[jmaya]

when I start Internet explorer, run a page www.free6.se and i can't remove it, i tried with spysweep and mcafee antispyware and it doesn't work, please give a solution, thanks.
Logfile of HijackThis v1.97.7
Scan saved at 13:46:56, on 12-12-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\WinPoET\WrOS.EXE
C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Archivos de programa\WinPoET\winpppoverethernet.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system\lsass.exe
C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Mis documentos\programas\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acapomil.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {8D98C324-C957-4FE0-95FE-D5BA629AC9E9} - C:\WINDOWS\lbbho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7C8E1B3-F3B7-4A93-A108-553E1A9B4597} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [z-wrdialer] "C:\Archivos de programa\WinPoET\wrdialer.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Microsoft SourceSafe] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Patches Value] WinGasys.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Windows SSL File] winssv.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [AdWare SpyWare Removal] C:\Archivos de programa\AdWare SpyWare Removal\AdWare SpyWare Removal.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Referencia (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: latam.msn.com
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1100061560968
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{198DC8F0-001E-4016-B14E-9AFDB6E8A698}: NameServer = 200.28.4.129 200.28.4.130

[Advertisements]

I'll be answering your question in a few minutes.

Have to do some research.

Regards,

Pieter

[Metallica]

I'll be answering your question in a few minutes.

Have to do some research.

Regards,

Pieter

[Metallica]

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: C:\WINDOWS\lbbho.dll - {8D98C324-C957-4FE0-95FE-D5BA629AC9E9} - C:\WINDOWS\lbbho.dll

O4 - HKLM\..\Run: [Microsoft SourceSafe] C:\WINDOWS\system\lsass.exe

O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Patches Value] WinGasys.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Windows SSL File] winssv.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [AdWare SpyWare Removal] C:\Archivos de programa\AdWare SpyWare Removal\AdWare SpyWare Removal.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot after doing so, preferably into safe mode and delete:
C:\WINDOWS\system\lsass.exe <= Please note that you should NOT try to delete C:\WINDOWS\system32\lsass.exe which is the real Windows file

Post a new log when you are done.
If you have any confidential information like passwords stored on your computer, I would change them as soon as possible.

Regards,

Pieter

[jmaya]

pieter, I removed the items that you wrote, but it doesn't works, this is the new hijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 0:26:18, on 13-12-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Archivos de programa\WinPoET\winpppoverethernet.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\Archivos de programa\WinPoET\WrOS.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Mis documentos\programas\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acapomil.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7C8E1B3-F3B7-4A93-A108-553E1A9B4597} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Archivos de programa\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [z-wrdialer] "C:\Archivos de programa\WinPoET\wrdialer.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Archivos de programa\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Referencia (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: latam.msn.com
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1100061560968
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{198DC8F0-001E-4016-B14E-9AFDB6E8A698}: NameServer = 200.28.4.129 200.28.4.130

[Metallica]

Your log looks OK.

Can you tell me when exactly this page comes up?

Regards,

Pieter

[jmaya]

the page that comes up is www.free6.se, it happens twice, after a few seconds when I start internet exlorer.

thanks.

[DRY_GIN2]

Hey man, you are out of luck with HiJackThis or SpyBot on this one
I got the same free6.se problem with my IE

This is virus or worm and can be removed only with antivirus software

I'm not a guru in antivirus market, but I used online antivirus scan tool provided by panda activescan (as were advised by someone else on simular thread)

(just in case):

http://www.pandasoft...n_principal.htm

It find and desinfect couple of programs on my computer and afterwhat everything seems to be ok

here is Panda ActiveScan log file:


Incident Status Location

Virus:Trj/StartPage.FH Disinfected D:\C-Drive\HiJackThis\backup-20041012-012009-923.dll
Virus:Trj/StartPage.FH Disinfected D:\C-Drive\HiJackThis\backup-20041023-064806-283.dll
Virus:Trj/Aders.A No disinfected D:\C-Drive\x.cab[vbsys.dll]
Virus:Trj/StartPage.FH Disinfected E:\WINDOWS\Downloaded Program Files\Q330995.exe
Virus:Trj/Downloader.AJ Disinfected E:\WINDOWS\Downloaded Program Files\Q678340.exe
Virus:Trj/Agent.CA Disinfected E:\WINDOWS\system32\vbsys2.dll
Hope it helps

Regards

[DRY_GIN2]

One more thing, if someone interested,

x.cab is seems to be the installer of this worm

it has inf file "start.INF"
*****************************
[Setup Hooks]
hookplace=hookplace

[hookplace]
run=rundll32 %EXTRACT_DIR%\vbsys.dll start path=%EXTRACT_DIR%\vbsys.dll

[Version]
Signature="$CHICAGO$"
AdvancedInf=2.0
*****************************
and a dll file called "vbsys.dll"

if someone need this files to incorporate in antispyware/antivirus software
I can send it upon request

regards.

[coachwife6]

Jmaya:

Do you still need assistance? If so, download the latest version of Hijack This - 1.99 in my signature. It is much better at picking up the latest problems.

[dry_gin]

Actually version 1.99 will show this as installed service, so it is now possible to delete via HiJack
HiJack rulez!

[kazzeh]

I have the same problem with free6.se but I don't understand any of this stuff and have no idea what to do Can someone help?

Also, is this related to the PWSteal.Banker.B virus and W32.Pinfi?

Thanks

Kaz

[coachwife6]

Hey kazzeh. Welcome to GTG.

Please start a new thread with your downloaded hijack this log, and we'll get after it.

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide. Also see this post.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.