help with Dialer.BTG please?

Name: tdaipra
Date: June 12, 2006 at 16:18:42 Pacific
OS: WinXP/Slackware 10.1
CPU/Ram: Semprom 1.6 / 512 mB RAM
Product: Amd
Comment:

Well... it's just the same thing as the others that need help.
AVG keeps finding it and I can't find the source... so any help is welcome ^^

Response Number 1
Name: jabuck
Date: June 12, 2006 at 20:11:10 Pacific
Reply:

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "Next" in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

We will need some tools.

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ Don't run it yet.

Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Don't run it yet.

Be sure to update Ewido.

Download Killbox to your desktop from this link: Killbox. Don't run it yet.

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.


Response Number 2
Name: tdaipra
Date: June 13, 2006 at 06:12:38 Pacific
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:23, on 13/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Thiago\Alcohol\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\DSLink180U\Adsl\dslstat.exe
C:\Program Files\DSLink180U\Adsl\dslagent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\DOBE~1\chkdsk.exe
C:\WINDOWS\system32\sistray.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/mail?.intl=br
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = chasqueproxy.ufrgs.br:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\DSLink180U\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\DSLink180U\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] E:\Thiago\Puxa Rapido\Atualiza.exe
O4 - HKCU\..\Run: [Mosl] "C:\WINDOWS\system32\DOBE~1\chkdsk.exe" -vt yazr
O4 - Startup: Reboot.exe
O4 - Global Startup: KYESCAN.lnk = C:\Arquivos de programas\ScannerP\kyescan.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14BAD614-9D02-4563-BCB7-489766424545}: NameServer = 200.175.89.139 200.175.5.139
O17 - HKLM\System\CS1\Services\Tcpip\..\{14BAD614-9D02-4563-BCB7-489766424545}: NameServer = 200.175.89.139 200.175.5.139
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Thiago\Alcohol\Alcohol 120\StarWind\StarWindService.exe
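A small triage script for a HijackThis log like the one posted above; this is an added example, not part of the original thread or of HijackThis itself. It assumes a default Windows XP layout with Windows in C:\WINDOWS, and the names `parse`, `triage` and `HOME` are hypothetical. It only lists entries for manual review and does not decide whether a file is malicious.

```python
import ntpath
import re

# Selected lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DOBE~1\chkdsk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Mosl] "C:\WINDOWS\system32\DOBE~1\chkdsk.exe" -vt yazr
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                    # e.g. "O4 - ..."
PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.I)    # first .exe/.dll path

# Assumption: default XP install, Windows in C:\WINDOWS.
# Usual folder for a few well-known system tool names.
HOME = {name: r"c:\windows\system32" for name in (
    "chkdsk.exe", "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "smss.exe", "spoolsv.exe")}
HOME["explorer.exe"] = r"c:\windows"

def parse(log):
    """Yield (section, text); bare paths under 'Running processes' get 'PROC'."""
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2)
        elif PATH.match(line):
            yield "PROC", line

def triage(log):
    """Return sorted (section, reason, detail) findings for manual review."""
    findings = set()
    for section, text in parse(log):
        if text.endswith("(file missing)"):
            findings.add((section, "target file missing", text))
        for path in PATH.findall(text):
            folder, name = ntpath.split(path.lower())
            if name in HOME and folder != HOME[name]:
                findings.add((section, "system tool name outside its usual folder", path))
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
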

Response Number 3
Name: jabuck
Date: June 13, 2006 at 15:53:58 Pacific
Reply:

Please download SmitRemFix from this link http://siri.geekstogo.com/SmitfraudFix.php Then extract the contents to your desktop.

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Response Number 4
Name: tdaipra
Date: June 14, 2006 at 04:29:18 Pacific
Reply:

SmitFraudFix v2.60

Scan done at 8:27:47,60, qua 14/06/2006
Run from C:\Documents and Settings\XP\Desktop\SmitfraudFix
OS: Microsoft Windows XP [versão 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\XP\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\XP\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Arquivos de programas


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Minha página inicial atual"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Response Number 5
Name: jabuck
Date: June 14, 2006 at 14:28:39 Pacific
Reply:

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd"
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if "wininet.dll" is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Reboot into safe mode.

Run Ewido from safe mode and let it delete all that it finds.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot to normal mode.

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it along with a new Hijack This log.

