My HijackThis log file

Discussion in 'adware, spyware & hijack cleaning' started by "[{/*@?Dr&*\}]"?, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Ok, I done as you said it found sum virus and disinfected I´m going to post the report of the viruses it found and after the hijack this log:


    Incident Status Location

    Virus:W32/Sdbot.gen.worm Disinfected Operating system
    Virus:Trj/StartPage.EB Disinfected C:\Documents and Settings\Andre\Desktop\André\Utilitarios\dllfix\submit.zip[defo.dll]
    Virus:Trj/StartPage.EB Disinfected C:\RECYCLER\S-1-5-21-436374069-1935655697-839522115-1003\Dc1.dll
    Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp




    -----Now the Hijackthis-----


    Logfile of HijackThis v1.97.7
    Scan saved at 23:39:33, on 19/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\ICQLite\ICQLite.exe
    C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.microsoft.com/br
    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKLM\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
    O4 - HKLM\..\Run: [Microsoft Update Macahine] winedll.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\RunServices: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Macahine] winedll.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
    O4 - HKCU\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKCU\..\Run: [Microsoft Update] lsac.exe
    O4 - HKCU\..\Run: [Microsoft Update Macahine] winedll.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Barra do iG (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    With all browser windows closed, check, and have Hijack This fix all of the following items, restart your computer, then post a fresh log; there's probably some work to be done yet...

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll

    O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
    O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

    O4 - HKLM\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
    O4 - HKLM\..\Run: [Microsoft Update Macahine] winedll.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\RunServices: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Macahine] winedll.exe
    O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
    O4 - HKCU\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKCU\..\Run: [Microsoft Update] lsac.exe
    O4 - HKCU\..\Run: [Microsoft Update Macahine] winedll.exe
     
  3. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Ok, I´ve done as you said and here the new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:04:25, on 20/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.microsoft.com/br
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Barra do iG (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I just noticed you're running an obsolete version of Hijack This. Would you please download the latest version here and post a log with that one:

    https://www.wilderssecurity.com/showthread.php?t=12516, and download Hijack This.

    Also, copy the contents of the quote box to Notepad.

    Name the file Appinit.bat and save on your Desktop as type 'All Files'.

    Double click on Appinit.bat

    This will create a file on the desktop named windows.txt

    Upload windows.txt in your next reply. To do that do not use quick reply.
    Instead press the Reply button. When you do you will be able to attach a file to your reply. Attach Windows.txt

    We need to make sure we're not overlooking anything!
     
  5. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Ok, here is the HiJack This log:

    Logfile of HijackThis v1.98.0
    Scan saved at 20:56:12, on 20/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\ICQLite\ICQLite.exe
    C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis1980hf.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.microsoft.com/br
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10
     

    Attached Files:

  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    That looks harmless enough! :)

    Just have Hijack This fix this item:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


    After that you should be good to go.
     
  7. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Thanks for all, I´m just posting this last hijack to be sure of and one last question : How do you understand the logs?Lol

    Logfile of HijackThis v1.98.0
    Scan saved at 14:42:42, on 21/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.microsoft.com/br
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Clean log; well done! :)

    As to how we manage to interpret the logs, long story,, but it comes down to experience, research, and hanging and posting at boards like this for far too many hours every day....
     
  9. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Thank you very much, Thanks to all of you who helped me fot this time, continue with this work.

    And if I ever get any problem I´m going to bother you :)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    You're welcome; glad we were able to help. :)
     
  11. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    Hi again, I´m bothering you again because lots of pop-ups started to show up again and my initial page changed too and lots of pop-ups saying i have spyware....you already heard it.Plz, what to do once moreo_O


    Thanks
     
  12. "[{/*@?Dr&*\}]"?

    "[{/*@?Dr&*\}]"? Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    24
    As I already know I have to put a Hijack This Logfile here it is:

    Logfile of HijackThis v1.98.0
    Scan saved at 13:10:42, on 8/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\javaor32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Discador Terra\tdd.exe
    C:\WINDOWS\system32\sysva.exe
    C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
    D:\ICQLite\ICQLite.exe
    C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andre\Desktop\André\Utilitarios\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\tfksu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\system32\tfksu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\tfksu.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfksu.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.microsoft.com/br
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:6588
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1D18C678-DFB1-FFBF-DBEF-7B9FA152DCF5} - C:\WINDOWS\apphp32.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tdd] C:\Arquivos de programas\Discador Terra\tdd.exe -F
    O4 - HKLM\..\Run: [sysva.exe] C:\WINDOWS\system32\sysva.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
    O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF352C64-DAE7-46F4-81A1-2AE2D9540BB7}: NameServer = 200.176.2.12 200.176.2.10
     
  13. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Please take a look at the link it will explain our new policy on HJT logs. The link has some more links to other forums that still work HJT logs. This thread is now closed.


    thank you

    bigc
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.