Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Infection from MSN / Help required on HijackThis log :)



Unread postby Taff » August 25th, 2007, 8:46 am

Yesterday I got an infection from a file I received from MSN...
I've also tried to manually remove all the files related to it (I've found 3 of them + prefetch), but as soon as I log onto MSN they're somehow back. This kind of virus (dunno exactly what it is) opens chat windows with all the online contacts, attempting to send itself. I've saved my HijackThis log file and I hope someone can help me with my problem. Thank you all for the help <3.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.13.15, on 25/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Spyware Doctor\SDTrayApp.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\chcp.exe
C:\Programmi\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\iTunes\iTunes.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programmi\MSN Messenger\usnsvc.exe
c:\y8o7w8b4f1q5.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Taff\Desktop\test.exe
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programmi\WinRAR\WinRAR.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Diagnostica SpeedTouch USB] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [chcp.exe] C:\WINDOWS\chcp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles\u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles/u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Programmi\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0033751406
O17 - HKLM\System\CCS\Services\Tcpip\..\{376AE6CA-D62A-4386-8856-BD4F13D5A967}: NameServer = 213.205.36.70 213.205.32.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{376AE6CA-D62A-4386-8856-BD4F13D5A967}: NameServer = 213.205.36.70 213.205.32.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
Taff
Active Member
 
Posts: 13
Joined: August 25th, 2007, 8:22 am

Unread postby Bob4 » August 25th, 2007, 11:47 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

All HijackThis logs I ask for should be done in normal mode (not safe mode).

Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


Is this HijackThis renamed?
C:\Documents and Settings\Taff\Desktop\test.exe

______________________________
HJT
Run HijackThis and choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.



O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)




Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\y8o7w8b4f1q5.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")





_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
At the top of the page there is a field to add the file path; copy and paste these file paths, one at a time.


C:\WINDOWS\chcp.exe


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html


___________________________________
______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).


_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.




_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Kaspersky
  • The report from Jotti/VirusTotal
  • Let me know about test.exe

Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
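The helper's reply above is doing manual triage on the HijackThis log: the randomly named executable at the drive root (c:\y8o7w8b4f1q5.exe), the O2 BHO entry with "(no file)", and a file called chcp.exe sitting in the Windows root rather than system32 where the real chcp tool lives. The following Python script is an added example, not something from the thread or from the HijackThis project, showing how those same triage heuristics can be written as code and run over log lines of the format quoted above. The sample log, the regular expressions and the small list of built-in tool names are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log format (modelled on the log quoted in the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
c:\y8o7w8b4f1q5.exe
C:\WINDOWS\chcp.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [chcp.exe] C:\WINDOWS\chcp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
"""

# Assumption for this example: a few names of built-in Windows command-line tools.
# The genuine copies live under system32, so a same-named file directly in the
# Windows directory is a look-alike worth a closer look.
BUILTIN_TOOL_STEMS = {"chcp", "find", "attrib", "net", "cmd"}

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)


def parse_hjt(text):
    """Split an HJT log into the running-process list and the typed (R/F/O) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("type"), m.group("body"), line))
    return processes, entries


def suspicious_path(path):
    """Return a reason string if the file location itself is a red flag, else None."""
    p = PureWindowsPath(path)
    parts = p.parts                   # e.g. ('c:\\', 'y8o7w8b4f1q5.exe')
    stem = p.stem.lower()
    if len(parts) == 2:
        return "executable sits directly at the drive root"
    if len(parts) == 3 and parts[1].lower() == "windows" and stem in BUILTIN_TOOL_STEMS:
        return "name mimics a built-in tool but sits in the Windows root, not system32"
    return None


def triage(text):
    """Run the location heuristics over processes and entries; flag orphaned BHOs."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        reason = suspicious_path(proc)
        if reason:
            findings.append((proc, reason))
    for etype, body, line in entries:
        if etype == "O2" and body.endswith("(no file)"):
            findings.append((line, "BHO entry points to a missing file (orphaned, safe to fix)"))
            continue
        for m in PATH_RE.finditer(body):
            reason = suspicious_path(m.group(1))
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the constructed sample this flags the root-level executable, both occurrences of the Windows-root chcp.exe (the running process and its O4 autorun), and the orphaned O2 entry, while leaving the legitimate Program Files entries alone. Location-based heuristics like these are a first pass only; the thread's next steps (multi-engine scanning of the file, a full AV scan) are what actually confirm the verdict.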

Unread postby Taff » August 25th, 2007, 11:55 am

Ty so much for the help. I see that this will take time, but I'll follow all the suggestions u will be giving me.
Yes, test.exe is HijackThis renamed. I've seen that on a forum and I thought it was a good thing to do.
I'll start doing what u ask and I'll keep u informed :)
ty again <3
Taff
Active Member
 
Posts: 13
Joined: August 25th, 2007, 8:22 am

Unread postby Taff » August 25th, 2007, 12:02 pm

OK, I've fixed the line in HijackThis and I processed the file with OTMoveIt. This is the result u asked for :)

c:\y8o7w8b4f1q5.exe moved successfully.

Created on 08/25/2007 17.59.41
Taff
Active Member
 
Posts: 13
Joined: August 25th, 2007, 8:22 am

Unread postby Taff » August 25th, 2007, 12:13 pm

Here's the scan of chcp.exe

Antivirus / Version / Last Update / Result
AhnLab-V3 2007.8.25.0 2007.08.24 -
AntiVir 7.4.1.63 2007.08.24 HEUR/Crypted
Authentium 4.93.8 2007.08.25 -
Avast 4.7.1029.0 2007.08.25 -
AVG 7.5.0.484 2007.08.24 SHeur.IFU
BitDefender 7.2 2007.08.25 -
CAT-QuickHeal 9.00 2007.08.25 Backdoor.SdBot.gen
ClamAV 0.91 2007.08.25 -
DrWeb 4.33 2007.08.25 -
eSafe 7.0.15.0 2007.08.23 -
eTrust-Vet 31.1.5085 2007.08.24 -
Ewido 4.0 2007.08.25 -
FileAdvisor 1 2007.08.25 -
Fortinet 2.91.0.0 2007.08.25 -
F-Prot 4.3.2.48 2007.08.25 -
F-Secure 6.70.13030.0 2007.08.24 -
Ikarus T3.1.1.12 2007.08.25 Generic.Sdbot
Kaspersky 4.0.2.24 2007.08.25 Backdoor.Win32.SdBot.bmh
McAfee 5105 2007.08.24 -
Microsoft 1.2803 2007.08.25 -
NOD32v2 2484 2007.08.25 IRC/SdBot
Norman 5.80.02 2007.08.24 -
Panda 9.0.0.4 2007.08.25 Generic Worm
Prevx1 V2 2007.08.25 Generic.Malware
Rising 19.37.42.00 2007.08.24 -
Sophos 4.21.0 2007.08.25 -
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.25 W32.SillyIM
TheHacker 6.1.8.172 2007.08.25 Backdoor/SdBot.bmh
VBA32 3.12.2.3 2007.08.24 -
VirusBuster 4.3.26:9 2007.08.24 Worm.Agent.VCU
Webwasher-Gateway 6.0.1 2007.08.25 Heuristic.Crypted
Informazioni addizionali
File size: 434176 bytes
MD5: be2f46df65d7940c9c44f4e91e2d0cf3
SHA1: 1314b1d12f054496a51d9893871960533a19c162
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00936C3069
Taff
Active Member
 
Posts: 13
Joined: August 25th, 2007, 8:22 am

Unread postby Taff » August 25th, 2007, 3:25 pm

OK, I've finally finished Kaspersky's scan and here's the result.
Sorry, by the way, for the multi-reply answer, since u asked for only 1 reply...
For the little I can understand, my computer has more than 1 virus/worm, whatever. It would be wonderful if u could help me fix this. <3

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 25, 2007 9:22:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/08/2007
Kaspersky Anti-Virus database records: 389807
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 57398
Number of viruses found: 7
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 02:40:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Taff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Taff\Documenti\Musica\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Cronologia\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Dati applicazioni\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Temp\~DFEF3E.tmp Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Temp\~DFEF51.tmp Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Taff\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Taff\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Taff\ntuser.dat.LOG Object is locked skipped
C:\h1b9i6h4u6j1.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Programmi\File comuni\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP102\A0017082.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP102\A0017086.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP103\A0018100.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP103\A0018101.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP104\A0018111.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP105\A0018119.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP105\A0018141.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP105\A0018142.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP105\change.log Object is locked skipped
C:\WINDOWS\chcp.exe Infected: Backdoor.Win32.SdBot.bmh skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\F0538_jpg.zip/www.F0538_jpg-msn.com Infected: Backdoor.Win32.SdBot.bmh skipped
C:\WINDOWS\F0538_jpg.zip ZIP: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\y8o7w8b4f1q5.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
D:\4742863a487fed8bede00981fe60f02f\msxml4-KB927978-enu.log Object is locked skipped
D:\My Download Files\Programs\WinZip 9.0+KeyGen.zip/WinZip 9.0 KeyGen.exe Infected: Trojan.Win32.StartPage.tr skipped
D:\My Download Files\Programs\WinZip 9.0+KeyGen.zip ZIP: infected - 1 skipped
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/NERO5031.ZIP/nero5031.exe Infected: Email-Worm.Win32.Hybris.b skipped
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/NERO5031.ZIP Infected: Email-Worm.Win32.Hybris.b skipped
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/Cdrwin.3.8c.zip/cdr38c-e.exe Infected: Email-Worm.Win32.Hybris.b skipped
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/Cdrwin.3.8c.zip Infected: Email-Worm.Win32.Hybris.b skipped
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip ZIP: infected - 4 skipped
D:\Overnet\Incoming\Filez\[PC GAME NOCD] Pro Evolution Soccer 6 nocd crack.zip/install.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
D:\Overnet\Incoming\Filez\[PC GAME NOCD] Pro Evolution Soccer 6 nocd crack.zip/install.exe Infected: Trojan-Dropper.Win32.Peerad.a skipped
D:\Overnet\Incoming\Filez\[PC GAME NOCD] Pro Evolution Soccer 6 nocd crack.zip ZIP: infected - 2 skipped
D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(1).zip/Rally Masters Michelin Race of Champions demo.exe Infected: Trojan-Downloader.Win32.Bagle.bp skipped
D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(1).zip ZIP: infected - 1 skipped
D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(2).zip/Rally Masters Michelin Race of Champions demo.exe Infected: Email-Worm.Win32.Bagle.hv skipped
D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(2).zip ZIP: infected - 1 skipped
D:\Overnet\Temp\001.part Object is locked skipped
D:\Overnet\Temp\002.part Object is locked skipped
D:\Overnet\Temp\003.part Object is locked skipped
D:\Overnet\Temp\004.part Object is locked skipped
D:\Overnet\Temp\005.part Object is locked skipped
D:\Overnet\Temp\015.part Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
Taff
Active Member
 
Posts: 13
Joined: August 25th, 2007, 8:22 am
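The Kaspersky report above mixes three kinds of lines: files the scanner could not open ("Object is locked skipped", which are not infections), individual detections ("Infected: <verdict> skipped", some of them members inside a .zip written with a "/" separator, some of them System Restore copies under System Volume Information), and per-archive tallies ("ZIP: infected - N skipped"). The helper's next reply turns that into a list of on-disk files to move, one entry per container rather than per archive member. The following Python is an added example, not part of the thread or of Kaspersky's tooling, that parses report lines of that format and produces the same kind of action list; the sample lines are copied from the format above and labelled as constructed input.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky Online Scanner report format quoted in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Taff\NTUSER.DAT Object is locked skipped
C:\h1b9i6h4u6j1.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Programmi\File comuni\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\System Volume Information\_restore{4BC011B6-29D1-460C-B8FD-DAFE584550E1}\RP102\A0017082.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\WINDOWS\chcp.exe Infected: Backdoor.Win32.SdBot.bmh skipped
C:\WINDOWS\F0538_jpg.zip/www.F0538_jpg-msn.com Infected: Backdoor.Win32.SdBot.bmh skipped
C:\WINDOWS\F0538_jpg.zip ZIP: infected - 1 skipped
D:\Overnet\Temp\001.part Object is locked skipped
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Z0-9]+): infected - (?P<count>\d+) skipped$")
RESTORE_MARKER = r"\system volume information\_restore"


def parse_report(text):
    """Return (infected records, locked paths). Archive tally lines are dropped
    because every member they count was already reported on its own line."""
    infected, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        if ARCHIVE_RE.match(line):
            continue
        m = INFECTED_RE.match(line)
        if m:
            path, verdict = m.group("path"), m.group("verdict")
            infected.append({
                "path": path,
                "verdict": verdict,
                # the on-disk file: everything before the first "/" archive separator
                "container": path.split("/", 1)[0],
                "in_archive": "/" in path,
                "restore_point": RESTORE_MARKER in path.lower(),
                # Kaspersky's "not-a-virus:" prefix marks potentially unwanted software
                "pua": verdict.lower().startswith("not-a-virus:"),
            })
    return infected, locked


def action_list(infected):
    """One entry per on-disk container, in report order. Restore-point copies are
    returned separately: they are handled by purging System Restore, not by hand."""
    files, restore_points = [], []
    for rec in infected:
        target = restore_points if rec["restore_point"] else files
        if rec["container"] not in target:
            target.append(rec["container"])
    return files, restore_points


def verdict_counts(infected):
    """Tally of detections per verdict name."""
    return Counter(rec["verdict"] for rec in infected)


if __name__ == "__main__":
    infected, locked = parse_report(SAMPLE_REPORT)
    files, restore_points = action_list(infected)
    print(f"{len(locked)} locked (not infections), {len(infected)} detections")
    for verdict, n in verdict_counts(infected).items():
        print(f"  {n} x {verdict}")
    print("files to quarantine:", *files, sep="\n  ")
    print("restore-point copies:", *restore_points, sep="\n  ")
```

Two details matter when reading a report like this: the many "Object is locked" lines are registry hives, event logs and index files that any scanner on a live system will skip, so they should not be counted as infections; and a detection on a path containing "/" names a file inside an archive, so the thing to quarantine is the container .zip, which is what the action list returns.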

Unread postby Bob4 » August 25th, 2007, 5:01 pm

Been waiting for the new HJT log. Guess we'll just go from here.

Looks as if downloading free stuff and keygens got you into this. If you continue to do these things you will become reinfected. Please do not use eMule while we're cleaning your machine!


Also, I see no signs of an active antivirus. Is this your choice? I will be recommending 2, of which I hope you install only one.

Also, we're going to look a bit further, as we are still finding things.


___________________________________
DISABLE Spyware Doctor
It is a good program, but ... it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".


______________________________
HJT
Run HijackThis and choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.



O4 - HKLM\..\Run: [chcp.exe] C:\WINDOWS\chcp.exe



+++++++++++++++++++++++++++++


  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\h1b9i6h4u6j1.exe
    C:\Programmi\File comuni\delsim\del.exe
    C:\WINDOWS\chcp.exe
    C:\WINDOWS\F0538_jpg.zip
    D:\My Download Files\Programs\WinZip 9.0+KeyGen.zip
    D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/NERO5031.ZIP
    D:\Overnet\Incoming\Filez\[PC GAME NOCD] Pro Evolution Soccer 6 nocd crack.zip
    D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(1).zip
    D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(2).zip


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")



+++++++++++++++++++++++++++++++++

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).


+++++++++++++++++++++++++++++++++++++++

AVG Anti-Spyware:

NOTE: This is not an antivirus program. You will still need to get one in place.
________________________________________
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).



    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    • Open up AVG Anti-Malware

Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
  • Make sure that Set all elements to: shows Quarantine
  • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
  • When the program has finished, it will display the message All actions have been applied.
  • Then click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot in normal mode.


_________________________________________________________




I see no signs of an anti-virus program. I suggest you get one in ASAP.
I will list 2 free anti-virus programs; just choose 1.

AVG FREE

Avast

Download and install one of these and run a full scan.

_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from AVG antiMalware
  • The report from OTMoveIt

Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by Taff » August 25th, 2007, 7:06 pm

Thank you again for the help.
I'm sorry, but I had to fix some things and could not answer before.
I searched for chcp.exe in HijackThis but, I don't know why, it is not listed.
Of course I didn't ignore it; the only thing I did was turn off Spyware Doctor as you told me. I'll post the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1.02.32, on 26/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\CDSpeed.exe
C:\Programmi\Google\Google Updater\GoogleUpdater.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programmi\MSN Messenger\usnsvc.exe
c:\h1b9i6h4u6j1.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\iTunes\iTunes.exe
C:\Documents and Settings\Taff\Desktop\test.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Diagnostica SpeedTouch USB] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CDSpeed.exe] C:\WINDOWS\CDSpeed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles\u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles/u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Programmi\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0033751406
O17 - HKLM\System\CCS\Services\Tcpip\..\{376AE6CA-D62A-4386-8856-BD4F13D5A967}: NameServer = 213.205.36.70 213.205.32.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{376AE6CA-D62A-4386-8856-BD4F13D5A967}: NameServer = 213.205.36.70 213.205.32.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
Taff
Active Member
Posts: 13
Joined: August 25th, 2007, 8:22 am

Post by Bob4 » August 25th, 2007, 7:27 pm

Run the AVG scan and post that along with the OTMOVEIT log.
Bob4

Post by Taff » August 25th, 2007, 10:08 pm

OTMoveIt result:

C:\h1b9i6h4u6j1.exe moved successfully.
C:\Programmi\File comuni\delsim\del.exe moved successfully.
C:\WINDOWS\chcp.exe moved successfully.
C:\WINDOWS\F0538_jpg.zip moved successfully.
D:\My Download Files\Programs\WinZip 9.0+KeyGen.zip moved successfully.
File/Folder D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/NERO5031.ZIP not found.
D:\Overnet\Incoming\Filez\[PC GAME NOCD] Pro Evolution Soccer 6 nocd crack.zip moved successfully.
D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(1).zip moved successfully.
D:\Overnet\Incoming\Rally Masters Michelin Race of Champions demo(2).zip moved successfully.






---------------------------------------------------------
AVG Anti-Spyware - Scan report
---------------------------------------------------------

+ Created at: 3.53.01 26/08/2007

+ Scan result:



D:\Overnet\Incoming\Games\GTA San Andreas\GTA.San.Andreas.FullDVD.Multilaguaje.WwW.EliteRips.CoM.ERG\GTA SAN ANDREAS CRACK BY HOODLUM.rar/HOODLUM\HLM-INTR.EXE -> Backdoor.Hupigon.kg : Cleaned with backup (quarantined)
D:\My Download Files\Crackz\WinDVD_v3.00_build_57.zip/windvd.crack.30057.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined)
D:\My Download Files\Crackz\Nero Burning Rom v6.3.1.6. Keygen.zip/Keygen.exe -> Hijacker.Befins.b : Cleaned with backup (quarantined)
D:\My Download Files\Crackz\Command_And_Conquer_Generals_Plus_3_Trainer-FLTDOX.DonkeyNL.ShareReactor.rar/trainer.exe -> Hijacker.Small : Cleaned with backup (quarantined)
C:\_OTMoveIt\MovedFiles\My Download Files\Programs\WinZip 9.0+KeyGen.zip/WinZip 9.0 KeyGen.exe -> Hijacker.StartPage.tr : Cleaned with backup (quarantined)
C:\WINDOWS\system32\config\systemprofile\Cookies\system@skype[1].txt -> TrackingCookie.Skype : Cleaned.
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/Cdrwin.3.8c.zip/cdr38c-e.exe -> Worm.Hybris.b : Cleaned with backup (quarantined)
D:\Overnet\Incoming\Filez\Sim City 2000 Microsoft Windows Xp Full Version - (Downloadfullprogs Cjb Net).zip/NERO5031.ZIP/nero5031.exe -> Worm.Hybris.b : Cleaned with backup (quarantined)


::End of report

(Report translated from Italian: Ripulito = Cleaned / In quarantena = In Quarantine)

I've also confirmed the quarantine of all files moved with OTMoveIt.
Taff

Post by Bob4 » August 26th, 2007, 5:47 am

When I ask for a new HJT log, it should be the last thing you do, as I am looking for certain changes after we do things.

Please post a new HJT log.
Bob4

Post by Taff » August 26th, 2007, 9:12 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.11.18, on 26/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\CDSpeed.exe
C:\Programmi\Spyware Doctor\SDTrayApp.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Messenger\usnsvc.exe
c:\h1b9i6h4u6j1.exe
C:\Documents and Settings\Taff\Desktop\Antiworm shitz0r\test.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Diagnostica SpeedTouch USB] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CDSpeed.exe] C:\WINDOWS\CDSpeed.exe
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles\u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles/u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Programmi\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0033751406
O17 - HKLM\System\CCS\Services\Tcpip\..\{376AE6CA-D62A-4386-8856-BD4F13D5A967}: NameServer = 213.205.36.70 213.205.32.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{376AE6CA-D62A-4386-8856-BD4F13D5A967}: NameServer = 213.205.36.70 213.205.32.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
Taff

Post by Bob4 » August 26th, 2007, 2:40 pm

Good job on installing the anti-virus program!


c:\h1b9i6h4u6j1.exe is back!

Something may still be hiding from us.

I see you did remove it with OTMoveIt, but it's back. Something must be creating it.

Let's see if we can find out what's doing this.



_____________________________
Submit a file to Jotti
Please go here: http://virusscan.jotti.org/
At the top of the page there is a field for the file path; copy and paste these file paths, one at a time:


C:\WINDOWS\CDSpeed.exe


Then hit Submit.
The scan will take a while before the result comes up, so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html




______________________________
1. Download ComboFix from one of these locations:
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply (C:\ComboFix.txt).

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


____________________________________________




Download GMER's application from here

or

Here

Save it to your desktop.

Create a new folder in c: drive called Gmer

Click on Start then My Computer then double click Local Disk C:

Now right click anywhere on the open window and choose New then Folder Type in GMER and hit the Enter key.

Unzip the GMER zip file by double clicking on the desktop icon and save it to the GMER folder you just made.

Now Navigate to that folder (Gmer)
and double click the GMER.exe file

Click the Rootkit tab

Please, DO NOT select the "Show all" checkbox during the scan.

and click the Scan button.

IMPORTANT: Do NOT use the computer while the scan is in progress.


Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

If you're having problems running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.






_____________________________
In your next reply I would like to see:
  • The report from comboFix
  • The report from Jotti/VirusTotal
  • The report from Gmer
Bob4
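The triage Bob4 is doing by eye in this post (a file that reappears in the drive root after removal, an oddly placed autostart worth submitting to the multi-engine scanners, and, further down in Taff's ComboFix log, a MountPoints2 AutoRun command pointing at Recycled\ctfmon.exe) can be partly automated. The script below is an added example, not part of the original thread and not code from HijackThis, ComboFix or GMER; it runs over a constructed sample assembled from lines that appear in this thread's logs. The three rule families, the entropy threshold and the C:\WINDOWS allowlist are my own assumptions for illustration, not anything those tools or the thread define.

```python
"""Triage helper for HijackThis / ComboFix style log lines.

Added example, not part of the original thread or of the tools it names.
Rules, thresholds and the allowlist are assumptions made for illustration.
"""
import math
import re
from typing import List, Tuple

# Constructed sample: lines in the shapes HijackThis and ComboFix emit,
# assembled from the logs posted in this thread. Not a full parse of either
# tool's format, just enough structure for the rules below.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programmi\MSN Messenger\usnsvc.exe
c:\h1b9i6h4u6j1.exe
C:\WINDOWS\CDSpeed.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CDSpeed.exe] C:\WINDOWS\CDSpeed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae62cea4-0af4-11dc-a5c5-000272808c59}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- G:\Recycled\ctfmon.exe
"""

# Executables that legitimately sit directly in C:\WINDOWS on XP. Assumed and
# deliberately short: anything else launched from there earns a second look.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)
O4_LINE = re.compile(r"^O4 - .+?\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
MOUNTPOINT_CMD = re.compile(r"^(?:AutoRun|Open\(&\d\))\\command- (?P<cmd>.*)$")

Finding = Tuple[str, str, str]  # (section, rule, evidence)


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking names score high, words score low."""
    if not text:
        return 0.0
    counts: dict = {}
    for ch in text.lower():
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(filename: str) -> bool:
    """Heuristic for dropper names such as h1b9i6h4u6j1.exe: a long stem that
    mixes several letters with several digits and has high entropy."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in stem)
    letters = sum(ch.isalpha() for ch in stem)
    return len(stem) >= 8 and digits >= 3 and letters >= 3 and shannon_entropy(stem) >= 2.5


def image_path(command: str) -> str:
    """Executable part of a Run-key value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def check_exe(section: str, path: str) -> List[Finding]:
    """Apply the location rules to one executable path."""
    name = path.rsplit("\\", 1)[-1]
    out: List[Finding] = []
    if DRIVE_ROOT_EXE.match(path):
        rule = "random-name-in-drive-root" if looks_random(name) else "exe-in-drive-root"
        out.append((section, rule, path))
    if WINDOWS_ROOT_EXE.match(path) and name.lower() not in WINDOWS_ROOT_ALLOW:
        out.append((section, "exe-in-windows-root", path))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings from the three rule families."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if DRIVE_PATH.match(line):
                findings.extend(check_exe("process", line))
                continue
            in_processes = False  # first non-path line ends the process list
        m = O4_LINE.match(line)
        if m:
            findings.extend(check_exe("autostart", image_path(m.group("cmd"))))
            continue
        m = MOUNTPOINT_CMD.match(line)
        if m:
            # A MountPoints2 AutoRun/Open command is the autorun.inf route back
            # onto the box; report it whole so the target can be hunted down.
            findings.append(("mountpoints2", "autorun-command", m.group("cmd")))
    return findings


if __name__ == "__main__":
    for section, rule, evidence in triage(SAMPLE_LOG):
        print(f"{section:12} {rule:26} {evidence}")
```

Run stand-alone it lists the drive-root dropper, CDSpeed.exe both as a process and as an HKLM Run entry, and the two MountPoints2 commands, while smss.exe, usnsvc.exe, ctfmon.exe and Explorer.EXE pass. The point of the MountPoints2 rule is the one Bob4 is circling: a file that comes back after OTMoveIt is being re-dropped by something that still runs, and an AutoRun command on a mounted drive is exactly that kind of something, independent of the Run keys HijackThis shows.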

Post by Taff » August 26th, 2007, 5:45 pm

Sorry I couldn't answer before, but today I had to work really hard :(
By the way, here are the logs you asked for... :)

ComboFix's log:
ComboFix 07-08-25.2 - "Taff" 2007-08-26 23.14.37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.594 [GMT 2:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Autorun.inf
C:\DOCUME~1\Taff\DATIAP~1\microsoft\internet explorer\quick launch\intern~1.lnk
C:\WINDOWS\system32\_003770_.tmp.dll
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 23:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-26 13:08 <DIR> d--h----- C:\Programmi\File comuni\delsim
2007-08-26 01:30 52,224 --a------ C:\h1b9i6h4u6j1.exe
2007-08-26 01:15 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-25 18:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-25 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Kaspersky Lab
2007-08-25 18:15 <DIR> d-------- C:\Programmi\CCleaner
2007-08-25 16:35 435,200 -r-hs---- C:\WINDOWS\CDSpeed.exe
2007-08-24 19:28 <DIR> d-------- C:\Programmi\Windows Live
2007-08-24 19:28 <DIR> d-------- C:\Programmi\Messenger Plus! Live
2007-08-24 18:32 <DIR> d-------- C:\Programmi\MSN Messenger
2007-08-23 19:00 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-22 12:40 <DIR> d-------- C:\HospitalTycoon
2007-08-22 04:24 <DIR> d-------- C:\Programmi\iTunes
2007-08-22 04:24 <DIR> d-------- C:\Programmi\iPod
2007-08-21 19:31 <DIR> d-------- C:\Programmi\MSXML 6.0
2007-08-21 18:20 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-02 23:08 <DIR> d-------- C:\DOCUME~1\Taff\DATIAP~1\vlc
2007-08-02 02:42 <DIR> d-------- C:\Programmi\AC3Filter
2007-07-30 15:12 <DIR> d-------- C:\Programmi\File comuni\DirectX
2007-07-30 15:03 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-07-30 15:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-07-30 15:03 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-07-30 15:03 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-07-30 15:03 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-30 15:03 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-07-30 15:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-07-30 15:03 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-07-30 15:03 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-07-30 15:03 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-07-30 15:00 <DIR> d-------- C:\Programmi\Codemasters
2007-07-30 14:55 5,248 --a------ C:\WINDOWS\system32\drivers\a347scsi.sys
2007-07-30 14:55 160,640 --a------ C:\WINDOWS\system32\drivers\a347bus.sys
2007-07-30 14:55 <DIR> d-------- C:\Programmi\Alcohol Soft


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-25 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Google Updater
2007-08-25 19:05 --------- d-------- C:\Programmi\eMule
2007-08-24 17:26 --------- d-------- C:\Programmi\Spyware Doctor
2007-08-22 04:23 --------- d-------- C:\Programmi\Apple Software Update
2007-08-14 17:02 82248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-14 17:02 57672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-14 17:02 40264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-14 17:02 29000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-04 15:43 --------- d-------- C:\Programmi\World of Warcraft
2007-08-02 23:07 --------- d-------- C:\Programmi\VideoLAN
2007-07-31 15:44 --------- d-------- C:\DOCUME~1\Taff\DATIAP~1\Apple Computer
2007-07-31 15:44 --------- d-------- C:\DOCUME~1\Taff\DATIAP~1\Apple Computer
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 02:16 --------- d-------- C:\Programmi\CDex_150
2007-07-21 13:36 --------- d-------- C:\WINDOWS\system32\config\SYSTEM~1\DATIAP~1\PC Tools
2007-07-20 20:03 --------- d-------- C:\Programmi\QuickTime
2007-07-12 13:19 --------- d-------- C:\Programmi\File comuni\Symantec Shared
2007-07-12 03:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Google
2007-07-11 18:31 --------- d-------- C:\Programmi\Norton Security Scan
2007-07-06 01:33 --------- d-------- C:\Programmi\File comuni\Apple
2007-07-06 01:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Apple
2007-06-28 20:10 --------- d-------- C:\DOCUME~1\Taff\DATIAP~1\Skype
2007-06-28 20:10 --------- d-------- C:\DOCUME~1\Taff\DATIAP~1\Skype
2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 15:30 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:22 1035776 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-12-13 13:01]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-12-13 13:01]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-12-13 13:01]
"Diagnostica SpeedTouch USB"="C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-05-03 10:40]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 15:39 C:\WINDOWS\system32\bthprops.cpl]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"CDSpeed.exe"="C:\WINDOWS\CDSpeed.exe" [2007-08-25 16:35]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-26 01:17]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-26 04:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"StartCCC"="C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles\u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Taff\Dati applicazioni\Mozilla\Firefox\Profiles/u2sgeyv6.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae62cea4-0af4-11dc-a5c5-000272808c59}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- G:\Recycled\ctfmon.exe


Contents of the 'Scheduled Tasks' folder
2007-08-22 02:23:39 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Programmi\Apple Software Update\SoftwareUpdate.exe
2007-08-24 13:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job - C:\Programmi\Norton Security Scan\Nss.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 23:21:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 23:23:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 23:23

--- E O F ---

Jotti's report:
Scan taken on 26 Aug 2007 21:27:15 (GMT)
A-Squared Found nothing
AntiVir Found WORM/IRCBot.435200
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found SHeur.JBL
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.IRCBot.aex
Fortinet Found W32/IRCBot.AEX!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.aex
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

GMER's result:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-26 23:43:59
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT a347bus.sys ZwClose
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT a347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwSetValueKey
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

? C:\DOCUME~1\Taff\IMPOST~1\Temp\catchme.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 435FF2A1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 43790297 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 43790218 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 4379025C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 437901A4 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 437901DE C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 437902D2 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 4362164E C:\WINDOWS\system32\IEFRAME.dll

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8673FB60

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F74231DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F74231DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7423454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F74231DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7416F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7B4C404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7B4C404] avg7rsw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8685A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B8685A] avgtdi.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 8648F108
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8648F108
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86437508
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 8648F108
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER
Taff
Active Member
 
Posts: 13
Joined: August 25th, 2007, 8:22 am
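The GMER output above lists every SSDT and inline hook it found, but leaves the reader to work out which product owns each one, which is the question that matters when reading a rootkit scan. The following Python is an added example, not code from the thread, from GMER, or from any of the tools named in it. It parses a subset of the lines copied from the log above, groups the hooks by the module that owns them, and flags any owner that is not on an allowlist. The owner-to-product mapping in KNOWN_OWNERS is my own assumption based on the products visible in the poster's HijackThis log; the "hypothetical.sys" line is constructed to exercise the unknown-owner path and does not appear in the log.

```python
"""Triage hooks reported by GMER: who owns each SSDT / inline hook, and is
that owner a product we already know is installed?  (Added example.)"""
import re
from collections import defaultdict

# Excerpt of the GMER output posted in the thread (real lines from the log;
# the original is longer, only a representative subset is kept).
GMER_EXCERPT = r"""
---- System - GMER 1.0.13 ----

SSDT a347bus.sys ZwClose
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateKey
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwWriteVirtualMemory

---- User code sections - GMER 1.0.13 ----

.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 435FF2A1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\internet explorer\iexplore.exe[3372] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 437901A4 C:\WINDOWS\system32\IEFRAME.dll
"""

# CONSTRUCTED line, not from the posted log: a hook owned by a driver that is
# not on the allowlist, so the unknown-owner path can be exercised.
CONSTRUCTED_UNKNOWN = r"SSDT \SystemRoot\system32\drivers\hypothetical.sys ZwQueryDirectoryFile"

# ASSUMED owner -> product mapping. These attributions are mine, inferred from
# the products visible in the poster's HijackThis log; the thread does not
# state them. Treat this as an allowlist to be maintained per machine.
KNOWN_OWNERS = {
    "a347bus.sys": "Alcohol 120% (virtual drive)",
    "iksysflt.sys": "Spyware Doctor",
    "guard.sys": "AVG Anti-Spyware 7.5",
    "ieframe.dll": "Internet Explorer",
}

# "SSDT <owner module> <Zw* syscall>"
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<target>Zw\w+)\s*$")
# ".text <process[pid]> <module!function> <addr> <n> Bytes JMP <addr> <owner>"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<target>\S+!\S+)\s+"
    r"[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+\s+(?P<owner>.+?)\s*$"
)


def owner_basename(path: str) -> str:
    """Reduce '\\SystemRoot\\system32\\drivers\\x.sys' or 'x.sys' to 'x.sys'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hooks(text: str) -> list:
    """Return one dict per SSDT or inline hook line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "ssdt", "owner": owner_basename(m["owner"]),
                          "target": m["target"], "process": None})
            continue
        m = INLINE_RE.match(line)
        if m:
            hooks.append({"kind": "inline", "owner": owner_basename(m["owner"]),
                          "target": m["target"], "process": m["process"]})
    return hooks


def triage(hooks: list, known: dict = KNOWN_OWNERS) -> dict:
    """Group hooked targets by owning module and attach the known product, if any."""
    by_owner = defaultdict(list)
    for h in hooks:
        by_owner[h["owner"]].append(h["target"])
    return {owner: {"product": known.get(owner), "targets": sorted(targets)}
            for owner, targets in by_owner.items()}


def unknown_owners(hooks: list, known: dict = KNOWN_OWNERS) -> list:
    """Owners that are not on the allowlist; these are the ones worth investigating."""
    return sorted({h["owner"] for h in hooks if h["owner"] not in known})


if __name__ == "__main__":
    hooks = parse_hooks(GMER_EXCERPT + CONSTRUCTED_UNKNOWN)
    for owner, info in triage(hooks).items():
        label = info["product"] or "UNKNOWN - investigate"
        print(f"{owner:18} {label:32} {', '.join(info['targets'])}")
    print("unknown owners:", unknown_owners(hooks))
```

On the real excerpt every hook owner resolves to a product that is already visible elsewhere in the poster's logs, so the GMER section adds no evidence of a kernel component for this worm; that agrees with catchme reporting zero hidden files, and with the fix below targeting an ordinary Run-key autostart rather than a driver. An owner that resolves to nothing on the allowlist is the line a helper should be asked about first.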

Unread postby Bob4 » August 26th, 2007, 7:21 pm

Hopefully we found it.


______________________________
HJT
Run HijackThis, choose scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.

O4 - HKLM\..\Run: [CDSpeed.exe] C:\WINDOWS\CDSpeed.exe

  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Programmi\File comuni\delsim
    C:\h1b9i6h4u6j1.exe
    C:\WINDOWS\CDSpeed.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from OTMoveIt
  • Let me know how things seem to be running
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida