Jump to content


Photo

Browser takes me to super-spider.com


  • This topic is locked This topic is locked
15 replies to this topic

#1 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 04 June 2004 - 03:40 PM

Hello

My home page has been changed to super-spider.com and I can't change it because the option has been blocked. I tried to remove this hijack following the article but none of the options did work.

Also I couldn't find the hijack in any list. :scratchhead:

Any help will be greatly appreciated.

My HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 16:38:20, on 04/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Documents and Settings\Miguel\Mis documentos\HijackThis.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\agki.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\r9u647emcetx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WebScan] C:\ARCHIV~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E73C086-346A-41B6-A7C1-90578B77F0D7}: NameServer = 200.50.96.90 200.54.144.227

#2 Lappen

Lappen

    Member

  • Retired Staff
  • Pip
  • 77 posts

Posted 05 June 2004 - 08:34 AM

Hi!

You have been infected by Coolwebsearch and some other things...

Please download the latest version of CWShredder from here or here

If you are unable to download that file because of the Hijack, please post back. If you are able to get the file follow the instructions below.

Run it.
Check for update, if it needs to update please allow it to do so.

Click fix/next. Let it fix all if finds.
Reboot

Run it again (to be sure it worked)
Click fix/next. Let it fix all if finds.
Reboot

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Reboot

After that go to windows update and download all critical updates.

After installing go back and download some more and repeat that until all updates are done.

Reboot

Run a new HJT log and post it here as a reply to this topic since there will be more that needs fixing.

#3 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 09 June 2004 - 11:44 AM

Thank you very much, but now I have another big problem, something has been blocking my internet conection, all seems to work fine but sometimes the only thing that I can see is the super-spider start page. I supose that's the hijack.

I'll try to clean it with the CWShredder but maybe I won't be able to update it, does it works?.

I'll keep you inform about it and thanks again.

Edited by NowhereMan, 09 June 2004 - 03:32 PM.


#4 Lappen

Lappen

    Member

  • Retired Staff
  • Pip
  • 77 posts

Posted 10 June 2004 - 09:48 AM

I will wait for your next reply then, if you cant update the CWShredder, run it as is.

#5 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 10 June 2004 - 11:07 AM

I was able to do everything you said (CWShredder updated, virus scan and windows update) with no problems. The HouseCall found 151 infected files and just 2 of them couldn’t be cleaned or deleted because they were currently in use during the scan:

Virus TROJ KREPPER.Q File C:\Documents and Settings\Miguel\Configuracion Local\Temp\2100860.tmp

Virus TROJ KREPPER.Q File C:\Documents and Settings\Miguel\Configuracion Local\Temp\194509.tmp

This is my new HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 11:40:46, on 10/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Miguel\Mis documentos\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\r9u647emcetx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WebScan] C:\ARCHIV~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E73C086-346A-41B6-A7C1-90578B77F0D7}: NameServer = 200.50.96.90 200.54.144.227

#6 Lappen

Lappen

    Member

  • Retired Staff
  • Pip
  • 77 posts

Posted 10 June 2004 - 01:05 PM

Hi again NowhereMan, The CWS infection is still there :(

Please try to get rid of that and the Virus problem by doing this. It might not fix your problem but it's worth a try.

Check that you have the latest version (1.59.0 or later) of cwshredder from here

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Run cwshredder.
Click fix/next. Let it fix all if finds.
Reboot to Safe mode again

Run it again (to be sure it worked)
Click fix/next. Let it fix all if finds.
Reboot (normal)

Do a virus scan (again) here .
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Run a new HJT log and post it here since there will be more that needs fixing.

#7 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 15 June 2004 - 09:13 AM

Hi Lappen

I did everything you said and I also searched for tmp files, I was able to delete all of them. I searched again and there were no tmp files. I did all in the safe mode.

Then I rebooted to normal and I did the virus scan. The HouseCall found 1 infected file and it couldn’t be cleaned or deleted because they were currently in use during the scan:

Virus TROJ KREPPER.Q File C:\Documents and Settings\Miguel\Configuracion Local\Temp\250970.tmp

This is my new HJT:

Logfile of HijackThis v1.97.7
Scan saved at 10:07:39, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Archivos de programa\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Miguel\Mis documentos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\r9u647emcetx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WebScan] C:\ARCHIV~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [z-wrdialer] C:\Archivos de programa\WinPoET Broadband Connection\WrDialer.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E73C086-346A-41B6-A7C1-90578B77F0D7}: NameServer = 200.50.96.90 200.54.144.227

#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 15 June 2004 - 04:03 PM

Hi guys, there is a random bho associated with this one that I want to check out further.

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, find, zip and send this file:

C:\WINDOWS\System32\r9u647emcetx.dll

to this e-mail address including a link to this thread in the body of the email.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\r9u647emcetx.dll
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab

Reboot when done, rescan with HJT and post a new log here for a final check over.
Posted Image

#9 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 15 June 2004 - 05:30 PM

Hi Daemon

I sent you the e-mail with the file and I did what you said. For the first time I didn't see any super spider when I entered to the internet explorer. Thank you so much.

Here's the HJT:

Logfile of HijackThis v1.97.7
Scan saved at 18:23:17, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Documents and Settings\Miguel\Mis documentos\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [z-wrdialer] C:\Archivos de programa\WinPoET Broadband Connection\WrDialer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E73C086-346A-41B6-A7C1-90578B77F0D7}: NameServer = 200.50.96.90 200.54.144.227

#10 Lappen

Lappen

    Member

  • Retired Staff
  • Pip
  • 77 posts

Posted 16 June 2004 - 12:26 AM

Thanx for stepping in Daemon :thumbsup:

NowhereMan, the log looks clean now as far as I can tell.

How are your browser and computer behaving? Are you still having that file shoving up in Virus scans?

I would wait for Daemon to post back but while waiting please read this page

>> How Did I Get Infected In The First Place?

#11 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 16 June 2004 - 08:25 AM

My browser is working ok, no more internet shortcuts have been added to my favourites, no more super-spider pages have appeared, my internet options are no longer blocked and I could change my start-page. So far the computer has no problems.

Even though a new virus scan (from HouseCall) has found 18 infected files, the same virus (TROJ KREPPER.Q) in the same location (C:\Documents and Settings\Miguel\Configuracion Local\Temp\xxxxxx.tmp), but this time all of them could be deleted. What should I do? :wtf:

I would like to change IE and I’ll take any recommendation that could help me to prevent something like this happen again. Should I change my antivirus too?

Thank you both of you guys. Thanks for your help and understanding.

#12 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 16 June 2004 - 12:04 PM

I got the file - thanks :) Lappen is absolutely right - your log is clean now. Follow the recommendations in the link he provided to help stay clean.

See if this helps with the virus scan. Click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so. Repeat for all log-in accounts on your computer.
Posted Image

#13 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 16 June 2004 - 12:29 PM

Hi Daemon

Thanks for the advise, I just have one question, do I have to check all boxes under Items to clear or just the Internet Explorer ones?.

#14 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 16 June 2004 - 12:32 PM

I do them all with the exception of cookies as I use something else to manage those.
Posted Image

#15 NowhereMan

NowhereMan

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 16 June 2004 - 01:08 PM

Thanks a lot Daemon, the virus scan did not found any viruses, System Security Suite solved the problem. I'll follow your recommendations.

You guys are the best.

#16 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 16 June 2004 - 01:10 PM

Glad we could help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button