Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

help to shot down the imb00001.exe [RESOLVED]

Started by agua-marinha , Sep 27 2006 02:19 AM

  • This topic is locked This topic is locked

#1
agua-marinha
Posted 27 September 2006 - 02:19 AM

agua-marinha

    Member

  • Member
  • PipPip
  • 22 posts
I dont know what i can do :(
I need help to shot this malware down
I post my hijackthis log here

Logfile of HijackThis v1.99.1
Scan saved at 9:59:01, on 27-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\thunderbird.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\WINDOWS\system\smsc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system\msmsgc.cmd
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\pedro nunes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://br.rd.yahoo.c...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://br.rd.yahoo.c...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://br.rd.yahoo.c...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\thunderbird.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SemanticInsight] C:\Programme\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [algxxs] C:\WINDOWS\alggx.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\Microsoft.exe
O4 - HKLM\..\Run: [thunderbird] C:\WINDOWS\System32\thunderbird.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ckwpd.exe
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\Run: [3fbe088d.exe] C:\WINDOWS\System32\3fbe088d.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS\system\smsc.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [3fbe088d.exe] C:\Dokumente und Einstellungen\pedro nunes\Lokale Einstellungen\Anwendungsdaten\3fbe088d.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: bw+0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: hpdj - HP - C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hpdj.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Ill wait for your help thank ;) :thumbsup:

agua-marinha
  • 0

Advertisements

#2
JSntgRvr
Posted 27 September 2006 - 06:32 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha :whistling:

Welcome to Geeks to go.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot preform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications

Download the enclosed file: [attachment=10919:attachment]
Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Shellfix.reg . Do nothing with it yet.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\thunderbird.exe
O4 - HKLM\..\Run: [algxxs] C:\WINDOWS\alggx.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\Microsoft.exe
O4 - HKLM\..\Run: [thunderbird] C:\WINDOWS\System32\thunderbird.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ckwpd.exe
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\Run: [3fbe088d.exe] C:\WINDOWS\System32\3fbe088d.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS\system\smsc.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [3fbe088d.exe] C:\Dokumente und Einstellungen\pedro nunes\Lokale Einstellungen\Anwendungsdaten\3fbe088d.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O18 - Protocol: bw+0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {70D85CE8-D4BA-4540-A596-8207311DC89F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Be carefull with the 018 entries. Do not mark the following line:

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Double click on the Shellfix.reg file and select Yes when prompted to merge it into the registry.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Logitech Desktop Messenger

Please note any other programs that you dont recognize in that list in your next response

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Logitech\Desktop Messenger
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe
    C:\Dokumente und Einstellungen\pedro nunes\Lokale Einstellungen\Anwendungsdaten\3fbe088d.exe
    C:\WINDOWS\thunderbird.exe
    C:\WINDOWS\alggx.exe
    C:\WINDOWS\Microsoft.exe
    C:\Program Files\ckwpd.exe
    c:\windows\system32\removenot.exe
    C:\WINDOWS\System32\3fbe088d.exe
    C:\WINDOWS\system\smsc.exe
    C:\WINDOWS\System32\ntsystem.exe
    C:\WINDOWS\.protected
    C:\WINDOWS\System32\drivers\etc\.protected
    C:\Documents and Settings\pedro nunes\Start Menu\Programs\Startup\.protected
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with a Hijackthis log..

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Warning : running option #2 on a non infected computer in Normal Mode will remove your Desktop background.
  • 0

#3
agua-marinha
Posted 28 September 2006 - 08:15 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I try every steps but no exit!
I dont know why!
when i start my pc get allways one tab with c:\ programe\gemeinsame dateien\microsoft shared\web folders \imb00001.exe :blink:


Thanks :whistling:
agua-marinha
  • 0

#4
JSntgRvr
Posted 28 September 2006 - 12:37 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha :whistling:
  • Please download Combofix to your desktop from Here or Here:
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
agua-marinha
Posted 05 October 2006 - 07:31 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi!
Thanks for your help again.
There is my combo fix log

pedro nunes - 06-10-05 15:22:04,90 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\pedro nunes\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\Install.dat


((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))


2006-09-26 14:53 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2006-09-20 19:46 4,096 --a------ C:\WINDOWS\system32\ntsystem.exe
2006-09-20 15:26 4,608 --a------ C:\WINDOWS\system32\ntoskrnl.dll
2006-09-16 10:19 134,884 --a------ C:\WINDOWS\rar.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-05 13:10 -------- d-------- C:\Programme\eMule
2006-10-03 14:44 -------- d-------- C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\Macromedia
2006-09-28 16:17 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-09-28 14:48 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-09-28 14:29 -------- d-------- C:\Programme\ERUNT
2006-09-26 15:06 -------- d-------- C:\Programme\Hijackthis
2006-09-26 14:53 -------- d-------- C:\Programme\EarthLink
2006-09-13 08:34 -------- d--h----- C:\Programme\WindowsUpdate
2006-09-02 21:09 -------- d-------- C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\Google
2006-08-25 21:55 -------- d-------- C:\Programme\Google
2006-08-18 21:20 43 --a------ C:\WINDOWS\system32\PerfStringV4.7.dll
2006-08-18 21:19 -------- d-------- C:\Programme\WinAntiVirus Pro 2006
2006-08-18 21:13 -------- d-------- C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\WinAntiVirus Pro 2006
2006-08-18 21:06 -------- d-------- C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006
2006-08-18 21:04 88280 --a------ C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\winantiviruspro2006freeinstall[1].exe
2006-08-18 21:00 -------- d-------- C:\Programme\Ultimate Defender
2006-08-18 20:48 -------- d-------- C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\Ultimate Defender
2006-08-18 20:31 1397 --a------ C:\sepyenx.exe
2006-08-18 20:30 13312 --a------ C:\bumvwcja.exe
2006-08-18 20:29 72704 --a------ C:\rlwhjkl.exe
2006-08-18 20:29 32768 --a------ C:\fxsvo.exe
2006-08-18 20:29 1024 --a------ C:\ipupyxw.exe
2006-08-18 02:27 721883 ---hs---- C:\WINDOWS\thunderbird.exe
2006-08-18 02:27 721883 ---hs---- C:\WINDOWS\system32\thunderbird.exe
2006-08-18 02:27 688128 --a------ C:\WINDOWS\system32\libeay32.dll
2006-08-18 02:27 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2006-08-18 02:27 15360 --a------ C:\WINDOWS\system32\msdtkysx.dll
2006-08-15 19:40 -------- d-------- C:\Programme\DivX
2006-08-15 15:00 46795 --a------ C:\WINDOWS\winherp32.exe
2006-07-11 07:56 468984 --a------ C:\WINDOWS\Microsoft.cmd
2006-07-10 18:42 440832 --a------ C:\WINDOWS\lsssas.exe
2006-07-10 18:42 283648 --a------ C:\WINDOWS\regfixxsx.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\\Programme\\Logitech\\Video\\ManifestEngine.exe boot"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Programme\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Programme\\Gemeinsame Dateien\\Ahead\\lib\\NMBgMonitor.exe\""
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"removenot"="c:\\windows\\system32\\removenot.exe"
"3fbe088d.exe"="C:\\Dokumente und Einstellungen\\pedro nunes\\Lokale Einstellungen\\Anwendungsdaten\\3fbe088d.exe"
"swg"="C:\\Programme\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programme\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Programme\\Logitech\\Video\\LogiTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"SemanticInsight"="C:\\Programme\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HP Software Update"="C:\\Programme\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"DeviceDiscovery"="C:\\Programme\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Programme\\Ahead\\InCD\\InCD.exe"
"algxxs"="C:\\WINDOWS\\alggx.exe"
"Windows Update"="C:\\WINDOWS\\Microsoft.exe"
"thunderbird"="C:\\WINDOWS\\System32\\thunderbird.exe"
"SysTray"="C:\\Program Files\\ckwpd.exe"
"removenot"="c:\\windows\\system32\\removenot.exe"
"3fbe088d.exe"="C:\\WINDOWS\\System32\\3fbe088d.exe"
"Shell"="C:\\WINDOWS\\system\\smsc.exe"
"gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"removenot"="c:\\windows\\system32\\removenot.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www2.meegos.c.../wallpaper.gif"
"SubscribedURL"="http://www2.meegos.c.../wallpaper.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,12,03,00,00,19,01,00,00,32,00,00,00,32,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,32,00,00,00,32,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,a1,03,09,48,e7,77,88,32,e6,77,ff,ff,ff,ff,de,60,\
e5,77,28,ae,98,06

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Wallpaper"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\WebReg 20060922171509.job

Completion time: 05-10-2006 15:22:47.53
ComboFix.txt


and my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 15:23:12, on 05-10-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\thunderbird.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\WINDOWS\system\smsc.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system\msmsgc.cmd
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hkxqwfui.exe
C:\WINDOWS\System32\cmd.exe
C:\Dokumente und Einstellungen\pedro nunes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://br.rd.yahoo.c...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://br.rd.yahoo.c...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://br.rd.yahoo.c...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\thunderbird.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SemanticInsight] C:\Programme\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [algxxs] C:\WINDOWS\alggx.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\Microsoft.exe
O4 - HKLM\..\Run: [thunderbird] C:\WINDOWS\System32\thunderbird.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ckwpd.exe
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\Run: [3fbe088d.exe] C:\WINDOWS\System32\3fbe088d.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS\system\smsc.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [3fbe088d.exe] C:\Dokumente und Einstellungen\pedro nunes\Lokale Einstellungen\Anwendungsdaten\3fbe088d.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: .protected
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: .protected
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks
agua-marinha
  • 0

#6
JSntgRvr
Posted 05 October 2006 - 12:13 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha :whistling:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

* Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" Delete everything except for "My Current Home Page". Click OK then Apply and OK.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below if exist.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [algxxs] C:\WINDOWS\alggx.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\Microsoft.exe
O4 - HKLM\..\Run: [thunderbird] C:\WINDOWS\System32\thunderbird.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ckwpd.exe
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\Run: [3fbe088d.exe] C:\WINDOWS\System32\3fbe088d.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS\system\smsc.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [3fbe088d.exe] C:\Dokumente und Einstellungen\pedro nunes\Lokale Einstellungen\Anwendungsdaten\3fbe088d.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

WinAntiVirus Pro 2006
Ultimate Defender

Please note any other programs that you dont recognize in that list in your next response

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Programme\WinAntiVirus Pro 2006
C:\Programme\Ultimate Defender
C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\Ultimate Defender
C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\WinAntiVirus Pro 2006
C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\UNWISE.EXE
    C:\WINDOWS\system32\ntsystem.exe
    C:\WINDOWS\system32\ntoskrnl.dll
    C:\WINDOWS\rar.exe
    C:\WINDOWS\system32\PerfStringV4.7.dll
    C:\Dokumente und Einstellungen\pedro nunes\Anwendungsdaten\winantiviruspro2006freeinstall[1].exe
    C:\sepyenx.exe
    C:\bumvwcja.exe
    C:\rlwhjkl.exe
    C:\fxsvo.exe
    C:\ipupyxw.exe
    C:\Program Files\ckwpd.exe
    C:\WINDOWS\thunderbird.exe
    C:\WINDOWS\system32\thunderbird.exe
    C:\WINDOWS\system32\libeay32.dll
    C:\WINDOWS\system32\ssleay32.dll
    C:\WINDOWS\system32\msdtkysx.dll
    c:\windows\system32\removenot.exe
    C:\WINDOWS\System32\3fbe088d.exe
    C:\WINDOWS\System32\ntsystem.exe
    C:\WINDOWS\system\smsc.exe
    C:\WINDOWS\winherp32.exe
    C:\WINDOWS\Microsoft.cmd
    C:\WINDOWS\Microsoft.exe
    C:\WINDOWS\lsssas.exe
    C:\WINDOWS\regfixxsx.exe
    c:\secure32.html
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
    C:\WINDOWS\alggx.exe
    C:\Dokumente und Einstellungen\pedro nunes\Lokale Einstellungen\Anwendungsdaten\3fbe088d.exe
    C:\Documents and Settings\pedro nunes\Start Menu\Programs\Startup\.protected
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Post a fresh Hijackthis log and the contents of the C:\rapport.txt. Let me know how it went.
  • 0

#7
agua-marinha
Posted 07 October 2006 - 07:29 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi jSntgRvr

Theres my fresh hijacksthis

Logfile of HijackThis v1.99.1
Scan saved at 15:17:34, on 07-10-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\thunderbird.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Dokumente und Einstellungen\pedro nunes\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\thunderbird.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SemanticInsight] C:\Programme\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [thunderbird] C:\WINDOWS\System32\thunderbird.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


and the c:\rapport.txt

SmitFraudFix v2.105

Scan done at 13:51:13,12, 07-10-2006
Run from C:\Dokumente und Einstellungen\pedro nunes\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\uniq Deleted
C:\WINDOWS\.protected Deleted
C:\DOKUME~1\PEDRON~1\STARTM~1\PROGRA~1\AUTOST~1\.protected Deleted
C:\DOKUME~1\ALLUSE~1\STARTM~1\PROGRA~1\AUTOST~1\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


But the get allways the same tab us before , and a new one, were that says c:\windows\thunderburd.exe can not found
:whistling:

But thanks anyway
i´ll wait for more help


thanks
agua-marinha
  • 0

#8
JSntgRvr
Posted 07 October 2006 - 12:16 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha :whistling:

Please backup the registry again with ERUNT.

Download the enclosed file: [attachment=11042:attachment]
Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, open the folder and double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Restart the Computer. (It is important)

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Ugrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Please click Here to download AVG as an Antivirus program.

Post a fresh Hijackthis log afterward.
  • 0

#9
agua-marinha
Posted 07 October 2006 - 03:08 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi JSntgRvr :help:

I think this time work it good
Thank you very much for your help :whistling:
The tab is gone.

But the AGv detected interner worms, trojan horses, backdoors and trojan horses :blink:
What can i do??? to put this pc in order!!??



here is the fresh HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 22:55:16, on 07-10-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\Grisoft\AVG Free\avgcc.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\pedro nunes\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SemanticInsight] C:\Programme\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thanks for your exelent help
:) agua-marinha
  • 0

#10
JSntgRvr
Posted 07 October 2006 - 05:03 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha. :whistling:

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly in Safe Mode.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:

Run the CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Close the Shredder.

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido .
Restart back into Windows normally now.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the Ewido and ActiveScan reports.
  • 0

Advertisements

#11
agua-marinha
Posted 08 October 2006 - 12:38 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi JSntgRvr :whistling:

there is a fresh HiJachThis log

Logfile of HijackThis v1.99.1
Scan saved at 20:30:57, on 08-10-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\pedro nunes\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SemanticInsight] C:\Programme\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



The ewido rapport


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:53:51 08-10-2006

+ Scan result:



HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\Program Files\SpySheriff\Uninstall.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044467.exe -> Backdoor.Delf.api : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044666.exe -> Backdoor.Delf.api : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044672.scr -> Backdoor.Delf.api : Cleaned with backup (quarantined).
C:\WINDOWS\system\msmsgc.cmd -> Downloader.Delf.alu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044457.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044665.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044458.exe -> Downloader.Small.ddb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044658.exe -> Downloader.Small.ddb : Cleaned with backup (quarantined).
C:\!KillBox\ntsystem.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP199\A0044299.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP199\A0044315.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044331.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044343.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044360.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044371.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044382.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044393.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044408.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044420.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044434.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044439.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044452.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\!KillBox\lsssas.exe -> Logger.Banker.bnz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044470.exe -> Logger.Banker.bnz : Cleaned with backup (quarantined).
C:\WINDOWS\temp000a.tmp -> Logger.Banker.bnz : Cleaned with backup (quarantined).
C:\!KillBox\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044456.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044460.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044659.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044453.dll -> Trojan.Agent.rx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044662.dll -> Trojan.Agent.rx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044461.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044660.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044459.exe -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044664.exe -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044669.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044670.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044657.exe -> Worm.Backterra.d : Cleaned with backup (quarantined).


::Report end


The active scan report:

Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Potentially unwanted tool:application/winantivirus2006 Not disinfected c:\dokumente und einstellungen\all users\anwendungsdaten\WinAntiVirus Pro 2006
Potentially unwanted tool:application/need2find Not disinfected c:\programme\Need2Find
Potentially unwanted tool:application/altnet Not disinfected hkey_classes_root\clsid\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
Adware:adware/rxtoolbar Not disinfected Windows Registry
Virus:Trj/Jupillites.P Disinfected C:\!KillBox\msdtkysx.dll
Virus:Trj/Downloader.KAC Disinfected C:\!KillBox\winherp32.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Cookies\pedro nunes@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Cookies\pedro nunes@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Cookies\pedro nunes@mediaplex[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Eigene Dateien\Unzipped\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Jupillites.P Disinfected C:\WINDOWS\system32\msdtkysx.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Thanks for your help

:blink: agua-marinha
  • 0

#12
agua-marinha
Posted 08 October 2006 - 12:40 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi JSntgRvr :whistling:

there is a fresh HiJachThis log

Logfile of HijackThis v1.99.1
Scan saved at 20:30:57, on 08-10-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\pedro nunes\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SemanticInsight] C:\Programme\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\PEDRON~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



The ewido rapport


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:53:51 08-10-2006

+ Scan result:



HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\Program Files\SpySheriff\Uninstall.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044467.exe -> Backdoor.Delf.api : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044666.exe -> Backdoor.Delf.api : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044672.scr -> Backdoor.Delf.api : Cleaned with backup (quarantined).
C:\WINDOWS\system\msmsgc.cmd -> Downloader.Delf.alu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044457.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044665.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044458.exe -> Downloader.Small.ddb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044658.exe -> Downloader.Small.ddb : Cleaned with backup (quarantined).
C:\!KillBox\ntsystem.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP199\A0044299.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP199\A0044315.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044331.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044343.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044360.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044371.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044382.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044393.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044408.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044420.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044434.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044439.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044452.exe -> Hijacker.Agent.hg : Cleaned with backup (quarantined).
C:\!KillBox\lsssas.exe -> Logger.Banker.bnz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044470.exe -> Logger.Banker.bnz : Cleaned with backup (quarantined).
C:\WINDOWS\temp000a.tmp -> Logger.Banker.bnz : Cleaned with backup (quarantined).
C:\!KillBox\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044456.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044460.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044659.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044453.dll -> Trojan.Agent.rx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044662.dll -> Trojan.Agent.rx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044461.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044660.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP200\A0044459.exe -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044664.exe -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044669.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044670.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{62BF9594-22CD-4F44-AB3C-5607C15DAE3F}\RP202\A0044657.exe -> Worm.Backterra.d : Cleaned with backup (quarantined).


::Report end


The active scan report:

Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Potentially unwanted tool:application/winantivirus2006 Not disinfected c:\dokumente und einstellungen\all users\anwendungsdaten\WinAntiVirus Pro 2006
Potentially unwanted tool:application/need2find Not disinfected c:\programme\Need2Find
Potentially unwanted tool:application/altnet Not disinfected hkey_classes_root\clsid\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
Adware:adware/rxtoolbar Not disinfected Windows Registry
Virus:Trj/Jupillites.P Disinfected C:\!KillBox\msdtkysx.dll
Virus:Trj/Downloader.KAC Disinfected C:\!KillBox\winherp32.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Cookies\pedro nunes@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Cookies\pedro nunes@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Cookies\pedro nunes@mediaplex[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\pedro nunes\Eigene Dateien\Unzipped\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Jupillites.P Disinfected C:\WINDOWS\system32\msdtkysx.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Thanks for your help

:blink: agua-marinha
  • 0

#13
JSntgRvr
Posted 08 October 2006 - 01:45 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha :whistling:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\dokumente und einstellungen\all users\anwendungsdaten\WinAntiVirus Pro 2006
c:\programme\Need2Find

Run Killbox.exe. Paste the following locations into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click no...and proceed with the next file. Once you get to the last one click YES and it will reboot.

c:\windows\smdat32a.sys
C:\WINDOWS\system32\msdtkysx.dll
C:\WINDOWS\System32\ntsystem.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure not to miss any.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Post a fresh Hijackthis log and let me know how is the computer doing?
  • 0

#14
agua-marinha
Posted 14 October 2006 - 02:05 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi JSntgRvr

I cant make the last steps that you say
when i click on my desktop i dont find " my computer"

Thanks for your help
:whistling:
agua-marinha
  • 0

#15
JSntgRvr
Posted 14 October 2006 - 04:40 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, agua-marinha :whistling:

Hi JSntgRvr

I cant make the last steps that you say
when i click on my desktop i dont find " my computer"

Thanks for your help
:blink:
agua-marinha

Click on Start, then right click on My Computer. Should have the same effect.

Once done, post a fresh Hijackthis log and let me know how is the computer doing.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP