brave sentry removed, internet explorer not working

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by liliana325, Jun 29, 2006.

  1. liliana325

    liliana325 Private E-2

    I'm new around here, but I've been looking for help all over the internet, but I finally decided to ask here...

    yesterday as I was looking around the internet, I got the brave sentry message in my computer, and accidentally I clicked the text globe and I guess you all know what happened..... I started to look for help and found some stuff.... first went to add/remove programs and removed brave sentry, but I still had the red circle with the X there.... then I ran ewido and it seemed to remove brave sentry completely, no more messages or red circles.... but then I realized that I couldn't access Task Manager and whenever I tried to use Internet Explorer it gives me an error message, then I found something about using smitfraudfix, I used it and it fixed the task manager problem, I can access now.... but my internet explorer still isn't working! I really don't know what to do.... I tried re-installing it, but it didn't help....

    this is the hijackthis log

    Edit by chaslang: Inline log attached

    I have to add that my computer is in Spanish, since I'm Mexican, most programs I have are in Spanish, I hope that won't be a problem... and... I also need to say that I decided not to install SP2, because of all the problems I've heard about it....

    I really hope you can help.... thanks in advance
     

    Attached Files:

    Last edited by a moderator: Jun 29, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please do not post any logs inline with messages. They must be attachments. Normal procedures require the steps of the READ & RUN ME FIRST Before Asking for Support sticky thread to be run first. However, since you do not have internet access, let's try fixing a few things first to see if we can get internet access back. If we do then you will need to run the READ ME.

    I see a service from Symantec running. What do you have installed from Symantec? You already have F-Protect Antivirus so you should not have any other AV installed.

    Is your copy of Ewido a paid version or a free trial version?

    I see FireFox running. Does it connect to the Internet okay and is your problem only with IE?

    Are the below items something you configured:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.savewealth.com/support/ie6/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
    O1 - Hosts: 85.249.139.66 socks.tempservice.org
    O1 - Hosts: 85.249.138.154 socks.temphost.ws
    O1 - Hosts: 85.249.138.154 j006_fljkdr.fgkfps.com


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Archivos de programa\BHO Plugin\plugin.dll
    O4 - HKLM\..\Run: [f2952072.exe] C:\WINDOWS\System32\f2952072.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [f2952072.exe] C:\Documents and Settings\Propietario\Configuración local\Datos de programa\f2952072.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\f2952072.exe
    C:\Documents and Settings\Propietario\Configuración local\Datos de programa\f2952072.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  3. liliana325

    liliana325 Private E-2

    oh I'm really really sorry, before doing anything I will answer your questions and then follow the steps, I never thought there would be any steps to follow before asking for help....

    about symantec, I really have no idea what I have installed, I used to have Norton, and a few months ago it expired, so the guy who fixes my computer most of the time told me about F-Prot and he installed it on my computer, but I thought he had uninstalled everything from symantec

    my Ewido copy is the free trial version

    and yes, after internet explorer not working a friend told me about firefox, because I don't have another computer, and I needed internet access to ask for help, the internet connection works fine, I can use FireFox and messenger and all internet related things.... the only thing not working is Internet Explorer

    so now I'll go and follow the steps, thanks for taking the time to help

    I forgot to say that I downloaded ewido as a temporary solution, because F-Prot started to do something to my MSN messenger, I had trouble using messenger, it would log in and it would work slow, after a big search, lots of uninstalling and reinstalling, I found out that if F-Prot guard is running, my messenger doesn't work ok.... I don't know why that happened, it was working fine before....
     
    Last edited: Jun 29, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to answer one of my questions:

    Since you have internet access, you should be able to run all of the READ & RUN ME except step 6. Please do what I gave you in message number 2 first and then attach a new followup HJT log and tell me your current status.

    Then you should go back and start running all of the READ & RUN ME sticky procedure.
    When finished with it attach another new HJT log (and if your IE is now working, also attach the two logs from step 6).
     
  5. liliana325

    liliana325 Private E-2

    hi!

    about your question, no, I don't even know what that is... though I see something that says "savewealth" and now that internet explorer is working, it opens with that as home page

    yes! internet explorer is working again! and things seem to be running just fine, I don't see any errors and internet explorer works great again :)

    here is the new HJT log
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of those IP addresses in the O1 Hosts lines are in Russia. Are you in Russia?

    Example:
    Is this valid? Is this your ISP? Do you need those host file settings?


    Do you want your start pages to be www.savewealth.com? They appear to be hardcoded into your PC like the company who built your PC did it.
     
  7. liliana325

    liliana325 Private E-2

    I'm sorry I haven't replied with the rest, I just haven't been able to finish it... but in the meantime I can answer those..

    no, I'm not in Russia, I live in Mexico and I don't really know what my ISP is :confused:

    oh and I changed the home page, I don't want it to be savewealth.com so I just changed it and I've had no problems

    I just want to add that everything seems to be working fine, I haven't been using the computer as much as I used to because of work, but I will try to finish and post a new HJT log today

    thanks for your help :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but if you ever use Reset Web Settings (which we often request), it will change back due to the below line in your HJT log:
    O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
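
The HijackThis entries quoted in this thread, grouped for review the way the helper reads them (hosts redirects, autoruns, IE page settings and the IERESET.INF default). This is an added example, not part of the original posts or of HijackThis itself; `triage` and `SAMPLE_LOG` are hypothetical names, and the patterns cover only the line shapes quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines quoted in the posts above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.138.154 socks.temphost.ws
O4 - HKLM\..\Run: [f2952072.exe] C:\WINDOWS\System32\f2952072.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [f2952072.exe] C:\Documents and Settings\Propietario\Configuración local\Datos de programa\f2952072.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
"""

# Assumption: these patterns match only the entry shapes shown in this thread.
ENTRY = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*)$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\]\s+(.*)$")
IE_URL = re.compile(r"^(HK\w+)\\.*,(.+?)\s*=\s*(\S+)")
IERESET = re.compile(r"^IERESET\.INF:\s*(\w+)=(\S+)")

def triage(log_text):
    """Group HijackThis entries by section and derive review notes."""
    out = {"hosts": [], "ie_urls": [], "reset_urls": [], "notes": []}
    runs = defaultdict(list)  # Run value name -> [(hive, command), ...]
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O1" and (h := HOSTS.match(body)):
            out["hosts"].append(h.groups())          # (ip, hostname)
        elif code == "O4" and (r := RUN.match(body)):
            runs[r.group(2)].append((r.group(1), r.group(3)))
        elif code in ("R0", "R1") and (u := IE_URL.match(body)):
            out["ie_urls"].append((u.group(2), u.group(3)))
        elif code == "O14" and (i := IERESET.match(body)):
            out["reset_urls"].append(i.group(2))
    # The same Run value registered more than once (here: HKLM and HKCU).
    for name, regs in runs.items():
        if len(regs) > 1:
            out["notes"].append(f"autorun {name} registered {len(regs)} times")
    # A page that is also the IERESET.INF default returns after Reset Web Settings.
    for url in sorted({u for _, u in out["ie_urls"]} & set(out["reset_urls"])):
        out["notes"].append(f"{url} also in IERESET.INF")
    return out
```

The second note is the situation described in the last reply: changing the home page in IE alone leaves the IERESET.INF value in place.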
     
