skull696 Posted March 1, 2005

Hello people!

I need desperately some help. I've been trying myself to fix the hijacked browser problem for some time now, but I haven't succeeded. Here's my hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:44:08 a.m., on 01/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Totem Shared\Uninstall0001\upd.exe
C:\CwShredder\SpySub.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [uninstall0001] "C:\Archivos de programa\Archivos comunes\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\CwShredder\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

Any help will be appreciated, thanks!

/skull696

Dragon Posted March 1, 2005

To clean some of it out already, please download Spybot: Search and Destroy from http://www.safer-networking.org/index.php?page=download . Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

I'd Also Recommend you Download AdAware, Another good Antispyware Program From http://www.lavasoftusa.com/support/download/ . Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan. Do a scan on AdAware and Remove Everything it suggests.

After This, Reboot and Post a Fresh HijackThis log.

skull696 Posted March 4, 2005

Hello! Thanks for the reply!

Now I've done all that you mentioned. Here's my hijackthis log:

**********
Logfile of HijackThis v1.99.1
Scan saved at 10:15:57 a.m., on 04/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Media Player Classic\mplayerc.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\CwShredder\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
********************

Any suggestions? Thanks!

Dragon Posted March 4, 2005

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from http://cwshredder.net/bin/CWShredder.exel and run the Program twice. Press the "Fix Button". Let it fix all variants. Next, Close the program and Post a Fresh HijackThis log.

skull696 Posted March 10, 2005

Hi!

Now I've run CWShredder twice. This is the new hijackthis log file:

***********
Logfile of HijackThis v1.99.1
Scan saved at 10:10:53 a.m., on 10/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\CwShredder\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
******************

Any suggestions or comments? Cool Websearch Trojan? How did I get infected with it?

Thanks!

/skull696

Dragon Posted March 10, 2005

You can get the cool web search trojan by going to one of any number of sites on the net run by Cool Web Search.

About:Buster - Download it and extract it to C:/aboutbuster.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.

Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Look over the Following Entries I have listed, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O20 - AppInit_DLLs: PAVWAIT.DLL

After this, Reboot and post a fresh Hijack this log.

skull696 Posted March 11, 2005

Hello!

Now I've run aboutBuster. This is the new hijackthis log file.

*******************
Logfile of HijackThis v1.99.1
Scan saved at 01:07:57 p.m., on 11/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\CwShredder\SpySub.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\CwShredder\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
********************

The c:/searchpage.html entries just keep coming back again and again every time hijackthis fixes them.

/skull696

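Added example, not part of the original thread and not any poster's code: when fixed entries return, it helps to compare two scans entry by entry and to list every command in the F2 UserInit value other than userinit.exe, since each comma-separated command there runs at logon and `regedit /s` imports a .reg file silently. The function names and the expected userinit.exe path are assumptions; the sample lines are copied from the first two logs in this thread.

```python
import re

# A HijackThis entry line starts with a section code such as R0, F2, O4 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sample input: a few lines copied from the March 1 and March 4 logs above.
SCAN_1 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O4 - HKLM\..\Run: [uninstall0001] "C:\Archivos de programa\Archivos comunes\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
O13 - DefaultPrefix: c:\searchpage.html?page=
"""
SCAN_2 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
"""


def parse_log(text):
    """Return (code, detail) pairs; header and running-process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def compare_scans(before, after):
    """Split entries into those that survived, disappeared or appeared between scans."""
    b, a = parse_log(before), parse_log(after)
    return {
        "persisting": [e for e in b if e in a],
        "removed": [e for e in b if e not in a],
        "new": [e for e in a if e not in b],
    }


def userinit_extras(text, expected=r"C:\WINDOWS\System32\userinit.exe"):
    """List each command in an F2 UserInit entry that is not the expected path.

    `expected` is an assumption (the default location on this XP install);
    the comparison is case-insensitive because Windows paths are.
    """
    extras = []
    for code, detail in parse_log(text):
        if code == "F2" and "userinit=" in detail.lower():
            value = detail.split("=", 1)[1]
            for cmd in value.split(","):
                cmd = cmd.strip()
                if cmd and cmd.lower() != expected.lower():
                    extras.append(cmd)
    return extras


if __name__ == "__main__":
    result = compare_scans(SCAN_1, SCAN_2)
    for label in ("persisting", "removed", "new"):
        print(label.upper())
        for code, detail in result[label]:
            print(f"  {code} - {detail}")
    print("UserInit commands to review:")
    for cmd in userinit_extras(SCAN_2):
        print(f"  {cmd}")
```

Run on full logs, the same comparison shows which entries a cleanup pass actually removed and which ones are still present at the next scan.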
Dragon Posted March 13, 2005

Could You please Zip up and send c:\searchpage.html to Spyware Submissions please? We suspect this may be a new infection.