pokapoka

[ehgpdantas]

Hi,

I am having problem with pokapoka trojan. Follows a HijacjThis logfile done in safe mode.

Logfile of HijackThis v1.99.1
Scan saved at 19:47:19, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\Explorer.EXE
E:\Arquivos de programas\hjt\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Arquivos de programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ASUS Probe] E:\Arquivos de programas\Asus\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [Microsoft Update 64 BIT] schvost.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] schvost.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "E:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [services32] E:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe
O4 - Startup: SpywareGuard.lnk = E:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,910,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

[POADB]

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!. .


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Download LQfix and save it to your desktop. Extract the file to your desktop but do not use it yet!

Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO SAFE MODE

1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
3. Continue to do so until the 'Windows Advanced Options' menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files

1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. Enable the option for `Show hidden files and folder´
3. Disable the option for `Hide file extensions for known types´
4. Disable the option for `Hide protected operating system files´
5. Click Yes to confirm & then click OK

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Doubleclick LQfix.bat that you saved on your desktop earlier.
A dos window will open and close again, this is normal.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :

• Microsoft Antispyware - it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.- Please read this discussion to help you decide - Microsoft Antispyware “Ignores” Claria adware
  

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

O4 - HKLM\..\Run: [Microsoft Update 64 BIT] schvost.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] schvost.exe
O4 - HKCU\..\Run: [services32] E:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Locate and delete the following folder(s), if present:

• E:\WINDOWS\etb\

Locate and delete the following file(s), if present:

• E:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe

Search for & delete ... using Start> Search... the following file(s), if present:

• schvost.exe
  windir32.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Do an online scan at one of the following sites:

• Panda ActiveScan
• Kaspersky Anti-Virus Web Scanner
• BitDefender Online Scanner
• Trend Micro™ HouseCall

Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:

1. HiJackThis
2. Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[ehgpdantas]

Hi POADB,

I've did what you recommended and uninstalled MSAS. Find below the HJT log and anti-virus logs. I ran Panda, Kaspersky and Bitdefender. I did not ran TM House Call because I had already ran it before and also because I have it installed in my computer. Why didn't it detect anything?

Best regards,

Eduardo

--------------------------------------------------------------------------
HijackThis
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:58:16, on 13/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Arquivos de programas\Messenger\msmsgs.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Arquivos de programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Arquivos de programas\SpywareGuard\sgmain.exe
E:\Arquivos de programas\SpywareGuard\sgbhp.exe
E:\WINDOWS\Explorer.EXE
E:\Arquivos de programas\Internet Explorer\iexplore.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.EXE
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCCGUIDE.EXE
E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Arquivos de programas\hjt\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "E:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "E:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

--------------------------------------------------------------------------
Panda
--------------------------------------------------------------------------
Incident Status Location

Dialer:dialer.xd No disinfected E:\WINDOWS\switchagreement.txt
Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
Dialer:Dialer.ABR No disinfected E:\Arquivos de programas\hjt\backups\backup-20050717-004010-806.inf
Adware:Adware/MediaTickets No disinfected E:\Arquivos de programas\Microsoft AntiSpyware\DeactivatedItems\18F9FBA9-FE52-4FA0-B948-159E36.asq
Adware:Adware/Lop No disinfected E:\Documents and Settings\All Users\Dados de aplicativos\Ante Enc Flaw Knob\intra meal.exe
Adware:Adware/Lop No disinfected E:\Documents and Settings\All Users\Dados de aplicativos\Litegriddriveglue\NEW BIN.exe
Dialer:Dialer.BEP No disinfected E:\WINDOWS\a pasta do edu\internt.exe
Dialer:Dialer.Gen No disinfected E:\WINDOWS\a pasta do edu\switchagreement.txt
Dialer:Dialer.Gen No disinfected E:\WINDOWS\switchagreement.txt
--------------------------------------------------------------------------
Kaspersky
--------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 13, 2005 12:19:04
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/08/2005
Kaspersky Anti-Virus database records: 143371
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 79389
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 2449 sec

Infected Object Name - Virus Name
E:\Documents and Settings\All Users\Dados de aplicativos\Ante Enc Flaw Knob\intra meal.exe Infected: not-a-virus:AdWare.Lop.p
E:\Documents and Settings\All Users\Dados de aplicativos\Litegriddriveglue\NEW BIN.exe Infected: Trojan-Downloader.Win32.Swizzor.de
E:\WINDOWS\a pasta do edu\internt.exe Infected: Trojan.Win32.Dialer.eb

Scan process completed.

--------------------------------------------------------------------------
Bit Defender
--------------------------------------------------------------------------

BitDefender Online Scanner - Real Time Virus Report



Generated at: Sat, Aug 13, 2005 - 12:56:18


--------------------------------------------------------------------------------





Scan Info



Scanned Files
286223

Infected Files
0








Virus Detected



No virus found.











--------------------------------------------------------------------------------



This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

[POADB]

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Please download CleanUp! (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Do not run it yet!

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

E:\WINDOWS\switchagreement.txt
E:\Arquivos de programas\hjt\backups\backup-20050717-004010-806.inf
E:\Arquivos de programas\Microsoft AntiSpyware\DeactivatedItems\18F9FBA9-FE52-4FA0-B948-159E36.asq
E:\Documents and Settings\All Users\Dados de aplicativos\Ante Enc Flaw Knob\intra meal.exe
E:\Documents and Settings\All Users\Dados de aplicativos\Litegriddriveglue\NEW BIN.exe
E:\WINDOWS\a pasta do edu\internt.exe
E:\WINDOWS\a pasta do edu\switchagreement.txt
E:\WINDOWS\switchagreement.txt

Delete this folder!!

E:\Arquivos de programas\Microsoft AntiSpyware\

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

• Save it to your desktop.
• Double-click the new icon on your desktop (tmas-web-scan.exe)
• It will say "Loading TrendMicro definitions".
• Once the definitions are loaded, the program will appear to close then re-open.
• Click "Start Scan"
• After it's done scanning, click "Scan Results"
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

Re run Panda and post the results along with a new HJT log.

[ehgpdantas]

Hi POADB,

I followed your instructions. I installed Cleanup3.1 once 4.0 was not recommende for XP 64bits (which I think is the case of my windows). I could not delete MSAS folder at once because Windows stated it was in use (however the folder was empty...). After logoff and login I succeeded in deleting it. Trend Micro antispyware found and cleaned two entries and Panda still found something. I am posting fresh HJT logs (although there 4 users on this PC I am posting 4 logs) and Panda's log.

Eduardo

--------------------------------------------------------------------------
Panda
--------------------------------------------------------------------------

Incident Status Location

Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
--------------------------------------------------------------------------
HJT Edu
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:43:33, on 13/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
E:\Arquivos de programas\Messenger\msmsgs.exe
E:\Arquivos de programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Arquivos de programas\SpywareGuard\sgmain.exe
E:\Arquivos de programas\SpywareGuard\sgbhp.exe
E:\WINDOWS\Explorer.EXE
E:\Arquivos de programas\hjt\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "E:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "E:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe



--------------------------------------------------------------------------
HJT Gab
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:35:21, on 13/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
E:\Arquivos de programas\MSN Messenger\msnmsgr.exe
E:\Arquivos de programas\Messenger\msmsgs.exe
E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Arquivos de programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Arquivos de programas\hjt\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKCU\..\Run: [msnmsgr] "E:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe



--------------------------------------------------------------------------
HJT Isa
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:33:06, on 13/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
E:\Arquivos de programas\Messenger\msmsgs.exe
E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Arquivos de programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Arquivos de programas\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "E:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "E:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe



--------------------------------------------------------------------------
HJT Raq
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:28:48, on 13/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
E:\Arquivos de programas\MSN Messenger\msnmsgr.exe
E:\Arquivos de programas\Messenger\msmsgs.exe
E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Arquivos de programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Arquivos de programas\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKCU\..\Run: [msnmsgr] "E:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] E:\Arquivos de programas\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

[POADB]

Please download the following:

HomeSearchFix

CWShredder - Save it to Desktop.

• Open CWShredder and click - I AGREE
• Click - Check For Update
• Close CWShredder after updating

Disconnect from the Internet.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE

1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
3. Continue to do so until the 'Windows Advanced Options' menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CWShredder & click on [Fix].

Unzip HomeSearchFix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Reboot your computer back to Normal Mode and re-run Panda. Post the results. If the scan is clean - just say so.

[ehgpdantas]

Hi,

Panda still found a problem.


Incident Status Location

Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry

[POADB]

Then it's an orpaned entry.. You won't have to worry about it.

You could try:

Download CCleaner - Install

When you have installed it, click on the Registry tab and then click - Scan for issue. When it has finished scanning click Fix selected issues You may do this a few times.

Otherwise Your system is CLEAN

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Create a new System Restore point
   • click Start >> Run - type SYSDM.CPL & press Enter
   • select the System Restore Tab
   • tick on the checkbox - "Turn off System Restore on all drives"
   • click Apply
   • then untick the same checkbox & click OK
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
   
   
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   Understanding and Using Firewalls
   fgfgfgfg
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
   
   
8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
   
   
9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety

• IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
  
• MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software
  

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[ehgpdantas]

Thank you.