Hi there... I think I have a little problem with my computer. It's about a virus (I think), and I'm trying everything but I can't remove it... I will post the log file...
Logfile of HijackThis v1.97.7
Scan saved at 2:06:24, on 07-05-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\NISUM.EXE
C:\Programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\SymTray.exe
C:\WINNT\twain_32\VIVID\VIVID.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Norton SystemWorks\Norton Internet Security\IAMAPP.EXE
F:\MouseTrackPacked\MouseTrack.exe
C:\Programas\Netcount\Netcount.exe
D:\Mirc\mirc.exe
D:\MyScript\mirc32.exe
C:\WINNT\system32\rundll32.exe
F:\Windows Uptime\Windows Uptime.exe
C:\Programas\Avant Browser\iexplore.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\HijackThis.exe
C:\Programas\Lavasoft\Ad-aware 6\Ad-aware.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
F1 - win.ini: load=C:\WINNT\TWAIN_32\Vivid\VIVID.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@2070,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Programas\Ficheiros comuns\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [iamapp] C:\Programas\Norton SystemWorks\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programas\ICQ\NDetect.exe
O4 - HKCU\..\Run: [BMT] F:\MouseTrackPacked\MouseTrack.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Programas\Ficheiros comuns\Symantec Shared\Symtrdr.exe
O4 - Startup: Netcount.lnk = C:\Programas\Netcount\Netcount.exe
O4 - Startup: CAINETA.lnk = D:\Mirc\mirc.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DOWNLO~1\dapextie.htm
O8 - Extra context menu item: Abrir todos os links nesta página... - C:\Programas\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Adicionar à lista negra - C:\Programas\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Bloquear todas as imagens do mesmo servidor - C:\Programas\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Destacar - C:\Programas\Avant Browser\Highlight.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DOWNLO~1\dapextie2.htm
O8 - Extra context menu item: Procurar - C:\Programas\Avant Browser\Search.htm
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
I don't know how to do
#2
Posted 06 May 2004 - 07:14 PM
Have you used an AV scanner, or Ad-Aware, Spybot Search & Destroy, or anything like that other than what you got the log file from?
#3
Posted 07 May 2004 - 05:19 PM
I used Ad-aware and Spybot... and finally HijackThis to see this log file... I think it's a variant of a worm... or something like that!
#4
Posted 07 May 2004 - 10:13 PM
Quote (Pai_Natal, May 7 2004, 07:19 PM): I used Ad-aware and Spybot... and finally HijackThis to see this log file... I think it's a variant of a worm... or something like that!
You might want to run an AV scanner just to be sure... Also, disable system restore when you run your AV!
#5
Posted 08 May 2004 - 08:30 AM
Windows 2000 doesn't have System Restore... and I have run Ad-aware to clean all the garbage... Spybot found something else and I cleaned that... but the "bug" continues!
#6
Posted 08 May 2004 - 11:22 AM
Quote (Pai_Natal, May 8 2004, 10:30 AM): Windows 2000 doesn't have System Restore... and I have run Ad-aware to clean all the garbage... Spybot found something else and I cleaned that... but the "bug" continues!
Disconnect from the Internet, put up a firewall, go back on, and scan.
#7
Posted 09 May 2004 - 09:19 PM
Hi,
Select the following lines in HijackThis and choose Fix! Before choosing the "Fix this" button, be sure to close all Internet Explorer and Windows Explorer windows.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
You may have to restart the computer. Just to be sure, run HijackThis again after you reboot, and if you find any more of the above-listed lines, choose them and select "Fix this".
Also make sure you run Spybot and Ad-aware after you run this.
And also do a virus scan of your system.
Hope that helps.
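The pattern behind the lines picked out in post #7, as an added example that is not part of the original thread: the Internet Explorer start/search settings (R0/R1) and URL prefixes (O13) point at a local file, c:\searchpage.html, instead of a web address. The function names and the embedded sample (a few lines copied from the log above) are this example's own.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O13 - WWW Prefix: c:\searchpage.html?page=
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programas\ICQ\NDetect.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
"""

# R0/R1 lines: "<code> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(?P<code>R[01]) - (?P<key>.+?),(?P<name>[^,=]+?) = (?P<data>.*)$")
# O13 lines: "O13 - <name>Prefix: <data>"
O13_LINE = re.compile(r"^(?P<code>O13) - (?P<name>.*?Prefix): (?P<data>.*)$")
# Data starting with a drive letter or a file: scheme is a local file, not a web URL.
LOCAL_FILE = re.compile(r"^(?:[A-Za-z]:[\\/]|file:)", re.IGNORECASE)


def find_local_redirects(log_text):
    """Return (section, setting, data) for IE URL settings that point at a local file."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line) or O13_LINE.match(line)
        if not m:
            continue  # other sections (O4 autoruns, O16 ActiveX, ...) are out of scope here
        data = m.group("data").strip()
        if LOCAL_FILE.match(data):
            hits.append((m.group("code"), m.group("name").strip(), data))
    return hits


def targets(hits):
    """Distinct local files the flagged entries refer to (query string removed)."""
    return sorted({data.split("?", 1)[0].lower() for _, _, data in hits})


if __name__ == "__main__":
    found = find_local_redirects(SAMPLE_LOG)
    for code, name, data in found:
        print(f"{code:3} {name:12} -> {data}")
    print("files to inspect:", targets(found))
```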