My HijackThis log file

Discussion in 'adware, spyware & hijack cleaning' started by "[{/*@?Dr&*\}]"?, Jun 9, 2004.

  1. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    I'm having problems with what appears to be spyware on my computer: when I was on the internet and opened IE, it opened to a different page than usual (I always leave it on about:blank, and a site opens with the address about:blank, but it isn't about:blank). I already tried to change the start page, but it still opens the same page, and lots of pop-ups open saying I have spyware.

    Well, I was instructed by a moderator of this site to send you the HijackThis log file. I used Ad-aware and after that I used HijackThis.exe, and here are the log files:

    Ad-aware:
    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on: Wednesday, June 9, 2004 22:38:10
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R315 06.06.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    9-6-2004 22:38:10 - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 10-6-2004 00:54:28
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 10-6-2004 00:54:33
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-6-2004 00:54:33
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Aplicativo de servi
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft Operating System
    Created on : 28/10/2001 17:07:26
    Last accessed : 10/6/2004 00:52:04
    Last modified : 28/10/2001 17:07:26

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-6-2004 00:54:33
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 9/9/2002 17:08:40
    Last accessed : 10/6/2004 00:52:04
    Last modified : 9/9/2002 17:08:40

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-6-2004 00:54:33
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 28/10/2001 17:07:30
    Last accessed : 10/6/2004 00:52:04
    Last modified : 28/10/2001 17:07:30

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-6-2004 00:54:33
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 28/10/2001 17:07:30
    Last accessed : 10/6/2004 00:52:04
    Last modified : 28/10/2001 17:07:30

    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 10-6-2004 00:54:35
    BasePriority : Normal
    FileSize : 982 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft Operating System
    Created on : 9/9/2002 17:08:34
    Last accessed : 10/6/2004 00:57:03
    Last modified : 9/9/2002 17:08:34

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-6-2004 00:54:35
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 28/10/2001 17:07:28
    Last accessed : 10/6/2004 00:52:04
    Last modified : 28/10/2001 17:07:28

    #:9 [avgserv.exe]
    FilePath : C:\ARQUIV~1\Grisoft\AVG6\
    ThreadCreationTime : 10-6-2004 00:54:35
    BasePriority : Normal
    FileSize : 16 KB
    FileVersion : 6.0.1.696
    ProductVersion : 6.0.1.696
    Copyright : Copyright (c) GRISOFT 1998-2004
    CompanyName : GRISOFT s.r.o
    FileDescription : AvgServ - displays notification message
    InternalName : AvgServ
    OriginalFilename : AvgServ
    ProductName : AVG6
    Created on : 8/6/2004 00:42:05
    Last accessed : 10/6/2004 00:52:04
    Last modified : 8/6/2004 00:42:05

    #:10 [mdm.exe]
    FilePath : C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\
    ThreadCreationTime : 10-6-2004 00:54:35
    BasePriority : Normal
    FileSize : 264 KB
    FileVersion : 7.00.9064.9150
    ProductVersion : 7.00.9064.9150
    Copyright : Copyright (C) Microsoft Corp. 1997-2000
    CompanyName : Microsoft Corporation
    FileDescription : Machine Debug Manager
    InternalName : mdm.exe
    OriginalFilename : mdm.exe
    ProductName : Microsoft Development Environment
    Created on : 23/2/2001 13:07:30
    Last accessed : 10/6/2004 00:52:04
    Last modified : 23/2/2001 13:07:30

    #:11 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-6-2004 00:54:36
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 6.14.10.5216
    ProductVersion : 6.14.10.5216
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 52.16
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 52.16
    Created on : 8/4/2004 19:32:25
    Last accessed : 10/6/2004 00:52:04
    Last modified : 25/11/2003 07:43:56

    #:12 [smagent.exe]
    FilePath : C:\Arquivos de programas\Analog Devices\SoundMAX\
    ThreadCreationTime : 10-6-2004 00:54:36
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 3, 2, 6, 0
    ProductVersion : 3, 2, 6, 0
    Copyright : Copyright
    CompanyName : Analog Devices, Inc.
    FileDescription : SoundMAX service agent component
    InternalName : SMAgent
    OriginalFilename : SMAgent.exe
    ProductName : SoundMAX service agent
    Created on : 8/4/2004 19:39:59
    Last accessed : 10/6/2004 00:52:04
    Last modified : 20/9/2002 19:50:10

    #:13 [avgcc32.exe]
    FilePath : C:\ARQUIV~1\Grisoft\AVG6\
    ThreadCreationTime : 10-6-2004 00:54:37
    BasePriority : Normal
    FileSize : 337 KB
    FileVersion : 6, 0, 0, 515
    ProductVersion : 6, 0, 0, 0
    Copyright : Copyright
    CompanyName : GRISOFT s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC32
    OriginalFilename : AvgCC32.EXE
    ProductName : AVG Anti-Virus System
    Created on : 8/4/2004 19:59:04
    Last accessed : 10/6/2004 00:54:38
    Last modified : 18/12/2003 09:00:00

    #:14 [agrsmmsg.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 10-6-2004 00:54:37
    BasePriority : Normal
    FileSize : 86 KB
    FileVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
    ProductVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
    Copyright : Copyright
    CompanyName : Agere Systems
    FileDescription : SoftModem Messaging Applet
    InternalName : smdmstat.exe
    OriginalFilename : smdmstat.exe
    ProductName : Agere SoftModem Messaging Applet
    Created on : 23/4/2004 19:33:16
    Last accessed : 10/6/2004 00:54:28
    Last modified : 14/2/2003 03:59:00

    #:15 [tdd.exe]
    FilePath : C:\Arquivos de programas\Discador Terra\
    ThreadCreationTime : 10-6-2004 00:54:37
    BasePriority : Normal
    FileSize : 1711 KB
    Created on : 8/4/2004 20:40:34
    Last accessed : 10/6/2004 01:04:24
    Last modified : 6/8/2002 15:21:58

    #:16 [rundll32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-6-2004 00:54:37
    BasePriority : Normal
    FileSize : 31 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Runs a DLL as an application
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Microsoft Operating System
    Created on : 28/10/2001 17:07:24
    Last accessed : 10/6/2004 00:54:37
    Last modified : 28/10/2001 17:07:24

    #:17 [icqlite.exe]
    FilePath : D:\ICQLite\
    ThreadCreationTime : 10-6-2004 01:04:30
    BasePriority : Normal
    FileSize : 1673 KB
    FileVersion : 555
    ProductVersion : 1, 0, 0
    Copyright : Copyright (C) 2002
    CompanyName : ICQ Ltd.
    FileDescription : ICQLite
    InternalName : ICQ Lite
    OriginalFilename : ICQLite.exe
    ProductName : ICQLite
    Created on : 22/5/2004 01:44:52
    Last accessed : 10/6/2004 01:05:19
    Last modified : 29/9/2003 12:58:18

    #:18 [msnmsgr.exe]
    FilePath : C:\Arquivos de programas\MSN Messenger\
    ThreadCreationTime : 10-6-2004 01:04:34
    BasePriority : Normal
    FileSize : 4572 KB
    FileVersion : 6.1.0211
    ProductVersion : Version 6.1
    Copyright : Copyright (c) Microsoft Corporation 1997-2003
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msnmsgr
    OriginalFilename : msnmsgr.exe
    ProductName : Messenger
    Created on : 5/3/2004 02:01:00
    Last accessed : 10/6/2004 01:23:09
    Last modified : 5/3/2004 02:01:00

    #:19 [iexplore.exe]
    FilePath : C:\Arquivos de programas\Internet Explorer\
    ThreadCreationTime : 10-6-2004 01:05:12
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft Operating System
    Created on : 8/4/2004 19:24:50
    Last accessed : 10/6/2004 01:15:59
    Last modified : 9/9/2002 17:08:38

    #:20 [ad-aware.exe]
    FilePath : D:\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 10-6-2004 01:37:35
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 10/6/2004 01:33:42
    Last accessed : 10/6/2004 01:33:51
    Last modified : 13/7/2003 00:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Alexa Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 2


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 4


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : andre@adserver.terra.com[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 10/6/2004 01:08:59
    Last accessed : 10/6/2004 01:08:59
    Last modified : 10/6/2004 01:08:59



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@atdmt[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 10/6/2004 01:20:12
    Last accessed : 10/6/2004 01:20:12
    Last modified : 10/6/2004 01:20:12



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@doubleclick[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 9/6/2004 18:46:42
    Last accessed : 10/6/2004 00:49:46
    Last modified : 10/6/2004 00:49:46



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@promo.match[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 10/6/2004 01:06:16
    Last accessed : 10/6/2004 01:06:16
    Last modified : 10/6/2004 01:06:16


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 11


    22:39:50 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:39:532
    Objects scanned :45156
    Objects identified :11
    Objects ignored :0
    New objects :11

    HijackThis.exe:
    Logfile of HijackThis v1.97.7
    Scan saved at 22:42:17, on 9/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\ICQLite\ICQLite.exe
    C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    D:\Lavasoft\AD-AWA~1\Ad-aware.exe
    C:\Documents and Settings\Andre\Desktop\André\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.microsoft.com/br
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {712214EB-C828-4231-9CB6-EAD83632FCBF} - C:\WINDOWS\System32\defo.dll
    O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Barra do iG (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10

    Thanks
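The log above shows the pattern a helper looks for first: IE's Search Bar, Search Page and SearchAssistant settings all redirected to a `res://` page inside a DLL in System32 (defo.dll), the same DLL registered as a nameless BHO (O2), plus a proxy (R1 ProxyServer) and DNS servers (O17) that need confirming. The following is an added example, written by the editor and not part of the thread or of HijackThis: a small triage script that applies those heuristics to R0/R1/O2/O17 lines. The sample lines are copied from the log above; the "high"/"review" labels, the regular expressions and the rule that System32 is the suspicious location are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: R/O lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\defo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {712214EB-C828-4231-9CB6-EAD83632FCBF} - C:\WINDOWS\System32\defo.dll
O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
SYSDIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)  # assumption: System32 is the suspicious home


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = confirm it is yours (editor's labels)
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Flag HijackThis R0/R1/O2/O17 lines that match the hijack pattern seen in the thread."""
    findings: list[Finding] = []
    res_dlls: set[str] = set()      # DLLs that serve IE's search/start pages via res://
    bho_lines: dict[str, str] = {}  # DLL path -> O2 line that loads it as a BHO
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_LINE.match(line):
            if hit := RES_DLL.search(m["data"]):
                dll = hit["dll"].lower()
                res_dlls.add(dll)
                if SYSDIR.match(dll):
                    findings.append(Finding("high", line,
                        "IE search/start setting points at a page embedded in a DLL under System32"))
            elif m["value"].strip() == "ProxyServer":
                findings.append(Finding("review", line, "HTTP proxy configured; confirm you set it"))
        elif m := O2_LINE.match(line):
            path = m["path"].strip()
            if path.endswith("(file missing)"):
                findings.append(Finding("review", line, "BHO registered but its DLL is gone; orphaned entry"))
                continue
            bho_lines[path.lower()] = line
            if m["name"] == "(no name)" and SYSDIR.match(path):
                findings.append(Finding("high", line, "unnamed BHO loaded from System32"))
        elif line.startswith("O17 ") and "NameServer" in line:
            findings.append(Finding("review", line, "DNS servers set in the registry; confirm they belong to your ISP"))
    # Strongest signal: the same DLL both serves the hijacked pages and runs inside IE as a BHO.
    for dll in res_dlls & set(bho_lines):
        findings.append(Finding("high", bho_lines[dll],
            f"{dll} serves the hijacked search pages and is also loaded as a BHO"))
    return findings


def suspect_dlls(findings: list[Finding]) -> set[str]:
    """DLL paths behind the high-severity O2 findings: the files to hash, unlock and remove."""
    return {f.line.rsplit(" - ", 1)[1].lower() for f in findings
            if f.severity == "high" and f.line.startswith("O2 ")}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("suspect DLLs:", sorted(suspect_dlls(results)))
```

On the sample the script reports four high findings (two R lines, the unnamed System32 BHO, and the cross-reference that ties them together) and three items to review (the proxy, the DNS servers and the orphaned iG toolbar entry); the Acrobat helper, also "(no name)", is not flagged because it lives in its own product folder.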
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Download http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install in a folder of your choice, but on the root drive, most likely C:\

    1. Run start.bat and press option 1. 'output.txt' will be created in the folder.
    Post the output.txt file here and we'll tell you what to do next.
     
  3. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Here it is:

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Thu 10/06/2004
    16:16

    System Info:

    Microsoft Windows XP [version 5.1.2600]
    C: "" (60AA:604A) - FS:NTFS clusters:4k
    Total: 20 974 428 160 [20G] - Free: 11 081 420 800 [10G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Arquivos de programas\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4487 C:\Arquivos de programas\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;



    Locked or 'Suspect' file(s) found...


    Scanning for main Hijacker:
    File found was C:\WINDOWS\System32\DEFO.DLL
    Md5 tested As 027F60F048B78ABF3E49E75D6447024B


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{712214EB-C828-4231-9CB6-EAD83632FCBF}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EEF1E3D-FD97-4401-BCDB-5827F2D11709}]
    @=""

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{BE792EE0-50CB-4B38-A218-AA3A4F2E29A4}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{BE792EE0-50CB-4B38-A218-AA3A4F2E29A4}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
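The find-all output above dumps the two registry locations this hijacker family lives in: the `AppInit_DLLs` value under `Windows NT\CurrentVersion\Windows` (anything listed there is loaded into every process that maps user32.dll) and the `PROTOCOLS\Filter` key, where `text/html` and `text/plain` have been given a MIME filter CLSID that is not one of the stock filters and so gets to rewrite every page IE renders. As an added example (editor's code, not part of the thread or of the dllfix tool), here is a parser for that REGEDIT4 export together with the two checks a reviewer would apply. The sample is the export above trimmed to those keys; the set of "known" filter CLSIDs is taken from the named stock entries in that same export, and the wording of the findings is this example's own.

```python
import re

# Constructed sample: the REGEDIT4 export from the find-all output above, trimmed to the
# two keys of interest (the AppInit_DLLs value and the PROTOCOLS\Filter MIME filters).
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"Spooler"="yes"
"GDIProcessHandleQuota"=dword:00002710

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{BE792EE0-50CB-4B38-A218-AA3A4F2E29A4}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{BE792EE0-50CB-4B38-A218-AA3A4F2E29A4}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""

# Stock IE 6 MIME-filter CLSIDs, taken from the named entries in the export above
# (Class Install Handler, deflate/gzip/lzdhtml, WebView). Anything else deserves a look.
KNOWN_FILTER_CLSIDS = {
    "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",
    "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",
}
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
FILTER_PREFIX = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unquote(s: str) -> str:
    """Strip REGEDIT4 quoting and its backslash escapes; leave dword:/hex: data as-is."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s


def parse_regedit4(text: str) -> dict[str, dict[str, str]]:
    """Return {key path: {value name: data}}; a key's default value is stored under '@'."""
    reg: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if m := SECTION.match(line):
            current = m["key"]
            reg.setdefault(current, {})
        elif current is not None and (m := VALUE.match(line)):
            reg[current][_unquote(m["name"])] = _unquote(m["data"])
    return reg


def unknown_filter_clsids(reg: dict[str, dict[str, str]]) -> set[str]:
    """CLSIDs registered as MIME filters that are not in the stock set."""
    return {v["CLSID"].upper() for k, v in reg.items()
            if k.upper().startswith(FILTER_PREFIX.upper()) and "CLSID" in v
            and v["CLSID"].upper() not in KNOWN_FILTER_CLSIDS}


def audit(reg: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """(location, reason) pairs for the two persistence spots the export covers."""
    findings: list[tuple[str, str]] = []
    appinit = reg.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "").strip()
    if appinit:
        # Every process that loads user32.dll maps these DLLs; an empty value is the norm.
        findings.append(("AppInit_DLLs", f"non-empty, loads into every GUI process: {appinit}"))
    for key, values in reg.items():
        if not key.upper().startswith(FILTER_PREFIX.upper()) or "CLSID" not in values:
            continue
        mime = key[len(FILTER_PREFIX):]
        clsid = values["CLSID"].upper()
        if clsid in KNOWN_FILTER_CLSIDS:
            continue
        note = "MIME filter handled by unknown CLSID " + clsid
        if mime.lower() in ("text/html", "text/plain"):
            note += "; a filter here can rewrite every page IE renders"
        findings.append((mime, note))
    return findings


if __name__ == "__main__":
    for where, why in audit(parse_regedit4(SAMPLE_EXPORT)):
        print(f"{where}: {why}")
    # Constructed variant: what the AppInit_DLLs check reports once the value is populated.
    dirty = parse_regedit4(SAMPLE_EXPORT.replace('"AppInit_DLLs"=""', '"AppInit_DLLs"="defo.dll"'))
    for where, why in audit(dirty):
        print(f"{where}: {why}")
```

On the export above the audit reports only the two MIME-filter hijacks (text/html and text/plain, both pointing at the same foreign CLSID); the AppInit_DLLs check stays quiet because the exported value is empty, which is why the second run in the main block swaps in a populated value to show what that finding looks like.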


    
     
  4. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    My computer is going crazy. I don't know if you can see it in these files. It's showing the effects of the XP Blaster. My connection gets stuck sometimes. I'm going crazy too. Please answer me as quickly as possible. :(
     
  5. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Okay, here I am again. From the last message I posted until now I was trying to solve problems here; I got rid of 7 viruses, 5 worms and 2 backdoor trojans... and I still have the spyware that I think made all these viruses appear, so I need your help as soon as possible, because they'll keep coming until I get rid of the source! :( :ninja:
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Run start.bat again and choose option 2. Hit '1' and enter the dll name manually:
    C:\WINDOWS\System32\DEFO.DLL

    Download and run AdAware: http://www.lavasoft.de/software/adaware/ (make sure you have the latest updates).

    Finally, you should also run CWShredder to clean up the other entries.

    Post a new HijackThis log when you are done.

    Regards,

    Pieter
     
  7. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    I've done what you said. I ran start.bat and did the fix on defo.dll. It gave two errors: the first said "If errors then no found" and the second "If errors then sucessful". Well, it rebooted Windows and said that if nothing opened at startup, to run second.bat; then it created a log file. Here it is:
    CWSDLL/Searchx Appinit Fix By Shadowwar
    Version 3.01 060504
    Please Do not mirror Without Permission!
    I can be contacted at spywaresubmit at aol.com
    Fri 11/06/2004
    13:36

    Backing up Registry Hive

    The operation completed successfully.

    Deleting Windows Key

    The operation completed successfully.

    Adding Test Windows Key

    The operation completed successfully.

    Restoring temp Values Key

    The operation completed successfully.

    Deleting Bad Appinit Value

    The operation completed successfully.


    Backup of Modified Hiv

    The operation completed successfully.

    Deleting test Windows key

    The operation completed successfully.

    Deleting Filter text
    Windows XP Detected
    Running from C:\Documents and Settings\Andre\Desktop\André\dllfix
    Scanning for Locked File
    Scanning For main hijacker.
    Found Main Hijacker Dll:C:\WINDOWS\System32\DEFO.DLL
    Md5 tested As 027F60F048B78ABF3E49E75D6447024B
    Processing File Manually
    C:\WINDOWS\system32\defo.dll
    Md5 Check of C:\WINDOWS\system32\defo.dll

    Md5 tested As 027F60F048B78ABF3E49E75D6447024B
    File was found but md5 didnt match
    MD5 was: 027F60F048B78ABF3E49E75D6447024B
    Resetting file attributes
    Processing ACL of: <\\?\C:\WINDOWS\system32\defo.dll>

    SetACL finished successfully.
    File was zipped for submission to Shadowwar
    File is located at C:\Documents and Settings\Andre\Desktop\André\dllfix\submit.zip
    please Email a copy to spywaresubmit at aol.com
    Please include a link to your post.
    File is still in original location now unlocked.
    It is now ok to proceed with Rest of Cleanup.

    Adding Back Windows Key

    The operation completed successfully.

    Restoring Registry Hive

    The operation completed successfully.


    Restoring Cleaned Appinit Value

    The operation completed successfully.

    Then I ran CWShredder.exe; it found and removed 6 IE files. I ran Ad-aware (updated), and here is its logfile:


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on: Friday, June 11, 2004 14:52:36
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R316 11.06.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    11-6-2004 14:52:36 - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 11-6-2004 16:37:29
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 16:37:33
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 16:37:33
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Aplicativo de servi
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft Operating System
    Created on : 28/10/2001 17:07:26
    Last accessed : 11/6/2004 17:41:00
    Last modified : 28/10/2001 17:07:26

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 16:37:33
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 9/9/2002 17:08:40
    Last accessed : 11/6/2004 17:41:00
    Last modified : 11/6/2004 05:25:46

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 16:37:34
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 28/10/2001 17:07:30
    Last accessed : 11/6/2004 17:41:00
    Last modified : 28/10/2001 17:07:30

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-6-2004 16:37:34
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 28/10/2001 17:07:30
    Last accessed : 11/6/2004 17:41:00
    Last modified : 28/10/2001 17:07:30

    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 11-6-2004 16:37:35
    BasePriority : Normal
    FileSize : 982 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft Operating System
    Created on : 9/9/2002 17:08:34
    Last accessed : 11/6/2004 17:41:00
    Last modified : 9/9/2002 17:08:34

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 16:37:35
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 28/10/2001 17:07:28
    Last accessed : 11/6/2004 17:41:00
    Last modified : 28/10/2001 17:07:28

    #:9 [avgserv.exe]
    FilePath : C:\ARQUIV~1\Grisoft\AVG6\
    ThreadCreationTime : 11-6-2004 16:37:35
    BasePriority : Normal
    FileSize : 16 KB
    FileVersion : 6.0.1.696
    ProductVersion : 6.0.1.696
    Copyright : Copyright (c) GRISOFT 1998-2004
    CompanyName : GRISOFT s.r.o
    FileDescription : AvgServ - displays notification message
    InternalName : AvgServ
    OriginalFilename : AvgServ
    ProductName : AVG6
    Created on : 8/6/2004 00:42:05
    Last accessed : 11/6/2004 17:41:00
    Last modified : 8/6/2004 00:42:05

    #:10 [mdm.exe]
    FilePath : C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\
    ThreadCreationTime : 11-6-2004 16:37:35
    BasePriority : Normal
    FileSize : 264 KB
    FileVersion : 7.00.9064.9150
    ProductVersion : 7.00.9064.9150
    Copyright : Copyright (C) Microsoft Corp. 1997-2000
    CompanyName : Microsoft Corporation
    FileDescription : Machine Debug Manager
    InternalName : mdm.exe
    OriginalFilename : mdm.exe
    ProductName : Microsoft Development Environment
    Created on : 23/2/2001 13:07:30
    Last accessed : 11/6/2004 17:41:00
    Last modified : 23/2/2001 13:07:30

    #:11 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-6-2004 16:37:35
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 6.14.10.5216
    ProductVersion : 6.14.10.5216
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 52.16
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 52.16
    Created on : 8/4/2004 19:32:25
    Last accessed : 11/6/2004 17:41:00
    Last modified : 25/11/2003 07:43:56

    #:12 [smagent.exe]
    FilePath : C:\Arquivos de programas\Analog Devices\SoundMAX\
    ThreadCreationTime : 11-6-2004 16:37:35
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 3, 2, 6, 0
    ProductVersion : 3, 2, 6, 0
    Copyright : Copyright
    CompanyName : Analog Devices, Inc.
    FileDescription : SoundMAX service agent component
    InternalName : SMAgent
    OriginalFilename : SMAgent.exe
    ProductName : SoundMAX service agent
    Created on : 8/4/2004 19:39:59
    Last accessed : 11/6/2004 17:41:00
    Last modified : 20/9/2002 19:50:10

    #:13 [avgcc32.exe]
    FilePath : C:\ARQUIV~1\Grisoft\AVG6\
    ThreadCreationTime : 11-6-2004 16:38:14
    BasePriority : Normal
    FileSize : 337 KB
    FileVersion : 6, 0, 0, 515
    ProductVersion : 6, 0, 0, 0
    Copyright : Copyright
    CompanyName : GRISOFT s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC32
    OriginalFilename : AvgCC32.EXE
    ProductName : AVG Anti-Virus System
    Created on : 8/4/2004 19:59:04
    Last accessed : 11/6/2004 17:41:44
    Last modified : 18/12/2003 09:00:00

    #:14 [agrsmmsg.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 11-6-2004 16:38:14
    BasePriority : Normal
    FileSize : 86 KB
    FileVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
    ProductVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
    Copyright : Copyright
    CompanyName : Agere Systems
    FileDescription : SoftModem Messaging Applet
    InternalName : smdmstat.exe
    OriginalFilename : smdmstat.exe
    ProductName : Agere SoftModem Messaging Applet
    Created on : 23/4/2004 19:33:16
    Last accessed : 11/6/2004 17:41:00
    Last modified : 14/2/2003 03:59:00

    #:15 [tdd.exe]
    FilePath : C:\Arquivos de programas\Discador Terra\
    ThreadCreationTime : 11-6-2004 16:38:14
    BasePriority : Normal
    FileSize : 1711 KB
    Created on : 8/4/2004 20:40:34
    Last accessed : 11/6/2004 17:41:00
    Last modified : 6/8/2002 15:21:58

    #:16 [winmx.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-6-2004 16:38:14
    BasePriority : Normal
    FileSize : 87 KB
    Created on : 11/6/2004 02:45:22
    Last accessed : 11/6/2004 17:41:00
    Last modified : 11/6/2004 03:17:18

    #:17 [rundll32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-6-2004 16:38:14
    BasePriority : Normal
    FileSize : 31 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Executa uma DLL como um aplicativo
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Sistema operacional Microsoft
    Created on : 28/10/2001 17:07:24
    Last accessed : 11/6/2004 17:41:00
    Last modified : 28/10/2001 17:07:24

    #:18 [ad-aware.exe]
    FilePath : D:\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 11-6-2004 17:35:15
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 10/6/2004 01:33:42
    Last accessed : 11/6/2004 17:35:15
    Last modified : 13/7/2003 00:00:20

    #:19 [avgw.exe]
    FilePath : C:\Arquivos de programas\Grisoft\AVG6\
    ThreadCreationTime : 11-6-2004 17:45:11
    BasePriority : Normal
    FileSize : 428 KB
    FileVersion : 6, 0, 0, 516
    ProductVersion : 6, 0, 0, 0
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG 6.0 Application
    InternalName : avgw
    OriginalFilename : avgw.exe
    ProductName : AVG Anti-Virus System
    Created on : 8/4/2004 19:59:04
    Last accessed : 11/6/2004 17:45:12
    Last modified : 18/12/2003 09:00:00

    #:20 [cmd.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 17:46:26
    BasePriority : Normal
    FileSize : 378 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Processador de comandos do Windows
    InternalName : cmd
    OriginalFilename : Cmd.Exe
    ProductName : Sistema operacional Microsoft
    Created on : 28/10/2001 17:06:12
    Last accessed : 11/6/2004 17:47:34
    Last modified : 28/10/2001 17:06:12

    #:21 [tftp.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-6-2004 17:46:32
    BasePriority : Normal
    FileSize : 17 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Aplicativo de protocolo de transfer
    InternalName : tftp.exe
    OriginalFilename : tftp.exe
    ProductName : Sistema operacional Microsoft
    Created on : 28/10/2001 17:07:32
    Last accessed : 11/6/2004 17:44:49
    Last modified : 28/10/2001 17:07:32

    #:22 [iexplore.exe]
    FilePath : C:\Arquivos de programas\Internet Explorer\
    ThreadCreationTime : 11-6-2004 17:49:48
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Sistema operacional Microsoft
    Created on : 8/4/2004 19:24:50
    Last accessed : 11/6/2004 17:51:26
    Last modified : 9/9/2002 17:08:38

    #:23 [iexplore.exe]
    FilePath : C:\Arquivos de programas\Internet Explorer\
    ThreadCreationTime : 11-6-2004 17:51:26
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Sistema operacional Microsoft
    Created on : 8/4/2004 19:24:50
    Last accessed : 11/6/2004 17:51:26
    Last modified : 9/9/2002 17:08:38

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Alexa Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 2


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 4

    Tracking Cookie Object recognized!
    Type : File
    Data : andre@atdmt[2].txt
    Object : C:\Documents and Settings\Andre\Configurações locais\Temp\Cookies\

    Created on : 30/5/2004 22:42:33
    Last accessed : 11/6/2004 17:42:35
    Last modified : 30/5/2004 22:42:33



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@2o7[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 17:42:23
    Last accessed : 11/6/2004 17:42:34
    Last modified : 11/6/2004 17:42:34



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@doubleclick[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 00:57:53
    Last accessed : 11/6/2004 17:36:09
    Last modified : 11/6/2004 00:58:11



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@ehg.hitbox[2].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 17:40:21
    Last accessed : 11/6/2004 17:40:28
    Last modified : 11/6/2004 17:40:28



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@gator[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 03:12:07
    Last accessed : 11/6/2004 17:42:40
    Last modified : 11/6/2004 03:12:07



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@hitbox[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 17:40:06
    Last accessed : 11/6/2004 17:40:28
    Last modified : 11/6/2004 17:40:28



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@promo.match[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 06:08:00
    Last accessed : 11/6/2004 17:42:40
    Last modified : 11/6/2004 06:08:00



    Tracking Cookie Object recognized!
    Type : File
    Data : andre@qksrv[1].txt
    Object : C:\Documents and Settings\Andre\Cookies\

    Created on : 11/6/2004 04:23:49
    Last accessed : 11/6/2004 17:42:40
    Last modified : 11/6/2004 04:23:49



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 12


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 13


    14:57:40 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:05:04:0
    Objects scanned :78403
    Objects identified :13
    Objects ignored :0
    New objects :13
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I'll send a message to shadowwar to take a look at this log for you, as it doesn't look right to me and he developed the fix that cures this hijacker.
     
  9. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    OK, but I just ask you to be quick because, if you have read my messages so far, you know the troubles I've been having.
    Thanks
     
  10. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Guys, I'm still having problems with my computer. I'm still waiting for a reply.
     
  11. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Bumping up in hopes it can be looked at further.
     
  13. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Guys, are you there?
     
  14. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Guys, are you still trying? Or did you just forget about me?
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Download Beta-Fix.exe from here: http://freeatlast.100free.com/Beta-Fix.exe

    Double-click on Beta-Fix.exe and it will install the batch file in its own folder, in the same location as the file you downloaded.

    Open the Beta-Fix folder and double-click on !LOG!.bat
    IMPORTANT! Before you run this tool, please close ALL running programs and ALL open windows except for the Beta-Fix folder.

    Relax, sit back and wait a few minutes while the program collects the necessary information.

    *NOTE: If your antivirus is running a script blocker, you will probably receive an alert warning you that the script is running when you run this tool. "Allow" the script to run.


    When the program is finished:

    Open the Beta-Fix folder.
    Post the contents of Log.txt in this thread.
    Do the same for the file Win.txt.

    Regards,

    Pieter
     
  16. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    First of all, I want to let you know I ran CWShredder a long time ago and IE started normally. I forgot it, and if it would have helped you, I'm sorry I didn't say it before. I ran this program and here is the log.txt:


    Microsoft Windows XP [versão 5.1.2600]
    O tipo do sistema de arquivos é NTFS.
    C: não está sujo.

    qua 23/06/2004
    12:46am up 0 days, 0:24
    »»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
    Files listed in this section (in System32) are not always definitive!
    Always Double Check and be sure the file pointed doesn't exist!

    »»Locked or 'Suspect' file(s) found...


    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    »»»Special 'locked' files scan in 'System32'........
    **File C:\DOCUME~1\Andre\Desktop\ANDR~1\UTILIT~1\Beta-Fix\Beta-Fix\LIST.TXT

    ****Filtering files in System32... (-h -s -r...) ***
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    No matches found.

    No matches found.
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Usuários
    (IO) ALLOW Read BUILTIN\Usuários
    (NI) ALLOW Read BUILTIN\Usuários avançados
    (IO) ALLOW Read BUILTIN\Usuários avançados
    (NI) ALLOW Full access BUILTIN\Administradores
    (IO) ALLOW Full access BUILTIN\Administradores
    (NI) ALLOW Full access AUTORIDADE NT\SYSTEM
    (IO) ALLOW Full access AUTORIDADE NT\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administradores
    (IO) ALLOW Full access PROPRIETÁRIO CRIADOR

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Usuários
    Read BUILTIN\Usuários avançados
    Full access BUILTIN\Administradores
    Full access AUTORIDADE NT\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group ANDR-UWW9TL3NOJ\Nenhum.
    User is a member of group \Todos.
    User is a member of group BUILTIN\Administradores.
    User is a member of group BUILTIN\Usuários.
    User is a member of group \LOCAL.
    User is a member of group AUTORIDADE NT\INTERATIVO.
    User is a member of group AUTORIDADE NT\Usuários autenticados.

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administradores
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administradores
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x AUTORIDADE NT\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- AUTORIDADE NT\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x ANDR-UWW9TL3NOJ\Andre
    Allow 0000001B -co- 10000000 ---A ---- ---- \PROPRIETÁRIO CRIADOR
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Usuários
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Usuários
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Usuários
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Usuários

    Owner: ANDR-UWW9TL3NOJ\Andre

    Primary Group: ANDR-UWW9TL3NOJ\Nenhum



    »»»»»»Backups created...»»»»»»
    12:46am up 0 days, 0:24
    qua 23/06/2004

    A C:\DOCUME~1\Andre\Desktop\ANDR~1\UTILIT~1\Beta-Fix\Beta-Fix\winBackup.hiv
    --a-- - - - - - 8,192 06-23-2004 winbackup.hiv
    A C:\DOCUME~1\Andre\Desktop\ANDR~1\UTILIT~1\Beta-Fix\Beta-Fix\keys1\winkey.reg
    --a-- - - - - - 287 06-23-2004 winkey.reg

    »»Performing 16bit string scan....

    ---------- WIN.TXT
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "Appinit_Dlls"=""

    Windowsows
    UDeviceNotSelectedTimeout
    GDIProcessHandleQuota
    Spooler
    swapdisk
    TransmissionRetryTimeout
    USERProcessHandleQuota/
    Appinit

    **File C:\DOCUME~1\Andre\Desktop\ANDR~1\UTILIT~1\Beta-Fix\Beta-Fix\WIN.TXT


    WIN.TXT:

     
  17. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
  18. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I am sorry,

    Your last logs were clean. Are you still having problems? o_O

    Regards,

    Pieter
     
  20. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Sometimes a window of the Windows Messenger Center says that I have spyware and to enter a site. It's spawn, but it says that, but nothing beyond this... What do you recommend to prevent it, if I'm clean?
     
  21. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Here I am again. I've been having some problems since yesterday. Every time I restart the computer, an error message appears about a tss.exe and my initial page of IE was another. I did this: I entered msconfig and tried to disable it from starting at the initialization of Windows, and changed the IE initial page to about:blank. It helped for a while, but after 3 reboots it appeared again, so I searched on the internet for some information and did what a person with the same problem did: I entered regedit and changed the values of two msaps.dll. I also saw the date the tss.exe was created, and it was created yesterday, then I thought "if my computer was working without this until yesterday, this is not required for my PC to work".

    So I'd like some information and what to do about it. It appears to have been solved, but I don't know yet.

    Thanks,
    André
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Tss.exe is a known Search hijacker, a Trojan.Win32.Small variant.

    Would you please post a fresh Hijack This log, so that we could advise you what to do?
     
  23. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Logfile of HijackThis v1.97.7
    Scan saved at 15:50:59, on 15/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\winmx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    D:\ZONELA~1\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
    D:\ICQLite\ICQLite.exe
    C:\WINDOWS\System32\winedll.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.microsoft.com/br
    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKLM\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
    O4 - HKLM\..\Run: [Microsoft Update Macahine] winedll.exe
    O4 - HKLM\..\Run: [Zone Labs Client] D:\ZONELA~1\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\RunServices: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Macahine] winedll.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
    O4 - HKCU\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKCU\..\Run: [Microsoft Update] lsac.exe
    O4 - HKCU\..\Run: [Microsoft Update Macahine] winedll.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Barra do iG (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.10 200.176.2.12
     
  24. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    I also noticed that on my computer, when I go into Start -> Documents, it lists lots of docs that I didn't open.
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That's a severely infected computer. I suggest you start by running an online virus scan at Panda ActiveScan.

    When done restart your computer, and post a fresh log; there will be more to do!
     