Re: [OT] I think I have a virus


> What page in particular?

Of all pages, the "about:blank" page! It's modifying pages right before they
finish loading. The progress bar at the bottom will hit 100% but not go away
for a couple of seconds, during which the page is locked up. Obviously
something is taking over during that time.

> Did anything put itself back in the startup?

name:       iets32
file:           C:\WINDOWS\system32\iets32.exe
reg key:    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

> > I'm pretty sure it's a virus or a
> > worm or something.
> > Anyone have any ideas or suggestions?
> >
> > ~Greg
>
> Download HijackThis if you haven't already.  Run it
> and send the log to me, I can look at it and help you
> remove any virus/spyware you may have.  Also, if you
> want to disable stuff running at startup, try AutoRuns
> from Sysinternals (www.sysinternals.com).  It shows a
> lot of things msconfig leaves out.  One place in the
> registry to check that both leave out is the winlogon
> key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Notify.  There should be
> several entries in there pointing to crypt32.dll and
> wlnotify.dll.  These DLLs are called every time you
> log on, log off, go in and out of screen saver, etc.
> Some spyware, specifically Better Internet, have
> started using this key to keep themselves loaded.
> BTW, are you running XP Pro or Home edition?  Pro
> makes it much easier to get rid of this stuff with
> group policies.

I've attached hijackthis.log.
I could not find a Winlogon\Notify entry!
I am running XP Pro.

Of all that I know about Active Directory and Group Policies (I only took a
class called Windows 2000 - Active Directory and Group Policies) I'm a
little fuzzy on how I'd use it to get rid of spyware.

Thanks,
~Greg


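An added audit script for the two registry locations the quoted reply names (not part of this thread or of HijackThis); it assumes the XP-era Winlogon\Notify layout, where each subkey carries a DLLName value, and uses the two DLL names the reply gives as the expected baseline.

```powershell
# Added example, not from the original thread: list Run-key autostarts and
# Winlogon\Notify packages, flagging entries worth a second look.
# Assumption: XP-era registry layout; the Notify key is absent on Vista and later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# Baseline DLLs the reply says should be under Notify; anything else is suspect.
$expectedNotifyDlls = @('crypt32.dll', 'wlnotify.dll')
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

Write-Host '== Run keys =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        # Most legitimate Run entries launch from Program Files; a value pointing
        # into system32 (as iets32.exe does in this thread) deserves a manual check.
        $flag = if ("$($p.Value)" -match '(?i)\\system32\\') { '  <-- review' } else { '' }
        Write-Host ('{0}: [{1}] {2}{3}' -f $key, $p.Name, $p.Value, $flag)
    }
}

Write-Host '== Winlogon\Notify packages =='
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll  = (Get-ItemProperty -Path $sub.PSPath).DLLName
        $name = [System.IO.Path]::GetFileName("$dll").ToLower()
        $flag = if ($expectedNotifyDlls -notcontains $name) { '  <-- not in baseline' } else { '' }
        Write-Host ('{0}: {1}{2}' -f $sub.PSChildName, $dll, $flag)
    }
} else {
    Write-Host 'No Winlogon\Notify key present (normal on Vista and later).'
}
```

Run it from an elevated prompt so HKLM is readable in full; the flags are hints for review, not verdicts, since some legitimate XP components also start from system32.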
