help - how to get rid of trojan-downloader.win32.small.htb?

[distillata]

Dear people,
two days ago Zone Alarm detected this trojan called trojan-downloader.win32.small.htb, but it is unable to repair it, quarantine it, delete it or ignore it. it just freezes everything.

i installed nod32 trial version, but it seems not to be updated with this virus definition, as it doesn't find it.

i run the hijackthis (shutting down zone alarm) and here come the log and the "extra" in attachment.

what shall i do to remove it? please help me, i have to deliver my thesis...:(((

Deckard's System Scanner v20071014.68
Run by aga on 2008-02-08 18:12:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-02-08 17:12:48 UTC - RP817 - Deckard's System Scanner Restore Point
3: 2008-02-08 17:07:19 UTC - RP816 - Last known good configuration
2: 2008-02-08 17:07:05 UTC - RP815 - Installed ESET NOD32 Antivirus
1: 2008-02-08 17:07:04 UTC - RP814 - Java(TM) 6 Update 3 installato


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.34 GiB (less than 15%) free.


-- HijackThis (run as aga.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.14.27, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\aga\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\aga.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7129D651-4A8D-4DA7-9238-371D5FFE2F89} - C:\WINDOWS\system32\ddccy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\yaywwvw.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\aga\IMPOST~1\Temp\2007916135519_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...34/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yaywwvw - C:\WINDOWS\SYSTEM32\yaywwvw.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: RIO Mass Storage C (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6563 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S2 Aspi32 - c:\windows\system32\drivers\aspi32.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RioMSC (RIO Mass Storage C) - c:\windows\system32\riomsc.exe <Not Verified; Digital Networks North America, Inc.; Rio Mass Storage Class Device Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Controller USB ( Universal Serial Bus)
Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70011849&REV_00\3&61AAA01&0&1A
Manufacturer:
Name: Controller USB ( Universal Serial Bus)
PNP Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70011849&REV_00\3&61AAA01&0&1A
Service:


-- Files created between 2008-01-08 and 2008-02-08 -----------------------------

2008-02-08 18:14:13 0 d-------- C:\Programmi\Trend Micro
2008-02-08 1848 3012 --ahs---- C:\WINDOWS\system32\yccdd.ini2
2008-02-08 1828 338432 --a------ C:\WINDOWS\system32\ddccy.dll
2008-02-03 20:59:32 2243260 --ah----- C:\WINDOWS\system32\spython.bin
2008-02-03 17:37:38 38400 --a------ C:\WINDOWS\system32\awtqpnk.dll
2008-02-03 17:35:03 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-03 17:35:01 696320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-03 17:31:18 38400 --a------ C:\WINDOWS\system32\yaywwvw.dll
2008-02-03 16:07:49 0 d-------- C:\Programmi\iolo


-- Find3M Report ---------------------------------------------------------------

2008-02-05 01:16:22 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80271102}.dat
2008-02-05 01:16:22 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80271102}.dat
2008-02-04 16:51:21 425432 --a------ C:\WINDOWS\system32\perfh010.dat
2008-02-04 16:51:21 63180 --a------ C:\WINDOWS\system32\perfc010.dat
2008-02-04 1656 7907 --a------ C:\WINDOWS\mozver.dat
2008-02-04 1605 0 d-------- C:\Programmi\Java
2008-02-03 17:55:03 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\iolo
2008-02-03 17:27:44 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Azureus
2008-02-03 15:59:45 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-02-03 05:16:26 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Skype
2008-02-03 01:31:23 0 d-------- C:\Programmi\Soulseek
2008-02-01 15:25:10 512 --a------ C:\ScanSectorLog.dat
2008-01-29 00:53:44 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\dvdcss
2008-01-29 00:53:29 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\BSplayer Pro
2008-01-28 17:14:07 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\VoipBuster
2008-01-17 03:29:29 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Adobe
2008-01-16 04:29:12 0 d-------- C:\Programmi\File comuni\Adobe
2008-01-16 04:21:06 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\AdobeUM
2008-01-07 14:53:07 0 d-------- C:\Programmi\Azureus
2007-12-15 18:07:29 0 d-------- C:\Programmi\Free Music Zilla
2007-12-15 17:47:36 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\FMZilla
2007-11-28 22:17:33 335 --a------ C:\WINDOWS\mozregistry.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7129D651-4A8D-4DA7-9238-371D5FFE2F89}]
08/02/2008 18.06 338432 --a------ C:\WINDOWS\system32\ddccy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]
03/02/2008 17.31 38400 --a------ C:\WINDOWS\system32\yaywwvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [30/10/2002 10.40]
"Cmaudio"="cmicnfg.cpl" []
"WINDVDPatch"="CTHELPER.EXE" [02/07/2002 17.56 C:\WINDOWS\system32\CTHELPER.EXE]
"Cleanup"="C:\DOCUME~1\aga\IMPOST~1\Temp\2007916135519_mcappins.exe" []
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16.05]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01.11]
"egui"="C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" [21/12/2007 08.21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 23.39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}"= C:\WINDOWS\system32\yaywwvw.dll [03/02/2008 17.31 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywwvw]
yaywwvw.dll 03/02/2008 17.31 38400 C:\WINDOWS\system32\yaywwvw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddccy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Programmi\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmi\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Programmi\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programmi\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ImapiService"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-02-08 18:16:04 ------------

[eXPeri3nc3]

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

[eXPeri3nc3]

Hi distillata,

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions as this webpage would not be available when you're carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result.

----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

• When the tool is finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log so we may continue cleaning the system.

--------------------------------------------------------------------

Please also provide details of any problems you encountered whilst performing the above steps (if any) & update us on how the computer behaves now.

--------------------------------------------------------------------

[distillata]

Hello, thanks for helping me.
here is the combofix log:

ComboFix 08-02.05.3 - aga 2008-02-08 21.16.14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.725 [GMT 1:00]
Eseguito da: C:\Documents and Settings\aga\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yaywwvw.dll
C:\WINDOWS\system32\awtqpnk.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yaywwvw.dll
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2

.
((((((((((((((((((((((((( Files Creati Da 2008-01-08 al 2008-02-08 )))))))))))))))))))))))))))))))))))
.

2008-02-08 18:14 . 2008-02-08 18:14 <DIR> d-------- C:\Programmi\Trend Micro
2008-02-08 18:12 . 2008-02-08 18:12 <DIR> d-------- C:\Deckard
2008-02-04 17:58 . 2008-02-04 17:58 <DIR> d-------- C:\Programmi\ESET
2008-02-04 17:58 . 2008-02-04 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\ESET
2008-02-04 16:49 . 2008-02-04 17:44 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-02-04 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-03 20:59 . 2008-02-03 20:59 2,243,260 --ah----- C:\WINDOWS\system32\spython.bin
2008-02-03 17:55 . 2008-02-03 17:55 <DIR> d-------- C:\Documents and Settings\aga\Dati applicazioni\iolo
2008-02-03 17:35 . 2006-03-28 08:54 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-03 17:35 . 2006-03-28 08:55 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-03 17:00 . 2008-02-04 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\iolo
2008-02-03 16:10 . 2008-02-03 16:10 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-03 16:07 . 2008-02-04 02:13 <DIR> d-------- C:\Programmi\iolo
2008-02-03 15:53 . 2008-02-03 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\MailFrontier
2008-02-03 15:51 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-29 00:53 . 2008-01-29 00:53 <DIR> d-------- C:\Documents and Settings\aga\Dati applicazioni\dvdcss
2008-01-13 02:50 . 2008-01-13 02:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-13 02:50 . 2008-01-13 02:50 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 20:56 36,918,816 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-08 20:53 497,540 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-04 15:06 --------- d-----w C:\Programmi\Java
2008-02-03 16:27 --------- d-----w C:\Documents and Settings\aga\Dati applicazioni\Azureus
2008-02-03 04:16 --------- d-----w C:\Documents and Settings\aga\Dati applicazioni\Skype
2008-02-03 00:31 --------- d-----w C:\Programmi\Soulseek
2008-02-01 14:25 512 ----a-w C:\ScanSectorLog.dat
2008-01-28 23:53 --------- d-----w C:\Documents and Settings\aga\Dati applicazioni\BSplayer Pro
2008-01-28 16:14 --------- d-----w C:\Documents and Settings\aga\Dati applicazioni\VoipBuster
2008-01-16 03:29 --------- d-----w C:\Programmi\File comuni\Adobe
2008-01-16 03:21 --------- d-----w C:\Documents and Settings\aga\Dati applicazioni\AdobeUM
2008-01-07 13:53 --------- d-----w C:\Programmi\Azureus
2007-12-21 07:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 07:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 07:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-15 17:07 --------- d-----w C:\Programmi\Free Music Zilla
2007-12-15 16:47 --------- d-----w C:\Documents and Settings\aga\Dati applicazioni\FMZilla
2007-11-14 15:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2006-03-05 16:53 22,288 -c--a-w C:\Documents and Settings\aga\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-10-30 10:40 28672]
"Cmaudio"="cmicnfg.cpl" []
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"egui"="C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2005-02-17 17:37 2903636 C:\Programmi\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2004-05-25 21:47 98304 C:\Programmi\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Programmi\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
--a--c--- 2002-07-12 11:15 106496 C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-12 13:57 25367592 C:\Programmi\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-02-22 22:44 32881 C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Programmi\File comuni\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 19:41 33792 C:\Programmi\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Programmi\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ImapiService"=3 (0x3)

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 06:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 07:08]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 21:56:26
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Ora fine scansione: 2008-02-08 2255 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 21:03:41
.
2008-01-09 22:07:07 --- E O F ---



and here is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.09.54, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...34/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: RIO Mass Storage C (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5515 bytes

[distillata]

forgot to add, zone alarm (which launches itself after every reboot) is now scanning the system. (while before it was warning me directly about that trojan threat.)

hope this is a good sign.
also, just a question, of course I trust you but if I'm not mistaken you made me remove the "yahoo search toolbar" or something similar? I had that for a long time and it was annoying and I couldn't get rid of it (so thank you) but it was never reported to be a trojan? or is that the "hole" that the trojan was using? just curious.

[distillata]

updates:
zone alarm finished scanning and found now 2 times the same trojan,
under C:\qooBox\Quarantine\C\windows\system32\awtqpnk.dll.vir

and C:\qooBox\Quarantine\catchme20008-02-08_215559.15.zip

i cannot happen to "repair" them with zone alarm but it "quarantined" them

[tetonbob]

Patience, please.

eXPeri3nc3 will be back as soon as he can. He's in quite a different time zone.

Those items are in Quarantine as they are, so it's ok to ignore them, or ok to allow your AV to move them.

[eXPeri3nc3]

Hi distillata,

What we removed is something called Red.clientapps. It is a search page hijacker and it is no way connected to or related with yahoo. Infections like these are barely detected by antivirus because it is no more or less a hijacker than what other providers (or manufacturers like HP) do.

----------------------------------------------------------------------

Can you please clarify your sentence?

Quote:

i installed nod32 trial version, but it seems not to be updated with this virus definition, as it doesn't find it.

Do you mean that you cannot update your virus definitions, or Nod32 just cannot detect and remove the virus? Please let me know in your next reply.

Also, which do you prefer to use, ZoneAlarm Security Suite or ESET Nod32? Having more than one AntiVirus installed can cause system conflict even if one is disabled.

----------------------------------------------------------------------

Now, before proceeding any further, please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System



For your system, use the download for:

Microsoft Windows XP Professional Service Pack 2

Download the file & save it as its originally named, next to ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

----------------------------------------------------------------------

[distillata]

Hello again,
for some reason I didn't receive any notice that you had replied...anyway.

about nod32, i meant that it won't detect the virus.

here is the combofix log:


windowsXP-KB310994-SP2-Pro_BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)|WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons



I won't reboot until you instruct me on how to proceed.
Please note that after producing this log the computer won't connect to the internet anymore. (tried with both mozilla and explorer..)

hope to hear from you soon, and thanks.

[tetonbob]

Thanks for your patience.

You may reboot as required.

In fact, please do so now, and let us know if your internet connection is re-established.

[distillata]

hi tetonbob,
thank you, i sleep less than two meters from my pc:)

i rebooted and now the connection is working.

am i clean?

regards.

[tetonbob]

There will be more instructions to follow. eXPeri3nc3 is working on the next instructions. He's in a different time zone, so I didn't want you to wait to be able to reboot the machine.

[eXPeri3nc3]

Hi distillata,

My replies might be late as I am in a different time zone. You forgot to answer one of my questions, so I will ask again. Which do you prefer to use, ZoneAlarm Security Suite or ESET Nod32? ZoneAlarm Security Suite has a built-in anti-virus component, so ZoneAlarm Security Suite might cause conflict to Nod32 even though it's disabled, so it would be best to ask you.

----------------------------------------------------------------------

For the Eset case of not detecting virus/malwares, not every AntiVirus application will catch every new variant.

----------------------------------------------------------------------

I see that you are using an outdated version of Firefox. We would like you to update it to the latest version which is 2.0.0.12 as numerous security patches and enhancements have been made for the new version. Malware writers tend to exploit outdated version of softwares.

Please look at this link --> http://www.netsquirrel.com/articles/update_firefox.html
It should give you a better idea on how to update your firefox to the latest version. A restart of your Firefox browser is needed to complete the upgrade.

----------------------------------------------------------------------

P2P - I see you have P2P softwares (Azureus, BitTorrent 3.4.2, eMule, Pando, and SoulSeek) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

----------------------------------------------------------------------

Next,

Did you install System Mechanic 7 before? Please tell me in your next reply.

Also, did you configure files with .js, .reg , .scr, and .vbs extensions to open automatically in Notepad? Please let me know as well.

----------------------------------------------------------------------

Now, open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

----------------------------------------------------------------------

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When it completes, post the main.txt in your next reply.

----------------------------------------------------------------------

In your next reply, please post the following logs:

• Kaspersky Extended Scan Log
• main.txt

How is your system behaving now?

----------------------------------------------------------------------

[distillata]

Hello again,
thanks for your reply.

- I disinstalled ESET Nod32, as that was just a trial version that I hoped could help me when I first found out about the infection. However I am open for suggestions on Firewall/Antivirus other than ZoneAlarm. On my laptop I use COMODO free version. is that ok?

- yes, i had system mechanics 7 (and 6) installed, in fact I believe that caused my problem, or at least I can tell you the trojan was detected a couple of hours after that i finished running their "total care". I saw this program advertised on the zone alarm page, so I thought it was a safe and useful utility for my pc running quite slow. what about it?

- I ll keep the P2P software for now, I use them with care and this is the first time in years that I get troubles...I am aware that they are a vehicle of malware, but I use them in a very limited way.

- here's the kasperky's log. the scan run for 4 hours, and it didn't find anything, but it didn't ask me if i wanted to save anything as text, so I will just copy/paste what it said.
Ah, I shut down zone alarm antivirus during the scan.

Following also comes the main.txt you asked for.


Kaspersky's:

Total number of scanned objects: 66990
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 04:08:37



Deckard's System Scanner v20071014.68
Run by aga on 2008-02-16 14:40:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 1.34 GiB (less than 15%) free.


-- HijackThis (run as aga.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.40.12, on 16/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Documents and Settings\aga\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\aga.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...34/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: RIO Mass Storage C (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5102 bytes

-- Files created between 2008-01-16 and 2008-02-16 -----------------------------

2008-02-16 10:07:10 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 10:07:05 0 d-------- C:\WINDOWS\LastGood
2008-02-13 16:18:46 260272 --a------ C:\cmldr
2008-02-13 16:18:34 0 d-------- C:\cmdcons
2008-02-13 16:09:59 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-02-08 21:12:59 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-08 21:12:59 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-08 21:12:59 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-08 21:12:59 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-08 18:14:13 0 d-------- C:\Programmi\Trend Micro
2008-02-03 20:59:32 2243260 --ah----- C:\WINDOWS\system32\spython.bin
2008-02-03 17:35:03 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-03 17:35:01 696320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-03 16:07:49 0 d-------- C:\Programmi\iolo


-- Find3M Report ---------------------------------------------------------------

2008-02-16 09:57:41 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80271102}.dat
2008-02-16 09:57:41 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80271102}.dat
2008-02-14 17:15:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-04 16:51:21 425432 --a------ C:\WINDOWS\system32\perfh010.dat
2008-02-04 16:51:21 63180 --a------ C:\WINDOWS\system32\perfc010.dat
2008-02-04 1656 7907 --a------ C:\WINDOWS\mozver.dat
2008-02-04 1605 0 d-------- C:\Programmi\Java
2008-02-03 17:55:03 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\iolo
2008-02-03 17:27:44 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Azureus
2008-02-03 05:16:26 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Skype
2008-02-03 01:31:23 0 d-------- C:\Programmi\Soulseek
2008-02-01 15:25:10 512 --a------ C:\ScanSectorLog.dat
2008-01-29 00:53:44 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\dvdcss
2008-01-29 00:53:29 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\BSplayer Pro
2008-01-28 17:14:07 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\VoipBuster
2008-01-17 03:29:29 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\Adobe
2008-01-16 04:29:12 0 d-------- C:\Programmi\File comuni\Adobe
2008-01-16 04:21:06 0 d-------- C:\Documents and Settings\aga\Dati applicazioni\AdobeUM
2008-01-07 14:53:07 0 d-------- C:\Programmi\Azureus
2007-11-28 22:17:33 335 --a------ C:\WINDOWS\mozregistry.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [30/10/2002 10.40]
"WINDVDPatch"="CTHELPER.EXE" [02/07/2002 17.56 C:\WINDOWS\system32\CTHELPER.EXE]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16.05]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01.11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 23.39]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Programmi\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmi\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Programmi\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programmi\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ImapiService"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-02-16 14:41:19 ------------

[eXPeri3nc3]

Hi distillata,

You forget to answer one of my questions... Would you mind to answer them please?

Quote:

Also, did you configure files with .js, .reg , .scr, and .vbs extensions to open automatically in Notepad? Please let me know as well.

Thanks.

[distillata]

oh right.
no, i don't think I did anything of the sort. at least not in the last year.
I can't remember if I ever did it anyway.

but i use also this editpad lite, maybe it claimed some file associations?

[eXPeri3nc3]

Hi distillata,

In my opinion, if editpad lite claimed that few file associations it will be associated with editpad lite not notepad. =)

Well, Zone Alarm Security Suite have both firewall and antivirus components already, so there is no need to change it. Comodo Firewall and Comodo AV is also a good choice.

System Mechanics is a legitimate software, nothing wrong with it. I just need to query about that to determine that the folder iolo is legitimate.

If you want to keep the P2P softwares, it's up to you. Be very careful when downloading anything from them, make sure you scan everything before you execute them.

-----------------------------------------------------------

Now, click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\dss.exe" /daft

• Click on Scan.
• Tick the boxes in Red then Click on Fix
• Click Scan again, you should get a message "All Associations OK!
• Next, click Save Log, and post this log in your next reply.

-----------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6u4.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• In the drop-down menu next to Platform select Windows
• Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
• Click Continue
• Click on the link to download Windows Offline Installation and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

-----------------------------------------------------------

Please post the Daft log in your next reply.

[eXPeri3nc3]

Hi distillata,

You may skip the step where DAFT needs to be run. Reason being that System Mechanic claims those associations. For more information, please click here --> http://www.lavasoftsupport.com/lofiv....php/t883.html

Please continue on by updating your java to the latest version.

[distillata]

hi again,
i have been trying to uninstall all java versions i had, but I can't seem to do it with this "java 2 platform enterprise edition 1.4 sdk".
it stays on "0%" forever.
all applications are closed. and the pc is offline.
what should i do?

best regards,
distillata

[Ried]

Hello distillata,

You do not want to uninstall that version of Java--just the Runtime versions. In your case, it would be these:

Java 2 Runtime Environment, SE v1.4.2_04
Java(TM) 6 Update 3


Also, how is the system behaving now?