|
| ||
| Another "need help", this time from Brazil. Hi, everyone. I'm Milton, from Brazil, and I am impressed by the quality and friendlyness of your site/forum. To be honest, however, I just joined 'cause I need help, sort of desperately. Hope you don´t mind. My browser (IE6) has been hijacked - see HiJackThis log posted below. Panda Platinum tells me it has detected and deleted Adware/SearchExe, and I can see se.dll in the HijackThius log. But the problem won't go away. I have been battling this for three days, failing miserably. I have found your thread 15034 and followed the instructions (by Marsupial Moderator), without success. Even tried some variations, including running Panda Platinum, Ad-Aware SE and SpyBot repeatedly under safe mode. I have actually got clean readings from all of them, before and after manually deleting all files in the user and temp folders (according to the instructions in thread 15034), just to have the bug back when rebooting normally. Where is it hiding? A couple of other symptoms: 1) The first window I get after booting, or when I launch Windows Explorer or IE, is a Windows error message like this: Loading error. Access denied to C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\se.dll Even when I set the system to show hidden files, I never see that dll at that location, even under other users´ folders. 2) According to a friend, BitDefender Online Scanner could solve the problem, but I simply cannot get the ACtive-X content to be downloaded from the site, so it does not run. The same with Panda Online, even after custom setting to enable and allow everything! 3) BTW, I work with WIndows XP Pro, SP 2 Can anyone help me, please? Thanks JMAF Logfile of HijackThis v1.99.1 Scan saved at 09:59:12, on 22-08-2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Arquivos de programas\QuickTime\qttask.exe C:\WINDOWS\system32\wscntfy.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\System32\alg.exe C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe C:\WINDOWS\System32\svchost.exe C:\HiJack\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\se.dll/space.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ufpr.br/ R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {B96D7CF3-85C1-4B4B-A253-4D85AFDFFA66} - C:\WINDOWS\system32\cgic.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [RoxAssistant] C:\Program Files\Common Files\Roxio Shared\Upgrade\RoxAssist.exe /s O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [SCANINICIO] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe" O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe" O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe" O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: Proxy.lnk = C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1015_EN_XP.cab O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/...erAX_Win32.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/...ayer5AxWin.cab O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://celepar7.pr.gov.br/viewer/act...ivexviewer.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{826B2A1B-77B3-4C7E-BFED-C97F3526D55C}: NameServer = 200.193.136.60,200.203.191.8 O18 - Filter: text/html - {CEB7FF8F-5B86-4B24-9619-95F0FF52843F} - C:\WINDOWS\system32\cgic.dll O18 - Filter: text/plain - {CEB7FF8F-5B86-4B24-9619-95F0FF52843F} - C:\WINDOWS\system32\cgic.dll O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe |
| ||
| Re: Another "need help", this time from Brazil. Hi and welcome Milton :). Download CWShredder 2.15 from here. Download\'SpSeHjfix\' to the desktop and then right click a blank part of the desktop and select new folder, call it spfix unzip the file into that folder. Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix'. and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage. Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button. Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'. |
| ||
| Re: Another "need help", this time from Brazil. Thanks a lot, Crunchie! I am a little embarrassed, though, because I did not exactly follow your advice. Just after submitting my SOS, I was not ready to quit yet. So I decided to do my homework, and browsed through the site, in search of a solution. Before I got your reply, I found a post by dlh6213 (I guess), covering the removal of about:blank, CoolWebSearch and their variants. Its cocktail worked fine, and now I see maybe it was sort of over reacting, since yours was a simpler solution. Anyway, things seem to be back to normal, and the important thing to me is that you stood up to the spirit of your community by answering to my request. So, thank you again. Of course, I am posting below the HJT and SpSeHjfix logs, so that you can check them, just in case… ;-) Jmaf Logfile of HijackThis v1.99.1 Scan saved at 01:20:09, on 23-08-2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe C:\Arquivos de programas\ewido\security suite\ewidoguard.exe C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\WINDOWS\SOUNDMAN.EXE C:\Arquivos de programas\QuickTime\qttask.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\svchost.exe C:\HiJack\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ufpr.br/ O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [RoxAssistant] C:\Program Files\Common Files\Roxio Shared\Upgrade\RoxAssist.exe /s O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [SCANINICIO] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe" O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe" O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe" O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan O4 - Startup: Proxy.lnk = C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O17 - HKLM\System\CCS\Services\Tcpip\..\{826B2A1B-77B3-4C7E-BFED-C97F3526D55C}: NameServer = 200.193.136.60,200.203.191.8 O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoguard.exe O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe (8-22-05 22:46:28) SPSeHjFix started v1.1.2 (8-22-05 22:46:28) OS: WinXP Service Pack 2 (5.1.2600) (8-22-05 22:46:28) Language: português (8-22-05 22:46:28) Win-Path: C:\WINDOWS (8-22-05 22:46:28) System-Path: C:\WINDOWS\system32 (8-22-05 22:46:28) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\ (8-22-05 23:00:01) SPSeHjFix started v1.1.2 (8-22-05 23:00:01) OS: WinXP Service Pack 2 (5.1.2600) (8-22-05 23:00:01) Language: português (8-22-05 23:00:01) Win-Path: C:\WINDOWS (8-22-05 23:00:01) System-Path: C:\WINDOWS\system32 (8-22-05 23:00:01) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\ (8-22-05 23:00:12) Disinfection started (8-22-05 23:00:12) Bad-Dll(IEP): c:\docume~1\andrig~1\config~1\temp\se.dll (8-22-05 23:00:12) UBF: 6 - UBB: 5 - UBR: 11 (8-22-05 23:00:12) FilterKey: HKCR\text/html (deleted) (8-22-05 23:00:12) FilterKey: HKCR\CLSID\{CEB7FF8F-5B86-4B24-9619-95F0FF52843F} (deleted) (8-22-05 23:00:12) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting) (8-22-05 23:00:12) FilterKey: HKCR\text/plain (deleted) (8-22-05 23:00:12) FilterKey: HKCR\CLSID\{CEB7FF8F-5B86-4B24-9619-95F0FF52843F} (error while deleting) (8-22-05 23:00:12) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting) (8-22-05 23:00:12) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B96D7CF3-85C1-4B4B-A253-4D85AFDFFA66} (deleted) (8-22-05 23:00:12) BHO-Key: HKCR\CLSID\{B96D7CF3-85C1-4B4B-A253-4D85AFDFFA66} (deleted) (8-22-05 23:00:12) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:00:12) Bad IE-pages: deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\andrig~1\config~1\temp\se.dll/space.html deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\andrig~1\config~1\temp\se.dll/space.html deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank (8-22-05 23:00:12) Stealth-String not found (8-22-05 23:00:12) File added to delete: c:\windows\system32\cgic.dll (8-22-05 23:00:12) Reboot (8-22-05 23:01:27) SPSeHjFix started v1.1.2 (8-22-05 23:01:27) OS: WinXP Service Pack 2 (5.1.2600) (8-22-05 23:01:27) Language: português (8-22-05 23:01:27) Win-Path: C:\WINDOWS (8-22-05 23:01:27) System-Path: C:\WINDOWS\system32 (8-22-05 23:01:27) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\ (8-22-05 23:01:59) Disinfection started (8-22-05 23:01:59) Bad-Dll(IEP): (not found) (8-22-05 23:01:59) Bad-Dll(IEP) in BHO: (not found) (8-22-05 23:01:59) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:01:59) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:02:00) Bad IE-pages: (none) (8-22-05 23:02:00) Stealth-String not found (8-22-05 23:02:00) Not infected->END (8-22-05 23:24:06) SPSeHjFix started v1.1.2 (8-22-05 23:24:06) OS: WinXP Service Pack 2 (5.1.2600) (8-22-05 23:24:06) Language: português (8-22-05 23:24:06) Win-Path: C:\WINDOWS (8-22-05 23:24:06) System-Path: C:\WINDOWS\system32 (8-22-05 23:24:06) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\ (8-22-05 23:24:11) Disinfection started (8-22-05 23:24:11) Bad-Dll(IEP): (not found) (8-22-05 23:24:11) Bad-Dll(IEP) in BHO: (not found) (8-22-05 23:24:11) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:24:11) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:24:11) Bad IE-pages: deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank (8-22-05 23:24:11) Stealth-String not found (8-22-05 23:24:11) Not infected->END (8-22-05 23:24:56) SPSeHjFix started v1.1.2 (8-22-05 23:24:56) OS: WinXP Service Pack 2 (5.1.2600) (8-22-05 23:24:56) Language: português (8-22-05 23:24:56) Win-Path: C:\WINDOWS (8-22-05 23:24:56) System-Path: C:\WINDOWS\system32 (8-22-05 23:24:56) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\ (8-22-05 23:24:58) Disinfection started (8-22-05 23:24:58) Bad-Dll(IEP): (not found) (8-22-05 23:24:58) Bad-Dll(IEP) in BHO: (not found) (8-22-05 23:24:58) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:24:58) UBF: 4 - UBB: 4 - UBR: 11 (8-22-05 23:24:58) Bad IE-pages: (none) (8-22-05 23:24:58) Stealth-String not found (8-22-05 23:24:58) Not infected->END [QUOTE=crunchie]Hi and welcome Milton :). Download CWShredder 2.15 from here. |
| ||
| Re: Another "need help", this time from Brazil. You have some entries there that need removing. Good job you posted another log :D. =============== Go to Add/Remove programs and remove(uninstall) the following, if present: Spyware Vanisher The above could appear anywhere within the entry. Be careful not to remove any personal or system software. =============== Run HiJackThis, click "Scan", then check(tick) the following, if present: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked". =============== Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders: folders... C:\spywarevanisher-free - Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode". - Reboot. =============== After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now. |
| ||
| Re: Another "need help", this time from Brazil. Thanks, again! :cheesy: Here is the log. The Vanisher is still there... The PC is running just fine. Everything seems to be working nicely. BTW, which AV software do you recommend? Also, should I change my browser to Mozzila Firefox? Milton Logfile of HijackThis v1.99.1 Scan saved at 08:29:04, on 26-08-2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe C:\Arquivos de programas\ewido\security suite\ewidoguard.exe C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\SOUNDMAN.EXE C:\Arquivos de programas\QuickTime\qttask.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe C:\WINDOWS\System32\svchost.exe C:\HiJack\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ufpr.br/ O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [RoxAssistant] C:\Program Files\Common Files\Roxio Shared\Upgrade\RoxAssist.exe /s O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [SCANINICIO] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe" O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe" O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe" O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{826B2A1B-77B3-4C7E-BFED-C97F3526D55C}: NameServer = 200.193.136.60,200.203.191.8 O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoguard.exe O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe |
| ||
| Re: Another "need help", this time from Brazil. Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button. O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan When you have 'fix checked,' please delete this folder; C:\spywarevanisher-free Reboot. == I personally use the AV that is in my signature below. I find that it meets my needs more than adequately. == I would use almost any other browser than Internet Explorer, Opera being top of my list, with FireFox coming in next. |
| ||
| Re: Another "need help", this time from Brazil. OK, thank you. Only I cannot see the Vanisher folder. Set the system to show hidden and system files, did a search on the HD, and it was not there. After fixing, the entry does not appear anymore in the HJT log, so I guess everything is finally all right. Thanks for all the tips. :cool: Milton |
| ||
| Re: Another "need help", this time from Brazil. You are welcome Milton :). Congratulations! Your log looks clean - good work! =============== Now that your PC is clean you need to follow these easy steps to keeping it this way: Secure your Internet Explorer by going here and following the instructions there. Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still. Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature. [color=blue]Install and keep updated, Ad-Aware SE, and Spybot S&D. Run them both on a regular basis, following the manufacturer's recommendations. Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others. Clear your Temp folders. Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel >Internet Options. Under the General tab click the Delete temporary internet files, delete all Offline content as well. Clear out Cookies. Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete. Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.) C:\Documents and Settings\username\Local Settings\Temp\ In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here. Empty the Recycle Bin. For XP users. After something like this it is a good idea to Flush the Restore Points and start fresh. To flush the XP system Restore Points. Go to Start>Run and type msconfig. Press enter. When msconfig opens, click the Launch System Restore Button. On the next page, click the System Restore Settings link on the left. Check the box labelled 'Turn off System restore'. Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created. Note that all previous restore points will be lost. =============== If you have any more problems, post back. - Happy surfing, crunchie. |
| All times are GMT -4. The time now is 12:07 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC