Spyware Cleaning Section Closed!!

Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#26
OK, I did as you said. It found some viruses and disinfected them. I'm going to post the report of the viruses it found, and after it the HijackThis log:
| Incident | Status | Location |
|---|---|---|
| Virus:W32/Sdbot.gen.worm | Disinfected | Operating system |
| Virus:Trj/StartPage.EB | Disinfected | C:\Documents and Settings\Andre\Desktop\André\Utilitarios\dllfix\submit.zip[defo.dll] |
| Virus:Trj/StartPage.EB | Disinfected | C:\RECYCLER\S-1-5-21-436374069-1935655697-839522115-1003\Dc1.dll |
| Virus:W32/Sasser.ftp | Disinfected | C:\WINDOWS\system32\cmd.ftp |

-----Now the Hijackthis-----

Logfile of HijackThis v1.97.7
Scan saved at 23:39:33, on 19/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Discador Terra\tdd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\ICQLite\ICQLite.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.microsoft.com/br
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
O4 - HKLM\..\Run: [Microsoft CONFIG] winmx.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [Microsoft Update Macahine] winedll.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft CONFIG] winmx.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [Microsoft Update Macahine] winedll.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
O4 - HKCU\..\Run: [Microsoft CONFIG] winmx.exe
O4 - HKCU\..\Run: [Microsoft Update] lsac.exe
O4 - HKCU\..\Run: [Microsoft Update Macahine] winedll.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Barra do iG (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab27571.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10

#27

With all browser windows closed, check, and have Hijack This fix all of the following items, restart your computer, then post a fresh log; there's probably some work to be done yet...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [Microsoft CONFIG] winmx.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [Microsoft Update Macahine] winedll.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft CONFIG] winmx.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [Microsoft Update Macahine] winedll.exe
O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
O4 - HKCU\..\Run: [Microsoft CONFIG] winmx.exe
O4 - HKCU\..\Run: [Microsoft Update] lsac.exe
O4 - HKCU\..\Run: [Microsoft Update Macahine] winedll.exe

__________________
Tony
CLSID List - A Collection of Autostart Locations

#28

OK, I've done as you said, and here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 15:04:25, on 20/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Discador Terra\tdd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.microsoft.com/br
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Barra do iG (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab27571.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

#29

I just noticed you're running an obsolete version of Hijack This. Would you please download the latest version here and post a log with that one:
http://www.wilderssecurity.com/showthread.php?t=12516, and download Hijack This. Also, copy the contents of the quote box to Notepad. Name the file Appinit.bat and save on your Desktop as type 'All Files'.

Quote:

Double click on Appinit.bat. This will create a file on the desktop named windows.txt.

Upload windows.txt in your next reply. To do that, do not use quick reply. Instead press the Reply button. When you do, you will be able to attach a file to your reply. Attach Windows.txt.

We need to make sure we're not overlooking anything!
__________________
Tony
CLSID List - A Collection of Autostart Locations

#30

Ok, here is the HiJack This log:

Logfile of HijackThis v1.98.0
Scan saved at 20:56:12, on 20/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Discador Terra\tdd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\ICQLite\ICQLite.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis1980hf.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.microsoft.com/br
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab27571.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10

#31

That looks harmless enough!

Just have Hijack This fix this item:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

After that you should be good to go.
__________________
Tony
CLSID List - A Collection of Autostart Locations

#32

Thanks for all. I'm just posting this last hijack to be sure, and one last question: How do you understand the logs? Lol

Logfile of HijackThis v1.98.0
Scan saved at 14:42:42, on 21/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Discador Terra\tdd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.microsoft.com/br
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab27571.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10

#33

Clean log; well done!

As to how we manage to interpret the logs, long story, but it comes down to experience, research, and hanging and posting at boards like this for far too many hours every day....
__________________
Tony
CLSID List - A Collection of Autostart Locations
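
One way to check mechanically that a fix list took effect, as an added example that is not part of the original thread: it cuts run-together HijackThis text back into entries, reports which requested items are still present in a later log, and groups O4 autostart value names by the keys they sit under. The sample text is excerpted from posts #27 and #30 above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Every HijackThis entry opens with a section code (R0-R3, F0-F3, N1-N4,
# O1-O23) followed by " - ".
CODE = r"(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - "
# Zero-width split point in front of each code, so text whose line breaks
# were lost can still be cut back into entries.
ENTRY_START = re.compile(r"(?<!\S)(?=" + CODE + ")")
O4_ENTRY = re.compile(r"O4 - (\S+): \[([^\]]+)\] (.+)")


def split_entries(text):
    """Return the entries in log text, with whitespace normalised."""
    entries = []
    for chunk in ENTRY_START.split(text):
        chunk = " ".join(chunk.split())
        if re.match(CODE, chunk):  # drops the header and process list
            entries.append(chunk)
    return entries


def check_fixes(fix_list_text, later_log_text):
    """Sort fix-list entries into (removed, still_present) for a later log."""
    later = {e.casefold() for e in split_entries(later_log_text)}
    removed, still_present = [], []
    for entry in split_entries(fix_list_text):
        bucket = still_present if entry.casefold() in later else removed
        bucket.append(entry)
    return removed, still_present


def autostart_keys(entries):
    """Map each O4 value name to the autostart keys it is registered under."""
    keys = defaultdict(list)
    for entry in entries:
        m = O4_ENTRY.match(entry)
        if m:
            keys[m.group(2)].append(m.group(1))
    return dict(keys)


# Excerpts copied from the thread: part of the fix list in post #27 and part
# of the log in post #30, left run together as they appear on the page.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll O4 - HKLM\..\Run: [Microsoft Update] lsac.exe O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKCU\..\Run: [Microsoft Update] lsac.exe O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
"""
LATER_LOG = r"""
Logfile of HijackThis v1.98.0 Scan saved at 20:56:12, on 20/7/2004 Running processes: C:\WINDOWS\Explorer.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
"""

if __name__ == "__main__":
    removed, still_present = check_fixes(FIX_LIST, LATER_LOG)
    print("removed:", len(removed))
    for entry in still_present:
        print("still present:", entry)
    for name, keys in autostart_keys(split_entries(FIX_LIST)).items():
        print(name, "->", ", ".join(keys))
```

An entry reported as still present either came back after the restart or was never removed, which is the cue to look for whatever keeps writing it.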

#34

Thank you very much. Thanks to all of you who helped me for this time, continue with this work.
And if I ever get any problem I'm going to bother you.

#35

You're welcome; glad we were able to help.
__________________
Tony
CLSID List - A Collection of Autostart Locations

#36

Hi again, I'm bothering you again because lots of pop-ups started to show up again and my initial page changed too, and lots of pop-ups saying I have spyware... you already heard it. Please, what to do once more?
Thanks

#37

As I already know I have to put a Hijack This logfile, here it is:

Logfile of HijackThis v1.98.0
Scan saved at 13:10:42, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\javaor32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Discador Terra\tdd.exe
C:\WINDOWS\system32\sysva.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
D:\ICQLite\ICQLite.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\tfksu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\system32\tfksu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\tfksu.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.microsoft.com/br
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D18C678-DFB1-FFBF-DBEF-7B9FA152DCF5} - C:\WINDOWS\apphp32.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
O4 - HKLM\..\Run: [sysva.exe] C:\WINDOWS\system32\sysva.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab27571.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10

#38

Please take a look at the link; it will explain our new policy on HJT logs. The link has some more links to other forums that still work HJT logs. This thread is now closed.
Thank you, bigc
__________________
The Only Safe Computer Is Unplugged
MEMBER ASAP since 2004
Alliance of Security Analysis Professionals