Help me with HOOWAH and LINKS on the web pages

[fabricio]

Please,

I need some help fixing the HOOWAH popup´s and the sponsored links on the web pages. How can i fix it? I´ve read some posts and below is my HiJackThis:
The word from my web pages now have some sponsored links.
Please, help me in fixing these problems.

Fabricio


Logfile of HijackThis v1.99.1
Scan saved at 12:39:46, on 07/02/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\ARQUIVOS DE PROGRAMAS\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\PLANET\PLANNET WIRELESS LAN CONFIGURE UTILITY\RTLWAKE.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\MEUS DOCUMENTOS\FABRíCIO\JOGOS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSS8245.DLL
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\SYSTEM\IRASHPQY.DLL
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\SYSTEM\IRSMMAOX.DLL
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEHABN.DLL
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Camera Detector] C:\ARQUIV~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\SYSTEM\irasyncd.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\SYSTEM\irssyncd.exe
O4 - Startup: WL-8303.lnk = C:\Arquivos de programas\PLANET\Plannet Wireless Lan Configure Utility\RtlWake.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: Inicialização rápida do HP Image Zone.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.embraer.com.br/iNotes.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = www.sbs-net.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.149.134.5

[guestolo]

Can you do the following please

Make sure you have the latest versions of the first 2 scanners I post
If you don't, uninstall your versions from add/remove programs and install the latest

Download and Install Ad-Aware SE Personal 1.06

Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Don't run a scan yet

Download and Install Spybot 1.4 from
HERE
 or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check the boxes, and then download all updates
After the updates are complete
Close it out for now, we'll need it later

==Download and Install
Windows Cleanup! 4.0
Don't run this yet,

Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start >Programs menu).
Press the CleanUp! button to start the program.
Let it finish it's scan
When it's done, decline to restart the computer

Remain in safe mode

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Please reboot your computer at this time
On Restart, please restart back into safe mode

Back in Safe Mode
Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

Reboot back to Normal mode
Back in Windows

Come back here and post a fresh hijackthis log

[fabricio]

Thanks a lot Guestolo!!! I really appreciate your help! http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' /> http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />
Did all the procedures you asked. It looks fine now, no green links and no hoowah. The clean up remove a huge amount of files, incredible!

Here´s the last log file:

Logfile of HijackThis v1.99.1
Scan saved at 19:02:24, on 08/02/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\ARQUIVOS DE PROGRAMAS\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\PLANET\PLANNET WIRELESS LAN CONFIGURE UTILITY\RTLWAKE.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\MEUS DOCUMENTOS\FABRíCIO\JOGOS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\SYSTEM\IRSMMAOX.DLL
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEHABN.DLL
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Camera Detector] C:\ARQUIV~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\SYSTEM\irssyncd.exe
O4 - Startup: WL-8303.lnk = C:\Arquivos de programas\PLANET\Plannet Wireless Lan Configure Utility\RtlWake.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: Inicialização rápida do HP Image Zone.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.embraer.com.br/iNotes.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = www.sbs-net.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.149.134.5



hoowah still happening!!!

[guestolo]

Can you do the following please
I would like to check on something

Please download QooFix9x and save it to your desktop.  Do NOT run it yet.

Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched

O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\SYSTEM\IRSMMAOX.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\SYSTEM\irssyncd.exe

If you don't recognize these next activex controls
Fix them too, they wil be reinstalled if needed
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.embraer.com.br/iNotes.cabO16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot into safe mode
You must be in safe mode to run the next tool

Double-click QooFix9x.exe and unzip it to the desktop.  Open the QooFix9x folder on your desktop and run RunThis.bat.  If you get a warning about running MS-DOS programs in Safe Mode, please just click OK to continue.  Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the QooFix9x folder.

[fabricio]

Guestolo,
I checked and removed the lines
R3 - Default URLSearch is missing
F1 - win.ini: run=hpfsched
and the others. The activeX i know the first and the last one. I removed the middle one.

But I think that I should not have removed. It stopped my computer. when i entered in the safe mode, nothing was working on the windows. no icons, no keyboard shortcuts, nothing. I tried to entere in the normal mode and nothing was working again. It asked me to register my windows again, with the name, keys, etc. then the same problem as in the safe mode.

i send the computer to a shop and they found out that I had a virus and that I should not have remove the F1 - win.ini: run=hpfsched.

But it seems to be working now. no popups (hoowah) and no green links.

Here´s the logfile:
I think is the same as before.

Appreaciate your help!!


Logfile of HijackThis v1.99.1
Scan saved at 17:35:44, on 09/02/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\ARQUIVOS DE PROGRAMAS\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\PLANET\PLANNET WIRELESS LAN CONFIGURE UTILITY\RTLWAKE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\MEUS DOCUMENTOS\FABRíCIO\JOGOS\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT\SPYBOT~1\SDHELPER.DLL
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEHABN.DLL
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\SYSTEM\IRSMMAOX.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\ARQUIVOS DE PROGRAMAS\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Camera Detector] C:\ARQUIV~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\SYSTEM\irssyncd.exe
O4 - Startup: WL-8303.lnk = C:\Arquivos de programas\PLANET\Plannet Wireless Lan Configure Utility\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - <a href='http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab' target='_blank' rel='nofollow'>http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab</a>
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.embraer.com.br/iNotes.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = www.sbs-net.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.149.134.5

[guestolo]

There was no harm in removing that F1 line in your log
That would have no effect on the system
It's a reminder from HP and that's all!
Don't let them overrate what it really is
You can leave it if you want
They did more than try and remove a virus, they also removed Internet explorer 6
Your now running an older version of IE which will not have all the security patches

I don't like the way the shop left your computer
Can you please do the following
Use Internet Explorer and Run the online Panda ActiveScan
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete
 click See Report, then click Save Report and save it to your Desktop.

Post this report back here please
You still show signs of malware in your log

[guestolo]

Since the user has not returned, this topic is locked