Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log...se.dll and more problems


  • Please log in to reply
10 replies to this topic

#1 hijacked

hijacked

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 17 February 2005 - 11:52 PM

Hi
I have been having some problems with pc hijacking,...

Here comes the hijackthis log...if anyone can help me to solve this problem...

Logfile of HijackThis v1.99.1
Scan saved at 02:14:27, on 18/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nbthelp.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
E:\Coisas\SACANA~1\M-DOWN~1\WinZip\winzip32.exe
C:\DOCUME~1\Felipe\CONFIG~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Felipe\CONFIG~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Felipe\CONFIG~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {61203649-CE9A-4E84-902F-001CC4168CA5} - C:\WINDOWS\System32\cbjb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\se.dll,DllInstall
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.222.0.34 200.202.193.75
O18 - Filter: text/html - {0500B636-D6C2-4152-B257-6835019BEBE1} - C:\WINDOWS\System32\cbjb.dll
O18 - Filter: text/plain - {0500B636-D6C2-4152-B257-6835019BEBE1} - C:\WINDOWS\System32\cbjb.dll
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Serviço de Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. (Netbios Helper) - Unknown owner - C:\WINDOWS\System32\nbthelp.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 18 February 2005 - 01:44 PM

Hello hijacked,

Let's start by running some scans and seeing what they come up with. They should take out some of the malware.

***************************************************

Please download, update and run (one at a time of course!)
Spybot 1.3 and Adaware SE

Fix whatever they suggest.

***************************************************

If you need help running these tools, here are some helpful tutorials.
Spybot 1.3 Tutorial
Adaware SE Tutorial


***************************************************

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.



The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.



***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to.

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the Panda Scan Online virus scanner
or Trend Micro Housecall Online virus scanner


***************************************************

C:\DOCUME~1\Felipe\CONFIG~1\Temp\HijackThis.exe


You need to put Hijackthis in its own folder, not in a temp folder. Here is how you make a Hijackthis folder:

Click My Computer, then
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Next, reboot and post a fresh HijackThis log to this thread.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 19 February 2005 - 04:18 PM

Hi...here's the new hijackthis log

PS: SifuMike...thanks for the last help...I only couldn't do the online anti-virus...some problems with my connection...i think.

Logfile of HijackThis v1.99.1
Scan saved at 19:13:42, on 19/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Netwmon.exe
C:\Arquivos de programas\ACD Systems\ACDSee\ACDSee.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Felipe\CONFIG~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Felipe\CONFIG~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {61203649-CE9A-4E84-902F-001CC4168CA5} - C:\WINDOWS\System32\cbjb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.222.0.34 200.202.193.75
O18 - Filter: text/html - {D2A01AA0-9DFC-44CF-B829-DFAEFF8F8802} - C:\WINDOWS\System32\cbjb.dll
O18 - Filter: text/plain - {D2A01AA0-9DFC-44CF-B829-DFAEFF8F8802} - C:\WINDOWS\System32\cbjb.dll
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 19 February 2005 - 06:15 PM

Hello hijakced,

You have a CWS infection on your computer. We will soon have it removed. :thumbsup:

Download the latest version of Adaware SE here:
http://www.lavasoft.de/support/download/
Install it, but don't run it yet.
Click on the globe in the upper right hand corner to get the latest updates.

******************************************************

Please download the CWShredder 2.1 (Stand-alone version).
http://www.intermute.com/spysubtract/cwshr...r_download.html
(don't run it yet we will get to that in a minute)

******************************************************


Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)


******************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all
other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Felipe\CONFIG~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Felipe\CONFIG~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {61203649-CE9A-4E84-902F-001CC4168CA5} - C:\WINDOWS\System32\cbjb.dll


If this Domain does not belong to your ISP, or your firms network, this entry should be fixed. Do you know the IP or Domain '200.222.0.34 200.202.193.75'?
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.222.0.34 200.202.193.75

O18 - Filter: text/html - {D2A01AA0-9DFC-44CF-B829-DFAEFF8F8802} - C:\WINDOWS\System32\cbjb.dll
O18 - Filter: text/plain - {D2A01AA0-9DFC-44CF-B829-DFAEFF8F8802} - C:\WINDOWS\System32\cbjb.dll


******************************************************

Now, start APM.
In the upper window select explorer.exe
In the lower window find and rightclick the O2 - BHO: entry from your HijackThis log.

It is currently :
C:\WINDOWS\System32\cbjb.dll <-- file

Select Unload DLL, and click OK on the prompts that follow.

******************************************************

Boot into SAFE MODE by tapping the f8 key during boot up.

Run the CWShredder. Let it fix everything it finds.

Scan with AdAware SE to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.

Run Adaware SE with the following settings:


Configure Ad-aware

Click on the Gear-shaped icon at the top to open the Settings window.

All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.

General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)


Scanning Settings

Scan Within Archives

Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.

Scan Active Processes

Scan Registry

Deep Scan Registry

Scan my IE favorites for banned URL’s

Scan my Hosts file

Advanced Settings - Enable all four options under 'Log-file Detail level'

Tweak Settings

Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'

Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'

Click Proceed

Click on the 'Start' button in the lower right.

Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.

Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.

Close Ad-aware


If Ad-Aware SE needs to reboot to finish cleaning, please let it.

******************************************************

Please run the following online scan and let it fix everything it finds:
TrendMicro http://housecall.trendmicro.com/housecall/start_corp.asp

******************************************************


Reboot and post a new Hijackthis log.

******************************************************
You have a suspicious file we need to check. Go to
Jotti's malware scan press the Browse button, and find C:\WINDOWS\System32\Netwmon.exe, then upload and scan it.
Let me know the results.
Copy and paste the output to this thread

Here is what a sample output of Jotti Scan looks like:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 20 February 2005 - 08:55 PM

Hi again...I did all that you told me to do...only the anti-virus that i did the panda instead the other one...but i still have CME II and gator...the ad-wares...and some things I think came back...but the mais problem (the about: blank) is gone...thanx

Logfile of HijackThis v1.99.1
Scan saved at 22:49:17, on 20/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\Netwmon.exe
C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.222.0.34 200.202.193.75
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 20 February 2005 - 09:06 PM

I uploaded the netwmon.exe file and the netmon.exe...both are possibly infected...look there

File: Netwmon.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
Packers detected: EXE32PACK

AntiVir No viruses found (0.41 seconds taken)
Avast No viruses found (1.53 seconds taken)
AVG Antivirus No viruses found (0.62 seconds taken)
BitDefender No viruses found (0.56 seconds taken)
ClamAV No viruses found (0.59 seconds taken)
Dr.Web No viruses found (0.87 seconds taken)
F-Prot Antivirus No viruses found (0.11 seconds taken)
Fortinet No viruses found (0.39 seconds taken)
Kaspersky Anti-Virus No viruses found (0.99 seconds taken)
mks_vir No viruses found (0.23 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (0.55 seconds taken)
Norman Virus Control No viruses found (3.17 seconds taken)


File: Netmon.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
Packers detected: PE_PATCH.MORPHINE, MORPHINE

AntiVir No viruses found (1.66 seconds taken)
Avast No viruses found (1.76 seconds taken)
AVG Antivirus No viruses found (1.62 seconds taken)
BitDefender No viruses found (1.85 seconds taken)
ClamAV No viruses found (1.83 seconds taken)
Dr.Web No viruses found (1.74 seconds taken)
F-Prot Antivirus No viruses found (0.22 seconds taken)
Fortinet No viruses found (0.80 seconds taken)
Kaspersky Anti-Virus No viruses found (2.40 seconds taken)
mks_vir Win32.4 (probable variant) (0.54 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (1.12 seconds taken)
Norman Virus Control No viruses found (7.97 seconds taken)

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 20 February 2005 - 09:59 PM

Hello hijacked,

Before we do anything with Netwmon.exe, I need to know if you installed it or do you know what it is?
If you did not install it, and do not know what it is, then continue.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.



Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\WINDOWS\System32\Netwmon.exe

****************************************************

While in Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe


****************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

C:\WINDOWS\System32\Netwmon.exe <==file

****************************************************
Let empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.


****************************************************


Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 21 February 2005 - 11:28 PM

Hi...I couldn't "kill proccess" for netwmon.exe...and I couldn't also erase or even rename the file in the system32 folder...but my computer is running well, with no about: blank or a-dware pop-ups problems...what should I do?

#9 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 21 February 2005 - 11:30 PM

Hi...I couldn't "kill proccess" for netwmon.exe...and I couldn't also erase or even rename the file in the system32 folder...but my computer is running well, with no about: blank or a-dware pop-ups problems...what should I do?

Logfile of HijackThis v1.99.1
Scan saved at 01:28:36, on 22/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\soundblaster.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Netwmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.222.0.34 200.202.193.75
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 21 February 2005 - 11:31 PM

deleted post

Edited by SifuMike, 21 February 2005 - 11:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 21 February 2005 - 11:59 PM

Hello hijacked,

The file is there, as it shows up in your log. It is proctected and/or hidden and that is why you are not finding it.

Download KillBox to the desktop. Do not run it yet, we will be using it later.


Do this:
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

****************************************************

Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\WINDOWS\System32\Netwmon.exe

****************************************************

While in Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe

****************************************************
Run Killbox program ,In the field labeled "Full Path of File to Delete" enter

C:\WINDOWS\System32\Netwmon.exe

select the "Delete on Reboot" and click on the Red X(delete file) ,when it asks if you would like to Reboot now, press the Yes button

****************************************************

empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.


****************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users