Re: Hijack??My log
From: Chuck (none_at_example.net)
Date: 06/18/04
- Next message: Patty: "WEP Security"
- Previous message: AT: "Re: Remote Desktop over phoneline (With and Without internet access)"
- In reply to: Jerry Arzin: "Hijack??My log"
- Messages sorted by: [ date ] [ thread ]
Date: 18 Jun 2004 02:26:14 -0500
On 17 Jun 2004 22:55:09 -0700, *email_address_deleted* (Jerry Arzin) wrote:
>From: h974483@graduate.hku.hk (Jerry Arzin)
>Newsgroups: microsoft.public.windows.inetexplorer.ie6.browser
>Subject: Hijack??MY LOG
>NNTP-Posting-Host: 202.180.83.6
>Message-ID: <33b5a863.0406172153.8afef42@posting.google.com>
>
>Hello,
>
>My computer was hijacked by an ebook website a few days ago. Everything
>I clicked was connected to a search engine called www.ntsearch.com.
>Some of my friends tell me that the virus was called Trojan and it was
>originated from a Java Script. As my knowledge is so limited, I cannot
>gain any advantages from downloading and running adware, spybot and
>Hijack this to my computer. However, I did a scan from Hijack this and
>here is the log:
<SNIP HJT and SSD logs>
>The problem is I have two systems in my computer, one is Windows 98 and
>another is XP. For XP that was the infected one because everything I
>read was linked to a search website called www.ntsearch.com and all
>the Chinese characters become question marks like this ??????. It is a
>great nuisance to me and all other users in my family. Can somebody
>please read this log and interpret it?
>
>Many thanks.
>
>--JA
Jerry,
I see some entries that you could (and probably should) get rid of. And some
very interesting entries that I'd bet indicate problems.
Not Needed:
C:\WINDOWS\SYSTEM\KHOOKER.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
Verify location of this file (what folder is it in):
O4 - HKLM\..\Run: [internat.exe] internat.exe
<http://www.sysinfo.org/startuplist.php?filter=internat.exe>
These are very suspicious:
O4 - Startup: Windows 檔案總管.lnk
O4 - Startup: MS-DOS 模式.pif
Knowing what I do about the current wave of hijackers, HijackThis is only the
start (though an essential start) to removing them. I would advise you to post
your HJT log to one, or more, of the spyware expert forums (and please post a
link here to your post there):
<http://forums.net-integration.net/>
<http://forums.spywareinfo.com/>
<http://spywarewarrior.com/index.php>
<http://forums.tomcoyote.org/>
<http://www.wilderssecurity.com/>
And Jerry, please don't contribute to the spread and success of email address
mining viruses. Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums. Protect yourself and the rest of the
internet - never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
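
The following is an added example, not part of Chuck's message or of HijackThis itself: a small Python triage pass over the O4 (autostart) lines quoted in the reply. It marks Run entries that name a file without a folder (the "verify location" case) and Startup items for which the log shows no `= target`. Both rules, and the function name `triage_o4`, are assumptions chosen for illustration, not HijackThis's own logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the O4 lines quoted in the reply above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - Startup: Windows 檔案總管.lnk
O4 - Startup: MS-DOS 模式.pif
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O4 - Startup: <item>" or "O4 - Global Startup: <item> = <target>"
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+)$")


def triage_o4(log_text):
    """Return (kind, name, note) per O4 line; note is None when no rule fires."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m["cmd"].strip('"')
            # Assumed rule: without a drive or UNC root the log cannot tell us
            # which copy of the file is launched, so its folder must be checked.
            has_root = bool(PureWindowsPath(cmd).drive)
            note = None if has_root else "no folder given: verify file location"
            findings.append(("run", m["name"], note))
            continue
        m = STARTUP_RE.match(line)
        if m:
            item, sep, _target = m["item"].partition(" = ")
            # Assumed rule: a Startup item with no "= target" in the log needs
            # a manual look at what it actually launches.
            note = None if sep else "no target shown: inspect what it launches"
            findings.append(("startup", item, note))
    return findings


if __name__ == "__main__":
    for kind, name, note in triage_o4(SAMPLE_LOG):
        print(f"{kind:8} {name:24} {note or 'ok (by these rules only)'}")
```

A `None` note means only that neither rule fired; it says nothing about whether the entry is wanted or safe.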