Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hi, I already tried the suggestions in other topic,but...


  • Please log in to reply
3 replies to this topic

#1 blackwarmanga

blackwarmanga

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 15 May 2005 - 02:22 AM

Hi, I already tried to follow the suggestions in another topic, so I didn't have to trouble you, but there are still some problems, and please, I would appreciate some help.

I recently got infected with an adware virus. I have an older verion of Norton, and it didn't detect any problems. I ran the Symantec online scan and nothing showed up, finally I used the Panda scan , and this are the results.


Incident Status Location
Adware:Adware/SearchExe No Disenfected C:\WINDOWS\TEMP\SE.DLL

Adware:Adware/SearchExe No disinfected C:\windows\TEMP\se.dll

Adware:Adware/CWS.Aboutblank No disinfected Windows Registry

Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll

Adware:Adware/BlueScreenWarningNo disinfected C:\wp.bmp

Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll

Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\se.dll

Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Archivos temporales de Internet\Content.IE5\NDV8SZG1\arr3[1].jar[Gummy.class]

Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Archivos temporales de Internet\Content.IE5\NDV8SZG1\arr3[1].jar[Counter.class]

Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Archivos temporales de Internet\Content.IE5\NDV8SZG1\arr3[1].jar[VerifierBug.class]

Virus:Trj/Downloader.AOP Disinfected C:\web.exe

Adware:Adware/BlueScreenWarningNo disinfected C:\wp.bmp

I already eliminated "wp.bmp", "se.dll" and all the internet temporary files, I never found "wldr.dll". I eliminated them in safe mode. I don't see many problems now. But now everytime I restart my computer it appears an error message telling me that "se.dll" was not found, so I guess the file corrupted in my "windows entry" is still calling for this file. And even stranger, now when I try to modify the desktop (you know...wallpapers,screensavers,resolution,etc...)there are some tags missing, included the wallpaper one, so I can't modify it (stretch,center,etc...).Then I download the "hijackthis_sfx" and ran it. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 02:12:46 a.m., on 15/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\RunDLL.exe
C:\BSW.EXE
C:\ARCHIVOS DE PROGRAMA\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por AOL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Archivos de programa\GetRight\xx2gr.dll
O2 - BHO: (no name) - {8BF659C1-C43C-11D9-BF61-608E44EDD4C6} - C:\WINDOWS\SYSTEM\GOCO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AllerCalc] "C:\Archivos de programa\AllerCalc\AllerCalc.exe" /i
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - Startup: Ícono de Bandeja America Online México 9.0 .lnk = C:\Archivos de programa\America Online 9.0\aoltray.exe
O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Registro de Lotus SmartSuite Versión 9.lnk = C:\lotus\register\remind32.exe
O4 - Startup: DeskHide.lnk = C:\Archivos de programa\DeskHide\deskhide.exe
O8 - Extra context menu item: & - res://C:\ARCHIVOS DE PROGRAMA\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Archivos de programa\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Archivos de programa\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com.mx/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {8BF659C0-C43C-11D9-BF61-608E2BA1715D} - C:\WINDOWS\SYSTEM\GOCO.DLL
O18 - Filter: text/plain - {8BF659C0-C43C-11D9-BF61-608E2BA1715D} - C:\WINDOWS\SYSTEM\GOCO.DLL


Please, I Really can't think of anything else to do.Please give me a hand.

PS:My windows update feature hasn't work properly since I reinstalled windows a few months ago. Every time I try to use it, it appears an error message , and tells me that IE must restart. ????.

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:12:53 AM

Posted 15 May 2005 - 06:55 PM

Hello blackwarmanga and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Please perform the following steps:
  • Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).
  • Download SpSeHjfix.zip and unzip it to it's own folder. Do not run it yet.
  • Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
  • Start in Safe Mode Using the F8 method:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Disconnect from the net and Close ALL OPEN PROGRAMS.
  • Run SpSeHjfix and click on Start Disinfection.
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.
  • Now run CWShredder and click on the Fix -> button.
  • Reboot and repeat the above process.
Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 blackwarmanga

blackwarmanga
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 03 September 2005 - 12:53 AM

Hi, I am very sorry for not following your instructions sooner, but I don't have a cd-burner , so I wanted to back-up my files before doing all this, and then after some time, I forgot to do this.
But, well, now I did it. I have new programs, etc.. so the new hijack log may be diferent , but I followed your steps, except that the second time I tried to run the SpSeHjfix , it never finished, so I coul't get a new log. But, anyway , after folllowing all the other steps,I have a new Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 12:48:13 a.m., on 03/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
C:\BSW.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\AMERICA ONLINE 8.0\WAOL.EXE
C:\ARCHIVOS DE PROGRAMA\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por AOL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Archivos de programa\GetRight\xx2gr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\ARCHIVOS DE PROGRAMA\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Archivos de programa\Archivos comunes\AOL\EE\AOLHostManager.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AllerCalc] "C:\Archivos de programa\AllerCalc\AllerCalc.exe" /i
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\Run: [DesktopMagic] C:\ARCHIVOS DE PROGRAMA\FUSION SOFTWARE\DESKTOP MAGIC\DESKMAGIC.EXE
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [AllerCalc] "C:\Archivos de programa\AllerCalc\AllerCalc.exe" /i
O4 - HKCU\..\RunServices: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\RunServices: [DesktopMagic] C:\ARCHIVOS DE PROGRAMA\FUSION SOFTWARE\DESKTOP MAGIC\DESKMAGIC.EXE
O4 - Startup: America Online México Tray Icon.lnk = C:\Archivos de programa\America Online 8.0\aoltray.exe
O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Registro de Lotus SmartSuite Versión 9.lnk = C:\lotus\register\remind32.exe
O4 - Startup: DeskHide.lnk = C:\Archivos de programa\DeskHide\deskhide.exe
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: & - res://C:\ARCHIVOS DE PROGRAMA\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Archivos de programa\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Archivos de programa\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Bùsqueda - res://C:\ARCHIVOS DE PROGRAMA\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\ARCHIVOS DE PROGRAMA\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\ARCHIVOS DE PROGRAMA\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A3C32F60-C43C-11D9-BF61-608E53C18C8E} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com.mx/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

OK, so, does anything was fixed up?
bye, and thanks in advanced for your time

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:12:53 AM

Posted 03 September 2005 - 12:09 PM

Hi blackwarmanga. Ok, let's start again. Please print these directions and then proceed with the following steps in order.

Step #1

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Step #2

Place a shortcut to Panda ActiveScan on your desktop.

Step #3

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.
Don't run it yet!

Step #4

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:<items>
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Step #7

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

Now we need to clean the wininet.dll file.
  • Click Start>Run, type command into the Open editbox and click the ok button
  • At the command prompt type copy c:\windows\system\wininet.dll c:\windows\desktop
  • Reboot the computer
  • Scan the desktop folder with eTrust Web Scanner
  • When done, make sure the box is check for wininet.dll and click Cure
  • Reboot to the Command Prompt
  • Type del c:\windows\system\wininet.dll and press the Enter key
  • Type del c:\windows\system\oleadm.dll and press the Enter key
  • Type del c:\windows\system\oleext.dll and press the Enter key
  • Type copy c:\windows\desktop\wininet.dll c:\windows\system and press the Enter key
  • Reboot normally
Step #9

Change the Display properties by doing the following:
  • Click Start>Settings>Control Panel
  • Double-click Display
  • Click the Web tab
  • Uncheck "View my Active desktop as a web page"
  • Click Ok then Apply then ok again.
  • Close the Control Panel
Step #10
  • Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).
  • Download SpSeHjfix.zip and unzip it to it's own folder. Do not run it yet.
  • Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
  • Start in Safe Mode Using the F8 method:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Disconnect from the net and Close ALL OPEN PROGRAMS.
  • Run SpSeHjfix and click on Start Disinfection.
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.
  • Now run CWShredder and click on the Fix -> button.
  • Reboot and repeat the above process starting with Step 4.
Step #11

Now click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the SpSeHjfix Log by using Add Reply.

Let us know if any problems persist.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users