Member Avatar for jmaf

Hi, everyone.

I'm Milton, from Brazil, and I am impressed by the quality and friendlyness of your site/forum. To be honest, however, I just joined 'cause I need help, sort of desperately. Hope you don´t mind.

My browser (IE6) has been hijacked - see HiJackThis log posted below.
Panda Platinum tells me it has detected and deleted Adware/SearchExe, and I can see se.dll in the HijackThius log. But the problem won't go away.

I have been battling this for three days, failing miserably. I have found your thread 15034 and followed the instructions (by Marsupial Moderator), without success. Even tried some variations, including running Panda Platinum, Ad-Aware SE and SpyBot repeatedly under safe mode. I have actually got clean readings from all of them, before and after manually deleting all files in the user and temp folders (according to the instructions in thread 15034), just to have the bug back when rebooting normally. Where is it hiding?

A couple of other symptoms:
1) The first window I get after booting, or when I launch Windows Explorer or IE, is a Windows error message like this: Loading error. Access denied to C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\se.dll
Even when I set the system to show hidden files, I never see that dll at that location, even under other users´ folders.

2) According to a friend, BitDefender Online Scanner could solve the problem, but I simply cannot get the ACtive-X content to be downloaded from the site, so it does not run. The same with Panda Online, even after custom setting to enable and allow everything!

3) BTW, I work with WIndows XP Pro, SP 2

Can anyone help me, please?

Thanks

JMAF

Logfile of HijackThis v1.99.1
Scan saved at 09:59:12, on 22-08-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ufpr.br/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B96D7CF3-85C1-4B4B-A253-4D85AFDFFA66} - C:\WINDOWS\system32\cgic.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxAssistant] C:\Program Files\Common Files\Roxio Shared\Upgrade\RoxAssist.exe /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Proxy.lnk = C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1015_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://celepar7.pr.gov.br/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{826B2A1B-77B3-4C7E-BFED-C97F3526D55C}: NameServer = 200.193.136.60,200.203.191.8
O18 - Filter: text/html - {CEB7FF8F-5B86-4B24-9619-95F0FF52843F} - C:\WINDOWS\system32\cgic.dll
O18 - Filter: text/plain - {CEB7FF8F-5B86-4B24-9619-95F0FF52843F} - C:\WINDOWS\system32\cgic.dll
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe

  • 2 Contributors
  • 7 Replies
  • 179 Views
  • 5 Days Discussion Span
  • Latest Post Latest Post by crunchie

Recommended Answers

All 7 Replies

Member Avatar for crunchie

Hi and welcome Milton :).

Download CWShredder 2.15 from here.

Download\'SpSeHjfix\' to the desktop and then
right click a blank part of the desktop and select new folder, call it spfix
unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Member Avatar for jmaf

Thanks a lot, Crunchie!

I am a little embarrassed, though, because I did not exactly follow your advice. Just after submitting my SOS, I was not ready to quit yet. So I decided to do my homework, and browsed through the site, in search of a solution. Before I got your reply, I found a post by dlh6213 (I guess), covering the removal of about:blank, CoolWebSearch and their variants. Its cocktail worked fine, and now I see maybe it was sort of over reacting, since yours was a simpler solution.

Anyway, things seem to be back to normal, and the important thing to me is that you stood up to the spirit of your community by answering to my request. So, thank you again. Of course, I am posting below the HJT and SpSeHjfix logs, so that you can check them, just in case… ;-)

Jmaf

Logfile of HijackThis v1.99.1
Scan saved at 01:20:09, on 23-08-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE
C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\HiJack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ufpr.br/
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxAssistant] C:\Program Files\Common Files\Roxio Shared\Upgrade\RoxAssist.exe /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - Startup: Proxy.lnk = C:\Andri\BiodiversidadeMarinha\AnalogX\Proxy\proxy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{826B2A1B-77B3-4C7E-BFED-C97F3526D55C}: NameServer = 200.193.136.60,200.203.191.8
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe


(8-22-05 22:46:28) SPSeHjFix started v1.1.2
(8-22-05 22:46:28) OS: WinXP Service Pack 2 (5.1.2600)
(8-22-05 22:46:28) Language: português
(8-22-05 22:46:28) Win-Path: C:\WINDOWS
(8-22-05 22:46:28) System-Path: C:\WINDOWS\system32
(8-22-05 22:46:28) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\

(8-22-05 23:00:01) SPSeHjFix started v1.1.2
(8-22-05 23:00:01) OS: WinXP Service Pack 2 (5.1.2600)
(8-22-05 23:00:01) Language: português
(8-22-05 23:00:01) Win-Path: C:\WINDOWS
(8-22-05 23:00:01) System-Path: C:\WINDOWS\system32
(8-22-05 23:00:01) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\
(8-22-05 23:00:12) Disinfection started
(8-22-05 23:00:12) Bad-Dll(IEP): c:\docume~1\andrig~1\config~1\temp\se.dll
(8-22-05 23:00:12) UBF: 6 - UBB: 5 - UBR: 11
(8-22-05 23:00:12) FilterKey: HKCR\text/html (deleted)
(8-22-05 23:00:12) FilterKey: HKCR\CLSID\{CEB7FF8F-5B86-4B24-9619-95F0FF52843F} (deleted)
(8-22-05 23:00:12) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(8-22-05 23:00:12) FilterKey: HKCR\text/plain (deleted)
(8-22-05 23:00:12) FilterKey: HKCR\CLSID\{CEB7FF8F-5B86-4B24-9619-95F0FF52843F} (error while deleting)
(8-22-05 23:00:12) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(8-22-05 23:00:12) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B96D7CF3-85C1-4B4B-A253-4D85AFDFFA66} (deleted)
(8-22-05 23:00:12) BHO-Key: HKCR\CLSID\{B96D7CF3-85C1-4B4B-A253-4D85AFDFFA66} (deleted)
(8-22-05 23:00:12) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:00:12) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\andrig~1\config~1\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\andrig~1\config~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(8-22-05 23:00:12) Stealth-String not found
(8-22-05 23:00:12) File added to delete: c:\windows\system32\cgic.dll
(8-22-05 23:00:12) Reboot


(8-22-05 23:01:27) SPSeHjFix started v1.1.2
(8-22-05 23:01:27) OS: WinXP Service Pack 2 (5.1.2600)
(8-22-05 23:01:27) Language: português
(8-22-05 23:01:27) Win-Path: C:\WINDOWS
(8-22-05 23:01:27) System-Path: C:\WINDOWS\system32
(8-22-05 23:01:27) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\
(8-22-05 23:01:59) Disinfection started
(8-22-05 23:01:59) Bad-Dll(IEP): (not found)
(8-22-05 23:01:59) Bad-Dll(IEP) in BHO: (not found)
(8-22-05 23:01:59) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:01:59) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:02:00) Bad IE-pages: (none)
(8-22-05 23:02:00) Stealth-String not found
(8-22-05 23:02:00) Not infected->END


(8-22-05 23:24:06) SPSeHjFix started v1.1.2
(8-22-05 23:24:06) OS: WinXP Service Pack 2 (5.1.2600)
(8-22-05 23:24:06) Language: português
(8-22-05 23:24:06) Win-Path: C:\WINDOWS
(8-22-05 23:24:06) System-Path: C:\WINDOWS\system32
(8-22-05 23:24:06) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\
(8-22-05 23:24:11) Disinfection started
(8-22-05 23:24:11) Bad-Dll(IEP): (not found)
(8-22-05 23:24:11) Bad-Dll(IEP) in BHO: (not found)
(8-22-05 23:24:11) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:24:11) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:24:11) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
(8-22-05 23:24:11) Stealth-String not found
(8-22-05 23:24:11) Not infected->END


(8-22-05 23:24:56) SPSeHjFix started v1.1.2
(8-22-05 23:24:56) OS: WinXP Service Pack 2 (5.1.2600)
(8-22-05 23:24:56) Language: português
(8-22-05 23:24:56) Win-Path: C:\WINDOWS
(8-22-05 23:24:56) System-Path: C:\WINDOWS\system32
(8-22-05 23:24:56) Temp-Path: C:\DOCUME~1\ANDRIG~1\CONFIG~1\Temp\
(8-22-05 23:24:58) Disinfection started
(8-22-05 23:24:58) Bad-Dll(IEP): (not found)
(8-22-05 23:24:58) Bad-Dll(IEP) in BHO: (not found)
(8-22-05 23:24:58) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:24:58) UBF: 4 - UBB: 4 - UBR: 11
(8-22-05 23:24:58) Bad IE-pages: (none)
(8-22-05 23:24:58) Stealth-String not found
(8-22-05 23:24:58) Not infected->END


Hi and welcome Milton :).

Download CWShredder 2.15 from here.

Member Avatar for crunchie

You have some entries there that need removing. Good job you posted another log :D.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Spyware Vanisher

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\spywarevanisher-free

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

Member Avatar for jmaf

Thanks, again! :cheesy: Here is the log. The Vanisher is still there...

The PC is running just fine. Everything seems to be working nicely. BTW, which AV software do you recommend? Also, should I change my browser to Mozzila Firefox?

Milton

Logfile of HijackThis v1.99.1
Scan saved at 08:29:04, on 26-08-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\HiJack\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ufpr.br/
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxAssistant] C:\Program Files\Common Files\Roxio Shared\Upgrade\RoxAssist.exe /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Arquivos de programas\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{826B2A1B-77B3-4C7E-BFED-C97F3526D55C}: NameServer = 200.193.136.60,200.203.191.8
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Arquivos de programas\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe

Member Avatar for crunchie

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan

When you have 'fix checked,' please delete this folder;

C:\spywarevanisher-free

Reboot.

==

I personally use the AV that is in my signature below. I find that it meets my needs more than adequately.

==

I would use almost any other browser than Internet Explorer, Opera being top of my list, with FireFox coming in next.

Member Avatar for jmaf

OK, thank you. Only I cannot see the Vanisher folder. Set the system to show hidden and system files, did a search on the HD, and it was not there.

After fixing, the entry does not appear anymore in the HJT log, so I guess everything is finally all right.

Thanks for all the tips. :cool:

Milton

Member Avatar for crunchie

You are welcome Milton :).

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.