hey

ive got some popups and a slow computer. help me plz

Logfile of HijackThis v1.99.1
Scan saved at 20:40:02, on 22-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe
C:\Programas\F?nts\u?erinit.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Apoint2K\Apntex.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Miguel Rodrigues\Ambiente de trabalho\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [DU Meter] C:\Programas\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjig.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ccqnkahy.dll",setvm
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\visjpomb.dll",setvm
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eadr] "C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Qdjeiehm] C:\Programas\F?nts\u?erinit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: .protected
O4 - Startup: XFX Game Controller.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Netcall Phone.lnk = ?
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Programas\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Programas\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Serviço do Norton Protection Center (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

Previous topic:
http://forums.spybot.info/showthread.php?t=11503

sry ive been very busy that i havent seen pskelley reply. (http://forums.spybot.info/showthread.php?t=11503)

tnx for your help!

how can it compromise the security of my computer?
i dont want to reformat my comp

there is another way to get rid of trojans?

a system restore would help?

tnx for helping

sry ive been very busy that i havent seen pskelley reply. I understand, please understand also that we take time from our real lives and volunteer to help.

how can it compromise the security of my computer?
If you had taken time from "very busy" and read the information in the links I posted, you would not be asking this question.

i dont want to reformat my comp
That is your call, I can help you clean the computer but I can never say it is safe.

a system restore would help?You can try a system restore to a point before you got infected, I can not say if it will help, all I can say is you are loaded with infections and if you continue to take the computer online, chances are you are going to get more. You already have a tough cleanup ahead of you if you choose that route.

Thanks

hey pskelley



If you had taken time from "very busy" and read the information in the links I posted, you would not be asking this question.


yes i read all the information.

i tried a restore but, after restarting, it always says: "the computer cant be restored.."

spybot can help?

so the only way is to reinstall the OS?

Thanks!

Lots of information on line about how to do a System Restore:
http://www.google.com/search?hl=en&q=how+to+do+a+system+restore&btnG=Google+Search

"the computer cant be restored.."If you are receiving a message there has to be more to it that that?

spybot can help? <<< I am not sure what you are asking about Spybot?

so the only way is to reinstall the OS?No, that would not help, the computer has to be reformatted, reinstalling the operating system is just part of the proceedure.
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://www.google.com/search?hl=en&q=how+to+reformat&btnG=Google+Search

Keep in mind I did say this:
I may be able to help you clean the computer but you will never be able to be sure it is secure.
Thanks

i got rid of the v6.exe.
am i still infected with the backdoor trojans ?

Logfile of HijackThis v1.99.1
Scan saved at 12:51:30, on 28-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Programas\Messenger\msmsgs.exe
C:\Documents and Settings\Miguel Rodrigues\Ambiente de trabalho\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uedfarer.dll",setvm
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: .protected
O4 - Startup: XFX Game Controller.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Programas\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Programas\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Serviço do Norton Protection Center (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

This computer is loaded with infections, are you are asking me to show you how to clean it? If so, then start by keeping this computer offline unless you are troubleshooting.

You have this trojan: http://www.castlecops.com/s13852-KIT3.html
this trojan: http://www.castlecops.com/startuplist-13849.html
this unidentifiable worm: C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll
and markers that indicate a Smitfraud infection. If you wish to proceed with this cleanup, follow the direction:

http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions:

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post ONLY the C:\rapport.txt from Smitfraudfix.

Thanks

SmitFraudFix v2.158

Scan done at 13:50:25,65, 28-03-2007
Run from C:\Documents and Settings\Miguel Rodrigues\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [VersÆo 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\Programas\Messenger\msmsgs.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Miguel Rodrigues


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Miguel Rodrigues\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\MIGUEL~1\MENUIN~1\PROGRA~1\Arranque\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\Arranque\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MIGUEL~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programas


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="A minha home page actual"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks for returning that information, please continue following the directions carefully.

1) Thanks to S!R! and anyone else who helped with this fix.

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


Thanks to andymanchesta and anyone else who helped with the fix.

2) Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Post the C:\rapport.txt from Smitfraudfix, the contents of the Report.txt from SDFix and a new HJT log.

Thanks

hey

When i run the safe mode and after entering my password, i only see a black screen saying "Safe Mode". is this normal?

I ran the SmitfraudFix.exe by the comand line (using Safe Mode with comand line).
It didn't asked me to replace the infected file.



SmitFraudFix v2.158

Scan done at 19:18:10,39, 28-03-2007
Run from C:\Documents and Settings\Miguel Rodrigues\SmitfraudFix
OS: Microsoft Windows XP [VersÆo 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\DOCUME~1\MIGUEL~1\MENUIN~1\PROGRA~1\Arranque\.protected Deleted
C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\Arranque\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Then i ran RunThis.bat in Safe Mode with comand line, i typed yes and i got this:

"Starting Repairs

Checking runing processes, services and files...

Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified" (Note: this is a translation because my win xp is in portuguese)

There is not any report file into SDFix.



Logfile of HijackThis v1.99.1
Scan saved at 20:05:11, on 28-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programas\Windows NT\Acessórios\wordpad.exe
C:\Programas\Messenger\msmsgs.exe
C:\Documents and Settings\Miguel Rodrigues\Ambiente de trabalho\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uedfarer.dll",setvm
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: XFX Game Controller.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Programas\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Programas\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Serviço do Norton Protection Center (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

Thats all

tnx

Thanks for returning the information, I am not sure why you are having the issues, perhaps Smitfraudfix does not know the language.

As far as SDFix, if you follow the direction: Report.txt will also be copied to Clipboard ready for posting back on the forum Let's have a look at the results.

The first part of the fix for Smitfraud worked ok, the second part, SDFix has not worked. This fix will remove the really nasty trojans I mentioned in the linked in my last instructions, please read these directions carefully and run the fix again:

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Please take the time to read and follow the directions carefully. If you are unsure about what you are doing, please ask someone with more computer experience for help. If you run the fix the way it says to, it will remove the trojans and it will produce the report. We use the fix all of the time.

Thanks

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


hey

I've done 3 times exactly what you said.

I always get this:

"Starting Repairs

Checking runing processes, services and files...

Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified"

Then it doesn't do anything.

The RunThis.bat is localized in "C:\SDFix\RunThis.bat"

Maybe because i'm runing Safe Mode with comand line?

Maybe because i'm runing Safe Mode with comand line?Then try following the directions please...

Then try following the directions please...

??
sry i don't understand what you mean.



When i run the safe mode and after entering my password, i only see a black screen saying "Safe Mode". is this normal?


What should i do after runing safe mode and entering my password? i only see a black screen saying "Safe Mode".

http://www.bleepingcomputer.com/tutorials/tutorial61.html
Using the F8 Method

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.
Do whatever tasks you require and when you are done reboot to boot back into normal mode

http://www.computerhope.com/issues/chsafe.htm

http://www.pcstats.com/articleview.cfm?articleID=1643

Hey

i got a big problem.

i did this: (http://www.bleepingcomputer.com/tuto...utorial61.html)

Using the System Configuration Tool Method

Step 1: Close all programs so that you have nothing open and are at the desktop.

Step 2: Click on the Start button then click on Run.

Step 3: In the Run field type msconfig as shown in the image below.



Figure 4. Starting Msconfig



Step 4: Press the OK button and the System Configuration Utility will start up. You will then see a screen similar to Figure 5 below.




Figure 5. Starting the System Configuration Utility



Step 5: Click on the tab labeled "BOOT.INI" which is designated by the red box in Figure 5 above. You will then be presented with a screen similar to Figure 6 below.




Figure 6. BOOT.INI Tab



Step 6: Put a checkmark in the checkbox labeled "/SAFEBOOT" designated by the red box in Figure 6 above. Then press the OK button. After pressing the button you will be presented with a confirmation box as shown in Figure 7 below.




Figure 7. Confirm Reboot



Step 7: Press the Restart button and let the computer reboot. It will now boot up into Safe Mode.

Now when i restart my computer I ALWAYS GET IN SAFE MODE.

As i said before, in safe mode i can't do anything!!

I only see a black screen saying safe mode (like in this pic http://www.bcot1.com/safemode03.jpg)

What can i do?

PLEASE help me

Once you get back to normal mode, please do not try to get to safe mode again unless you use the F8 method I originally posted. I have prepared manual instructions for removing the malware and will post them once you are in normal mode and let me know.

I still seriously believe you have problems caused by this junk, and that you really should consider a a reformat or at the very least reinstalling your Operating System. Your call.

Let's try this, please take your time and follow the directions carefully:

Method 2: tried and tested moments ago
- boot up in safe mode
- bring up taskmgr (alt/ctl/del)
- Select file: either use the browse button to get to this path and double click on msconfig.exe or type the entire path in by hand
C:\windows\pchealth\helpctr\binaries\msconfig.exe
This will bring you back to msconfig screen.
- From there you can select the boot.ini tab and unselect the /SAFEBOOT check box.
- Restart your PC and you should be ok


Let me know how it goes.

Thanks

nvm i got my computer back :)))

I typed NO to this message http://www.bcot1.com/safemode03.jpg because when i type YES the i only see a black screen saying safe mode. Must be a bug!!

Then i did the system restore and i got the computer in normal mode.

But i got all the virus again :D

see you

OK...that's a good thing. Here are the manual instructions, you can delete the SDFix.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uedfarer.dll",setvm
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
(next two are Alexa toolbar resource wasters, but if you use Alexa you can leave them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

(I believe the "spool" folder should be deleted, if all that is in it are those two files, delete the folder)
C:\WINDOWS\system32\spool\cmd.exe <<< delete that file
C:\WINDOWS\system32\spool\hpprintqueue.exe <<< delete that file

C:\WINDOWS\system32\uedfarer.dll <<< delete that file

C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll <<< delete that file

5) Follow the directions in this link to download, update and run AVG Anti-Spyware. Make sure you delete or at least quarantine anything found and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the AVG Anti-Spyware scan report and a new HJT log. Add any comments you think will help.

Thanks

hey

I installed this antivirus http://www.free-av.com/ and it immediatly detected and i moved to quarantine these ones:

gebyv.dll
notepad.exe (from spool folder)
yhqgeae.dll
fhxovnj.dll
cmd.exe (from spool folder)

Am i safe from this ones?

They are still shown in hijack log. (no idea why)
But they are not anymore in the respective folders.. (spool..)

Logfile of HijackThis v1.99.1
Scan saved at 15:29:45, on 29-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\Programas\Apoint2K\Apntex.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\AntiVir PersonalEdition Classic\avcenter.exe
C:\Documents and Settings\Miguel Rodrigues\Ambiente de trabalho\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14EDF56F-48E6-4953-91A9-DD894A71562E} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {15FDD0E0-28C0-430C-8CE6-25BCC9BF50E2} - C:\WINDOWS\system32\ddcdabc.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\nnnlmmm.dll (file missing)
O2 - BHO: (no name) - {3FBE25C8-BF92-5FD5-3793-0A2C8BF02D24} - C:\WINDOWS\system32\oqkffqc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tvadupmp.dll (file missing)
O2 - BHO: (no name) - {69FB2C07-9D91-69F0-3349-00AE5946C225} - C:\WINDOWS\system32\yhqgeae.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar4.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\hnccaeca.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uedfarer.dll",setvm
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: XFX Game Controller.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcdabc - C:\WINDOWS\SYSTEM32\ddcdabc.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: nnnlmmm - nnnlmmm.dll (file missing)
O20 - Winlogon Notify: urqpnlj - urqpnlj.dll (file missing)
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe

Thanks for the feedback, let me provide you with some information first. You said this:

I installed this antivirus http://www.free-av.com/ and it immediatly detected and i moved to quarantine these ones:Please be aware of two things 1) without seeing a log from the antivirus program, there is no way I can comment on what it did or did not remove.
2) I want to advise you that you were running: Norton Internet Security and if you have installed another antivirus program, you need to view this information.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

Beyond that, I can comment on the HJT log.

It appears you removed Symantec, but you have additional infections. These infections will attract more, my suggestion, if you wish to continue cleaning this computer is that you keep it offline except when you are troubleshooting. This infection appear to be Vundo and we need to try and remove it first:
Scan saved at 15:29:45, on 29-03-2007 <<< this is the HJT log I am looking at and all of the infections are still in the log including these new ones. If I am to continue, you are going to have to follow my directions and stop going off on your own and downloading stuff. I makes no difference to me, but please make up your mind if you want my help or not.

VUNDO
O2 - BHO: (no name) - {15FDD0E0-28C0-430C-8CE6-25BCC9BF50E2} - C:\WINDOWS\system32\ddcdabc.dll
O20 - Winlogon Notify: ddcdabc - C:\WINDOWS\SYSTEM32\ddcdabc.dll
O2 - BHO: (no name) - {14EDF56F-48E6-4953-91A9-DD894A71562E} - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll

Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

I need to see the Vundofix report and a new HJT log.

Thanks












Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html

...the computer has to be reformatted, reinstalling the operating system is just part of the proceedure.


k i did that

thanks for your help pskelley. :)

Logfile of HijackThis v1.99.1
Scan saved at 18:50:39, on 04-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\Apoint2K\Apntex.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Programas\Ficheiros comuns\Symantec Shared\NMain.exe
C:\Programas\Symantec\LiveUpdate\LUALL.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Messenger\msmsgs.exe
c:\PROGRA~1\NORTON~1\Aleupdat.exe
C:\DOCUME~1\PROPRI~1\DEFINI~1\Temp\Directório temporário 1 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Programas\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Programas\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Serviço do Norton Protection Center (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

Logfile of HijackThis v1.99.1 Scan saved at 18:50:39, on 04-04-2007

I think you will find a Java update already. Start > Control Panel > Java Console (little coffee cup) > update tab > Update. I could be wrong.

You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

Everything else looks fine:bigthumb: and here is how to keep it that way.

Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
How to prevent Malware
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks