• Welcome to Overclockers Forums! Join us to reply in threads, receive reduced ads, and to customize your site experience!

Adware/Spyware

Overclockers is supported by our readers. When you click a link to make a purchase, we may earn a commission. Learn More.
C

CISAvril

Registered
Joined
Nov 29, 2002
I have a pretty bad case of spyware I think. HEre is my hijack file: I think it probably has to do with inet20009 but I couldn't find much on google how to repair it.



Logfile of HijackThis v1.97.7
Scan saved at 10:10:12 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Arvain\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F1 - win.ini: run=C:\WINDOWS\inet20009\winlogon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\winlogon.exe
O4 - HKLM\..\RunServices: [WinLoader] win32key.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\winlogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
ibm00001.exe is a trojan. c:\secure32.html doesn't look too hot either.
And WinLogon.exe is only supposed to be run from c:\windosw\system32
 
I agree wholeheartedly with klingens.

I also do not recognize win32key, as a valid process. I am not 100% sure, but I have never seen that file run (or even exist) for all the years that I have worked with windows.
 
You must log in or register to reply here.

Similar threads

J
Putting Windows10 on a diet.... Tablet PC
Replies
3
Views
459
Alaric
Alaric
M
XP explorer.exe often freez
Replies
0
Views
640
MarkWW
M
c627627
How to make a Windows 7 SP1 Convenience Rollup ISO with all updates up to 2016
18 19 20 21 22
Replies
427
Views
49K
c627627
c627627
rebelwarlock
Something really fishy going on with firefox
Replies
7
Views
995
c627627
c627627
c627627
How I modded my Windows 10 installation - How (not) to install Windows 10
Replies
2
Views
9K
c627627
c627627
Back