hijack log
Puravida.br
06-14-2006, 05:59 AM
hello everyone,
I joined this forum because of all the helpful tips from guys like Mr Budfred about the hijack logs! Can I post my HijackThis scan log somewhere here? Would I paste it here in one of these quick reply boxes?
Thanks
Orlando
Puravida.br
06-14-2006, 06:19 AM
Hello,
Please let me apologize for not knowing where to ask a question, but I can't seem to find the place that explains how to use this forum. I want to post a question and look for some help, and I always see the message "you may not post new threads". I registered and am able to log in. How do I get started? I went to the FAQ but didn't find the basics there. Maybe I'm not looking in the right places.
sorry for any inconvenience by making this quick reply here
thanks
Orlando
Budfred
06-14-2006, 08:53 AM
Welcome!
I am not sure where you saw the message that you may not post new threads, but that is exactly what you need to do rather than tagging your message onto someone else's thread... I split your comments off to your own thread here...
You will need to use Post Reply to post your HJT log... Quick Reply will not allow enough room for most logs and we need to see the whole log in order to help... Be sure to describe whatever problem led you to post the log... Use more than one reply if needed...
Puravida.br
06-18-2006, 02:50 AM
Hi, my computer has become slow and my audio program, Samplitude 7.0, is taking a long time to open and a really long time to close wave file windows after doing bouncing and mixing. I wonder if something is running on my system that I don't need. Here's my scan log. I sure hope I am pasting this in the right place.
Logfile of HijackThis v1.99.1
Scan saved at 03:00:51, on 18/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
F:\Arquivos de programas\nod32krn.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
F:\Arquivos de programas\PQDrive Image\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\digi96.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Arquivos comuns\InterVideo\FastTVSync\FastTVSync.exe
F:\Arquivos de programas\nod32kui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
F:\Arquivos de programas\Logicam\LogiTray.exe
F:\Arquivos de programas\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
F:\Arquivos de programas\Logicam\FxSvr2.exe
C:\Arquivos de programas\Outlook Express\msimn.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
F:\Arquivos de programas\Phone\Skype.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
F:\Arquivos de programas\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Arquivos de programas\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Arquivos de programas\Arquivos comuns\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Attune_DSM] C:\ARQUIV~1\Aveo\Attune\bin\Disk Space Manager.exe
O4 - HKLM\..\Run: [InCD] F:\Arquivos de programas\InCD\InCD.exe
O4 - HKLM\..\Run: [nod32kui] "F:\Arquivos de programas\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] F:\Arquivos de programas\Logicam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] F:\Arquivos de programas\Logicam\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Arquivos de programas\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "F:\Arquivos de programas\Logicam\ManifestEngine.exe" boot
O4 - Global Startup: Microsoft Office.lnk = F:\Arquivos de programas\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Arquivos de programas\Adobe\Reader\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://F:\ARQUIV~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134152571859
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{443BE894-9924-42C2-BEFD-81874EEC488E}: NameServer = 200.165.132.154 200.149.55.142
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: pushow32.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - F:\Arquivos de programas\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - F:\Arquivos de programas\PQDrive Image\Agent\PQV2iSvc.exe
Budfred
06-18-2006, 04:45 AM
Have you run any scanning/cleaning programs already?? If not please do this:
Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
Check "Perform action with all infections".
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then open an HJT scan and put checks by these if they are still there:
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O20 - AppInit_DLLs: pushow32.dll
Close all open windows except HJT and press Fix checked...
Use Windows Search to find and delete this file... Set the search to include hidden and system files:
pushow32.dll
Reboot and post a fresh HJT log and the Ewido log... Note if you are still having problems...
Puravida.br
06-18-2006, 10:58 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:33:39, on 18/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
F:\Arquivos de programas\nod32krn.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
F:\Arquivos de programas\PQDrive Image\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\digi96.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Arquivos comuns\InterVideo\FastTVSync\FastTVSync.exe
F:\Arquivos de programas\nod32kui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
F:\Arquivos de programas\Logicam\LogiTray.exe
F:\Arquivos de programas\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Arquivos de programas\Logicam\FxSvr2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
F:\Arquivos de programas\Logicam\AlbumDB2.exe
F:\Arquivos de programas\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Arquivos de programas\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Arquivos de programas\Arquivos comuns\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Attune_DSM] C:\ARQUIV~1\Aveo\Attune\bin\Disk Space Manager.exe
O4 - HKLM\..\Run: [InCD] F:\Arquivos de programas\InCD\InCD.exe
O4 - HKLM\..\Run: [nod32kui] "F:\Arquivos de programas\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] F:\Arquivos de programas\Logicam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] F:\Arquivos de programas\Logicam\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Arquivos de programas\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "F:\Arquivos de programas\Logicam\ManifestEngine.exe" boot
O4 - Global Startup: Microsoft Office.lnk = F:\Arquivos de programas\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Arquivos de programas\Adobe\Reader\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://F:\ARQUIV~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134152571859
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{443BE894-9924-42C2-BEFD-81874EEC488E}: NameServer = 200.165.132.154 200.149.55.142
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - F:\Arquivos de programas\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - F:\Arquivos de programas\PQDrive Image\Agent\PQV2iSvc.exe
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:14:11, 18/6/2006
+ Report checksum: 9B1297F1
+ Scan result:
HKU\S-1-5-21-861567501-879983540-725345543-1003\Software\IST -> Adware.ISTBar : Cleaned with backup
[1308] C:\WINDOWS\system32\pushow32.dll -> Adware.AdvertMen : Cleaned with backup
[3120] C:\WINDOWS\system32\pushow32.dll -> Adware.AdvertMen : Error during cleaning
C:\WINDOWS\system32\pushow46.dll -> Adware.AdvertMen : Cleaned with backup
C:\WINDOWS\system32\pushow0.dll -> Adware.AdvertMen : Cleaned with backup
C:\WINDOWS\system32\pushow32.dll -> Adware.AdvertMen : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Configurações locais\Temporary Internet Files\Content.IE5\EP076DA5\istdownload[1].exe -> Downloader.IstBar.pe : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Meus documentos\Downloads\get your feet back on the ground 41.rar/install.exe -> Hijacker.Agent.hi : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\System Volume Information\_restore{373B7A6A-12C8-4734-97AA-B92E3B61AF8E}\RP403\A0136457.exe -> Hijacker.Agent.hi : Cleaned with backup
C:\System Volume Information\_restore{373B7A6A-12C8-4734-97AA-B92E3B61AF8E}\RP403\A0136458.exe -> Hijacker.Agent.hi : Cleaned with backup
F:\Softwares\Nero Serials\nero 7 serial (3).zip/1.wmv -> Downloader.Wimad.d : Cleaned with backup
::End of report
Puravida.br
06-18-2006, 10:59 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:33:39, on 18/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
F:\Arquivos de programas\nod32krn.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
F:\Arquivos de programas\PQDrive Image\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\digi96.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Arquivos comuns\InterVideo\FastTVSync\FastTVSync.exe
F:\Arquivos de programas\nod32kui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
F:\Arquivos de programas\Logicam\LogiTray.exe
F:\Arquivos de programas\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Arquivos de programas\Logicam\FxSvr2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
F:\Arquivos de programas\Logicam\AlbumDB2.exe
F:\Arquivos de programas\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Arquivos de programas\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Arquivos de programas\Arquivos comuns\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Attune_DSM] C:\ARQUIV~1\Aveo\Attune\bin\Disk Space Manager.exe
O4 - HKLM\..\Run: [InCD] F:\Arquivos de programas\InCD\InCD.exe
O4 - HKLM\..\Run: [nod32kui] "F:\Arquivos de programas\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] F:\Arquivos de programas\Logicam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] F:\Arquivos de programas\Logicam\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Arquivos de programas\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "F:\Arquivos de programas\Logicam\ManifestEngine.exe" boot
O4 - Global Startup: Microsoft Office.lnk = F:\Arquivos de programas\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Arquivos de programas\Adobe\Reader\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://F:\ARQUIV~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134152571859
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{443BE894-9924-42C2-BEFD-81874EEC488E}: NameServer = 200.165.132.154 200.149.55.142
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - F:\Arquivos de programas\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - F:\Arquivos de programas\PQDrive Image\Agent\PQV2iSvc.exe
Puravida.br
06-18-2006, 11:01 AM
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:14:11, 18/6/2006
+ Report checksum: 9B1297F1
+ Scan result:
HKU\S-1-5-21-861567501-879983540-725345543-1003\Software\IST -> Adware.ISTBar : Cleaned with backup
[1308] C:\WINDOWS\system32\pushow32.dll -> Adware.AdvertMen : Cleaned with backup
[3120] C:\WINDOWS\system32\pushow32.dll -> Adware.AdvertMen : Error during cleaning
C:\WINDOWS\system32\pushow46.dll -> Adware.AdvertMen : Cleaned with backup
C:\WINDOWS\system32\pushow0.dll -> Adware.AdvertMen : Cleaned with backup
C:\WINDOWS\system32\pushow32.dll -> Adware.AdvertMen : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Configurações locais\Temporary Internet Files\Content.IE5\EP076DA5\istdownload[1].exe -> Downloader.IstBar.pe : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Meus documentos\Downloads\get your feet back on the ground 41.rar/install.exe -> Hijacker.Agent.hi : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Lon.BOVE\Cookies\lon@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\System Volume Information\_restore{373B7A6A-12C8-4734-97AA-B92E3B61AF8E}\RP403\A0136457.exe -> Hijacker.Agent.hi : Cleaned with backup
C:\System Volume Information\_restore{373B7A6A-12C8-4734-97AA-B92E3B61AF8E}\RP403\A0136458.exe -> Hijacker.Agent.hi : Cleaned with backup
F:\Softwares\Nero Serials\nero 7 serial (3).zip/1.wmv -> Downloader.Wimad.d : Cleaned with backup
::End of report
Budfred
06-18-2006, 11:26 AM
Why did you post everything twice?? Are you still having a problem?? It looks like the malware is gone....
Puravida.br
06-18-2006, 06:59 PM
Thanks so much for your help. I am sorry the logs got posted twice. I hit the submit button and got a message to wait some seconds and do it again, so I did! I've been searching for the operation manual for this site or some other help sections to explain things better, because I don't want to interfere with such a helpful process that takes place here, and this language is often hard for me.
Thanks
Orlando
Budfred
06-18-2006, 07:15 PM
Did you read the FAQ?? Also, the sticky threads in the first couple of forums can be helpful...
Meanwhile, I still need to know how your system is working to see if we need to do more...
Puravida.br
06-19-2006, 08:39 AM
Hi Mr Budfred,
My musical life is still strange on my machine.
My "personal" system, which I use a lot for music and which has internet, is still slow with my audio program: Samplitude 7.0 takes forever to open, and I have to hit what in English I think is "finalize process", the thing in the task manager, to close it. When I do a mix of a song (multitrack to stereo; I work in 32-bit floating point), the mix process works normally, the editing process works fine, I can crunch lots of data, lots of plugins, no problem, but when the time comes to close the wave file that was the result of the mix, it takes 30 seconds to a minute just to close the window.
When I go to the same program, which is on my "music" partition, and do the same thing, it opens and closes quickly and the wave files close in a flash.
All my programs are installed on my F drive. I have "two" C drive partitions; one is hidden when the other is in use. I use Partition Magic, the version just before it was swallowed up by Norton.
The other stuff is working great, and even my DVD recording world seems to be much happier.
I tried to take MSN out of my bootup, but XP complains every time. I wish I could find a way to activate it when I need it. Other than that, I hope I get a chance to learn more stuff from you and find a way to start a thread; I'll go to the FAQs again and that other place you told me about.
Thanks a lot
Orlando
Puravida.br
06-19-2006, 08:46 AM
BTW, my music system only has Samplitude and the music stuff, plugins, no internet or NOD, which I use on the "home" partition. As a matter of fact, I'd like to know how to streamline that partition even more, e.g. take out MSN, etc., but I think that is a topic for another thread; any suggestions? I have Service Pack 2. Also, is there a way to actualize my non-net system by saving actualizations from my net partition and then applying them to the "music" partition? Or do you think I can just stay in my "unactualized" world that works great for music, with the "if it's not broke, don't fix it" philosophy?
thanks again
Orlando
Budfred
06-19-2006, 08:48 AM
I am not sure what is going on with your recording and how to approach it, maybe someone else will have some ideas...
If you want to turn off MSN, I think fixing these items with HJT will do that and you will need to start it manually if you want it:
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
Also, I was not able to find out what this is... Do you know?? It is possible that it is bad... If you don't know what it is, Right click on the file and look at Properties... If you don't recognize the company, you can submit it to Jotti...
O4 - HKLM\..\Run: [RMETray] digi96.exe
Jotti's malware scan at http://virusscan.jotti.org/ and upload the file for scanning and post the results here.
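Both of Budfred's triage steps in this thread (the fix list of 06-18-2006 with the O2 BHO entry that has no file and the O20 AppInit_DLLs entry, and the question above about the O4 [RMETray] digi96.exe entry) come from reading the HijackThis log section by section. The script below is an added example written for this page; it is not part of the thread and not part of HijackThis, and its severity labels are the editor's own assumptions. It applies those same checks to a handful of lines copied from the log posted earlier. An AppInit_DLLs value is rated high because Windows loads every DLL listed there into each process that links user32.dll, which is also why the ewido report could clean pushow32.dll on disk but reported an error on the in-memory hit prefixed [3120]. A Run value with no path is flagged because the file is found through the search path rather than at a fixed location (the process list in the log shows digi96.exe resolved to C:\WINDOWS\system32). O17 NameServer addresses are listed for checking against the ISP's resolvers, since a swapped resolver is a common hijack.

```python
"""Section-by-section triage of HijackThis v1.99 log lines.

Added example for this page; it is not part of the thread and not part
of HijackThis. The severity heuristics are the editor's assumptions.
"""
import re
from typing import List, Tuple

# (severity, section, detail)
Finding = Tuple[str, str, str]

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Arquivos de programas\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O17 - HKLM\System\CCS\Services\Tcpip\..\{443BE894-9924-42C2-BEFD-81874EEC488E}: NameServer = 200.165.132.154 200.149.55.142
O20 - AppInit_DLLs: pushow32.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - F:\Arquivos de programas\nod32krn.exe
"""

_LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
_RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis log line (empty list if nothing to flag)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    out: List[Finding] = []

    if sec == "O2" and body.endswith("(no file)"):
        # A CLSID is still registered as a BHO but its DLL is gone: an orphan worth removing.
        out.append(("low", sec, "orphaned BHO registration: " + body))

    elif sec == "O4":
        r = _RUN_RE.match(body)
        if r:
            program, args = split_command(r.group("cmd"))
            target = program
            if program.lower().endswith("rundll32.exe"):
                # rundll32 is only the host; the payload is the DLL named in its first argument.
                target = args.split(",", 1)[0].strip().strip('"')
            if "\\" not in target:
                # No path at all: Windows resolves the name through the search path,
                # so which file actually runs has to be verified on disk.
                out.append(("medium", sec,
                            f"[{r.group('name')}] runs bare name {target!r}; locate and verify the file"))

    elif sec == "O17" and "NameServer" in body:
        ips = _IP_RE.findall(body)
        out.append(("info", sec, "DNS resolvers " + ", ".join(ips) + "; confirm they belong to the ISP"))

    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            # Every process that links user32.dll loads these DLLs at start-up.
            out.append(("high", sec, f"AppInit_DLLs injects {dlls} into every user32-linked process"))

    elif sec == "O23" and "Unknown owner" in body:
        out.append(("low", sec, "service without a publisher string: " + body))

    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings in order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage_log(SAMPLE_LOG):
        print(f"{severity:<6} {section:<4} {detail}")
```

Run as-is it prints five findings for the sample: the orphaned O2 entry, the bare-name [RMETray] value, the two resolver addresses, the AppInit_DLLs injection and the NOD32 service with no publisher string; the fully-pathed SoundMAX and NvMediaCenter values produce nothing. The checks are deliberately structural (path present, file present, value non-empty) rather than name-based, which is the same reasoning Budfred applies when he asks what digi96.exe is instead of assuming it is bad.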
Budfred
06-19-2006, 08:55 AM
BTW, my music system only has Samplitude and the music stuff, plugins, no internet or NOD, which I use on the "home" partition. As a matter of fact, I'd like to know how to streamline that partition even more, e.g. take out MSN, etc., but I think that is a topic for another thread; any suggestions? I have Service Pack 2. Also, is there a way to actualize my non-net system by saving actualizations from my net partition and then applying them to the "music" partition? Or do you think I can just stay in my "unactualized" world that works great for music, with the "if it's not broke, don't fix it" philosophy?
thanks again
Orlando
I don't know the answers to most of your questions here...
If the log we have been working on is for your music partition, it did get infected and it does need to be protected...
Puravida.br
06-19-2006, 01:56 PM
Hi Budfred,
Well, I guess I'm in good shape then. RME is a wonderful company that makes sound cards and other very reliable interfaces between the analogue and digital audio worlds. Their stuff is pretty much conflict-proof and compatible with everything, and their support is unbelievable. Do a search and check out their site, RME.
I´ll check out the MSN advice, OK? Thanks
Oh yes, my audio partition is not infected; it's never seen the internet.
maybe I should run a scan anyway
Thanks
Orlando