# Hijack this log



## ludisimoes (Oct 25, 2003)

Please tell me if you see anything dangerous and also how to remove that.

Logfile of HijackThis v1.97.3
Scan saved at 16:38:23, on 25/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\ARQUIVOS DE PROGRAMAS\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
C:\ARQUIVOS DE PROGRAMAS\SIS305_V1.03.53\UTILITY\SISTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\SIS305_V1.03.53\UTILITY\3D\KHOOKER.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARQUIVOS DE PROGRAMAS\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\ARQUIVOS DE PROGRAMAS\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\REGPROT\REGPROT.EXE
C:\ARQUIVOS DE PROGRAMAS\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\ARQUIVOS DE PROGRAMAS\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
D:\DOWNLOADS\VACINA ANTI VIRUS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chocolaterie.com.br
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.chocolaterie.com.br
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [SiS Tray] C:\ARQUIVOS DE PROGRAMAS\SIS305_V1.03.53\UTILITY\SISTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\Arquivos de programas\SiS305_V1.03.53\utility\3d\khooker.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\ARQUIV~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\ARQUIVOS DE PROGRAMAS\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Arquivos de programas\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
O4 - HKLM\..\Run: [CreateCD] C:\ARQUIV~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\ARQUIVOS DE PROGRAMAS\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\ARQUIVOS DE PROGRAMAS\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow popups - file://C:\ARQUIVOS DE PROGRAMAS\ULTIMATE POPUP KILLER\POPUPKILLER.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## putasolution (Mar 20, 2003)

Welcome to Hijack this, ludisimoes

Restart Hijack this and put a check mark against the following:

O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O4 - HKLM\..\Run: [SiS KHooker] C:\Arquivos de programas\SiS305_V1.03.53\utility\3d\khooker.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc

Click *Fix Checked*

Restart your computer and go to C:\WINDOWS\SYSTEM

Right click and delete the following file

*pc32.exe*

Now update your anti virus software and do a FULL scan


----------



## ludisimoes (Oct 25, 2003)

I will try and tell you the results as soon as posible. Thank you very much.


----------



## ludisimoes (Oct 25, 2003)

My Internet Explorer current user homepage has been changed to www.searchby.net and I don`t know why.

Can you help me ? My current log:

Logfile of HijackThis v1.97.3
Scan saved at 01:17:07, on 26/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DOWNLOADS\VACINA ANTI VIRUS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chocolaterie.com.br
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.chocolaterie.com.br
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\ARQUIVOS DE PROGRAMAS\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow popups - file://C:\ARQUIVOS DE PROGRAMAS\ULTIMATE POPUP KILLER\POPUPKILLER.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## putasolution (Mar 20, 2003)

Ok. In that case I suggest that you add the folllowing to fix using Hijack this

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chocolaterie.com.br
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.chocolaterie.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.chocolaterie.com.br
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=


----------



## ludisimoes (Oct 25, 2003)

Game over ! The problem was fixed excluding the Popup killer. Thank you very much !!!!!!!!!


----------

