Very Slow PC


Post by sined » October 22nd, 2006, 4:26 am

Hi,

My PC is getting really slow, above all when scrolling/opening/closing windows. I have the feeling this is due to some spyware/malware. I noticed a running WINWORD.exe instance even though I've never run Winword but just restarted the PC.

Here is the HJT log.

Thanks, Sined


--------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 10.24.38, on 22/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://aulavirtuale.metid.polimi.it/Sit ... aterAx.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/in ... all_it.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Programmi\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Post by Bob4 » October 26th, 2006, 7:47 am

_________________________________
Welcome to the Malware removal forums. I will be more than happy to help you work on your problems.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please, if you decide to seek help at another forum, let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!




______________________________
HJT
Run HijackThis, choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.




R3 - Default URLSearchHook is missing
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - <http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall_it.cab>

Let's look a bit further, as nothing seems serious in your log.




______________________________
Download and install CCleaner from here.
NOTE: Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option .

If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.


Now open the program and click on Run Cleaner
( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).

You may opt out of cleaning cookies. If you clean them, all you will have to do is retype names and passwords for places you visit on the net 1 time.
I clean all my cookies out from time to time. It's not that big a deal if you remember passwords.
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla



___________________________________
Download AVG Anti-Spyware.

  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.

    • At the top of the main screen click Update.

      • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close AVG.

If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates
Do not use it yet.


________________________________________
Safe mode:
Please reboot to safe mode:
After the very first black screen, start tapping the F8 key until prompted with a list; choose Safe Mode.




_________________________________________
AVG Part 2
AVG
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
Click on scanner
Click on Settings
Under How to act
Choose quarantine

Under Reports check automatically create report after every scan.
Now back to the scan tab and click on Complete system scan.

Let the program scan the machine.
When finished, click Apply all actions.


Exit AVG.
It will save a log in C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Reboot normally.

Post the log from AVG.





_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.


In your next reply I need to see the following

  • A new HJT log
  • the report from AVG
  • The report from Kaspersky's


The winword.exe file you see is a legitimate program. It's probably configured to start up automatically.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
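As an added illustration of the triage Bob4 does by eye on the HijackThis log above (this is an example written for this page, not a MalwareRemoval.com or HijackThis tool), the script below parses HJT 1.99-style log lines and flags the same classes of entry he picked out: a missing default (the R3 line), a Global Startup shortcut whose target resolves to "?", an O16 ActiveX download with no control name, entries marked "(file missing)", O23 services with "Unknown owner", the O17 DNS servers, and a process running many times over (the five IEXPLORE.EXE instances in the first log). The rules are my own heuristics and the finding labels are my naming; they select what a helper should review, not what is malicious. The sample log is an excerpt of the one posted in the thread.

```python
"""Triage a HijackThis 1.99 log: flag the entry types a helper reviews first.

Added example for this thread, not a MalwareRemoval.com or HijackThis tool.
The heuristics (orphaned entries, unresolved shortcut targets, unnamed ActiveX
downloads, services with an unknown owner, DNS servers, repeated processes)
are the author's own; they pick entries to *review*, not verdicts.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Excerpt of the log posted in the thread (the lines Bob4 asked to have fixed, plus context).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE
C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE
C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE
C:\\Programmi\\Microsoft Office\\OFFICE11\\WINWORD.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [ccApp] "C:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe"
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/in ... all_it.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\\Programmi\\ewido anti-spyware 4.0\\guard.exe (file missing)
"""

# HJT entries look like "O4 - <body>"; R/F/N/O are the section letters HJT 1.99 uses.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (Friendly Name) - URL"; the friendly name is optional.
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_log(text):
    """Split a HijackThis log into the running-process list and the typed entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("type"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text, repeat_threshold=3):
    """Return findings worth a human's attention (dicts with kind/entry/detail)."""
    processes, entries = parse_log(text)
    findings = []
    for etype, body in entries:
        if etype == "R3" and body.endswith("is missing"):
            findings.append({"kind": "missing_default", "entry": body,
                             "detail": "default IE search hook absent; fixing restores the default"})
        if etype == "O4" and body.startswith("Global Startup:") and body.endswith("= ?"):
            findings.append({"kind": "unresolved_shortcut", "entry": body,
                             "detail": "startup shortcut whose target cannot be resolved"})
        if etype == "O16":
            d = DPF_RE.match(body)
            if d and not d.group("name"):
                host = urlparse(d.group("url")).netloc
                findings.append({"kind": "unnamed_activex", "entry": body,
                                 "detail": f"ActiveX control with no friendly name, hosted on {host}"})
        if "(file missing)" in body:
            findings.append({"kind": "orphaned_file", "entry": body,
                             "detail": "entry points at a file that no longer exists (uninstall leftover)"})
        if etype == "O23" and "- Unknown owner -" in body:
            findings.append({"kind": "unknown_owner", "entry": body,
                             "detail": "service binary carries no publisher information; verify the file"})
        if etype == "O17":
            n = NAMESERVER_RE.search(body)
            if n:
                findings.append({"kind": "dns_servers", "entry": body,
                                 "detail": n.group("servers").split()})
    # Many copies of one process (IEXPLORE.EXE x5 in the first log) deserve a look too.
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for name, n in counts.items():
        if n >= repeat_threshold:
            findings.append({"kind": "repeated_process", "entry": name,
                             "detail": f"{n} instances running"})
    return findings


def kinds(findings):
    """Count findings per kind: a compact summary for a reply in the thread."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:20} {f['entry'][:70]}")
        print(f"{'':20} -> {f['detail']}")
```

Run as a script it prints one finding per line. The O17 finding is listed so the nameservers can be compared with the ones the ISP actually hands out; the "unknown owner" and "file missing" hits are typically leftovers of an uninstall (the ewido service entry in the thread points at a file that is already gone), which is why the script lists them for review instead of deciding anything about them.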

Post by sined » October 29th, 2006, 6:30 pm

Hi,

I got this error when trying to execute the steps you told me for HJT:

-----------------------------------
Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.
------------------------------------

Anyway, I just continued doing the rest and the following are the results.

Thanks for your help,

Sined



-----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23.24.17, on 29/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://aulavirtuale.metid.polimi.it/Sit ... aterAx.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Programmi\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe


------------------------------------------------------------------------------------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 29, 2006 11:20:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/10/2006
Kaspersky Anti-Virus database records: 236099
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 92220
Number of viruses found: 15
Number of infected objects: 56 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:16:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Support\WDLog-08212006-153348.log Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280000.VBN Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07B40000.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08740000.VBN Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08740001.VBN Infected: Trojan-Clicker.Win32.Small.mc skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08740002.VBN Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\092C0000.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AE80000.VBN Infected: Packed.Win32.PolyCrypt.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AE80001.VBN Infected: Packed.Win32.PolyCrypt.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AE80002.VBN Infected: Packed.Win32.PolyCrypt.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AE80003.VBN Infected: Packed.Win32.PolyCrypt.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AE80004.VBN Infected: Packed.Win32.PolyCrypt.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AE80005.VBN Infected: Packed.Win32.PolyCrypt.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B6C0000.VBN Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B6C0001.VBN Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN Infected: Trojan-PSW.Win32.Agent.ik skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B980002.VBN Infected: Trojan.Win32.Gload.e skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DEC0000.VBN Infected: Trojan-Clicker.Win32.Small.mc skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DEC0001.VBN Infected: Trojan.Win32.Obfuscated.d skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DEC0003.VBN Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640000.VBN Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640001.VBN Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640002.VBN Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640003.VBN Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640004.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640005.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640006.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840000.VBN Infected: Trojan.Win32.Obfuscated.d skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F080000.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0000.VBN/avenger/lykeh1.dll Infected: Trojan-Downloader.Win32.Agent.bq skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0001.VBN/avenger/lykeh1.dll Infected: Trojan-Downloader.Win32.Agent.bq skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0001.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0002.VBN Infected: Trojan.Win32.Gload.e skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0003.VBN Infected: Trojan.Win32.Gload.e skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0004.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0005.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0006.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0007.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0008.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0009.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C000A.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C000B.VBN Infected: Trojan.Win32.Gload.g skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0000.VBN Infected: Trojan-PSW.Win32.Agent.ik skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA40000.VBN Infected: Trojan-Dropper.Win32.Small.asf skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\xp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\xp\Dati applicazioni\Microsoft\Outlook\Accenture MAPI.srs Object is locked skipped
C:\Documents and Settings\xp\Dati applicazioni\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\xp\Documenti\CDC Drivers\Interfree\Interdialer\Idialer.exe/data/InstID.exe Infected: not-a-virus:Dialer.Win32.InterDialer.a skipped
C:\Documents and Settings\xp\Documenti\CDC Drivers\Interfree\Interdialer\Idialer.exe/data/Interdialer.exe Infected: not-a-virus:Dialer.Win32.InterDialer.a skipped
C:\Documents and Settings\xp\Documenti\CDC Drivers\Interfree\Interdialer\Idialer.exe/data Infected: not-a-virus:Dialer.Win32.InterDialer.a skipped
C:\Documents and Settings\xp\Documenti\CDC Drivers\Interfree\Interdialer\Idialer.exe PaquetBuilder: infected - 3 skipped
C:\Documents and Settings\xp\Documenti\Utility\mIRC\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\xp\Documenti\Utility\mIRC\mirc616.exe mIRC: infected - 1 skipped
C:\Documents and Settings\xp\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbdam Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbdao Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbeam Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbeao Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbm Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\fii.cf1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\archive1.pst Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Temp\ExchangePerflog_8484fa31f13ab90a655a6714.dat Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Temp\~DFD7B8.tmp Object is locked skipped
C:\Documents and Settings\xp\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\xp\Local Settings\Application Data\Microsoft\Outlook\Accenture\ACNOutlook03.ost Object is locked skipped
C:\Documents and Settings\xp\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\xp\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Network ICE\BlackICE\blackice-service.log Object is locked skipped
C:\Programmi\File comuni\System\AJo.exe Object is locked skipped
C:\Programmi\File comuni\System\aPr.exe Object is locked skipped
C:\Programmi\File comuni\System\AYZhyE.exe Object is locked skipped
C:\Programmi\File comuni\System\BSY.exe Object is locked skipped
C:\Programmi\File comuni\System\dbJGGn.exe Object is locked skipped
C:\Programmi\File comuni\System\Dsm.exe Object is locked skipped
C:\Programmi\File comuni\System\eWKLPx.exe Object is locked skipped
C:\Programmi\File comuni\System\FTbqQ.exe Object is locked skipped
C:\Programmi\File comuni\System\Gru.exe Object is locked skipped
C:\Programmi\File comuni\System\Hqu.exe Object is locked skipped
C:\Programmi\File comuni\System\iLJr.exe Object is locked skipped
C:\Programmi\File comuni\System\krn.exe Object is locked skipped
C:\Programmi\File comuni\System\kSHCT.exe Object is locked skipped
C:\Programmi\File comuni\System\mCl.exe Object is locked skipped
C:\Programmi\File comuni\System\MuH.exe Object is locked skipped
C:\Programmi\File comuni\System\rRmg.exe Object is locked skipped
C:\Programmi\File comuni\System\rsr.exe Object is locked skipped
C:\Programmi\File comuni\System\rZus.exe Object is locked skipped
C:\Programmi\File comuni\System\sAA.exe Object is locked skipped
C:\Programmi\File comuni\System\Texvly.exe Object is locked skipped
C:\Programmi\File comuni\System\Tnh.exe Object is locked skipped
C:\Programmi\File comuni\System\Wlhk.exe Object is locked skipped
C:\Programmi\File comuni\System\YrLG.exe Object is locked skipped
C:\Programmi\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Programmi\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{03040184-76C0-45DD-9FC9-678823937A85}\RP416\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\WPD\wpdtrace.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{924CD575-9642-4152-B518-4E9DD719CC2F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\obbedbfl.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\v6cichrv.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm
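The Kaspersky online-scanner report pasted above has three line shapes: `<path> Infected: <name> skipped`, `<path> Object is locked skipped`, and `<path> <container>: infected - <n> skipped`. The script below is an added triage example (mine, not from the thread or from Kaspersky): it parses those lines, separates real detections from `not-a-virus` adware/dialer hits and from merely locked files, and flags directories holding several locked executables, a heuristic of my own; the sample lines are a constructed subset copied from the report.

```python
"""Triage helper for the scanner report format quoted in the thread (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of lines in the exact format of the pasted report.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0001.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0002.VBN Infected: Trojan.Win32.Gload.e skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Programmi\File comuni\System\AJo.exe Object is locked skipped
C:\Programmi\File comuni\System\aPr.exe Object is locked skipped
C:\Programmi\File comuni\System\AYZhyE.exe Object is locked skipped
C:\WINDOWS\system32\obbedbfl.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\Documents and Settings\xp\Documenti\Utility\mIRC\mirc616.exe mIRC: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# One regex per line shape; paths may contain spaces, so the path group is non-greedy
# and the fixed trailer of each shape decides where the path ends.
RE_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
RE_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
RE_CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<container>[^\s:]+): infected - (?P<count>\d+) skipped$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "malware", "pua", "container" or "locked"
    detail: str  # detection name, container type, or "" for locked objects
    count: int = 1


def parse_line(line):
    """Return a Finding for a report line, or None for headers, blanks and trailers."""
    line = line.rstrip()
    m = RE_INFECTED.match(line)
    if m:
        name = m.group("name")
        # Kaspersky prefixes adware, dialers and riskware with "not-a-virus:".
        kind = "pua" if name.startswith("not-a-virus:") else "malware"
        return Finding(m.group("path"), kind, name)
    m = RE_LOCKED.match(line)
    if m:
        return Finding(m.group("path"), "locked", "")
    m = RE_CONTAINER.match(line)
    if m:
        return Finding(m.group("path"), "container", m.group("container"),
                       int(m.group("count")))
    return None


def parse_scan_log(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per kind, e.g. {'malware': 1, 'locked': 5, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.kind] += 1
    return dict(counts)


def detections(findings):
    """Distinct detection names among real malware hits (PUA excluded)."""
    return sorted({f.detail for f in findings if f.kind == "malware"})


def locked_exe_clusters(findings, min_files=3):
    """Directories holding at least min_files locked .exe files -> sorted file names.

    Heuristic (mine): a cluster of executables that the scanner could not open,
    all sitting in one directory, deserves manual review of each file.
    """
    by_dir = defaultdict(list)
    for f in findings:
        if f.kind != "locked" or not f.path.lower().endswith(".exe"):
            continue
        directory, _, name = f.path.rpartition("\\")
        by_dir[directory].append(name)
    return {d: sorted(names) for d, names in by_dir.items() if len(names) >= min_files}


if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    print("summary:", summarize(found))
    print("malware families:", detections(found))
    for directory, names in locked_exe_clusters(found).items():
        print("review locked executables in", directory, "->", ", ".join(names))
```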

Unread postby Bob4 » October 29th, 2006, 6:57 pm

When you can, post the log from AVG Anti-Malware.

Also tell me who your Internet service provider is.
Does this look like them?
Telecom Italia SPA




______________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the file paths; copy and paste these file paths, one at a time:


C:\WINDOWS\system32\obbedbfl.ini

C:\WINDOWS\system32\v6cichrv.ini


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby sined » November 3rd, 2006, 5:11 am

Hi...here are the required logs.

Thanks a lot, Sined


---------------------------------------------------------
AVG Anti-Spyware - Rapporto scansione
---------------------------------------------------------

+ Creato alle: 19.12.57 01/11/2006

+ Risultato scansione:



C:\Documents and Settings\xp\Cookies\xp@2o7[2].txt -> TrackingCookie.2o7 : Nessuna operazione eseguita.
C:\Documents and Settings\xp\Cookies\xp@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Nessuna operazione eseguita.
C:\Documents and Settings\xp\Cookies\xp@atdmt[2].txt -> TrackingCookie.Atdmt : Nessuna operazione eseguita.
C:\Documents and Settings\xp\Cookies\xp@doubleclick[1].txt -> TrackingCookie.Doubleclick : Nessuna operazione eseguita.
C:\Documents and Settings\xp\Cookies\xp@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nessuna operazione eseguita.
C:\Documents and Settings\xp\Cookies\xp@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Nessuna operazione eseguita.


::Fine rapporto



----------------------------------------------------------------------------------



File: obbedbfl.ini
Status: INFECTED/MALWARE
MD5 335dbf51169f21ad88e1360ee58f547a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Sahat.ao
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing







File: v6cichrv.ini
Status: INFECTED/MALWARE
MD5 ef21f62d7428938495d34f16e275a11f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Adware.Sahat-3
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Sahat.ao
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Unread postby Bob4 » November 3rd, 2006, 6:54 am

____________________________
Please download the Killbox by Option^Explicit

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\obbedbfl.ini
C:\WINDOWS\system32\v6cichrv.ini
C:\Programmi\File comuni\System\AJo.exe
C:\Programmi\File comuni\System\AYZhyE.exe
C:\Programmi\File comuni\System\BSY.exe
C:\Programmi\File comuni\System\dbJGGn.exe
C:\Programmi\File comuni\System\Dsm.exe
C:\Programmi\File comuni\System\eWKLPx.exe
C:\Programmi\File comuni\System\FTbqQ.exe
C:\Programmi\File comuni\System\Gru.exe
C:\Programmi\File comuni\System\Hqu.exe
C:\Programmi\File comuni\System\iLJr.exe
C:\Programmi\File comuni\System\krn.exe
C:\Programmi\File comuni\System\kSHCT.exe
C:\Programmi\File comuni\System\mCl.exe
C:\Programmi\File comuni\System\MuH.exe
C:\Programmi\File comuni\System\rRmg.exe
C:\Programmi\File comuni\System\rsr.exe
C:\Programmi\File comuni\System\rZus.exe
C:\Programmi\File comuni\System\sAA.exe
C:\Programmi\File comuni\System\Texvly.exe
C:\Programmi\File comuni\System\Tnh.exe
C:\Programmi\File comuni\System\Wlhk.exe
C:\Programmi\File comuni\System\YrLG.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



_____________________

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please post the contents of the ComboFix log.
And a new HJT log.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby Bob4 » November 3rd, 2006, 8:20 am

I will be leaving for a weekend trip and back on Sunday.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby sined » November 3rd, 2006, 12:16 pm

Here are the logs!

Thanks Bob and have a nice weekend,

Sined


-----------------------------------------------------------------------------------

xp - 06-11-03 17.11.02,54 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\xp\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\xp\Dati applicazioni\Install.dat


((((((((((((((((((((((((((((((( Files Created from 2006-10-03 to 2006-11-03 ))))))))))))))))))))))))))))))))))


2006-10-27 20:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-03 17:09 -------- d-------- C:\Documents and Settings\xp\Dati applicazioni\Skype
2006-11-03 17:08 -------- d-------- C:\Programmi\Symantec AntiVirus
2006-11-01 17:21 -------- d-------- C:\Documents and Settings\xp\Dati applicazioni\AdobeUM
2006-10-29 23:24 -------- d-------- C:\Programmi\Hijackthis
2006-10-27 20:11 -------- d-------- C:\Programmi\Grisoft
2006-10-27 20:11 -------- d-------- C:\Programmi\ewido anti-spyware 4.0
2006-10-27 20:05 -------- d-------- C:\Programmi\CCleaner
2006-10-22 21:43 -------- d-------- C:\Documents and Settings\xp\Dati applicazioni\U3
2006-10-17 21:12 -------- d-------- C:\Documents and Settings\xp\Dati applicazioni\Google
2006-10-17 16:52 -------- d-------- C:\Programmi\Google
2006-10-01 20:43 -------- d-------- C:\Programmi\DivX
2006-10-01 20:18 -------- d-------- C:\Documents and Settings\xp\Dati applicazioni\CyberLink
2006-09-18 19:11 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 19:11 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 19:11 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 19:11 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-14 09:53 -------- d-------- C:\Programmi\MSN Messenger
2006-09-13 06:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-05 10:36 -------- d-------- C:\Programmi\MySpeed PC
2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:59 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-12 17:30 12249 --a------ C:\delfiles.bat
2006-08-11 18:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 18:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 18:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 18:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 18:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 18:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 18:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 18:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 18:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 18:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 18:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 18:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 18:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 18:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LogitechSoftwareUpdate"="C:\\Programmi\\Logitech\\Video\\ManifestEngine.exe boot"
"Google Desktop Search"="\"C:\\Programmi\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Skype"="\"C:\\Programmi\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"swg"="C:\\Programmi\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"RemoteControl"="C:\\Programmi\\CyberLink\\PowerDVD\\PDVDServ.exe"
"HP Component Manager"="\"C:\\Programmi\\HP\\hpcoretech\\hpcmpmgr.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programmi\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Programmi\\Logitech\\Video\\LogiTray.exe"
"ccApp"="\"C:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"HP Software Update"="C:\\Programmi\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Programmi\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Programmi\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Programmi\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Programmi\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061027-210051-156
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/in ... all_it.cab
backup-20061027-210051-364
R3 - Default URLSearchHook is missing
backup-20061027-210051-377
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
backup-20061019-125938-789
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.easyaccesssite.com/10243-23.exe
backup-20061019-125938-872
O23 - Service: NIEFMEUB - Unknown owner - C:\DOCUME~1\xp\IMPOST~1\Temp\NIEFMEUB.exe (file missing)
backup-20061019-125937-564
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://12.36.103.133/push.cab
backup-20060823-144239-137
O16 - DPF: {ECDFD956-C2EC-44F8-A553-3837EAA31F5C} - http://gromozon.com/eb2570a8/50400/1/xp/FreeAccess.ocx
backup-20060821-110250-844
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
backup-20060817-144726-328
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
backup-20060815-220157-293
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
backup-20060815-220157-376
R3 - Default URLSearchHook is missing
backup-20060813-161311-892
O2 - BHO: Class - {9402C8B6-4907-B268-996F-9EEF8A3BE369} - C:\WINDOWS\lykeh1.dll (file missing)
backup-20060813-161311-924
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcmt.exe (file missing)
backup-20060813-161311-112
R3 - Default URLSearchHook is missing
backup-20060813-161311-101
O4 - HKLM\..\Run: [lesv1.exe] C:\WINDOWS\TEMP\lesv1.exe
backup-20060813-161311-287
O4 - HKLM\..\Run: [sysmt.exe] C:\WINDOWS\system32\sysmt.exe
backup-20060813-161311-132
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20060812-185023-423
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/ihr/us091/ihr.cab
backup-20060812-185022-903
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.trafficredlight.net/10257-23.exe
backup-20060812-185021-947
O16 - DPF: {3C07C100-8745-4522-A398-361D1BF695D4} - http://xearl.com/5ef68ad4/52128/1/xp/FreeAccess.ocx
backup-20060812-184856-900
O15 - Trusted Zone: http://www.skymasters.biz
backup-20060812-184856-868
O15 - Trusted Zone: http://www.new-access.biz
backup-20060812-184856-557
O15 - Trusted Zone: http://www.contentcooler.biz
backup-20060812-184856-263
O15 - Trusted Zone: http://www.redfunny.com
backup-20060812-184856-640
O15 - Trusted Zone: http://www.archiviosex.net

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-03 17:12:09.90
C:\ComboFix.txt ... 06-11-03 17:12


-----------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 17.14.32, on 03/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://aulavirtuale.metid.polimi.it/Sit ... aterAx.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F309C8-1ABF-4E45-966F-9459F1EEDD79}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Programmi\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Unread postby Bob4 » November 5th, 2006, 9:07 pm

Download GMER's application from here

Save it to your desktop.

Create a new folder in c: drive called Gmer

Click on Start then My Computer then double click Local Disk C:

Now right click anywhere on the open window and choose New, then Folder. Type in GMER and hit the Enter key.

Unzip the GMER zip file by double clicking on the desktop icon and save it to the GMER folder you just made.

Now Navigate to that folder (Gmer)
and double click the GMER.exe file

Click the Rootkit tab and click the Scan button.

IMPORTANT: Do NOT use the computer while the scan is in progress.

Please, do not select the "Show all" checkbox during the scan.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby sined » November 11th, 2006, 4:52 pm

Hi,

here is the log.

Thanks, Sined


----------------------------------------------------------------------------------

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-11 21:51:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT E1E00DE8 ZwConnectPort
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!IPRcvPacket + 27 AA8D55C7 8 Bytes JMP F72DC251 BlackDrv.sys
.text tcpip.sys!IPTransmit + 5 AA8D6C43 6 Bytes JMP F72DBFFD BlackDrv.sys
.text tcpip.sys!SetIPSecPtr + 10 AA8EB180 6 Bytes CALL F72DBE2E BlackDrv.sys
.text tcpip.sys!tcpxsum + 6F55 AA8F803D 1 Byte
.text ipfltdrv.sys F7693037 3 Bytes

---- Devices - GMER 1.0.12 ----

Device \Driver\IpFilterDriver \Device\IPFILTERDRIVER IRP_MJ_DEVICE_CONTROL [F72E995E] BlackDrv.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\xp\Documenti\Immagini\07 Piscina e altre\CIMG0311.JPG:SummaryInformation
ADS C:\Documents and Settings\xp\Documenti\Immagini\07 Piscina e altre\CIMG0311.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\xp\Documenti\Immagini\Immagini Logitech\Immagini e video\Immagine 2.jpg:SummaryInformation
ADS C:\Documents and Settings\xp\Documenti\Immagini\Immagini Logitech\Immagini e video\Immagine 2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\xp\Documenti\My Ebay\Scarponi\Scarponi_touched.jpg:SummaryInformation
ADS C:\Documents and Settings\xp\Documenti\My Ebay\Scarponi\Scarponi_touched.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\xp\Documenti\My Jobs\CV\Isa.jpg:SummaryInformation
ADS C:\Documents and Settings\xp\Documenti\My Jobs\CV\Isa.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\msdfmap.ini:ffsnul
ADS C:\WINDOWS\Pietra verde.bmp:logbz
ADS C:\WINDOWS\pss\win.ini.backup:xsjez
ADS ...

---- EOF - GMER 1.0.12 ----
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm
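The GMER report above is plain text, so a first triage pass over it can be scripted. This is an added example, not GMER's or the forum's own code: it splits the report into its sections, lists SSDT and inline kernel hooks by the module they resolve to (here BlackDrv.sys, a BlackICE driver; the product's services appear in the O23 lines), and picks out alternate data streams whose names are not ones Windows writes itself, which is exactly the set of streams the helper asks to have removed. The sample report is a constructed excerpt of the log, and BENIGN_STREAMS is my own allow-list, not GMER's.

```python
import re
from collections import defaultdict
# Constructed excerpt in the format of the GMER 1.0.12 report above (not the full log).
SAMPLE_LOG = """\
---- System - GMER 1.0.12 ----
SSDT E1E00DE8 ZwConnectPort
SSDT \\??\\C:\\Programmi\\Grisoft\\AVG Anti-Spyware 7.5\\guard.sys ZwOpenProcess
---- Kernel code sections - GMER 1.0.12 ----
.text tcpip.sys!IPRcvPacket + 27 AA8D55C7 8 Bytes JMP F72DC251 BlackDrv.sys
.text ipfltdrv.sys F7693037 3 Bytes
---- Files - GMER 1.0.12 ----
ADS C:\\Documents and Settings\\xp\\Documenti\\CV\\Isa.jpg:SummaryInformation
ADS C:\\WINDOWS\\msdfmap.ini:ffsnul
ADS C:\\WINDOWS\\Pietra verde.bmp:logbz
ADS ...
"""
# Streams Windows itself attaches to user files (property summary, thumbnail GUID);
# any other named stream, above all on a file under %SystemRoot%, deserves a look.
BENIGN_STREAMS = {"SummaryInformation", "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"}
HOOK_RE = re.compile(r"^\.text (?P<fn>\S+)(?: \+ \S+)? \S+ \d+ Bytes?"
                     r"(?: (?:JMP|CALL) \S+ (?P<mod>\S+))?$")

def parse_gmer(text):
    """Split a GMER text report into {section name: [non-empty lines]}."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"^---- (.+?) - GMER", line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections

def ssdt_hooks(sections):
    """(hooking module or bare address, syscall); a bare address means GMER could not map it."""
    return [tuple(l[5:].rsplit(" ", 1)) for l in sections["System"] if l.startswith("SSDT ")]

def inline_hooks(sections):
    """Patched kernel functions grouped by the module the patch jumps into."""
    by_module = defaultdict(list)
    for l in sections["Kernel code sections"]:
        m = HOOK_RE.match(l)
        if m:
            by_module[m.group("mod") or "(unresolved)"].append(m.group("fn"))
    return dict(by_module)

def suspicious_ads(sections):
    """(file, stream) pairs whose stream name is not one Windows creates itself."""
    found = []
    for l in sections["Files"]:
        if l.startswith("ADS ") and ":" in l[6:]:  # skips the truncated "ADS ..." line
            path, stream = l[4:].rsplit(":", 1)
            if stream not in BENIGN_STREAMS:
                found.append((path, stream))
    return found
```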

Unread postby Bob4 » November 11th, 2006, 8:56 pm

I'm not finding much in the way of Malware.

But you can navigate to these files and delete what I have in bold type.

C:\WINDOWS\msdfmap.ini
C:\WINDOWS\Pietra verde.bmp
C:\WINDOWS\pss\win.ini.backup

Let's try a few online scans to see if they produce any results.


1 - Dr Web CureIt
Download Dr.Web CureIt to the desktop by clicking: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and click Start > OK to allow the Express Scan to run
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the Scan tab, remove the mark at Heuristic analysis then click OK
    • Back at the main window, select the folder C:\WINDOWS\$NtServicePackUninstall$ to be scanned - a red dot appears by the selected folder
    • Click the green arrow at the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click the next icon next to the files found:
      Image
      If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
      Image
      This will move it to the %userprofile%\DoctorWeb\quarantine-folder if it can't be cured - this is in case we need samples
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.



______________________

Run an online scan here. Accept the ActiveX and select 'clean':
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Save any report provided, and post it back here.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby sined » November 12th, 2006, 4:58 am

Hi Bob,

I'm not able to download Dr Web CureIt... it looks like the FTP site is not working.

How do I proceed?

Thanks a lot, Sined
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Unread postby Bob4 » November 12th, 2006, 7:18 am

I have made a slight error. Go to your recycle bin and restore the last 3 files I had you delete. They are just infected in a different way.

Do this by right clicking on each file and choose restore.

Then download this tool,
open it and copy these lines in it 1 at a time:
ADS Spy Download Link

Open that tool and make sure the following are checked.
  • Quick scan
  • Ignore safe system info data stream


Then place a check mark by these 3 if they show up, and delete what I have in bold type.

C:\WINDOWS\msdfmap.ini
C:\WINDOWS\Pietra verde.bmp
C:\WINDOWS\pss\win.ini.backup

____________________
Please retry the Dr Web CureIt. If it still isn't working,
try the scan from CA, the second one I asked for.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby sined » November 12th, 2006, 4:59 pm

Hi Bob,

I usually shift+delete the files...so I guess I've lost those files.

What should I do now?

Btw... I'll be back on Thursday this week... so no urgent response is required! ;-)

Thanks,Sined
sined
Regular Member
 
Posts: 31
Joined: August 12th, 2006, 1:12 pm

Unread postby Bob4 » November 12th, 2006, 8:07 pm

Try system restore going back to the day you deleted them.

1. Click Start.
2. Point to All Programs.
3. Point to Accessories.
4. Point to System Tools.
5. Click System Restore.

Choose a date close to when you deleted those files. The dates available will be bold.




Post a new HJT log.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida