    Pieter
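A triage helper for the kind of HijackThis log posted above, added here as an example (it is not part of the thread, nor of HijackThis itself). It parses the O4 autostart and O16 DPF lines and lists the ones an analyst should look at; the known-good autostart names, vendor folders and cab hosts are a constructed allowlist for this Windows 98 log, so on the sample lines it flags the same O4 and O16 entries Pieter asked to fix and leaves the Windows and AVG entries alone.

```python
import re
from urllib.parse import urlparse
# Constructed allowlists (assumption, not from the thread): Win9x autostart names and
# vendor folders treated as known-good, and the hosts trusted to serve O16 cab files.
KNOWN_GOOD = {"scanregw.exe", "taskmon.exe", "systray.exe", "loadqm.exe", "rundll32.exe", "mstask.exe"}
TRUSTED_DIRS = ("\\GRISOFT\\", "\\MICROSOFT OFFICE\\", "\\WINZIP\\")
TRUSTED_CAB_HOSTS = ("macromedia.com", "microsoft.com", "msn.com")

O4_RE = re.compile(r"^O4 - .+?: \[[^\]]*\] (?P<cmd>.+)$")       # O4 - HKLM\..\Run: [name] command
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|vbs|js|bat|scr|pif|dll))(?:\s|$)", re.I)  # path, then args
def check_o4(cmd):  # reason to review an O4 autostart command, or None if it looks benign
    m = EXE_RE.match(cmd.strip())
    exe = m.group("exe") if m else cmd.strip()
    base = exe.rsplit("\\", 1)[-1].lower()
    if base.endswith((".vbs", ".js", ".bat", ".scr", ".pif")):
        return "script in autostart: " + base          # e.g. a .vbs sitting in the FONTS folder
    if base in KNOWN_GOOD or any(d in exe.upper() for d in TRUSTED_DIRS):
        return None
    return ("bare filename: " if "\\" not in exe else "unknown program: ") + exe

def check_o16(url):  # reason to review an O16 ActiveX cab URL, or None
    host = urlparse(url).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "cab served from bare IP: " + host
    if not any(host == t or host.endswith("." + t) for t in TRUSTED_CAB_HOSTS):
        return "cab from untrusted host: " + host
    return None

def classify(line):  # dispatch one log line; None = nothing to review (or not an O4/O16 line)
    if m := O4_RE.match(line):
        return check_o4(m.group("cmd"))
    if m := O16_RE.match(line):
        return check_o16(m.group("url"))
    return None

def triage(log_text):  # [(line, reason)] for every O4/O16 line worth a second look
    return [(l, r) for l in map(str.strip, log_text.splitlines()) if (r := classify(l))]
# Constructed sample: O4/O16 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWSN\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5263541667
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
"""
```

Running `triage(SAMPLE_LOG)` returns six findings: the bare `winmain.exe`, the `.vbs` in FONTS, the Power Scan and `winh.exe` programs, and the two cabs from an unknown host and a bare IP; the allowlist is the part to maintain, since anything not on it is only a candidate for review, not a verdict.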
     