downloader.small.5.1

Discussion in 'adware, spyware & hijack cleaning' started by verorhcp, May 4, 2004.

Thread Status:
Not open for further replies.
  1. verorhcp

    verorhcp Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    well, I¨ve done everything you say:
    this is the hijackthis.logLogfile of HijackThis v1.97.7
    Scan saved at 12:10:19 a.m., on 04/05/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWSN\SYSTEM\KERNEL32.DLL
    C:\WINDOWSN\SYSTEM\MSGSRV32.EXE
    C:\WINDOWSN\SYSTEM\MPREXE.EXE
    C:\WINDOWSN\SYSTEM\mmtask.tsk
    C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWSN\SYSTEM\MSTASK.EXE
    C:\WINDOWSN\EXPLORER.EXE
    C:\WINDOWSN\TASKMON.EXE
    C:\WINDOWSN\SYSTEM\SYSTRAY.EXE
    C:\WINDOWSN\LOADQM.EXE
    C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWSN\SYSTEM\MSHTA.EXE
    C:\DISKSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WZQKPICK.EXE
    C:\WINDOWSN\SYSTEM\WMIEXE.EXE
    C:\WINDOWSN\SYSTEM\RNAAPP.EXE
    C:\WINDOWSN\SYSTEM\TAPISRV.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWSN\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWSN\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uolsinectis.com.ar:80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWSN\SYSTEM\MSXSLAB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSN\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWSN\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWSN\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
    O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWSN\FONTS\Tahoma.vbs
    O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARCHIV~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWSN\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [Disk Master] C:\diskserv.exe
    O4 - HKCU\..\Run: [Service Manager] C:\dxsound.exe
    O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Letras de canciones (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5263541667
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

    please, help me to get rid of this virus. i can´t enter to the hotmail page
     
  2. verorhcp

    verorhcp Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    please, tell me what to do to destroy this trojan horse virus...
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi verorhcp,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWSN\SYSTEM\MSXSLAB.DLL

    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
    O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWSN\FONTS\Tahoma.vbs
    O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab

    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

    Then reboot into safe mode and delete:
    winmain.exe
    C:\Archivos de programa\Power Scan <= entire folder
    C:\WINDOWSN\winh.exe

    Also do an online virusscan, you will find several listed here: http://www.wilders.org/free_services.htm

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.