
Hjt Log - Lop


  • This topic is locked
2 replies to this topic

#1 hijacked


Posted 15 November 2005 - 05:29 PM

Hi everybody
I asked for help before, for my pc, and you helped me...and now my pc is working perfectly
Now, my cousin's pc is full of pop-ups and the pop-up blocker is on...
There are too many problems with this pc, and it's slow...I'm posting the hijackthis log...
I'd be happy if it starts to work again

thanx


Logfile of HijackThis v1.99.1
Scan saved at 20:29:41, on 15/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe
C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Hotbar\bin\4.6.1.0\Hbinst.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Ares Lite Edition\Ares.exe
C:\Arquivos de programas\MessengerDiscovery\msgdiscoveryx.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
c:\arquiv~1\intern~1\iexplore.exe
C:\Arquivos de programas\DV Series\Console\Watch.exe
C:\Arquivos de programas\AOL Brasil 7.0a\waol.exe
C:\Arquivos de programas\MSN Apps\Updater\01.05.0000.1009\pt-br\msnappau.exe
C:\Arquivos de programas\Hotbar\bin\4.5.3.0\HbSrv.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\ARQUIV~1\WINZIP32\winzip32.exe
C:\Documents and Settings\DanielC\Configurações locais\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.knwhyobwemcrpjlu.biz/GNQxaVL1dG...xXjggMqRRzs.jpg
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\ARQUIV~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Arquivos de programas\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\ARQUIV~1\ADVANC~1\ADVANC~1.DLL (file missing)
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IGV6\igshop.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Arquivos de programas\Hotbar\bin\4.5.3.0\HbHostIE.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: (no name) - {BDBE0155-DC12-5C3F-0C60-A8CA9B6CC4FF} - C:\DOCUME~1\DanielC\DADOSD~1\MEDIAS~1\close draw.exe
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IGV6\igshop.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Arquivos de programas\Hotbar\bin\4.5.3.0\HbHostIE.dll
O4 - HKLM\..\Run: [RealTray] C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [har] C:\WINDOWS\har.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [navapp] C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Arquivos de programas\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Seek new long dog] C:\Documents and Settings\All Users\Dados de aplicativos\MAPI AMOK SEEK NEW\WaveScr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Hotbar] C:\Arquivos de programas\Hotbar\bin\4.6.1.0\Hbinst.exe /Upgrade
O4 - HKCU\..\Run: [SysBrand] C:\Documents and Settings\DanielC\Desktop\No Enter\sysbrand.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Arquivos de programas\MessengerDiscovery\msgdiscoveryx.exe
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DashPoll] C:\DOCUME~1\DanielC\DADOSD~1\EXTRAL~1\Platform User.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AOL Brasil 7.0 Ícone da Barra Inferior.lnk = C:\Arquivos de programas\AOL Brasil 7.0a\aoltray.exe
O4 - Global Startup: Watch.lnk = C:\Arquivos de programas\DV Series\Console\Watch.exe
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Arquivos de programas\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Arquivos de programas\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Arquivos de programas\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Arquivos de programas\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\IGV6\igshop.dll (file missing)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Arquivos de programas\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1057_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} (WebBar Class) - http://www.advancedsearchbar.com/searchbarsetup2.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O16 - DPF: {FF521631-31DA-48AC-B4E9-390A7694C906} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EC..._1_30_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0192BE49-0C40-437F-A117-C18BB08D8297}: NameServer = 198.81.9.150
O17 - HKLM\System\CS1\Services\Tcpip\..\{0192BE49-0C40-437F-A117-C18BB08D8297}: NameServer = 198.81.9.150
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 ddeerrff


Posted 16 November 2005 - 02:38 PM

Hello hijacked and welcome to BleepingComputer. Quite an assortment you have here.


You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder. Before we use HJT to get rid of some entries, we need to get it into a permanent location.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer then double click on Local Disk (C:). In a clear area right click and select New then Folder and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder. If required a tutorial is here.


I would like you to have some files scanned for me. Go to the Jotti's malware scan site and submit the following files for a malware scan:

C:\WINDOWS\har.exe
C:\Documents and Settings\DanielC\Desktop\No Enter\sysbrand.exe


Post the results of the scans in your next reply.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.knwhyobwemcrpjlu.biz/GNQxaVL1dG...xXjggMqRRzs.jpg
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll (file missing)

O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Arquivos de programas\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\ARQUIV~1\ADVANC~1\ADVANC~1.DLL (file missing)
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IGV6\igshop.dll (file missing)
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Arquivos de programas\Hotbar\bin\4.5.3.0\HbHostIE.dll
O2 - BHO: (no name) - {BDBE0155-DC12-5C3F-0C60-A8CA9B6CC4FF} - C:\DOCUME~1\DanielC\DADOSD~1\MEDIAS~1\close draw.exe

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IGV6\igshop.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Arquivos de programas\Hotbar\bin\4.5.3.0\HbHostIE.dll

O4 - HKLM\..\Run: [WeatherOnTray] C:\Arquivos de programas\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [Seek new long dog] C:\Documents and Settings\All Users\Dados de aplicativos\MAPI AMOK SEEK NEW\WaveScr.exe
O4 - HKLM\..\Run: [Hotbar] C:\Arquivos de programas\Hotbar\bin\4.6.1.0\Hbinst.exe /Upgrade
O4 - HKCU\..\Run: [DashPoll] C:\DOCUME~1\DanielC\DADOSD~1\EXTRAL~1\Platform User.exe

O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Arquivos de programas\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Arquivos de programas\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1057_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O16 - DPF: {FF521631-31DA-48AC-B4E9-390A7694C906} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EC..._1_30_EN_XP.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINDOWS\mslagent\ <--Folders
C:\Arquivos de programas\MyWay\
C:\Arquivos de programas\Hotbar\
C:\Arquivos de programas\ICQToolbar\
C:\Arquivos de programas\ShopperReports\
C:\Documents and Settings\All Users\Dados de aplicativos\MAPI AMOK SEEK NEW\

C:\Documents and Settings\DanielC\DADOSD~1\MEDIAS~1\ <--Folder, starts with Medias...
C:\Documents and Settings\DanielC\DADOSD~1\EXTRAL~1\ <--Folder, starts with Xtral...


Reboot.


I need you to check for hidden scheduled tasks that may be reinstalling LOP.

Open Notepad (Start button, click on Run, type in Notepad, and click OK), then copy & paste the following block of text into Notepad:

dir c:\windows\tasks /a > sched.txt
notepad sched.txt
del sched.txt


Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as sched.bat. Close Notepad.

Double click on sched.bat and a notepad file should open. Copy the contents of that file to your next post.


Along with the results of the Jotti scans and the sched.bat, please post a fresh HJT log.
Derfram
~~~~~~
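
The follow-up check implied by the post above (tick the listed lines "if they still show", then post a fresh HJT log), as an added example that is not part of the original thread: it parses HijackThis entry lines, lists the ones HijackThis itself marked "(file missing)" or "(no file)", and reports which fix-list entries reappear in a later log. The function names and the FRESH_LOG sample are assumptions made for illustration.

```python
import re

# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1 and up) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
ORPHAN_RE = re.compile(r"\((file missing|no file)\)\s*$")

# Three lines excerpted from the fix list in the post above.
FIX_LIST = r"""
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IGV6\igshop.dll (file missing)
O4 - HKLM\..\Run: [WeatherOnTray] C:\Arquivos de programas\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
"""

# Constructed follow-up log (not from the thread): one fixed entry has come back.
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Arquivos de programas\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
"""


def parse_entries(log_text):
    """Return [(section_code, detail)] for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def orphaned(entries):
    """Entries whose target file HijackThis reported as absent."""
    return [e for e in entries if ORPHAN_RE.search(e[1])]


def still_present(fix_list_text, fresh_log_text):
    """Fix-list entries that still show in a later log (not removed, or reinstalled)."""
    fresh = set(parse_entries(fresh_log_text))
    return [e for e in parse_entries(fix_list_text) if e in fresh]


def runs_from_temp(log_text):
    """True if HijackThis.exe is listed as running from a Temp folder."""
    paths = (line.strip().lower() for line in log_text.splitlines())
    return any(p.endswith("\\hijackthis.exe") and "\\temp\\" in p for p in paths)


if __name__ == "__main__":
    print("orphaned:", [code for code, _ in orphaned(parse_entries(FIX_LIST))])
    print("still present:", still_present(FIX_LIST, FRESH_LOG))
```

An entry that keeps returning after Fix Checked is the symptom the scheduled-task check in the post is meant to explain.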

#3 ddeerrff


Posted 30 November 2005 - 10:54 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



