Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Browser Hijacking, Please Help. Hijackthis Log Posted


  • Please log in to reply
9 replies to this topic

#1 Xico Zéi

Xico Zéi

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 27 April 2007 - 03:57 PM

My altavista/google/yahoo search results are redirected to webpages like hrena.com,... I can't get rid of this problem :scratch:
Hijackthis.log follows:

Logfile of HijackThis v1.99.1
Scan saved at 22:44:46, on 2007-04-27
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMAS\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAMAS\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMAS\AHEAD\INCD\INCD.EXE
C:\PROGRAMAS\FICHEIROS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMAS\ACD SYSTEMS\IMAGEFOX\IMAGEFOX.EXE
C:\PROGRAMAS\3.0M SD DSC\CONSOLE\WATCH.EXE
C:\HIDEIT.EXE
C:\PROGRAMAS\MUSTEK 1200 UB PLUS\DRIVER\WATCH.EXE
C:\PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\TEMP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.av.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [McShld9x] C:\Programas\McAfee.com\VSO\mcshld9x.exe
O4 - Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: ImageFox.lnk = C:\Programas\ACD Systems\ImageFox\ImageFox.exe
O4 - Startup: Watch.lnk = C:\Programas\3.0M SD DSC\Console\Watch.exe
O4 - Startup: HIDEIT.lnk = C:\HIDEIT.EXE
O4 - Startup: Watch_Scanner.lnk = C:\Programas\Mustek 1200 UB Plus\Driver\WATCH.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geoweb.pt...r2/mgaxctrl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.m...pdatePortal.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/d.../webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...n9x/AvSniff.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...014/mcfscan.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/cab/mvt.cab

Thanks and forgive me any mistakes because English is not my first language

    Advertisements

Register to Remove


#2 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 28 April 2007 - 12:46 PM

Howdy Xico Zéi, I will be reviewing your log and will post back here once the review is complete.

#3 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 28 April 2007 - 02:31 PM

Let's start repairs now.

Please download FixWareout from here

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet).

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log.

Note: You must must be online to run this utility.



Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.

#4 Xico Zéi

Xico Zéi

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 29 April 2007 - 04:42 AM

Hello Jintan! Thankks for your support.
Now the requested logs:
1- c:\Fixwareout\report.txt

Fixwareout Last edited 4/5/2007
Post this report in the forums please

Random Runs removed from HKLM
"kdasp.exe"=-


We recommend getting a free online scan
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/v.../virusscan.aspx

Hosts file was reset, If you use a custom hosts file please replace it.

2- HijackThis.log

Logfile of HijackThis v1.99.1
Scan saved at 11:38:04, on 2007-04-29
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAMAS\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAMAS\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMAS\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMAS\FICHEIROS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMAS\ACD SYSTEMS\IMAGEFOX\IMAGEFOX.EXE
C:\PROGRAMAS\3.0M SD DSC\CONSOLE\WATCH.EXE
C:\HIDEIT.EXE
C:\PROGRAMAS\MUSTEK 1200 UB PLUS\DRIVER\WATCH.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\TEMP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.av.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [McShld9x] C:\Programas\McAfee.com\VSO\mcshld9x.exe
O4 - Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: ImageFox.lnk = C:\Programas\ACD Systems\ImageFox\ImageFox.exe
O4 - Startup: Watch.lnk = C:\Programas\3.0M SD DSC\Console\Watch.exe
O4 - Startup: HIDEIT.lnk = C:\HIDEIT.EXE
O4 - Startup: Watch_Scanner.lnk = C:\Programas\Mustek 1200 UB Plus\Driver\WATCH.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geoweb.pt...r2/mgaxctrl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.m...pdatePortal.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/d.../webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...n9x/AvSniff.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...014/mcfscan.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/cab/mvt.cab

#5 Xico Zéi

Xico Zéi

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 29 April 2007 - 04:45 AM

and the StartUp Programs log:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"LoadQM" = "loadqm.exe" [MS]
"ICSMGR" = "ICSMGR.EXE" [MS]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"InCD" = "C:\Programas\Ahead\InCD\InCD.exe" ["Nero AG"]
"TkBellExe" = ""C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"VSOCheckTask" = ""C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask" ["McAfee, Inc."]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"MCTskShd" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe" ["McAfee, Inc"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"McShld9x" = "C:\Programas\McAfee.com\VSO\mcshld9x.exe" ["McAfee, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Programa de configuração do Windows - Conversor FAT32"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_Enable_Inis\(Default) = "Programa de configuração do Windows - Acessibilidade"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {HKLM...CLSID} = "Nero Shell Extension Property Sheet"
\InProcServer32\(Default) = "C:\Programas\Ahead\nero\neroshx.dll" ["Ahead Software AG"]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView"
-> {HKLM...CLSID} = "PicaView Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ACDSYS~1\PICAVIEW\PicaView.dll" ["ACD Systems, Ltd."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Explorador do ambiente de trabalho"
-> {HKLM...CLSID} = "Explorador do ambiente de trabalho"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\PROGRAMAS\REAL\REALONE PLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
yEnc32\(Default) = "{8CDA2F05-B2BA-4AC7-B731-51E9E6B006E1}"
-> {HKLM...CLSID} = "yEnc32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Programas\eSite Media\yEnc32\yEnc32Shell.dll" [null data]
PicaView\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
-> {HKLM...CLSID} = "PicaView Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ACDSYS~1\PICAVIEW\PicaView.dll" ["ACD Systems, Ltd."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


System Policies {policy setting}:
---------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"CDRAutoRun" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbar buttons}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) hex:0x00000000
{Disable the General page}

"HomePage" = (REG_DWORD) hex:0x00000000
{Disable changing home page settings}

"Cache" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"links" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) hex:0x00000000
{Disable the Security page}

"ContentTab" = (REG_DWORD) hex:0x00000000
{Disable the Content page}

"Ratings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Certificates" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{Disable the Connections page}

"Connection Settings" = (REG_DWORD) hex:0x00000000
{Disable changing connection settings}

"Connwiz Admin Lock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) hex:0x00000000
{Disable changing proxy settings}

"ProgramsTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Messaging" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) hex:0x00000000
{Disable the Reset Web Settings feature}

"Check_If_Default" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"AdvancedTab" = (REG_DWORD) hex:0x00000000
{Disable the Advanced page}

"Advanced" = (REG_DWORD) hex:0x00000000
{Disable changing Advanced page settings}

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) hex:0x00000000
{Disable the General page}

"HomePage" = (REG_DWORD) hex:0x00000000
{Disable changing home page settings}

"Cache" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"links" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) hex:0x00000000
{Disable the Security page}

"ContentTab" = (REG_DWORD) hex:0x00000000
{Disable the Content page}

"Ratings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Certificates" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{Disable the Connections page}

"Connection Settings" = (REG_DWORD) hex:0x00000000
{Disable changing connection settings}

"Connwiz Admin Lock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) hex:0x00000000
{Disable changing proxy settings}

"ProgramsTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Messaging" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) hex:0x00000000
{Disable the Reset Web Settings feature}

"Check_If_Default" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"AdvancedTab" = (REG_DWORD) hex:0x00000000
{Disable the Advanced page}

"Advanced" = (REG_DWORD) hex:0x00000000
{Disable changing Advanced page settings}

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoJITSetup" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoJITSetup" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserSaveAs" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewSource" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoAddingChannels" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

"NoBrowserContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoOpeninNewWnd" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserSaveAs" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewSource" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoAddingChannels" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

"NoBrowserContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoOpeninNewWnd" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by System Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Os meus documentos\As minhas imagens\ariane_test.jpg"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Menu Iniciar\Programas\Arranque
"Microsoft Office" -> shortcut to: "C:\Programas\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"ImageFox" -> shortcut to: "C:\Programas\ACD Systems\ImageFox\ImageFox.exe" ["ACD Systems, Ltd."]
"Watch" -> shortcut to: "C:\Programas\3.0M SD DSC\Console\Watch.exe" [","]
"HIDEIT" -> shortcut to: "C:\HIDEIT.EXE" ["Ñacañaca ltd."]
"Watch_Scanner" -> shortcut to: "C:\Programas\Mustek 1200 UB Plus\Driver\WATCH.exe" ["Common Group"]


Enabled Scheduled Tasks:
------------------------

"Programador PCHealth para a recolha de dados" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHL.DLL" ["McAfee, Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\MSJAVA.DLL" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
<<H>> "DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
<<H>> "NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]
<<H>> "OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]
<<H>> "PostNotCached" = "res://mshtml.dll/repost.htm" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
usbmon.dll\Driver = "usbmon.dll" [MS]
hpzs9x08\Driver = "hpzs9x08.dll" ["HP"]


----------
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 56 seconds, including 18 seconds for message boxes)

#6 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 29 April 2007 - 05:52 PM

Looks like FixWareout was successful in removing some malware. Are you still having the redirect problems at this time? Let's do some clean-up and check with an additional scan now.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab


The following items block changes being made to your Internet Explorer homepage and settings (under Tools -> Internet Options). Lately these are more often placed by choice through selections made in softwares such as SpyBot or Spyware Blaster (or even McAfee there). Although you can fix these now, I see other unique policy settings listed in your Silent Runners log that suggest these entries were set, and should be changed, through some software you have there.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present



Then reboot, and go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.


And go here for an online AV scan (requires IE to run).

Scan "Local Disks" and when finished save the scan log and then post the log here along with a new HijackThis log please.

#7 Xico Zéi

Xico Zéi

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 30 April 2007 - 04:47 PM

Are you still having the redirect problems at this time?

No. As far as I can tell no problems at all. Thank YOU! :thumbup:

Although you can fix these now, ... and should be changed, through some software you have there

I'm not sure about what do you mean... :scratch: Should I take any action? I never used SpyBot or Spyware Blaster. I do have McAfee (and Ad-Aware SE Personal) but I can't remember if they changed (or asked me to change something about IE)

Now those logs. ActiveScan scan log:

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe


HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 23:38:10, on 2007-04-30
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAMAS\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAMAS\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMAS\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMAS\FICHEIROS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMAS\ACD SYSTEMS\IMAGEFOX\IMAGEFOX.EXE
C:\PROGRAMAS\3.0M SD DSC\CONSOLE\WATCH.EXE
C:\HIDEIT.EXE
C:\PROGRAMAS\MUSTEK 1200 UB PLUS\DRIVER\WATCH.EXE
C:\PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\TEMP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.av.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAMAS\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [McShld9x] C:\Programas\McAfee.com\VSO\mcshld9x.exe
O4 - Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: ImageFox.lnk = C:\Programas\ACD Systems\ImageFox\ImageFox.exe
O4 - Startup: Watch.lnk = C:\Programas\3.0M SD DSC\Console\Watch.exe
O4 - Startup: HIDEIT.lnk = C:\HIDEIT.EXE
O4 - Startup: Watch_Scanner.lnk = C:\Programas\Mustek 1200 UB Plus\Driver\WATCH.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geoweb.pt...r2/mgaxctrl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.m...pdatePortal.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/d.../webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...n9x/AvSniff.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...014/mcfscan.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/cab/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

#8 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 06 May 2007 - 07:45 AM

I am not quite sure why Xico Zéi, but in going back through the requests I have worked with recently I see that my last post either didn't get saved here or I made some error when posting.


Panda only located a file that is part of the Fixwareout tool you used there. If you wish you can delete the entire C:\fixwareout folder at thie time.

The logs show clean now, and it sounds like everything is running well there, at least when we last discussed things. The Internet Explorer restrictions I mentioned are often security settings that can be chosen using some of the softwares I mentioned. If you have no recollection of selecting these security settings we can change them now through HijackThis. This will allow you full access to all change options in your IE Tools - Internet Options panel.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present



A reboot will be required to complete these changes.


If everything else is working okay then I would also like to recommend reviewing the information Here to make sure you stay malware free.

#9 Xico Zéi

Xico Zéi

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 06 May 2007 - 04:05 PM

I made some error when posting

... lol, Jintan it happens to the best!

More seriously Thank you for your support! Everything is running as it used to be.

I will read the contents in that final link you posted and try to stay malware free.

Thank you very much! :wavey:

Edited by Xico Zéi, 06 May 2007 - 04:06 PM.


#10 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 07 May 2007 - 01:10 PM

Glad to assist Xico Zéi.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users