Old 07-05-2009, 03:29 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: xp


got win32/agent.AW by msn

Hello there.
I got win32/agent.AW from a link attached to an active chat with a friend in MSN Messenger.
Usually I don't open these links, but this time it followed an animated question mark. I misunderstood the question and opened it. At the same moment I realized my mistake, but it was too late: a virus was put in c:/documents and settings/Monika/Impostazioni locali/temporary internet files/contentIE5/7PJHAX43: loader[1].exe and at the same time an infected sdfvinfo.exe appeared in C:/ (info from AVG)
The result is trojan horses and tracking cookies everywhere.
I suspect the virus also tried to infect some exe files in zips of Nero, which I eliminated.
I ran an online MSN cleaning program, so at least it seems I'm not spreading the virus. Anyway, I'm not using MSN for the moment.
I think my computer is at high risk. I'm prepared to format c:/, but if it is possible, I prefer to solve the problem in another way.
Thanks for the help


DDS (Ver_09-06-26.01) - NTFSx86
Run by Monika at 23.23.15,01 on 05/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1014.466 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\msconfigs.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\Monika\IMPOST~1\Temp\RtkBtMnt.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monika\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.it/
uSearch Page = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/sp/*http://it.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://it.intl.acer.yahoo.com/
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
uURLSearchHooks: Yahoo! Toolbar con blocco Pop-Up: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programmi\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Guida per l'accesso a Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar con blocco Pop-Up: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\programmi\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\programmi\windows live\messenger\msnmsgr.exe" /background
mRun: [IAAnotif] "c:\programmi\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\programmi\realtek\installshield\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [eLockMonitor] c:\acer\empowering technology\elock\monitor\LaunchMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 1
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Creative WebCam Tray] c:\programmi\creative\shared files\CAMTRAY.EXE
mRun: [QuickTime Task] "c:\programmi\quicktime\qttask.exe" -atboottime
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows UDP Control Center] msconfigs.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\fileco~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: E&xportálás Microsoft Excel formátumba - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programmi\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://map.index.hu/MGViewer/ActiveX/mgaxctrl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programmi\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-12 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-12 108552]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2002-7-19 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-12 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-12 298776]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2008-4-17 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2008-4-17 78208]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-5-28 14336]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\programmi\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-4-17 32512]
S3 V0090VID;Creative WebCam Vista Plus;c:\windows\system32\drivers\V0090Vid.sys [2009-5-28 138112]

=============== Created Last 30 ================

2009-07-04 21:13 42,546 ---sh--- c:\windows\msconfigs.exe
2009-07-03 14:12 <DIR> --d----- c:\programmi\Microsoft
2009-06-19 11:57 1,024 a------- c:\windows\system32\PDF2TXT.DAT
2009-06-11 14:54 <DIR> --d----- c:\programmi\YouTube Downloader
2009-06-11 10:49 <DIR> --d----- C:\downloads
2009-06-11 10:49 <DIR> --d----- c:\docume~1\monika\datiap~1\FMZilla
2009-06-11 10:48 <DIR> --d----- c:\programmi\Free Music Zilla

==================== Find3M ====================

2009-07-03 15:06 968 a------- c:\programmi\MSN Virus Removal Log 03_07_2009 15.06.11.txt
2009-07-02 19:35 41,522 a------- c:\programmi\dllcache.exe.back
2009-06-29 12:13 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 12:13 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-21 15:36 527,588 a------- c:\windows\system32\perfh010.dat
2009-05-21 15:36 106,506 a------- c:\windows\system32\perfc010.dat
2009-05-21 14:21 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-12 15:54 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-11 16:29 0 ----h--- c:\docume~1\alluse~1\datiap~1\PKP_DLdu.DAT
2009-05-07 17:32 347,648 a------- c:\windows\system32\localspl.dll
2009-05-07 17:32 347,648 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 06:45 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 06:45 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 11:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 11:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 07:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 07:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-19 21:47 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-19 21:47 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 16:52 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 16:52 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-04-21 02:56 20,480 a------- c:\programmi\runxmlpl.exe.back

============= FINISH: 23.23.34,29 ===============
Attached Files
File Type: zip attach.zip (3.9 KB, 2 views)

Old 07-08-2009, 09:06 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: got win32/agent.AW by msn

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 07-10-2009, 07:18 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: xp


Re: got win32/agent.AW by msn

Hello again, thanks for tetonbob's answer. I followed the instructions. Please find attached the requested file; I hope I did everything well...
Monika


ComboFix 09-07-09.08 - Monika 10/07/2009 14.57.44.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1014.427 [GMT 2:00]
Eseguito da: c:\documents and settings\Monika\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\WinPCap
c:\programmi\WinPCap\daemon_mgm.exe
c:\programmi\WinPCap\npf_mgm.exe
c:\programmi\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\Temp\log.txt

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Creati Da 2009-06-10 al 2009-07-10 )))))))))))))))))))))))))))))))))))
.

2009-07-06 18:22 . 2009-06-29 10:13 327688 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgldx86.sys
2009-07-06 18:22 . 2009-06-29 10:13 2052376 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcorex.dll
2009-07-06 18:22 . 2009-06-29 10:13 906520 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgemc.exe
2009-07-06 18:22 . 2009-06-29 10:13 2167576 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgresf.dll
2009-07-06 18:22 . 2009-06-29 10:13 3402008 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgui.exe
2009-07-06 18:22 . 2009-06-29 10:13 1204504 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgabout.dll
2009-07-06 18:22 . 2009-06-29 10:13 337176 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avglogx.dll
2009-07-06 18:22 . 2009-06-29 10:13 829208 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcfgx.dll
2009-07-06 18:22 . 2009-06-29 10:13 3298072 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\setup.exe
2009-07-06 18:21 . 2009-06-29 10:10 1085208 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.exe
2009-07-06 18:21 . 2009-06-29 10:10 1454360 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.dll
2009-07-04 19:13 . 2009-07-04 00:38 42546 --sh--w- c:\windows\msconfigs.exe
2009-07-03 12:12 . 2009-07-03 12:12 -------- d-----w- c:\programmi\Microsoft
2009-07-03 12:11 . 2009-07-03 12:12 -------- d-----w- c:\programmi\Windows Live
2009-06-19 09:57 . 2009-06-19 09:57 1024 ----a-w- c:\windows\system32\PDF2TXT.DAT
2009-06-19 09:47 . 2009-07-05 10:31 -------- d-----w- c:\documents and settings\Monika\Impostazioni locali\Dati applicazioni\PDF Annotator
2009-06-11 12:54 . 2009-06-11 12:54 -------- d-----w- c:\programmi\YouTube Downloader
2009-06-11 08:49 . 2009-06-11 08:49 -------- d-----w- C:\downloads
2009-06-11 08:49 . 2009-06-11 08:49 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\FMZilla
2009-06-11 08:48 . 2009-07-01 13:01 -------- d-----w- c:\programmi\Free Music Zilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 13:06 . 2009-05-14 13:39 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\Skype
2009-07-10 13:05 . 2009-05-14 13:47 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\skypePM
2009-07-10 12:19 . 2007-08-09 17:56 -------- d-----w- c:\programmi\Microsoft SQL Server
2009-07-06 18:23 . 2009-05-11 16:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg8
2009-07-06 18:22 . 2009-05-12 13:54 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 18:32 . 2008-04-19 10:57 -------- d-----w- C:\Programmi Monika
2009-07-05 11:56 . 2007-08-09 17:49 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-07-05 10:33 . 2007-08-09 17:55 104720 ----a-w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-07-05 10:26 . 2007-08-09 17:51 -------- d-----w- c:\programmi\Microsoft.NET
2009-07-05 10:21 . 2008-04-19 13:57 -------- d-----w- c:\programmi\Macromedia
2009-07-05 10:21 . 2008-04-19 13:57 -------- d-----w- c:\programmi\File comuni\Macromedia
2009-07-05 10:13 . 2009-05-16 13:49 -------- d-----w- c:\programmi\Google
2009-07-05 10:12 . 2008-04-19 14:19 -------- d-----w- c:\programmi\Creative
2009-07-05 10:11 . 2008-04-19 13:46 -------- d-----w- c:\programmi\Ahead
2009-07-03 13:06 . 2009-07-03 13:06 968 ----a-w- c:\programmi\MSN Virus Removal Log 03_07_2009 15.06.11.txt
2009-07-02 17:35 . 2009-07-03 13:05 41522 ----a-w- c:\programmi\dllcache.exe.back
2009-06-29 10:13 . 2009-05-12 13:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 10:13 . 2009-05-12 13:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 12:49 . 2008-04-19 16:25 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\dvdcss
2009-06-24 09:02 . 2007-08-09 17:42 -------- d-----w- c:\programmi\File comuni\Adobe
2009-05-28 20:31 . 2008-04-17 17:16 -------- d-----w- c:\programmi\Launch Manager
2009-05-21 13:36 . 2007-08-10 06:56 527588 ----a-w- c:\windows\system32\perfh010.dat
2009-05-21 13:36 . 2007-08-10 06:56 106506 ----a-w- c:\windows\system32\perfc010.dat
2009-05-21 12:21 . 2004-09-07 17:39 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-15 15:02 . 2009-05-15 15:02 -------- d-----w- c:\programmi\Microsoft CAPICOM 2.1.0.2
2009-05-14 14:19 . 2009-05-14 14:19 -------- d-----w- c:\programmi\Windows Live SkyDrive
2009-05-14 14:11 . 2009-05-14 14:11 -------- d-----w- c:\programmi\File comuni\Windows Live
2009-05-14 13:47 . 2009-05-14 13:47 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-14 13:38 . 2009-05-14 13:38 -------- d-----w- c:\programmi\File comuni\Skype
2009-05-14 13:38 . 2009-05-14 13:38 -------- d-----r- c:\programmi\Skype
2009-05-14 13:38 . 2009-05-14 13:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-05-12 13:54 . 2009-05-12 13:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-12 13:54 . 2009-05-12 13:54 -------- d-----w- c:\programmi\AVG
2009-05-12 13:33 . 2004-09-07 17:13 -------- d-----w- c:\programmi\Servizi in linea
2009-05-11 15:02 . 2009-05-11 15:02 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\Apple Computer
2009-05-11 15:02 . 2008-08-18 18:47 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-05-11 14:30 . 2008-04-17 17:12 -------- d-----w- c:\programmi\Yahoo!
2009-05-11 14:29 . 2008-08-18 18:50 -------- d-----w- c:\programmi\File comuni\Nikon
2009-05-11 14:29 . 2008-08-18 18:48 0 ---h--w- c:\documents and settings\All Users\Dati applicazioni\PKP_DLdu.DAT
2009-05-11 14:29 . 2008-08-18 18:50 -------- d-----w- c:\programmi\Nikon
2009-05-11 14:24 . 2007-08-09 18:04 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2009-05-11 14:24 . 2007-08-09 18:04 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Symantec
2009-05-07 15:32 . 2004-08-19 18:00 347648 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:45 . 2007-04-18 12:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:44 . 2004-08-19 18:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 19:47 . 2007-03-08 15:33 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:52 . 2004-08-19 18:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-04-21 00:56 . 2009-07-03 13:05 20480 ----a-w- c:\programmi\runxmlpl.exe.back
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-19 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-14 850704]
"Creative WebCam Tray"="c:\programmi\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 245760]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-10-19 286720]
"MobileConnect"="c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-05-28 2059776]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-28 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-4-17 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 10:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\Free Music Zilla\\FMZilla.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/05/2009 15.54.20 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/05/2009 15.54.26 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/05/2009 15.54.04 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/05/2009 15.54.04 298776]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [28/05/2008 14.11.56 14336]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [14/04/2006 10.07.20 28933976]
S3 V0090VID;Creative WebCam Vista Plus;c:\windows\system32\drivers\V0090Vid.sys [28/05/2009 9.28.44 138112]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-eLockMonitor - c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://it.intl.acer.yahoo.com/
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportálás Microsoft Excel formátumba - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 15:04
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\MFC71U.DLL
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\AVG\AVG8\avgtray.exe
c:\programmi\Intel\Wireless\Bin\EvtEng.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\programmi\AVG\AVG8\avgcsrvx.exe
c:\programmi\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\Intel\Wireless\Bin\RegSrvc.exe
c:\programmi\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\igfxext.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\programmi\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\programmi\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Ora fine scansione: 2009-07-10 15.08.00 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-07-10 13:07

Pre-Run: 36.583.043.072 byte disponibili
Post-Run: 37.239.898.112 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

228 --- E O F --- 2009-07-10 12:19
Attached Files
File Type: txt ComboFix.txt (15.5 KB, 1 views)
Old 07-10-2009, 08:11 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: got win32/agent.AW by msn

Good work, next steps...

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\programmi\dllcache.exe.back

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply, or simply provide the link to the results page.
  • Please repeat for the following files:

    • c:\Programmi\runxmlpl.exe.back
    • c:\windows\msconfigs.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-10-2009, 10:27 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: xp


Re: got win32/agent.AW by msn

Dear tetonbob, thanks for prompt answer. Here are the requested results:

http://www.virustotal.com/it/analisi...fa4-1247242991

http://www.virustotal.com/it/analisi...737-1247243246

http://www.virustotal.com/it/analisi...fa6-1247243395

One question: do I have to reactivate my AVG?

And... thanks for keeping balance!
nagymonika is offline  
Old 07-10-2009, 10:31 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: got win32/agent.AW by msn

Hi Monika -

Re-enable AVG after this next set of instructions

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/391965-got-win32-agent-aw-msn.html#post2232718
    Collect::
    c:\programmi\dllcache.exe.back
    c:\windows\msconfigs.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 07-10-2009, 10:54 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: xp


Re: got win32/agent.AW by msn

Dear tetonbob, done. AVG re-activated. Waiting for new instructions.



ComboFix 09-07-09.08 - Monika 10/07/2009 18.43.14.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1014.422 [GMT 2:00]
Eseguito da: c:\documents and settings\Monika\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Monika\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\programmi\dllcache.exe.back
file zipped: c:\windows\msconfigs.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\dllcache.exe.back
c:\windows\msconfigs.exe

.
((((((((((((((((((((((((( Files Creati Da 2009-06-10 al 2009-07-10 )))))))))))))))))))))))))))))))))))
.

2009-07-06 18:22 . 2009-06-29 10:13 327688 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgldx86.sys
2009-07-06 18:22 . 2009-06-29 10:13 2052376 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcorex.dll
2009-07-06 18:22 . 2009-06-29 10:13 906520 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgemc.exe
2009-07-06 18:22 . 2009-06-29 10:13 2167576 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgresf.dll
2009-07-06 18:22 . 2009-06-29 10:13 3402008 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgui.exe
2009-07-06 18:22 . 2009-06-29 10:13 1204504 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgabout.dll
2009-07-06 18:22 . 2009-06-29 10:13 337176 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avglogx.dll
2009-07-06 18:22 . 2009-06-29 10:13 829208 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcfgx.dll
2009-07-06 18:22 . 2009-06-29 10:13 3298072 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\setup.exe
2009-07-06 18:21 . 2009-06-29 10:10 1085208 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.exe
2009-07-06 18:21 . 2009-06-29 10:10 1454360 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.dll
2009-07-03 12:12 . 2009-07-03 12:12 -------- d-----w- c:\programmi\Microsoft
2009-07-03 12:11 . 2009-07-03 12:12 -------- d-----w- c:\programmi\Windows Live
2009-06-19 09:57 . 2009-06-19 09:57 1024 ----a-w- c:\windows\system32\PDF2TXT.DAT
2009-06-19 09:47 . 2009-07-05 10:31 -------- d-----w- c:\documents and settings\Monika\Impostazioni locali\Dati applicazioni\PDF Annotator
2009-06-11 12:54 . 2009-06-11 12:54 -------- d-----w- c:\programmi\YouTube Downloader
2009-06-11 08:49 . 2009-06-11 08:49 -------- d-----w- C:\downloads
2009-06-11 08:49 . 2009-06-11 08:49 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\FMZilla
2009-06-11 08:48 . 2009-07-01 13:01 -------- d-----w- c:\programmi\Free Music Zilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 16:39 . 2009-05-14 13:39 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\Skype
2009-07-10 16:39 . 2009-05-14 13:47 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\skypePM
2009-07-10 12:19 . 2007-08-09 17:56 -------- d-----w- c:\programmi\Microsoft SQL Server
2009-07-06 18:23 . 2009-05-11 16:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg8
2009-07-06 18:22 . 2009-05-12 13:54 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 18:32 . 2008-04-19 10:57 -------- d-----w- C:\Programmi Monika
2009-07-05 11:56 . 2007-08-09 17:49 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-07-05 10:33 . 2007-08-09 17:55 104720 ----a-w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-07-05 10:26 . 2007-08-09 17:51 -------- d-----w- c:\programmi\Microsoft.NET
2009-07-05 10:21 . 2008-04-19 13:57 -------- d-----w- c:\programmi\Macromedia
2009-07-05 10:21 . 2008-04-19 13:57 -------- d-----w- c:\programmi\File comuni\Macromedia
2009-07-05 10:13 . 2009-05-16 13:49 -------- d-----w- c:\programmi\Google
2009-07-05 10:12 . 2008-04-19 14:19 -------- d-----w- c:\programmi\Creative
2009-07-05 10:11 . 2008-04-19 13:46 -------- d-----w- c:\programmi\Ahead
2009-07-03 13:06 . 2009-07-03 13:06 968 ----a-w- c:\programmi\MSN Virus Removal Log 03_07_2009 15.06.11.txt
2009-06-29 10:13 . 2009-05-12 13:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 10:13 . 2009-05-12 13:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 12:49 . 2008-04-19 16:25 -------- d-----w- c:\documents and settings\Monika\Dati applicazioni\dvdcss
2009-06-24 09:02 . 2007-08-09 17:42 -------- d-----w- c:\programmi\File comuni\Adobe
2009-05-28 20:31 . 2008-04-17 17:16 -------- d-----w- c:\programmi\Launch Manager
2009-05-21 13:36 . 2007-08-10 06:56 527588 ----a-w- c:\windows\system32\perfh010.dat
2009-05-21 13:36 . 2007-08-10 06:56 106506 ----a-w- c:\windows\system32\perfc010.dat
2009-05-21 12:21 . 2004-09-07 17:39 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-15 15:02 . 2009-05-15 15:02 -------- d-----w- c:\programmi\Microsoft CAPICOM 2.1.0.2
2009-05-14 14:19 . 2009-05-14 14:19 -------- d-----w- c:\programmi\Windows Live SkyDrive
2009-05-14 14:11 . 2009-05-14 14:11 -------- d-----w- c:\programmi\File comuni\Windows Live
2009-05-14 13:47 . 2009-05-14 13:47 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-14 13:38 . 2009-05-14 13:38 -------- d-----w- c:\programmi\File comuni\Skype
2009-05-14 13:38 . 2009-05-14 13:38 -------- d-----r- c:\programmi\Skype
2009-05-14 13:38 . 2009-05-14 13:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-05-12 13:54 . 2009-05-12 13:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-12 13:54 . 2009-05-12 13:54 -------- d-----w- c:\programmi\AVG
2009-05-12 13:33 . 2004-09-07 17:13 -------- d-----w- c:\programmi\Servizi in linea
2009-05-11 14:29 . 2008-08-18 18:48 0 ---h--w- c:\documents and settings\All Users\Dati applicazioni\PKP_DLdu.DAT
2009-05-07 15:32 . 2004-08-19 18:00 347648 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:45 . 2007-04-18 12:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:44 . 2004-08-19 18:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 19:47 . 2007-03-08 15:33 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:52 . 2004-08-19 18:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-04-21 00:56 . 2009-07-03 13:05 20480 ----a-w- c:\programmi\runxmlpl.exe.back
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-19 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-14 850704]
"Creative WebCam Tray"="c:\programmi\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 245760]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-10-19 286720]
"MobileConnect"="c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-05-28 2059776]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-28 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-4-17 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 10:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\Free Music Zilla\\FMZilla.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/05/2009 15.54.20 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/05/2009 15.54.26 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/05/2009 15.54.04 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/05/2009 15.54.04 298776]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [28/05/2008 14.11.56 14336]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [14/04/2006 10.07.20 28933976]
S3 V0090VID;Creative WebCam Vista Plus;c:\windows\system32\drivers\V0090Vid.sys [28/05/2009 9.28.44 138112]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://it.intl.acer.yahoo.com/
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportálás Microsoft Excel formátumba - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 18:47
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\igfxdev.dll
.
Ora fine scansione: 2009-07-10 18.48.14
ComboFix-quarantined-files.txt 2009-07-10 16:48
ComboFix2.txt 2009-07-10 13:08

Pre-Run: 37.242.720.256 byte disponibili
Post-Run: 37.242.322.944 byte disponibili

172 --- E O F --- 2009-07-10 12:19
Caricamento effettuato con successo
nagymonika is offline  
Old 07-10-2009, 11:10 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: got win32/agent.AW by msn

Next steps....

=====================================================

Please perform this online scan to help look for remnants.

This scan requires Sun Java
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE)."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
  • After the install is complete.....



Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------


How is the machine behaving now?
tetonbob is offline  
Old 07-13-2009, 12:18 AM   #9 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: xp


Re: got win32/agent.AW by msn

Dear tetonbob, sorry for the delay, I was not notified about your answer.
I followed instructions, I attach the results. My machine seems clean. I run avg as well and it didn't find anything. (except that I checked "Scan for Tracking Cookies" in Resident Shield settings, and every time I open Internet Browser window it notifies me a potentially dangerous alert... is it important?)
Do I have to do something else to my machine (except being more careful with stupid links in msn)?
I'll be away for a week, I'll try to check my messages but I'm not sure it'll be possible. If at my return something really important will happen, can I contact you even if over 3 days?
Do I have to say something personal? I think it is useless, you know how precious your job is. Thank you. Monika
Attached Files
File Type: txt kaspersky.txt (835 Bytes, 1 views)
nagymonika is offline  
Old 07-13-2009, 08:56 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: got win32/agent.AW by msn

Cookies come onto a machine every time you visit a website.

Now some of those are good cookies that get installed for ease of use for next time you visit the same page, but some cookies are spyware used for tracking users' surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click Exceptions, identify the site you want to block, and click on Block.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

You can tidy up with this tool:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
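The hosts-file blocking described under MVPS HOST FILE in the post above can be checked with a short audit. This is an added example, not part of the original post or of the MVPS project; the sample file contents and the function names are constructed for illustration. It separates names pointed at a loopback or unspecified address (blocked) from names mapped to any other address, which deserve review because a hosts entry overrides DNS for that name.

```python
"""Audit a hosts file: which names are blocked, which are redirected elsewhere."""
import ipaddress
from collections import defaultdict

# Names that normally map to the loopback address on a clean system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample for illustration; not taken from the thread or from MVPS.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.com tracker.example.net   # two names, one line
0.0.0.0         banner.example.org
203.0.113.10    update.example.com
not-an-ip       broken.example.com
"""


def parse_hosts(text):
    """Return (lineno, address-or-None, address text, [hostnames]) per entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None                        # first field is not an IP address
        entries.append((lineno, addr, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def audit_hosts(text):
    """Group hostnames into local / blocked / redirected / invalid."""
    report = defaultdict(list)
    for lineno, addr, addr_text, names in parse_hosts(text):
        if addr is None or not names:
            report["invalid"].append((lineno, " ".join(names), addr_text))
            continue
        # 127.0.0.0/8, ::1 and 0.0.0.0 / :: all keep the connection off the network.
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if sinkhole and name in LOCAL_NAMES:
                kind = "local"        # the standard localhost mapping
            elif sinkhole:
                kind = "blocked"      # the kind of entry a blocking hosts file adds
            else:
                kind = "redirected"   # name forced to another host: verify it
            report[kind].append((lineno, name, addr_text))
    return dict(report)


if __name__ == "__main__":
    for kind, rows in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, name, addr in rows:
            print(f"{kind:<10} line {lineno}: {name} -> {addr}")
```

To audit a real machine, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to audit_hosts; the entries listed under "redirected" are the ones to verify.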
Old 07-17-2009, 06:15 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: got win32/agent.AW by msn

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
tetonbob is offline  
All times are GMT -7.