rdriv.sys again

**andrea11** · 10-17-2005, 02:36 PM

Hello,
I have a win2000 pc with the rdriv.sys problem. I had not a firewall on that pc, stupid me. I have now downloaded zone alarm to be installed as soon as that pc will be clean again. if you have a better firewall to suggest me you are welcome.
I have treid to clean the pc on my own reading the old posts and using killbox and ewido but unsuccesfully I am so posting the hijack this log.
Thanks for the nice and kind assistance you all provide!

Logfile of HijackThis v1.99.1
Scan saved at 20:48:08, on 17/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\a_pro\z_pro\hijacked\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acuoreaperto.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\NortonAntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\NortonAntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Srv32Win] C:\Programmi\svchost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Spamihilator] "C:\o_pro\antispam\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Stop Dialers.lnk = C:\o_pro\StopDialers\StopDialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\MicrosoftOffice\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: ZyAIR G-100 Wireless LAN Utility.lnk = C:\o_pro\ZyAIR G-100\Startup.exe
O4 - Global Startup: Collegamento a html2pop3.exe.lnk = C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...63/mcfscan.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\a_pro\tools\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\NortonAntiVirus\navapsvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\WINNT\ntsys32.exe

MicroBell · 10-18-2005, 01:01 AM

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
*Unzip it to your desktop.
* Ewido Security Suite
*Install ewido security suite
*Launch ewido, there should be a big E icon on your desktop, double-click it.
*The program will prompt you to update click the OK button
*The program will now go to the main screen
*You will need to update ewido to the latest definition files.
*On the left hand side of the main screen click update
*Click on Start
*The update will start and a progress bar will show the updates being installed.
*After the updates are installed exit Ewido.

*Cleanup
Download and install it

* KillBox
Download and unzip the Killbox.exe to your desktop.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: NTsystem (System)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen.

2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows:
*Click on scanner
*Make sure the following boxes are checked before scanning:
*Binder
*Crypter
*Archives
*Click on Start Scan
*Let the program scan the machine
While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) click OK
*Once the scan has completed, there will be a button located on the bottom of the screen named Save report
*Click Save report
*Save the report to your desktop.

3.) Run Cleanup! by double-clicking the Cleanup! icon on your desktop.

4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [Srv32Win] C:\Programmi\svchost.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\WINNT\ntsys32.exe

Close HiJackThis.

5.) Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\ntsys32.exe
C:\Programmi\svchost.exe
C:\WINNT\system32\rdriv.sys

After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run this online virus scan:
Panda ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

**andrea11** · 10-22-2005, 10:04 AM

Thank you for the help.

This is the ewido report:
---------------------------------------------------------
ewido security suite - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 13:30:38, 22/10/2005
+ Report-Checksum: 56A54A61

+ Risultati scansione:

C:\Documents and Settings\Ornella\Cookies\ornella@112.2o7[1].txt -> Spyware.Cookie.2o7 : Pulito con Backup
C:\Documents and Settings\Ornella\Cookies\ornella@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Pulito con Backup
C:\Documents and Settings\Ornella\Cookies\ornella@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Pulito con Backup

::Fine Rapporto

This is the panda spyxposer report (the activescan was not there and spyxposer was at its place):

Incident Status Location

Adware:adware/quicksearch Reported C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/gator Reported C:\PROGRAMMI\FILE COMUNI\GMT
Virus:Trj/Qhost.gen Reported C:\WINNT\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Reported C:\WINNT\system32\drivers\etc\1.hosts
Virus:W32/Sdbot.FAW.worm Reported C:\WINNT\system32\updates.pif
Spyware:Cookie/Belnk Reported C:\WINNT\system32\Perflib_Perfdata_60c.dat
Spyware:Spyware/RealtimeSpy Reported C:\WINNT\RTSk16.dll
Adware:Adware/Gator Reported C:\Programmi\Butterfly Oasis Screensaver\BO1Uninstaller.exe
And finally the hijackthis report I have just run:
Logfile of HijackThis v1.99.1
Scan saved at 17:57:53, on 22/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\a_pro\tools\ewido\security suite\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\NortonAntiVirus\navapsvc.exe
C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\a_pro\firewall\ZoneAlarm\zlclient.exe
C:\o_pro\antispam\Spamihilator\spamihilator.exe
C:\WINNT\system32\ctfmon.exe
C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe
C:\o_pro\StopDialers\StopDialer.exe
C:\o_pro\ZyAIR G-100\OdHost.exe
C:\o_pro\ZyAIR G-100\WL54CFG.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\a_pro\z_pro\hijacked\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.acuoreaperto.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Programmi\NortonAntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Programmi\NortonAntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

/Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\a_pro\firewall\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Spamihilator]

"C:\o_pro\antispam\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Stop Dialers.lnk = C:\o_pro\StopDialers\StopDialer.exe
O4 - Global Startup: Microsoft Office.lnk =

C:\Programmi\MicrosoftOffice\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk =

C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: ZyAIR G-100 Wireless LAN Utility.lnk = C:\o_pro\ZyAIR

G-100\Startup.exe
O4 - Global Startup: Collegamento a html2pop3.exe.lnk =

C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing)

- http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) -

http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)

- http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcafee.com/molbin/is...n/2,0,0,4463/m

cfscan.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd -

C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) -

VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON

CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks -

C:\a_pro\tools\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec

Corporation - C:\Programmi\NortonAntiVirus\navapsvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner -

C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINNT\system32\ZONELABS\vsmon.exe

I have installed Zonealarm firewall 5.5 (5.5.094.000) due to the fact I was not able to run the version 6 on my pc.

What should I do now?

thanks again a lot for your support
andrea

MicroBell · 10-22-2005, 08:11 PM

Download Hoster http://www.greyknight17.com/spy/Hoster.exe

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Run the Cleanup utility again using the same instructions as before. Then reboot into safe mode.

Run the Hoster program and select "Restore Orginal Hosts File"

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf
C:\PROGRAMMI\FILE COMUNI\GMT
C:\WINNT\system32\drivers\etc\1.hosts
C:\WINNT\system32\updates.pif
C:\WINNT\system32\Perflib_Perfdata_60c.dat
C:\WINNT\RTSk16.dll
C:\Programmi\Butterfly Oasis Screensaver\BO1Uninstaller.exe

Once you reboot..run another Panda scan and post it's log.

**andrea11** · 10-23-2005, 04:17 AM

thanks again,
this is the report from spyxposer:

Incident Status Location

Adware:adware/gator Reported C:\DOCUMENTS AND SETTINGS\ALL USERS\MENU AVVIO\PROGRAMMI\GAIN Publishing

during the Panda scan norton antivirus detected a virus in
winnt\system32\svkp.sys

to proceed I temporarly deactivated norton autoprotect.

what should I do now?

one question more will be zonealarm version 5.5 ok as firewall?

I can't get the version 6 running smoothly on my pc and if the 5.5 is not good enough could you please suggest me an other firewall?

thanks a lot for the support
andrea

MicroBell · 10-23-2005, 02:12 PM

Open add/remove programs and remove anything that says Gator or Gain IF listed

C:\DOCUMENTS AND SETTINGS\ALL USERS\MENU AVVIO\PROGRAMMI\GAIN Publishing <--delete that folder

C:\WINNT\system32\svkp.sys <--delete that file..

As you picked up another Rbot infection..I need to look deeper in the system. BTW Zonealarm 5 is fine.

Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log

**andrea11** · 10-23-2005, 04:23 PM

Thanks again first of all.
So I looked for Gator or Gain in add/remove program but there was nothing there.
then I removed the folder
C:\DOCUMENTS AND SETTINGS\ALL USERS\MENU AVVIO\PROGRAMMI\GAIN
when I did that microsoft office started some installation maintenance and asked me the disk, I cancelled the operation and the pc stuck. I had to switch it off and on again.
Then I tried to remove
C:\WINNT\system32\svkp.sys
but the file was in use. So I wen to safe mode and I was able to delete it.
Now here you have the two requested logs:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 15/10/2005 23:42:32 817 C:\log.txt
PEC2 15/10/2005 23:42:32 817 C:\log.txt
UPX! 15/10/2005 23:41:44 213 C:\win.txt
PEC2 15/10/2005 23:41:44 213 C:\win.txt
UPX! 15/10/2005 23:32:26 95 C:\start.txt
UPX! 15/10/2005 23:42:06 28 C:\windows.txt
qoologic 23/10/2005 23:50:12 202953 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 09/05/2005 13:00:24 277282 C:\WINNT\drsetup.exe

Checking %System% folder...
UPX! 17/09/2001 13:20:02 9216 C:\WINNT\SYSTEM32\cpuinf32.dll
winsync 08/05/2001 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Umonitor 19/06/2003 20:05:04 545552 C:\WINNT\SYSTEM32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
23/10/2005 23:51:58 H 1457484 C:\WINNT\ShellIconCache
04/10/2005 12:42:00 H 2048 C:\WINNT\system32\bqsfczfu.exe
23/10/2005 23:46:28 H 889 C:\WINNT\system32\vsconfig.xml
22/10/2005 16:55:42 H 4212 C:\WINNT\system32\zllictbl.dat
24/10/2005 00:01:10 H 1024 C:\WINNT\system32\config\software.LOG
23/10/2005 23:52:20 H 1024 C:\WINNT\system32\config\default.LOG
23/10/2005 23:55:02 H 1024 C:\WINNT\system32\config\SECURITY.LOG
23/10/2005 23:57:04 H 1024 C:\WINNT\system32\config\SAM.LOG
22/10/2005 15:28:32 HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
22/10/2005 15:28:32 HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\eb0c73f5-20e7-40f4-8d94-d00d5c9252b3
01/09/2005 07:09:24 H 14117 C:\WINNT\Web\printers.htt
23/10/2005 23:52:10 S 64 C:\WINNT\CSC\00000001
22/10/2005 16:39:18 S 64 C:\WINNT\CSC\00000002
23/10/2005 23:52:12 H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 19/06/2003 20:05:04 303888 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 08/05/2001 32016 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 19/06/2003 20:05:04 243472 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 08/05/2001 130320 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 08/05/2001 120592 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 08/05/2001 36624 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 08/05/2001 122640 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 08/05/2001 308496 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 08/05/2001 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 08/05/2001 41744 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 08/05/2001 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 08/05/2001 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 20/02/2001 13:09:54 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 30/10/2001 08:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 19/06/2003 20:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 20:05:04 93456 C:\WINNT\SYSTEM32\powercfg.cpl
19/08/2003 08:20:04 180224 C:\WINNT\SYSTEM32\ac3filter.cpl
Ahead Software AG 23/12/2003 15:40:52 57344 C:\WINNT\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 19/06/2003 20:05:04 128784 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 08/05/2001 69392 C:\WINNT\SYSTEM32\access.cpl
Logitech Inc. 20/06/2002 12:25:14 90112 C:\WINNT\SYSTEM32\CamCpl.cpl
RealNetworks, Inc. 13/06/2003 21:34:38 24064 C:\WINNT\SYSTEM32\prefscpl.cpl
Microsoft Corporation 26/05/2005 04:16:32 174872 C:\WINNT\SYSTEM32\wuaucpl.cpl
19/11/1999 13:54:12 155648 C:\WINNT\SYSTEM32\PPPoEService.cpl
Microsoft Corporation 19/06/2003 20:05:04 83728 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 30/08/2002 19:28:48 293376 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 08/05/2001 41744 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 04:16:32 174872 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 30/08/2002 19:28:48 293376 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 07/10/1999 01:30:58 94720 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
28/03/2005 20:14:16 530 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Collegamento a html2pop3.exe.lnk
28/03/2005 20:14:12 533 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\EPSON Status Monitor 3 Environment Check 2.lnk
28/03/2005 20:14:10 1498 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
28/03/2005 20:14:14 434 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\ZyAIR G-100 Wireless LAN Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
21/10/2005 12:37:24 21 C:\Documents and Settings\All Users\Dati applicazioni\emopts.dat
21/10/2005 15:07:10 H 6214 C:\Documents and Settings\All Users\Dati applicazioni\sys001.log
21/10/2005 15:07:10 H 10927 C:\Documents and Settings\All Users\Dati applicazioni\sys002.log
21/10/2005 15:07:10 H 4714 C:\Documents and Settings\All Users\Dati applicazioni\sys003.log
21/10/2005 15:07:10 H 7143 C:\Documents and Settings\All Users\Dati applicazioni\sys004.log
21/10/2005 15:07:10 H 1149 C:\Documents and Settings\All Users\Dati applicazioni\sys008.log
19/10/2005 00:12:44 2357 C:\Documents and Settings\All Users\Dati applicazioni\sys009.log

Checking files in %USERPROFILE%\Startup folder...
28/03/2005 20:14:20 447 C:\Documents and Settings\Ornella\Menu Avvio\Programmi\Esecuzione automatica\Stop Dialers.lnk

Checking files in %USERPROFILE%\Application Data folder...
26/08/2003 18:36:12 14144 C:\Documents and Settings\Ornella\Dati applicazioni\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\NortonAntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\o_pro\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programmi\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\NortonAntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\o_pro\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programmi\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\o_pro\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Programmi\NortonAntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Suggerimenti = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINNT\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmi\NortonAntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
SearchBand = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
Controllo ActiveX ricerca file e cartelle = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmi\NortonAntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
Synchronization Manager mobsync.exe /logon
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Zone Labs Client C:\a_pro\firewall\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Spamihilator "C:\o_pro\antispam\Spamihilator\spamihilator.exe"
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0
CDRAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 24/10/2005 00:05:42

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Synchronization Manager"="mobsync.exe /logon"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Zone Labs Client"="C:\\a_pro\\firewall\\ZoneAlarm\\zlclient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Programmi\NortonAntiVirus\NavShExt.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\o_pro\WinRAR\rarext.dll

Subkey --- WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B}
C:\Programmi\WS_FTP Pro\wsftpsi.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\System32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\System32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica

Microsoft Office.lnk
EPSON Status Monitor 3 Environment Check 2.lnk
ZyAIR G-100 Wireless LAN Utility.lnk
Collegamento a html2pop3.exe.lnk
==============================
C:\Documents and Settings\Ornella\Menu Avvio\Programmi\Esecuzione automatica

Microsoft Office.lnk
EPSON Status Monitor 3 Environment Check 2.lnk
ZyAIR G-100 Wireless LAN Utility.lnk
Collegamento a html2pop3.exe.lnk
Stop Dialers.lnk
==============================
C:\WINNT\system32 cpl files

appwiz.cpl Microsoft Corporation
fax.cpl Microsoft Corporation
DESK.CPL Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
INPUT.CPL Microsoft Corporation
joy.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
ac3filter.cpl
ImageDrive.cpl Ahead Software AG
SYSDM.CPL Microsoft Corporation
access.cpl Microsoft Corporation
CamCpl.cpl Logitech Inc.
prefscpl.cpl RealNetworks, Inc.
wuaucpl.cpl Microsoft Corporation
PPPoEService.cpl
sticpl.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation

Thanks a lot for your nice support

andrea

MicroBell · 10-23-2005, 07:38 PM

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Download, install, and update Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into safe mode.....

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\system32\bqsfczfu.exe
C:\Documents and Settings\All Users\Dati applicazioni\emopts.dat

On the reboot....boot directly back to safe mode.

Run Ewido:

Click [Scanner]
Click [Complete System Scan] to begin scanning.
Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
Once finished, click the [Save report] button
Save the report to your desktop

Close Ewido

Reboot back to normal mode and run another Panda scan. Post that log and the Ewido log.

**andrea11** · 10-24-2005, 04:02 AM

Thank you for the support and the patience.
Here you have the ewido log:

---------------------------------------------------------
ewido security suite - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 08:19:09, 24/10/2005
+ Report-Checksum: 6E9AA6BC

+ Risultati scansione:

C:\Documents and Settings\Ornella\Cookies\ornella@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Pulito con Backup

::Fine Rapporto

when then I run panda spyxposer norton detected the following virus:
hacktool.rootkit in C:\recycled\dc3.sys

here you have the cpyxposer report:

Incident Status Location

Spyware:Cookie/Imrworldwide Reported C:\Documents and Settings\Ornella\Cookies\ornella@cgi-bin[1].txt

what should be the next step?
thanks again
andrea

MicroBell · 10-24-2005, 08:47 PM

Empty your recycle bin...and that should take care of the Norton message. The other logs look good. Post another hijackthis and WinPFind log. Are you having any other issues? Rdriv seams to be gone!

**andrea11** · 10-25-2005, 03:02 AM

thank you a lot! I will not be able to post the new logs up to next week end. I will do most probably Saturday. Thanks again for your great service.
andrea

**andrea11** · 10-29-2005, 03:00 PM

hello,
here you have my two requested logs:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 15/10/2005 23:42:32 817 C:\log.txt
PEC2 15/10/2005 23:42:32 817 C:\log.txt
UPX! 15/10/2005 23:41:44 213 C:\win.txt
PEC2 15/10/2005 23:41:44 213 C:\win.txt
UPX! 15/10/2005 23:32:26 95 C:\start.txt
UPX! 15/10/2005 23:42:06 28 C:\windows.txt
qoologic 23/10/2005 23:50:12 202953 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 09/05/2005 13:00:24 277282 C:\WINNT\drsetup.exe

Checking %System% folder...
PECompact2 05/10/2005 09:36:30 2298208 C:\WINNT\SYSTEM32\MRT.exe
aspack 05/10/2005 09:36:30 2298208 C:\WINNT\SYSTEM32\MRT.exe
UPX! 17/09/2001 13:20:02 9216 C:\WINNT\SYSTEM32\cpuinf32.dll
winsync 08/05/2001 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Umonitor 19/06/2003 20:05:04 545552 C:\WINNT\SYSTEM32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
29/09/2005 22:57:58 H 103376 C:\WINNT\test.tmp
29/10/2005 22:27:44 H 1851202 C:\WINNT\ShellIconCache
29/10/2005 21:57:26 H 889 C:\WINNT\system32\vsconfig.xml
22/10/2005 16:55:42 H 4212 C:\WINNT\system32\zllictbl.dat
29/10/2005 22:36:38 H 1024 C:\WINNT\system32\config\software.LOG
29/10/2005 22:28:02 H 1024 C:\WINNT\system32\config\default.LOG
29/10/2005 22:32:06 H 1024 C:\WINNT\system32\config\SECURITY.LOG
29/10/2005 22:34:08 H 1024 C:\WINNT\system32\config\SAM.LOG
22/10/2005 15:28:32 HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
22/10/2005 15:28:32 HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\eb0c73f5-20e7-40f4-8d94-d00d5c9252b3
01/09/2005 07:09:24 H 14117 C:\WINNT\Web\printers.htt
29/10/2005 22:30:28 S 64 C:\WINNT\CSC\00000001
22/10/2005 16:39:18 S 64 C:\WINNT\CSC\00000002
29/10/2005 22:30:28 H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 19/06/2003 20:05:04 303888 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 08/05/2001 32016 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 19/06/2003 20:05:04 243472 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 08/05/2001 130320 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 08/05/2001 120592 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 08/05/2001 36624 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 08/05/2001 122640 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 08/05/2001 308496 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 08/05/2001 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 08/05/2001 41744 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 08/05/2001 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 08/05/2001 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 20/02/2001 13:09:54 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 30/10/2001 08:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 19/06/2003 20:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 20:05:04 93456 C:\WINNT\SYSTEM32\powercfg.cpl
19/08/2003 08:20:04 180224 C:\WINNT\SYSTEM32\ac3filter.cpl
Ahead Software AG 23/12/2003 15:40:52 57344 C:\WINNT\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 19/06/2003 20:05:04 128784 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 08/05/2001 69392 C:\WINNT\SYSTEM32\access.cpl
Logitech Inc. 20/06/2002 12:25:14 90112 C:\WINNT\SYSTEM32\CamCpl.cpl
RealNetworks, Inc. 13/06/2003 21:34:38 24064 C:\WINNT\SYSTEM32\prefscpl.cpl
Microsoft Corporation 26/05/2005 04:16:32 174872 C:\WINNT\SYSTEM32\wuaucpl.cpl
19/11/1999 13:54:12 155648 C:\WINNT\SYSTEM32\PPPoEService.cpl
Microsoft Corporation 19/06/2003 20:05:04 83728 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 30/08/2002 19:28:48 293376 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 08/05/2001 41744 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 04:16:32 174872 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 30/08/2002 19:28:48 293376 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 07/10/1999 01:30:58 94720 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
28/03/2005 20:14:16 530 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Collegamento a html2pop3.exe.lnk
28/03/2005 20:14:12 533 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\EPSON Status Monitor 3 Environment Check 2.lnk
28/03/2005 20:14:10 1498 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
28/03/2005 20:14:14 434 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\ZyAIR G-100 Wireless LAN Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
27/10/2005 09:48:22 21 C:\Documents and Settings\All Users\Dati applicazioni\emopts.dat
27/10/2005 09:35:30 27 C:\Documents and Settings\All Users\Dati applicazioni\ul.nfo

Checking files in %USERPROFILE%\Startup folder...
28/03/2005 20:14:20 447 C:\Documents and Settings\Ornella\Menu Avvio\Programmi\Esecuzione automatica\Stop Dialers.lnk

Checking files in %USERPROFILE%\Application Data folder...
26/08/2003 18:36:12 14144 C:\Documents and Settings\Ornella\Dati applicazioni\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\NortonAntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\o_pro\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programmi\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\NortonAntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\o_pro\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programmi\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\o_pro\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Programmi\NortonAntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Suggerimenti = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINNT\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmi\NortonAntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Ricerche :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
SearchBand = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
Controllo ActiveX ricerca file e cartelle = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmi\NortonAntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
Synchronization Manager mobsync.exe /logon
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Zone Labs Client C:\a_pro\firewall\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Spamihilator "C:\o_pro\antispam\Spamihilator\spamihilator.exe"
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0
CDRAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 29/10/2005 22:39:42

Logfile of HijackThis v1.99.1
Scan saved at 22:40:53, on 29/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\a_pro\z_pro\hijacked\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acuoreaperto.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\NortonAntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\NortonAntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\a_pro\firewall\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\o_pro\antispam\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Stop Dialers.lnk = C:\o_pro\StopDialers\StopDialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\MicrosoftOffice\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: ZyAIR G-100 Wireless LAN Utility.lnk = C:\o_pro\ZyAIR G-100\Startup.exe
O4 - Global Startup: Collegamento a html2pop3.exe.lnk = C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...63/mcfscan.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\a_pro\tools\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\NortonAntiVirus\navapsvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

thanks and regards
andrea

MicroBell · 10-29-2005, 05:12 PM

Your logs look good. Any more problems? If you can..please use a Utility like Winzip and ZIP up this file...

C:\Documents and Settings\All Users\Dati applicazioni\emopts.dat

Attach it to your next post...as I want to look at it's code.

**andrea11** · 10-31-2005, 03:26 AM

Thank you so much.
the pc is workingly perfectly now.
Here you have the last log you asked me:

TFlag=0
SMTPEmailCount=0
POPEmailCount=29

This was really a great service.
Thanks again.
andrea

MicroBell · 11-01-2005, 02:17 AM

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.

Reset hidden/system files and folders

Windows XP
===============

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Windows 2000
===============

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Select the Advanced settings box option.
Select the Hidden files Folders.
Deselect the Show all files option.
Click Yes to confirm.
Click OK.

Windows ME
===============

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Windows 95/98/98SE
===============

Open My Computer.
Select the View
Select the Folder Options option.
Select the View tab. option.
Select the Advance Advanced settings box option.
Select the Hidden files folder.
Deselect the Show all files option
Click Apply to confirm.
Click OK.

Create a new System Restore point

Windows XP
===============

Click Start >> Run - type SYSDM.CPL & press Enter
Select the System Restore Tab
Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
Then untick the same checkbox & click OK
This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

Click the Start tab.
Select the Settings option.
Select the Control Panel option.
Double Click the System icon Performance tab option.
Select File System
Select the Troubleshooting tab
Check the Disable System Restore box
Click Apply to confirm.
Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

Click the Start button.
Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
Choose Create a restore point, and then click Next.
In the Restore point description box, type a name for your restore point, and then click Next.
Click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
Tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.

Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.

**andrea11** · 11-01-2005, 06:52 AM

thanks a lot MicroBell!
is this issue is solved now. I have received a great, complete, fast, accurate, detailed and easy to understand assistance.
I am very happy for this support.
andrea

10-17-2005, 02:36 PM	#1 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	rdriv.sys again Hello, I have a win2000 pc with the rdriv.sys problem. I had not a firewall on that pc, stupid me. I have now downloaded zone alarm to be installed as soon as that pc will be clean again. if you have a better firewall to suggest me you are welcome. I have treid to clean the pc on my own reading the old posts and using killbox and ewido but unsuccesfully I am so posting the hijack this log. Thanks for the nice and kind assistance you all provide! Logfile of HijackThis v1.99.1 Scan saved at 20:48:08, on 17/10/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\userinit.exe C:\WINNT\Explorer.EXE C:\a_pro\z_pro\hijacked\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acuoreaperto.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\NortonAntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\NortonAntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Srv32Win] C:\Programmi\svchost.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKCU\..\Run: [Spamihilator] "C:\o_pro\antispam\Spamihilator\spamihilator.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: Stop Dialers.lnk = C:\o_pro\StopDialers\StopDialer.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\MicrosoftOffice\Office10\OSA.EXE O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: ZyAIR G-100 Wireless LAN Utility.lnk = C:\o_pro\ZyAIR G-100\Startup.exe O4 - Global Startup: Collegamento a html2pop3.exe.lnk = C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...63/mcfscan.cab O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe O23 - Service: ewido security suite control - ewido networks - C:\a_pro\tools\ewido\security suite\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\NortonAntiVirus\navapsvc.exe O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe O23 - Service: NTsystem (System) - Unknown owner - C:\WINNT\ntsys32.exe

10-18-2005, 01:01 AM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Please follow all instructions as specified. Print these instructions to ensure all are followed. Please download the following programs, but do not run them yet: * rdrivRem.zip Unzip it to your desktop. Ewido Security Suite Install ewido security suite Launch ewido, there should be a big E icon on your desktop, double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start* The update will start and a progress bar will show the updates being installed. After the updates are installed exit Ewido. *Cleanup Download and install it * KillBox Download and unzip the Killbox.exe to your desktop. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter. Go to Start->Run and type Services.msc then hit Ok Scroll down and find the service called: NTsystem (System) When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows 1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. 2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows: Click on scanner* Make sure the following boxes are checked before scanning: Binder Crypter Archives Click on Start Scan* Let the program scan the machine While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) click OK Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report Save the report to your desktop. 3.) Run Cleanup! by double-clicking the Cleanup! icon on your desktop. 4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED: O4 - HKLM\..\Run: [Srv32Win] C:\Programmi\svchost.exe O23 - Service: NTsystem (System) - Unknown owner - C:\WINNT\ntsys32.exe Close HiJackThis. 5.) Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. C:\WINNT\ntsys32.exe C:\Programmi\svchost.exe C:\WINNT\system32\rdriv.sys After computer has restarted continue with the rest of the instructions: 6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out. Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc. 7.) Run this online virus scan: Panda ActiveScan Save the results from ActiveScan. I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

10-22-2005, 08:11 PM	#4 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Download Hoster http://www.greyknight17.com/spy/Hoster.exe Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip Run the Cleanup utility again using the same instructions as before. Then reboot into safe mode. Run the Hoster program and select "Restore Orginal Hosts File" Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf C:\PROGRAMMI\FILE COMUNI\GMT C:\WINNT\system32\drivers\etc\1.hosts C:\WINNT\system32\updates.pif C:\WINNT\system32\Perflib_Perfdata_60c.dat C:\WINNT\RTSk16.dll C:\Programmi\Butterfly Oasis Screensaver\BO1Uninstaller.exe Once you reboot..run another Panda scan and post it's log. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

10-23-2005, 02:12 PM	#6 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Open add/remove programs and remove anything that says Gator or Gain IF listed C:\DOCUMENTS AND SETTINGS\ALL USERS\MENU AVVIO\PROGRAMMI\GAIN Publishing <--delete that folder C:\WINNT\system32\svkp.sys <--delete that file.. As you picked up another Rbot infection..I need to look deeper in the system. BTW Zonealarm 5 is fine. Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet! Reboot into Safe Mode Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.! Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. 1. Go to the WinPFind folder 2. Locate WinPFind.txt 3. Please post those results in your next post! REBOOT to normal mode. Double Click on "Track qoo.vbs" Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless! Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind! So I need the following tool logs.. WinPFind.txt log Track qoo.vbs log __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder Last edited by MicroBell; 10-23-2005 at 02:13 PM.

10-23-2005, 07:38 PM	#8 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip Download, install, and update Ewido Security Suite Install ewido security suite Launch ewido, there should be a big E icon on your desktop, double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido Reboot into safe mode..... Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. C:\WINNT\system32\bqsfczfu.exe C:\Documents and Settings\All Users\Dati applicazioni\emopts.dat On the reboot....boot directly back to safe mode. Run Ewido: Click [Scanner] Click [Complete System Scan] to begin scanning. Click [OK] when prompted to clean files With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK]. Once finished, click the [Save report] button Save the report to your desktop Close Ewido Reboot back to normal mode and run another Panda scan. Post that log and the Ewido log. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

10-22-2005, 10:04 AM	#3 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	Thank you for the help. This is the ewido report: --------------------------------------------------------- ewido security suite - Rapporto Scansione --------------------------------------------------------- + Creato il: 13:30:38, 22/10/2005 + Report-Checksum: 56A54A61 + Risultati scansione: C:\Documents and Settings\Ornella\Cookies\ornella@112.2o7[1].txt -> Spyware.Cookie.2o7 : Pulito con Backup C:\Documents and Settings\Ornella\Cookies\ornella@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Pulito con Backup C:\Documents and Settings\Ornella\Cookies\ornella@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Pulito con Backup ::Fine Rapporto This is the panda spyxposer report (the activescan was not there and spyxposer was at its place): Incident Status Location Adware:adware/quicksearch Reported C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf Adware:adware/gator Reported C:\PROGRAMMI\FILE COMUNI\GMT Virus:Trj/Qhost.gen Reported C:\WINNT\system32\drivers\etc\hosts Virus:Trj/Qhost.gen Reported C:\WINNT\system32\drivers\etc\1.hosts Virus:W32/Sdbot.FAW.worm Reported C:\WINNT\system32\updates.pif Spyware:Cookie/Belnk Reported C:\WINNT\system32\Perflib_Perfdata_60c.dat Spyware:Spyware/RealtimeSpy Reported C:\WINNT\RTSk16.dll Adware:Adware/Gator Reported C:\Programmi\Butterfly Oasis Screensaver\BO1Uninstaller.exe And finally the hijackthis report I have just run: Logfile of HijackThis v1.99.1 Scan saved at 17:57:53, on 22/10/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\WINNT\System32\DRIVERS\CDANTSRV.EXE C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe C:\a_pro\tools\ewido\security suite\ewidoctrl.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\Programmi\NortonAntiVirus\navapsvc.exe C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\system32\ZONELABS\vsmon.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\PROGRA~1\NORTON~1\navapw32.exe C:\a_pro\firewall\ZoneAlarm\zlclient.exe C:\o_pro\antispam\Spamihilator\spamihilator.exe C:\WINNT\system32\ctfmon.exe C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe C:\o_pro\StopDialers\StopDialer.exe C:\o_pro\ZyAIR G-100\OdHost.exe C:\o_pro\ZyAIR G-100\WL54CFG.exe C:\Programmi\Internet Explorer\IEXPLORE.EXE C:\Programmi\Internet Explorer\IEXPLORE.EXE C:\a_pro\z_pro\hijacked\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acuoreaperto.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\NortonAntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\NortonAntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Zone Labs Client] C:\a_pro\firewall\ZoneAlarm\zlclient.exe O4 - HKCU\..\Run: [Spamihilator] "C:\o_pro\antispam\Spamihilator\spamihilator.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: Stop Dialers.lnk = C:\o_pro\StopDialers\StopDialer.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\MicrosoftOffice\Office10\OSA.EXE O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: ZyAIR G-100 Wireless LAN Utility.lnk = C:\o_pro\ZyAIR G-100\Startup.exe O4 - Global Startup: Collegamento a html2pop3.exe.lnk = C:\a_pro\z_pro\html2pop3222win32\html2pop3.exe O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...n/2,0,0,4463/m cfscan.cab O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe O23 - Service: ewido security suite control - ewido networks - C:\a_pro\tools\ewido\security suite\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\NortonAntiVirus\navapsvc.exe O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe I have installed Zonealarm firewall 5.5 (5.5.094.000) due to the fact I was not able to run the version 6 on my pc. What should I do now? thanks again a lot for your support andrea

10-23-2005, 04:17 AM	#5 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	thanks again, this is the report from spyxposer: Incident Status Location Adware:adware/gator Reported C:\DOCUMENTS AND SETTINGS\ALL USERS\MENU AVVIO\PROGRAMMI\GAIN Publishing during the Panda scan norton antivirus detected a virus in winnt\system32\svkp.sys to proceed I temporarly deactivated norton autoprotect. what should I do now? one question more will be zonealarm version 5.5 ok as firewall? I can't get the version 6 running smoothly on my pc and if the 5.5 is not good enough could you please suggest me an other firewall? thanks a lot for the support andrea

10-24-2005, 04:02 AM	#9 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	Thank you for the support and the patience. Here you have the ewido log: --------------------------------------------------------- ewido security suite - Rapporto Scansione --------------------------------------------------------- + Creato il: 08:19:09, 24/10/2005 + Report-Checksum: 6E9AA6BC + Risultati scansione: C:\Documents and Settings\Ornella\Cookies\ornella@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Pulito con Backup ::Fine Rapporto when then I run panda spyxposer norton detected the following virus: hacktool.rootkit in C:\recycled\dc3.sys here you have the cpyxposer report: Incident Status Location Spyware:Cookie/Imrworldwide Reported C:\Documents and Settings\Ornella\Cookies\ornella@cgi-bin[1].txt what should be the next step? thanks again andrea

10-24-2005, 08:47 PM	#10 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Empty your recycle bin...and that should take care of the Norton message. The other logs look good. Post another hijackthis and WinPFind log. Are you having any other issues? Rdriv seams to be gone! __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

10-25-2005, 03:02 AM	#11 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	thank you a lot! I will not be able to post the new logs up to next week end. I will do most probably Saturday. Thanks again for your great service. andrea

10-29-2005, 05:12 PM	#13 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Your logs look good. Any more problems? If you can..please use a Utility like Winzip and ZIP up this file... C:\Documents and Settings\All Users\Dati applicazioni\emopts.dat Attach it to your next post...as I want to look at it's code. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

10-31-2005, 03:26 AM	#14 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	Thank you so much. the pc is workingly perfectly now. Here you have the last log you asked me: TFlag=0 SMTPEmailCount=0 POPEmailCount=29 This was really a great service. Thanks again. andrea

11-01-2005, 02:17 AM	#15 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below. Reset hidden/system files and folders Windows XP =============== Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Windows 2000 =============== Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Select the Advanced settings box option. Select the Hidden files Folders. Deselect the Show all files option. Click Yes to confirm. Click OK. Windows ME =============== Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Windows 95/98/98SE =============== Open My Computer. Select the View Select the Folder Options option. Select the View tab. option. Select the Advance Advanced settings box option. Select the Hidden files folder. Deselect the Show all files option Click Apply to confirm. Click OK. Create a new System Restore point Windows XP =============== Click Start >> Run - type SYSDM.CPL & press Enter Select the System Restore Tab Tick on the checkbox - "Turn off System Restore on all drives" Click Apply Then untick the same checkbox & click OK This deletes ALL restore points that had the infection and creates a clean one Windows ME =============== Click the Start tab. Select the Settings option. Select the Control Panel option. Double Click the System icon Performance tab option. Select File System Select the Troubleshooting tab Check the Disable System Restore box Click Apply to confirm. Click OK. Reboot the PC and repeat the above procedure again When you get to this option Uncheck the Disable System Restore box For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below. Click the Start button. Point to Programs, point to Accessories, point to System Tools, and then click System Restore. Choose Create a restore point, and then click Next. In the Restore point description box, type a name for your restore point, and then click Next. Click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system. Recommended Protection Programs Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. WinPatrol to monitor any changes that programs make to the registry. If you do not have a firewall, here are 4 free ones available for personal use: ZoneAlarm Sygate Personal Firewall Kerio Personal Firewall OutPost Firewall In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use: Grisoft AVG Anti-Virus System Alwil Avast 4 Home Edition Softwin BitDefender Free Edition Version 7 In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place. Please respond to this thread one more time so we can mark this thread as resolved. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

11-01-2005, 06:52 AM	#16 (permalink)
andrea11 I helped the forums. Join Date: Oct 2005 Posts: 12 OS: XP SP2	thanks a lot MicroBell! is this issue is solved now. I have received a great, complete, fast, accurate, detailed and easy to understand assistance. I am very happy for this support. andrea