Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


remover HJT

  • Please log in to reply
1 reply to this topic

#1 agarnier64


  • Members
  • 1 posts
  • Local time:08:59 PM

Posted 21 April 2005 - 05:45 PM

Logfile of HijackThis v1.99.1
Scan saved at 19:21:18, on 21/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=186
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\vimur.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\hrgdk.dll/sp.html#83556
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8D1F7C2E-2E52-3708-89C4-B589A70966FC} - C:\WINNT\sysxo32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es\msntb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Nqt] C:\WINNT\system32\Ocr.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{87F90577-325E-4168-82B6-30CC29335C4E}\SVCHOST.EXE
O4 - HKLM\..\Run: [Egf] C:\WINNT\system32\Poo.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINNT\system32\atipatxx.exe
O4 - HKLM\..\Run: [Csa] C:\WINNT\system32\Ecf.exe
O4 - HKLM\..\Run: [Agt] C:\WINNT\system32\Bmb.exe
O4 - HKLM\..\Run: [Cro] C:\WINNT\system32\Slq.exe
O4 - HKLM\..\Run: [Fin] C:\WINNT\system32\Jna.exe
O4 - HKLM\..\Run: [Vpb] C:\WINNT\system32\Auh.exe
O4 - HKLM\..\Run: [Fsb] C:\WINNT\system32\Rkg.exe
O4 - HKLM\..\Run: [Qkm] C:\WINNT\system32\Qkc.exe
O4 - HKLM\..\Run: [Dhn] C:\WINNT\system32\Ogq.exe
O4 - HKLM\..\Run: [Mus] C:\WINNT\system32\Bbk.exe
O4 - HKLM\..\Run: [Enl] C:\WINNT\system32\Arp.exe
O4 - HKLM\..\Run: [Njj] C:\WINNT\system32\Sqa.exe
O4 - HKLM\..\Run: [Dlk] C:\WINNT\system32\Cmn.exe
O4 - HKLM\..\Run: [Fgc] C:\WINNT\system32\Fio.exe
O4 - HKLM\..\Run: [Ugf] C:\WINNT\system32\Vvt.exe
O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKLM\..\RunServices: [atipatxx] C:\WINNT\system32\atipatxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Naughty Player] C:\ARCHIV~1\NAUGHT~1\NaughtyPlayer.exe -minimize
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1034.dll,InstantAccess
O4 - HKCU\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKCU\..\Run: [Nqt] C:\WINNT\system32\Ocr.exe
O4 - HKCU\..\Run: [atipatxx] C:\WINNT\system32\atipatxx.exe
O4 - HKCU\..\Run: [Jjg] C:\WINNT\Chu.exe
O4 - HKCU\..\Run: [Egf] C:\WINNT\system32\Poo.exe
O4 - HKCU\..\Run: [Csa] C:\WINNT\system32\Ecf.exe
O4 - HKCU\..\Run: [Agt] C:\WINNT\system32\Bmb.exe
O4 - HKCU\..\Run: [Cro] C:\WINNT\system32\Slq.exe
O4 - HKCU\..\Run: [Fin] C:\WINNT\system32\Jna.exe
O4 - HKCU\..\Run: [Vpb] C:\WINNT\system32\Auh.exe
O4 - HKCU\..\Run: [Jlj] C:\WINNT\Udv.exe
O4 - HKCU\..\Run: [Fsb] C:\WINNT\system32\Rkg.exe
O4 - HKCU\..\Run: [Tdl] C:\WINNT\Tni.exe
O4 - HKCU\..\Run: [Hok] C:\WINNT\Gko.exe
O4 - HKCU\..\Run: [Qkm] C:\WINNT\system32\Qkc.exe
O4 - HKCU\..\Run: [Dhn] C:\WINNT\system32\Ogq.exe
O4 - HKCU\..\Run: [Mus] C:\WINNT\system32\Bbk.exe
O4 - HKCU\..\Run: [Dtj] C:\WINNT\Eel.exe
O4 - HKCU\..\Run: [Enl] C:\WINNT\system32\Arp.exe
O4 - HKCU\..\Run: [Tbr] C:\WINNT\Qrq.exe
O4 - HKCU\..\Run: [Hbq] C:\WINNT\Ndi.exe
O4 - HKCU\..\Run: [Njj] C:\WINNT\system32\Sqa.exe
O4 - HKCU\..\Run: [Dlk] C:\WINNT\system32\Cmn.exe
O4 - HKCU\..\Run: [Qjm] C:\WINNT\Alb.exe
O4 - HKCU\..\Run: [Fgc] C:\WINNT\system32\Fio.exe
O4 - HKCU\..\Run: [Ugf] C:\WINNT\system32\Vvt.exe
O4 - HKCU\..\Run: [Mhp] C:\WINNT\Gpj.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_ES.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EC...UTH_1034_ES.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_ES.cab
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O20 - Winlogon Notify: ntfs32 - C:\WINNT\SYSTEM32\ntfs32.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINNT\atleu.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)


#2 didom


  • Members
  • 1,389 posts
  • Gender:Male
  • Local time:02:59 AM

Posted 22 April 2005 - 06:29 AM

Please download Intermute's CWShredder from here:
  • Save it to the desktop and run it.
  • Click "Fix" to remove the CWS infection.
Then please download About:Buster from here:
  • Unzip the files to a convenient location such as C:\AboutBuster.
  • Run AboutBuster.exe.
  • Read the instructions then click OK to proceed.
  • Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version.
  • Click Start to begin the scan.
- If prompted to end the Explorer.exe process, click Yes.
- Your desktop may disappear --- this is normal.
  • Allow the program to scan twice, and when complete click "Save Log".
    This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.
  • Please post the entire contents of that logfile here for me.
    Please also restart your computer and post a new HijackThis log.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users