CN.wAQdn, Hupigon13 and other

Post by keplero » October 20th, 2008, 5:58 pm

Hi all,
I experienced my first infection, and I think I can't remove it on my own, so I'm calling for your help.
Resuming my laptop from hibernation, copies of Internet Explorer started popping up,
pointing to various types of advertising pages, one or two pop-up windows at random every 1 or 2 minutes.
It seems to be the only damage, but this is enough!
After looking at the Spybot forum and Malware Removal, these were my steps:

- HJT installation
- Spybot --> search update (already 1.6) --> immunize
- wireless internet connection disabled
- reboot in safe mode
- run Spybot search: found these
CN.wAQdN (SBI $ABCAF88C)
Hupigon13 (SBI $D5A7DCB6)
Microsoft.Windows.Security.InternetExplorer (SBI $366713D4)
-->fixed items
- run Spybot search: found this
CN.wAQdN (SBI $ABCAF88C)
-->fixed item
- run Spybot search: found this
CN.wAQdN (SBI $ABCAF88C)
-->fixed item
- run Spybot search: nothing detected
- Spybot settings: at next system start perform a scan of system
- reboot: this (*) is the log from the Spybot system startup report
- closed Spybot --> system started, and I saw many DOS windows with a DEL command closing on an error (I was not able to read the type of error)
- run HJT: this (**) is the log

Maybe this note is useful. I see in C:\WINDOWS some files with the date/time of the first pop-up: LSASS.EXE, LSPRN.EXE
I deleted these files, or moved them to another directory, but they came back in C:\WINDOWS at the next pop-up.
Also SHAPI32.DLL, DIVX32.DLL and IEXPLORER.HTML came back, but with the current date/time.

As the pop-up windows are in action again :(
please help me.
Thanks to all of you.



(*)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-08-14 blindman.exe (1.0.0.8 )
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-09-16 TeaTimer.exe (1.6.3.25)
2004-04-27 unins000.exe (51.13.0.0)
2008-10-18 unins001.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-08-14 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-08-14 Tools.dll (2.1.5.7)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2008-09-02 Includes\Adware.sbi
2008-10-14 Includes\AdwareC.sbi
2008-06-03 Includes\Cookies.sbi
2008-09-02 Includes\Dialer.sbi
2008-09-09 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-09-02 Includes\Hijackers.sbi
2008-10-07 Includes\HijackersC.sbi
2008-09-09 Includes\Keyloggers.sbi
2008-10-14 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-10-08 Includes\Malware.sbi
2008-10-14 Includes\MalwareC.sbi
2008-09-02 Includes\PUPS.sbi
2008-10-14 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-18 Includes\Security.sbi
2008-09-30 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-09-09 Includes\Spyware.sbi
2008-10-14 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-10-15 Includes\Trojans.sbi
2008-10-14 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, AcctMgr
command: C:\Programmi\Norton Password Manager\AcctMgr.exe /startup
file: C:\Programmi\Norton Password Manager\AcctMgr.exe
size: 586856
MD5: 4D59B55E5110C22A3017F2AA5BE17921

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, ccApp
command: "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
file: C:\Programmi\File comuni\Symantec Shared\ccApp.exe
size: 48800
MD5: 0749F1314ED43AE413811E04C60AAA29

Located: HK_LM:Run, Client Access Check Version
command: "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
file: C:\Programmi\IBM\Client Access\cwbckver.exe
size: 45106
MD5: 8F2D4B54CA39F51AA711D7E4A5558E5C

Located: HK_LM:Run, Client Access Express Welcome
command: "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
file: C:\Programmi\IBM\Client Access\cwbwlwiz.exe
size: 20480
MD5: 1EF10A997CA0229376E8BEB062EC3615

Located: HK_LM:Run, Client Access Help Update
command: "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
file: C:\Programmi\IBM\Client Access\cwbinhlp.exe
size: 24576
MD5: EF72AF94D1539BA5FA19E74F159B374C

Located: HK_LM:Run, Client Access Service
command: "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
file: C:\Programmi\IBM\Client Access\cwbsvstr.exe
size: 20530
MD5: EEA01712BBD0AE07FF856546E4050829

Located: HK_LM:Run, DLA
command: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
file: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
size: 122940
MD5: E3A9C76AD9192C82F80326ECDDA21C34

Located: HK_LM:Run, FinePrint Dispatcher v5
command: "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
size: 487424
MD5: 430F617B214360CC68BC258C6CD28A52

Located: HK_LM:Run, High Definition Audio Property Page Shortcut
command: CHDAudPropShortcut.exe
file: C:\WINDOWS\system32\CHDAudPropShortcut.exe
size: 61952
MD5: FC162EC20A667347C1E861C0B1C53C6D

Located: HK_LM:Run, IntelWireless
command: "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
file: C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
size: 602182
MD5: D4830448B45CDD45F4285DC6E152764F

Located: HK_LM:Run, IntelZeroConfig
command: "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
file: C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
size: 667718
MD5: 5A6ACFF04D39D4C16F1FF52682C3B1B0

Located: HK_LM:Run, Norton Ghost 9.0
command: C:\Programmi\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
file: C:\Programmi\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
size: 1126400
MD5: 60EC38D29B41FC824D1B7BE600657E33

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 7557120
MD5: D525870A485011C59776355607AF353D

Located: HK_LM:Run, NvMediaCenter
command: RunDLL32.exe NvMCTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMCTray.dll
size: 86016
MD5: CE732B70E0A46A3DF1A6679D07F10742

Located: HK_LM:Run, nwiz
command: nwiz.exe /installquiet
file: C:\WINDOWS\system32\nwiz.exe
size: 1519616
MD5: 231C547D261D5BE976C1D788C7D84E30

Located: HK_LM:Run, pdfFactory Pro Dispatcher v2
command: "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
size: 487424
MD5: E754897641D07249F5C878EDFF7956EC

Located: HK_LM:Run, Print Spooler
command: C:\WINDOWS\system32\SPOOLER.EXE
file: C:\WINDOWS\system32\SPOOLER.EXE
size: 660730
MD5: FC7E0D08A7C1A12B7B9D81A76FE3DC5E

Located: HK_LM:Run, Printer Driver
command: C:\WINDOWS\system32\PRINTDRV.EXE
file: C:\WINDOWS\system32\PRINTDRV.EXE
size: 501248
MD5: 8938ACB134BAA937D0CED8BC0CA708F9

Located: HK_LM:Run, QD FastAndSafe
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, SmoothView
command: C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
file: C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
size: 118784
MD5: 25BC5744AAED8FBD4FEF765FCA7921F5

Located: HK_LM:Run, SynTPEnh
command: C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
file: C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
size: 761948
MD5: 6668B0E0B95E75CE3F3C8F737830F320

Located: HK_LM:Run, Toshiba Hotkey Utility
command: "C:\Programmi\Toshiba\Windows Utilities\Hotkey.exe" /lang IT
file: C:\Programmi\Toshiba\Windows Utilities\Hotkey.exe
size: 1773568
MD5: 209DA567605D72113061D09948FE19DB

Located: HK_LM:Run, ToshibaApp
command: C:\WINDOWS\SMSC\CIRHID\V1_0_0000_0\ToshibaRC.exe
file: C:\WINDOWS\SMSC\CIRHID\V1_0_0000_0\ToshibaRC.exe
size: 110592
MD5: 91F6AF916C7ACE8C6E1960B65BA66CE5

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\\vptray.exe
file: C:\PROGRA~1\SYMANT~1\\vptray.exe
size: 85648
MD5: 8E8A48AA2EA22A6A57AC000CAD779CE7

Located: HK_LM:RunOnce, SpybotDeletingA6467
command: command /c del "C:\WINDOWS\lsass.exe"
file: command /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingA81
command: command /c del "C:\WINDOWS\lsass.exe"
file: command /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingC734
command: cmd /c del "C:\WINDOWS\lsass.exe"
file: cmd /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingC8619
command: cmd /c del "C:\WINDOWS\lsass.exe"
file: cmd /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, PCSuiteTrayApplication (DISABLED)
command: C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
file: C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5B33B4265966EE063C7FBEA28958D9C2

Located: HK_CU:Run, PcSync
where: .DEFAULT...
command: C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
file: C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5B33B4265966EE063C7FBEA28958D9C2

Located: HK_CU:Run, TOSCDSPD
where: PE_C_ADMINISTRATOR...
command: C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
file: C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
size: 65536
MD5: A703C4731596880BBF98F79BD6F6E0EC

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-19...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5B33B4265966EE063C7FBEA28958D9C2

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-20...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5B33B4265966EE063C7FBEA28958D9C2

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5B33B4265966EE063C7FBEA28958D9C2

Located: HK_CU:Run, Norton SystemWorks
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: "C:\Programmi\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
file: C:\Programmi\Norton SystemWorks\cfgwiz.exe
size: 132248
MD5: 0F0E1A4C60F61D8B67DC235D6D85FC68

Located: HK_CU:Run, TOSCDSPD
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
file: C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
size: 65536
MD5: A703C4731596880BBF98F79BD6F6E0EC

Located: HK_CU:RunOnce, SpybotDeletingB2300
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: command /c del "C:\WINDOWS\lsass.exe"
file: command /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8502
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: command /c del "C:\WINDOWS\lsass.exe"
file: command /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9659
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: command /c del "C:\WINDOWS\lsass.exe"
file: command /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD1398
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: cmd /c del "C:\WINDOWS\lsass.exe"
file: cmd /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD4745
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: cmd /c del "C:\WINDOWS\lsass.exe"
file: cmd /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD5604
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: cmd /c del "C:\WINDOWS\lsass.exe"
file: cmd /c del "C:\WINDOWS\lsass.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, MSMSGS (DISABLED)
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: "C:\Programmi\Messenger\msmsgs.exe" /background
file: C:\Programmi\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259

Located: HK_CU:Run, SRS Audio Sandbox (DISABLED)
where: S-1-5-21-3985604673-1240505574-1246722473-1005...
command: "C:\Programmi\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
file: C:\Programmi\SRS Labs\Audio Sandbox\SRSSSC.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5B33B4265966EE063C7FBEA28958D9C2

Located: HK_CU:Run, PcSync
where: S-1-5-18...
command: C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
file: C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Bluetooth Manager.lnk
where: C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica...
command: C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
file: C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
size: 1753088
MD5: 7DC9FB9437B4A84A45A090CBD1D6AC38

Located: Startup (common), RAMASST.lnk
where: C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica...
command: C:\WINDOWS\system32\RAMASST.exe
file: C:\WINDOWS\system32\RAMASST.exe
size: 155648
MD5: 5648152AD2CCAB0265EAB9711755F484

Located: Startup (common), VPN Client.lnk
where: C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica...
command: C:\WINDOWS\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico
file: C:\WINDOWS\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico
size: 6144
MD5: 85AB6C3089BEE58999B434E114E8A64C

Located: Startup (user), Webshots.lnk
where: C:\Documents and Settings\CCC\Menu Avvio\Programmi\Esecuzione automatica...
command: C:\Programmi\Webshots\Launcher.exe
file: C:\Programmi\Webshots\Launcher.exe
size: 45056
MD5: C49ABED368CA0F06EFF3C715C62C781C

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, NavLogon
command: C:\WINDOWS\system32\NavLogon.dll
file: C:\WINDOWS\system32\NavLogon.dll
size: 43664
MD5: AEB5C5FF1B3FE9994534E5D47B87E282

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!


-------------------------------------------------------------------------------------

(**)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.27.07, on 20/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SMSC\CIRHID\V1_0_0000_0\ToshibaRC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Toshiba\Windows Utilities\Hotkey.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Programmi\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programmi\Norton Password Manager\AcctMgr.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\PRINTDRV.EXE
C:\WINDOWS\system32\SPOOLER.EXE
C:\Programmi\Synaptics\SynTP\Toshiba.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\lsass.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Webshots\webshots.scr
C:\WINDOWS\LSPRN.EXE
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdmcks.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ToshibaApp] C:\WINDOWS\SMSC\CIRHID\V1_0_0000_0\ToshibaRC.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Programmi\Toshiba\Windows Utilities\Hotkey.exe" /lang IT
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Programmi\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AcctMgr] C:\Programmi\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Printer Driver] C:\WINDOWS\system32\PRINTDRV.EXE
O4 - HKLM\..\Run: [Print Spooler] C:\WINDOWS\system32\SPOOLER.EXE
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Programmi\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [LocalSecurityAuthoritySubsystem] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Policies\Explorer\Run: [PrinterSecurityLayer] C:\WINDOWS\LSPRN.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Programmi\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5605034515
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E1B086D-632D-4E64-AD6C-7F94D0069BCD}: NameServer = 193.70.152.25
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Comando remoto iSeries Access per Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12128 bytes
keplero
Active Member
Posts: 2
Joined: October 19th, 2008, 6:02 pm
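An added example (not part of the original posts, and not HijackThis or Spybot code) showing the two checks a helper would do by hand on the HijackThis log above: a core Windows process name such as lsass.exe running from a directory Windows never uses for it, and autostart entries under Policies\Explorer\Run, a key legitimate installers rarely touch. The EXPECTED_DIR table is an assumption that matches Windows XP; the sample log lines are copied from the HijackThis log in the post above.

```python
"""Triage a HijackThis 2.x log for masquerading system names and odd autostarts.

Added example for this thread; not code from the original posts, HijackThis or
Spybot. It reads the "Running processes" list and the O4 lines and reports
(a) a core Windows process name running outside the directory Windows keeps it
in (the second lsass.exe in C:\\WINDOWS) and (b) autostarts in
Policies\\Explorer\\Run. EXPECTED_DIR is an assumption that matches Windows XP.
"""
import ntpath
import re

# Core Windows XP processes and the single directory each one runs from.
# Anything carrying one of these file names in another directory is a masquerade.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# "O4 - <hive\..\key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def _exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def masquerading(paths):
    """(path, expected_dir) for each core-process name found outside its directory."""
    hits = []
    for p in paths:
        want = EXPECTED_DIR.get(ntpath.basename(p).lower())
        here = ntpath.dirname(p).lower()
        if want is not None and here and here != want:
            hits.append((p, want))
    return hits


def parse_hjt(log: str):
    """Split a log into running-process paths and (where, name, exe) autostarts."""
    processes, autostarts = [], []
    in_procs = False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                        # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:                                   # trailing "(User '...')" is dropped by _exe_from_command
            autostarts.append((m["where"], m["name"], _exe_from_command(m["cmd"])))
    return processes, autostarts


def triage(log: str):
    """Return (kind, detail) findings; kind is 'masquerade' or 'policy_run'."""
    processes, autostarts = parse_hjt(log)
    findings = [("masquerade", f"running process {p}; Windows keeps this binary in {want}")
                for p, want in masquerading(processes)]
    for where, name, exe in autostarts:
        if where.lower().endswith(r"policies\explorer\run"):
            findings.append(("policy_run", f"[{name}] -> {exe} in {where}"))
        for p, want in masquerading([exe]):
            findings.append(("masquerade", f"autostart [{name}] launches {p}; Windows keeps this binary in {want}"))
    return findings


# Lines copied from the HijackThis log posted above (abridged).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SPOOLER.EXE
C:\WINDOWS\lsass.exe
C:\WINDOWS\LSPRN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Print Spooler] C:\WINDOWS\system32\SPOOLER.EXE
O4 - HKLM\..\Policies\Explorer\Run: [LocalSecurityAuthoritySubsystem] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Policies\Explorer\Run: [PrinterSecurityLayer] C:\WINDOWS\LSPRN.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:10} {detail}")
```

Run it against a saved log with triage(open("hijackthis.log").read()). The legitimate C:\WINDOWS\system32\lsass.exe passes, the second copy in C:\WINDOWS is reported both as a running process and as the target of the LocalSecurityAuthoritySubsystem autostart, and both Policies\Explorer\Run entries are listed. Names that merely sound like Windows components (SPOOLER.EXE, PRINTDRV.EXE) are not in the table, so they still need a look by hand.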

Re: CN.wAQdn, Hupigon13 and other

Post by Shaba » October 22nd, 2008, 4:01 am

Hi keplero

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: CN.wAQdn, Hupigon13 and other

Post by keplero » October 22nd, 2008, 5:36 pm

Hi Shaba,
If I can't rely on my laptop any more, I think that reinstalling is the better solution :(

Some questions:
- do I "format" the HD, then reinstall the OS?
- Antivirus Symantec Corporate 10.0.2.2000, engine 81.2.0.25: is it still a good solution, or is it better to search for something else?
- I have a copy of the My Documents folder and other files on an external drive, which was disconnected from the laptop before I saw the effect of this trojan. Can I reconnect the external drive to the reinstalled laptop, or do I have to follow some procedure first?
Please, should you have any suggestions, you are welcome!

Thanks so much for your good work.
keplero
Active Member
Posts: 2
Joined: October 19th, 2008, 6:02 pm

Re: CN.wAQdn, Hupigon13 and other

Post by Shaba » October 23rd, 2008, 3:44 am

"Some questions:
- do I "format" the HD, then reinstall the OS?
- Antivirus Symantec Corporate 10.0.2.2000, engine 81.2.0.25: is it still a good solution, or is it better to search for something else?
- I have a copy of the My Documents folder and other files on an external drive, which was disconnected from the laptop before I saw the effect of this trojan. Can I reconnect the external drive to the reinstalled laptop, or do I have to follow some procedure first?"

Reinstalling the OS will format the HD, too.

Symantec AV should be fine.

It should be pretty safe, but I recommend disabling AutoRun before that; see here
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
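The AutoRun advice in the post above, as an added example rather than code from the forum, Spybot or Microsoft: the setting that controls AutoRun on Windows XP is the NoDriveTypeAutoRun bitmask under the Policies\Explorer key (HKLM overrides HKCU), and on XP/Server 2003 Microsoft update 967715 adds HonorAutorunSetting, which must be 1 for the mask to be honoured. The script parses a registry export (.reg) and decodes the effective state. The key and value names are the real ones; the two exports embedded below are constructed, one showing the XP default (removable drives still AutoRun) and one showing what the fix leaves behind.

```python
"""Check a registry export (.reg) for AutoRun being disabled.

Added example for this thread; not code from the forum or from Spybot. It
parses the text `reg export` writes (Windows Registry Editor Version 5.00
format) and decodes NoDriveTypeAutoRun plus the HonorAutorunSetting flag that
Microsoft update 967715 adds on Windows XP / Server 2003. The two exports at the
bottom are constructed.
"""

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Bit n of NoDriveTypeAutoRun disables AutoRun for DRIVE_* type n (a set bit = off).
DRIVE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE: USB sticks (USB hard disks usually report as fixed)
    "fixed": 0x08,        # DRIVE_FIXED
    "remote": 0x10,       # DRIVE_REMOTE: network shares
    "cdrom": 0x20,        # DRIVE_CDROM
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,     # drive types not listed above
}
XP_DEFAULT_MASK = 0x91    # XP default: only unknown, remote and reserved types are off


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path_lowercased: {value_name: data}}.

    dword values become ints and quoted strings become str; other value types
    are kept as raw text. Key paths are lower-cased because the registry is
    case-insensitive.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        else:
            keys[current][name] = data
    return keys


def autorun_status(reg: dict) -> dict:
    """Effective AutoRun state; the HKLM policy key overrides HKCU, as in Windows."""
    hklm = reg.get(("HKEY_LOCAL_MACHINE\\" + POLICY_KEY).lower(), {})
    hkcu = reg.get(("HKEY_CURRENT_USER\\" + POLICY_KEY).lower(), {})
    mask = hklm.get("NoDriveTypeAutoRun", hkcu.get("NoDriveTypeAutoRun", XP_DEFAULT_MASK))
    # On XP/2003 with update 967715 the mask is only honoured when this flag is 1.
    honor = hklm.get("HonorAutorunSetting", 0) == 1
    return {
        "mask": mask,
        "honor_autorun_setting": honor,
        "disabled_for": sorted(n for n, bit in DRIVE_BITS.items() if mask & bit),
        "all_disabled": (mask & 0xFF) == 0xFF and honor,
    }


# Constructed export of the Windows XP default (AutoRun still on for removable drives).
WEAK_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed export after the fix; importing this text with regedit applies it.
HARDENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutorunSetting"=dword:00000001
"""

if __name__ == "__main__":
    for label, text in (("XP default", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, autorun_status(parse_reg(text)))
```

On the machine, export the key with reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" explorer.reg (and the same path under HKCU) and feed the file contents to autorun_status(parse_reg(...)); reg export writes UTF-16, so open the file with encoding="utf-16". Saving HARDENED_EXPORT as a .reg file and importing it is the fix itself, and the check should then report all_disabled True before the external drive is plugged back in.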

Re: CN.wAQdn, Hupigon13 and other

Post by Shaba » October 28th, 2008, 9:16 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland