Hijackthis log from Italy


Unread postby carra » March 6th, 2008, 5:30 pm

Hi,
I ran the fabulous Spybot S&D to clean up my aunt's laptop, filled with viruses, but dialer CARPEDIEM VARS is still there and I am unable to remove it.
This is a huge problem to me, because this bloody dialer added a hundred bucks to the bill of my aunt's dial-up connection!
How can I get rid of it?
I post in the following the logfile of Trend Micro HijackThis, looking for help.
Thanks in advance to anyone who will spend time here.

Michele from Italy




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.05.13, on 06/03/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\brsvc01a.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\brss01a.exe
C:\Windows\System32\CAP3RSK.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Programmi\Compaq\EAB\EabServr.exe
C:\Programmi\Compaq\EAB\bak\EabServr.exe
C:\Programmi\ClamWin\bin\ClamTray.exe
C:\Windows\System32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\System32\taskmgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0410/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Programmi\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Finestra di stato di Canon LASER SHOT LBP-1120.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0843926066
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\System32\brsvc01a.exe

--
End of file - 4078 bytes
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 6th, 2008, 8:22 pm

Ciao Michele

How are things?

Is the laptop running XP or XP Pro?

1 - HijackThis Uninstall List
Run HijackThis then click on Open the Misc Tools section
If HijackThis is still open, click on Config > Misc Tools
Click on Open Uninstall Manager...
Click on Save list...
Leave the default filename as uninstall_list.txt and save the file to your Desktop
Close HijackThis.

On your Desktop, double-click on uninstall_list.txt and Notepad will open
In Notepad, click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the uninstall list in your next reply.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Hijackthis log from Italy

Unread postby carra » March 7th, 2008, 1:13 am

Dear Vino Rosso,
all well, thanks.

The laptop has WXPPro on it.
In fact, Spybot is unable to remove CARPEDIEM VARS, even after a Windows SAFEBOOT, and I can't find the right process to kill, the right file(s) to delete nor the right REGkey to delete.
Thanks to anyone helping.
Have a good day.

Michele







Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Aggiornamento rapido per Windows XP - KB828741
Aggiornamento rapido per Windows XP - KB835732
Aggiornamento rapido per Windows XP - KB842773
Aggiornamento rapido Windows XP - KB823559
ATI Display Driver
Brother HL-1430
Canon LASER SHOT LBP-1120
ClamWin Free Antivirus 0.92
Compaq Easy Access Buttons 3.00 B3
Compaq Help and Support Center
Easy CD Creator 5 Basic
HijackThis 2.0.2
InterVideo WinDVD
LiveUpdate BVRP Software
Microsoft Office 2000 Premium
mobile PhoneTools
Mozilla Firefox (2.0.0.12)
Pacchetto aggiornamenti rapidi Windows XP [per ulteriori informazioni, vedere Q329115]
RTLSetup
Setup Compaq Software
SoundMAX
Spybot - Search & Destroy
Synaptics TouchPad
Windows XP Hotfix (SP1) [See Q308402 for more information]
Windows XP Hotfix (SP1) [See Q308677 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q317326 for more information]
Windows XP Hotfix (SP1) [See Q319632 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q815021
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 7th, 2008, 3:31 am

Michele

The dialler is not showing in the log so, given there may be other hidden problems as well, can you please run the following:

1 - Scan With ComboFix
Please visit >this webpage< at Bleeping Computer and follow the instructions for downloading and running ComboFix.

IMPORTANT !!! combofix.exe MUST be on your Desktop

2 - Status Check
Please reply with
  1. the ComboFix log
  2. a fresh HijackThis log
Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Hijackthis log from Italy

Unread postby carra » March 7th, 2008, 6:11 am

Hello,
I post hereafter two fresh logs from Combofix and Hijackthis.
I also ran another scan with Spybot and it keeps bugging me with the CARPEDIEM VARS alert.
Is there maybe something wrong with Spybot s&d??
Thanks to anyone spending time here.







ComboFix 08-03-06.4 - padrone 2008-03-07 9.51.55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1040.18.108 [GMT 1:00]
Eseguito da: C:\Documents and Settings\padrone\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programmi\WinBudget
C:\Programmi\WinBudget\bin\matrix.dat
C:\Programmi\WinBudget\bin\matrix.dll

.
((((((((((((((((((((((((( Files Creati Da 2008-02-07 al 2008-03-07 )))))))))))))))))))))))))))))))))))
.

2008-03-06 22:04 . 2008-03-06 22:04 <DIR> d-------- C:\Programmi\Trend Micro
2008-03-04 22:36 . 2008-03-04 22:37 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-03-04 22:36 . 2008-03-05 05:45 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-04 21:04 . 2008-03-04 22:18 <DIR> d-------- C:\Programmi\Winpooch
2008-03-04 18:31 . 2008-03-04 21:18 <DIR> d-------- C:\Programmi\ClamWin
2008-03-04 18:31 . 2008-03-04 18:32 <DIR> d-------- C:\Documents and Settings\padrone\Dati applicazioni\.clamwin
2008-03-04 18:31 . 2008-03-04 18:31 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 20:47 --------- d-----w C:\Programmi\Common Files
2008-03-04 21:16 --------- d-----w C:\Programmi\OpenOffice.org1.1.3
2008-03-04 17:32 --------- d-----w C:\Documents and Settings\padrone\Dati applicazioni\.clamwin
2008-03-04 17:25 --------- d-----w C:\Programmi\Astonsoft
2008-03-04 17:23 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-03-04 17:21 --------- d-----w C:\Documents and Settings\padrone\Dati applicazioni\MSN6
2008-01-20 16:30 --------- d-----w C:\Documents and Settings\padrone\Dati applicazioni\DeepBurner
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 172,101 2002-05-09 13:13:52 C:\compaq\cpqsetup\bak\cpqset.exe
----a-w 14,348 2008-03-01 18:42:15 C:\compaq\cpqsetup\cpqset.exe

----a-w 69,632 2002-04-09 10:49:54 C:\Programmi\COMPAQ\EAB\bak\EabServr.exe
----a-w 14,348 2008-03-01 18:42:15 C:\Programmi\COMPAQ\EAB\EabServr.exe

----a-w 684,032 2002-07-31 23:14:26 C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
----a-w 14,348 2008-03-01 18:42:15 C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

----a-w 540,672 2002-05-16 16:54:56 C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 14,348 2008-03-01 18:42:15 C:\Programmi\Synaptics\SynTP\SynTPEnh.exe

----a-w 126,976 2002-05-16 16:56:04 C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 14,348 2008-03-01 18:42:15 C:\Programmi\Synaptics\SynTP\SynTPLpr.exe

----a-w 13,312 2001-08-30 17:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 13,312 2001-08-31 05:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 22,528 2002-07-30 07:00:00 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAP3ONN.EXE

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\Windows\System32\ctfmon.exe" [2001-08-31 06:00 13312]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2001-08-02 01:14 1077277]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-04-07 23:23 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-04-07 23:23 286720 C:\WINDOWS\system32\atiptaxx.exe]
"eabconfg.cpl"="C:\Programmi\Compaq\EAB\EabServr.exe" [2008-03-01 19:42 14348]
"SynTPLpr"="C:\Programmi\Synaptics\SynTP\SynTPLpr.exe" [2008-03-01 19:42 14348]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-03-01 19:42 14348]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2008-03-01 19:42 14348]
"AdaptecDirectCD"="C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-03-01 19:42 14348]
"ClamWin"="C:\Programmi\ClamWin\bin\ClamTray.exe" [2008-01-20 22:08 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\Windows\System32\CTFMON.EXE" [2001-08-31 06:00 13312]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Finestra di stato di Canon LASER SHOT LBP-1120.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2002-07-30 08:00:00 30720]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

S3 ALiIRDA;Driver periferica a infrarossi ALi;C:\Windows\System32\DRIVERS\alifir.sys [2001-08-17 21:49]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 09:53:40
Windows 5.1.2600 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-03-07 9.54.37
ComboFix-quarantined-files.txt 2008-03-07 08:54:35









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.05.13, on 07/03/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\brsvc01a.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\brss01a.exe
C:\Windows\System32\CAP3RSK.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe
C:\Windows\System32\atiptaxx.exe
C:\Programmi\Compaq\EAB\EabServr.exe
C:\Programmi\Compaq\EAB\bak\EabServr.exe
C:\Programmi\ClamWin\bin\ClamTray.exe
C:\Windows\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Programmi\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Finestra di stato di Canon LASER SHOT LBP-1120.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0843926066
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\System32\brsvc01a.exe

--
End of file - 4225 bytes
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 7th, 2008, 5:41 pm

Ciao

Please do not run any scans or install any programs while we are cleaning your computer :)

1 - Download and Run FindAWF
Please download FindAWF by noahdfear from >here<
Save the file to your desktop
Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 1 and press Enter on your keyboard
A Notepad window will open called awf.txt (this will have been saved to your desktop)
Click the Format menu and make sure that Wordwrap is NOT ticked. If it is then click on it to UNtick it.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Hijackthis log from Italy

Unread postby carra » March 8th, 2008, 4:32 pm

Here follows the FindAWF report...
Any clue?
Thanks for your help.

Michele








Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\COMPAQ\CPQSETUP\BAK

09/05/2002 14.13 172.101 cpqset.exe
1 File 172.101 byte
2 Directory 33.806.692.352 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\PROGRA~1\MESSEN~1\BAK

0 File 0 byte
2 Directory 33.806.692.352 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\WINDOWS\SYSTEM32\BAK

30/08/2001 18.00 13.312 ctfmon.exe
1 File 13.312 byte
2 Directory 33.806.688.256 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\PROGRA~1\COMPAQ\EAB\BAK

09/04/2002 11.49 69.632 EabServr.exe
1 File 69.632 byte
2 Directory 33.806.688.256 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

16/05/2002 17.54 540.672 SynTPEnh.exe
16/05/2002 17.56 126.976 SynTPLpr.exe
2 File 667.648 byte
2 Directory 33.806.688.256 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0


01/08/2002 00.14 684.032 DirectCD.exe
1 File 684.032 byte
2 Directory 33.806.688.256 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

30/07/2002 08.00 22.528 CAP3ONN.EXE
1 File 22.528 byte
2 Directory 33.806.688.256 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 1 Mar 2008 "C:\compaq\cpqsetup\cpqset.exe"
172101 9 May 2002 "C:\compaq\cpqsetup\bak\cpqset.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 30 Aug 2001 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\SoftwareDistribution\Download\59c09c8627b551c5be08ab5777d2dca8\ctfmon.exe"
14348 1 Mar 2008 "C:\Programmi\COMPAQ\EAB\EabServr.exe"
69632 9 Apr 2002 "C:\Programmi\COMPAQ\EAB\bak\EabServr.exe"
14348 1 Mar 2008 "C:\Programmi\Synaptics\SynTP\SynTPEnh.exe"
540672 16 May 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe"
540672 16 May 2002 "C:\compaq\Touchpad\WinNT5\Full\ALL\SynTPEnh.exe"
14348 1 Mar 2008 "C:\Programmi\Synaptics\SynTP\SynTPLpr.exe"
126976 16 May 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe"
126976 16 May 2002 "C:\compaq\Touchpad\WinNT5\Full\ALL\SynTPLpr.exe"
14348 1 Mar 2008 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 1 Aug 2002 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
22528 30 Jul 2002 "C:\Documents and Settings\padrone\Desktop\LBP1120_WinXP\CAP3ONN.EXE"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\canonlaser_shot_lbp_91d2\CAP3ONN.EXE"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAP3ONN.EXE"


end of report
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 8th, 2008, 5:07 pm

Hi Michele

Next step...

1 - Replace Files With FindAWF
With your mouse, highlight the following list of files in the quote box, then press Ctrl+C (Copy)
"C:\compaq\cpqsetup\bak\cpqset.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Programmi\COMPAQ\EAB\bak\EabServr.exe"
"C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAP3ONN.EXE"

Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 2 and press Enter on your keyboard
A Notepad window will open called files.txt.
Follow the instructions and click below the line.
Press Ctrl+V to paste the list of files to be restored.
Click File > Save then File > Exit

When FindAWF has finished processing, a new Notepad window will open.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Hijackthis log from Italy

Unread postby carra » March 9th, 2008, 10:30 am

Hi Vino Rosso.
These are my favourite VINI ROSSI: http://it.wikipedia.org/wiki/Gutturnio (no place like home) and http://en.wikipedia.org/wiki/Dolcetto (IMHO, the best).
Hereafter I post the new FindAWF log.
Is it possible to read some documentation about this 'cleansing' process my aunt's laptop is experiencing?
I definitely trust you but I'm curious to know what goes under the hood.
Thanks a lot.

Michele





Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully



bak folders found
~~~~~~~~~~~

Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\COMPAQ\CPQSETUP\BAK

09/05/2002 14.13 172.101 cpqset.exe
1 File 172.101 byte
2 Directory 33.803.227.136 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\PROGRA~1\MESSEN~1\BAK

0 File 0 byte
2 Directory 33.803.227.136 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\WINDOWS\SYSTEM32\BAK

30/08/2001 18.00 13.312 ctfmon.exe
1 File 13.312 byte
2 Directory 33.803.223.040 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\PROGRA~1\COMPAQ\EAB\BAK

09/04/2002 11.49 69.632 EabServr.exe
1 File 69.632 byte
2 Directory 33.803.223.040 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

16/05/2002 17.54 540.672 SynTPEnh.exe
16/05/2002 17.56 126.976 SynTPLpr.exe
2 File 667.648 byte
2 Directory 33.803.223.040 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0


01/08/2002 00.14 684.032 DirectCD.exe
1 File 684.032 byte
2 Directory 33.803.223.040 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: C06C-7AC0

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

30/07/2002 08.00 22.528 CAP3ONN.EXE
1 File 22.528 byte
2 Directory 33.803.223.040 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

172101 9 May 2002 "C:\compaq\cpqsetup\cpqset.exe"
172101 9 May 2002 "C:\compaq\cpqsetup\bak\cpqset.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 30 Aug 2001 "C:\WINDOWS\LastGood\system32\ctfmon.exe"
13312 30 Aug 2001 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\SoftwareDistribution\Download\59c09c8627b551c5be08ab5777d2dca8\ctfmon.exe"
69632 9 Apr 2002 "C:\Programmi\COMPAQ\EAB\EabServr.exe"
69632 9 Apr 2002 "C:\Programmi\COMPAQ\EAB\bak\EabServr.exe"
540672 16 May 2002 "C:\Programmi\Synaptics\SynTP\SynTPEnh.exe"
540672 16 May 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe"
540672 16 May 2002 "C:\compaq\Touchpad\WinNT5\Full\ALL\SynTPEnh.exe"
126976 16 May 2002 "C:\Programmi\Synaptics\SynTP\SynTPLpr.exe"
126976 16 May 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe"
126976 16 May 2002 "C:\compaq\Touchpad\WinNT5\Full\ALL\SynTPLpr.exe"
684032 1 Aug 2002 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 1 Aug 2002 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
22528 30 Jul 2002 "C:\Documents and Settings\padrone\Desktop\LBP1120_WinXP\CAP3ONN.EXE"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\canonlaser_shot_lbp_91d2\CAP3ONN.EXE"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAP3ONN.EXE"


end of report
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 9th, 2008, 3:04 pm

Ciao Michele

Here's one of my favourites: http://it.wikipedia.org/wiki/Amarone

carra wrote:Is it possible to read some documentation about this 'cleansing' process my aunt's laptop is experiencing?

The infection we've found, and there may yet be others, is Downloader.Agent.awf. This infection moves legitimate files into bak folders and renames itself as the original file.

1 - Delete Bak Folders With FindAWF
With your mouse, highlight the following list of folders in the quote box, then press Ctrl+C (Copy)
C:\compaq\cpqsetup\bak
C:\WINDOWS\system32\bak
C:\Programmi\COMPAQ\EAB\bak
C:\Programmi\Synaptics\SynTP\bak
C:\Programmi\Synaptics\SynTP\bak
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak

Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 3 and press Enter on your keyboard
A Notepad window will open called folders.txt.
Follow the instructions and click below the line.
Press Ctrl+V to paste the list of folders to be deleted.
Click File > Save then File > Exit

When FindAWF has finished processing, a new Notepad window will open.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

2 - Delete Domains With FindAWF
Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 4 and press Enter on your keyboard
When FindAWF has finished, the main menu will appear
Press E to Exit and press Enter on your keyboard.

3 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [screenshot]
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    [screenshot]
  • Copy and paste the report in your next post.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

4 - Check on status
After you have completed the above, please provide:
  1. the AWF report
  2. the Kaspersky report and
  3. a new HijackThis log
Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
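The way Downloader.Agent.awf shows up in the reports posted above is mechanical: each renamed dropper sits in the original location next to a bak folder holding the real program, and every replaced file shares one size and date (14348 bytes, 1 Mar 2008, in the first FindAWF report) because they are all copies of the same binary. The script below is an added example, not part of this thread and not code from FindAWF or ComboFix: it parses the "Duplicate files of bak directory contents" section of a FindAWF report (and, as a generalisation, the AWF section of a ComboFix log), pairs each bak copy with the file now at its original path, flags mismatches, and then looks for the uniform size/date cluster that distinguishes the dropper from an ordinary update. The sample lines are taken from the two reports above; the function and class names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# FindAWF "Duplicate files" line:   <size> <d Mon yyyy> "<full path>"
FINDAWF_RE = re.compile(r'^\s*(\d+)\s+(\d{1,2} [A-Za-z]{3} \d{4})\s+"([^"]+)"\s*$')
# ComboFix "AWF" section line:      ----a-w <size,with,commas> <yyyy-mm-dd> <hh:mm:ss> <path>
COMBOFIX_RE = re.compile(r'^\s*[-a-z]{7}\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(\S.*?)\s*$')


class Entry(NamedTuple):
    size: int
    date: str
    path: str


class Finding(NamedTuple):
    live_path: str   # file that now occupies the original location
    bak_path: str    # original program, moved into the bak folder
    live_size: int
    live_date: str
    bak_size: int
    bak_date: str


def parse_report(text: str) -> List[Entry]:
    """Collect size/date/path triples from either report format; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FINDAWF_RE.match(line) or COMBOFIX_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1).replace(",", "")), m.group(2), m.group(3)))
    return entries


def live_counterpart(path: str) -> Optional[str]:
    r"""Map ...\dir\bak\file.exe to ...\dir\file.exe; None when the file is not in a bak folder."""
    parts = path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + parts[-1:])


def find_replaced(entries: List[Entry]) -> List[Finding]:
    """Pair every bak copy with the file at its original path and report any size/date mismatch."""
    by_path: Dict[str, Entry] = {e.path.lower(): e for e in entries}
    findings = []
    for bak in entries:
        live_path = live_counterpart(bak.path)
        if live_path is None:
            continue
        live = by_path.get(live_path.lower())
        if live is None:
            continue  # bak copy whose original location is empty: nothing to compare
        if (live.size, live.date) != (bak.size, bak.date):
            findings.append(Finding(live.path, bak.path, live.size, live.date, bak.size, bak.date))
    return findings


def dropper_cluster(findings: List[Finding]) -> Optional[Tuple[int, str, List[str]]]:
    """Strongest AWF signal: two or more replaced files now share one size and date.
    Returns (size, date, live paths) or None when no such cluster exists."""
    counts = Counter((f.live_size, f.live_date) for f in findings)
    if not counts:
        return None
    (size, date), n = counts.most_common(1)[0]
    if n < 2:
        return None
    return size, date, [f.live_path for f in findings if (f.live_size, f.live_date) == (size, date)]


# Sample input: lines from the first FindAWF report in the thread (before option 2 was run).
BEFORE_RESTORE = r"""
14348 1 Mar 2008 "C:\compaq\cpqsetup\cpqset.exe"
172101 9 May 2002 "C:\compaq\cpqsetup\bak\cpqset.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 30 Aug 2001 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\SoftwareDistribution\Download\59c09c8627b551c5be08ab5777d2dca8\ctfmon.exe"
14348 1 Mar 2008 "C:\Programmi\COMPAQ\EAB\EabServr.exe"
69632 9 Apr 2002 "C:\Programmi\COMPAQ\EAB\bak\EabServr.exe"
14348 1 Mar 2008 "C:\Programmi\Synaptics\SynTP\SynTPEnh.exe"
540672 16 May 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe"
14348 1 Mar 2008 "C:\Programmi\Synaptics\SynTP\SynTPLpr.exe"
126976 16 May 2002 "C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe"
14348 1 Mar 2008 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 1 Aug 2002 "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAP3ONN.EXE"
"""

# Sample input: lines from the second FindAWF report (after option 2 restored the originals).
AFTER_RESTORE = r"""
172101 9 May 2002 "C:\compaq\cpqsetup\cpqset.exe"
172101 9 May 2002 "C:\compaq\cpqsetup\bak\cpqset.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 30 Aug 2001 "C:\WINDOWS\system32\bak\ctfmon.exe"
69632 9 Apr 2002 "C:\Programmi\COMPAQ\EAB\EabServr.exe"
69632 9 Apr 2002 "C:\Programmi\COMPAQ\EAB\bak\EabServr.exe"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE"
22528 30 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAP3ONN.EXE"
"""

# Sample input: the same pairing in ComboFix's own AWF format (two lines from the log above).
COMBOFIX_AWF = r"""
----a-w 172,101 2002-05-09 13:13:52 C:\compaq\cpqsetup\bak\cpqset.exe
----a-w 14,348 2008-03-01 18:42:15 C:\compaq\cpqsetup\cpqset.exe
"""

if __name__ == "__main__":
    for label, text in (("before restore", BEFORE_RESTORE), ("after restore", AFTER_RESTORE)):
        found = find_replaced(parse_report(text))
        print(f"{label}: {len(found)} replaced file(s), cluster = {dropper_cluster(found)}")
```

On the first report the script flags six replaced files and a cluster of five sharing 14348 bytes / 1 Mar 2008, which is the dropper. After option 2 it still flags ctfmon.exe, because the live copy (15360 bytes, 2004) is newer and larger than the bak copy; that is the profile of a Windows update rather than of AWF, and the absence of a cluster says so. A bare size mismatch is therefore a prompt for review, not a verdict, which is why the helper reads the report rather than deleting on sight.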

Re: Hijackthis log from Italy

Unread postby carra » March 12th, 2008, 3:56 pm

Hi Vino,
You can find attached the three logs.
Thanks for your collaboration.
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 12th, 2008, 6:34 pm

Hi Michele

Unfortunately, it looks like there were a number of programs that were open or in use while the Kaspersky scan was running. As a result, there are many files that were not scanned and therefore we don't know whether they are infected.

We'll take a slightly different approach...

1 - Clean Up Temporary Files
Download CCleaner Slim from >here< and save it to your Desktop.

When the file has been saved, re-boot your computer - do not start any programs

On the Desktop, double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.
Complete the installation then:
  • Make sure that ALL programs and windows are still closed
  • Double-click the CCleaner shortcut on the desktop to start the program.
  • Click on the Options block on the left, then choose Cookies.
    • Under Cookies to Delete, highlight any cookies you would like to retain permanently
    • Click the right arrow > to move them to the Cookies to Keep window.
  • Go into Options > Advanced and deselect/uncheck 'Only delete files in Windows Temp folders older than 48 hours'
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry.
  • After CCleaner has completed its process, click Exit.


Start Internet Explorer - do NOT start any other programs - and run another Kaspersky scan.


2 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (if available, otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Image
  • Copy and paste the report in your next post.
Note: It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Hijackthis log from Italy

Unread postby carra » March 13th, 2008, 4:03 am

Hi Vino Rosso,
I noticed myself that something went wrong with the Kaspersky scan.
I'll follow your directions, but I point out that I switched off Spybot S&D while scanning.
Is it still possible that SpybotS&D locked a bunch of system files?
Thanks for helping.

carra
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm

Re: Hijackthis log from Italy

Unread postby Vino Rosso » March 13th, 2008, 1:59 pm

It shouldn't have... and some of the files that were in use were nothing to do with SpyBot.

Please try the scan again as in my previous post.

Thanks
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Hijackthis log from Italy

Unread postby carra » March 14th, 2008, 12:19 pm

Hi Vino Rosso,
I attach the second report, with AWF HIJ and KASP logs.
Feels like something is messed up.
Looking forward to your news.
Thanks for helping!

Michele "carra"
carra
Active Member
 
Posts: 11
Joined: March 6th, 2008, 5:16 pm