Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

problem with www.free6.se


  • Please log in to reply

#1
jmaya

jmaya

    New Member

  • Member
  • Pip
  • 3 posts
when I start Internet explorer, run a page www.free6.se and i can't remove it, i tried with spysweep and mcafee antispyware and it doesn't work, please give a solution, thanks.
Logfile of HijackThis v1.97.7
Scan saved at 13:46:56, on 12-12-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\WinPoET\WrOS.EXE
C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Archivos de programa\WinPoET\winpppoverethernet.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system\lsass.exe
C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Mis documentos\programas\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acapomil.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {8D98C324-C957-4FE0-95FE-D5BA629AC9E9} - C:\WINDOWS\lbbho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7C8E1B3-F3B7-4A93-A108-553E1A9B4597} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [z-wrdialer] "C:\Archivos de programa\WinPoET\wrdialer.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Microsoft SourceSafe] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Patches Value] WinGasys.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Windows SSL File] winssv.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [AdWare SpyWare Removal] C:\Archivos de programa\AdWare SpyWare Removal\AdWare SpyWare Removal.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Referencia (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: latam.msn.com
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1100061560968
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{198DC8F0-001E-4016-B14E-9AFDB6E8A698}: NameServer = 200.28.4.129 200.28.4.130
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
I'll be answering your question in a few minutes.

Have to do some research.

Regards,

Pieter
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: C:\WINDOWS\lbbho.dll - {8D98C324-C957-4FE0-95FE-D5BA629AC9E9} - C:\WINDOWS\lbbho.dll

O4 - HKLM\..\Run: [Microsoft SourceSafe] C:\WINDOWS\system\lsass.exe

O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Patches Value] WinGasys.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Windows SSL File] winssv.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [AdWare SpyWare Removal] C:\Archivos de programa\AdWare SpyWare Removal\AdWare SpyWare Removal.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot after doing so, preferably into safe mode and delete:
C:\WINDOWS\system\lsass.exe <= Please note that you should NOT try to delete C:\WINDOWS\system32\lsass.exe which is the real Windows file

Post a new log when you are done.
If you have any confidential information like passwords stored on your computer, I would change them as soon as possible.

Regards,

Pieter
  • 0

#4
jmaya

jmaya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
pieter, I removed the items that you wrote, but it doesn't works, this is the new hijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 0:26:18, on 13-12-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Archivos de programa\WinPoET\winpppoverethernet.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\Archivos de programa\WinPoET\WrOS.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Mis documentos\programas\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acapomil.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7C8E1B3-F3B7-4A93-A108-553E1A9B4597} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [z-wrdialer] "C:\Archivos de programa\WinPoET\wrdialer.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Referencia (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: latam.msn.com
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1100061560968
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{198DC8F0-001E-4016-B14E-9AFDB6E8A698}: NameServer = 200.28.4.129 200.28.4.130
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Your log looks OK.

Can you tell me when exactly this page comes up?

Regards,

Pieter
  • 0

#6
jmaya

jmaya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
the page that comes up is www.free6.se, it happens twice, after a few seconds when I start internet exlorer.

thanks.
  • 0

#7
DRY_GIN2

DRY_GIN2

    New Member

  • Member
  • Pip
  • 2 posts
Hey man, you are out of luck with HiJackThis or SpyBot on this one
I got the same free6.se problem with my IE

This is virus or worm and can be removed only with antivirus software

I'm not a guru in antivirus market, but I used online antivirus scan tool provided by panda activescan (as were advised by someone else on simular thread)

(just in case):

http://www.pandasoft...n_principal.htm

It find and desinfect couple of programs on my computer and afterwhat everything seems to be ok

here is Panda ActiveScan log file:


Incident Status Location

Virus:Trj/StartPage.FH Disinfected D:\C-Drive\HiJackThis\backup-20041012-012009-923.dll
Virus:Trj/StartPage.FH Disinfected D:\C-Drive\HiJackThis\backup-20041023-064806-283.dll
Virus:Trj/Aders.A No disinfected D:\C-Drive\x.cab[vbsys.dll]
Virus:Trj/StartPage.FH Disinfected E:\WINDOWS\Downloaded Program Files\Q330995.exe
Virus:Trj/Downloader.AJ Disinfected E:\WINDOWS\Downloaded Program Files\Q678340.exe
Virus:Trj/Agent.CA Disinfected E:\WINDOWS\system32\vbsys2.dll
Hope it helps

Regards
  • 0

#8
DRY_GIN2

DRY_GIN2

    New Member

  • Member
  • Pip
  • 2 posts
One more thing, if someone interested,

x.cab is seems to be the installer of this worm

it has inf file "start.INF"
*****************************
[Setup Hooks]
hookplace=hookplace

[hookplace]
run=rundll32 %EXTRACT_DIR%\vbsys.dll start path=%EXTRACT_DIR%\vbsys.dll

[Version]
Signature="$CHICAGO$"
AdvancedInf=2.0
*****************************
and a dll file called "vbsys.dll"

if someone need this files to incorporate in antispyware/antivirus software
I can send it upon request

regards.
  • 0

#9
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Jmaya:

Do you still need assistance? If so, download the latest version of Hijack This - 1.99 in my signature. It is much better at picking up the latest problems.
  • 0

#10
dry_gin

dry_gin

    New Member

  • Member
  • Pip
  • 1 posts
Actually version 1.99 will show this as installed service, so it is now possible to delete via HiJack
HiJack rulez!
  • 0

#11
kazzeh

kazzeh

    New Member

  • Member
  • Pip
  • 1 posts
I have the same problem with free6.se but I don't understand any of this stuff and have no idea what to do :tazz: Can someone help?

Also, is this related to the PWSteal.Banker.B virus and W32.Pinfi?

Thanks

Kaz
  • 0

#12
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hey kazzeh. Welcome to GTG. :tazz:

Please start a new thread with your downloaded hijack this log, and we'll get after it.

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide. Also see this post.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP