
Weird Behaviour

This is a discussion on Weird Behaviour within the Resolved HJT Threads forums, part of the Tech Support Forum category.


Old 12-21-2006, 03:23 AM   #1
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP



Hi.

I'm home for Xmas holidays, and trying to do some work with my parent's machine.

I've just installed MS Live Messenger and noticed a very strange behaviour. Quite often (but not every time), once I start Windows, my computer doesn't let me run many applications, basically all the internet-related ones. For instance, I cannot run the dial-up thing to connect to the internet, or I can't run IE. But I can run Word, and I can open folders. I cannot open my computer's properties, but I can browse C:\. This is very strange. I checked CPU usage and it's 0%. So I don't really know what it is.

This machine is running SP1, and following the instructions I didn't update (also because I have a 56k dial-up connection). I installed Ad-Aware but no antivirus (and can't download one, it's too big, I guess over 30Mb).

Can you please help, I guess there's some weird thing underneath.

Thanks a lot in advance.

----- My HJThis log

Logfile of HijackThis v1.99.1
Scan saved at 11.16.09, on 21/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Classic PhoneTools\CapFax.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [CapFax] C:\Programmi\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D5DEF3-3231-42B8-8E1B-0890BBA4C986}: NameServer = 193.70.152.25 193.70.192.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Controllo Browser Locale (cbrwlcl) - Unknown owner - C:\WINDOWS\downlo~1\j0u6ge\f7bj6b0.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Old 12-23-2006, 09:04 PM   #2
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello carbonem,

The issue of no installed Anti-Virus program must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer and we'd be wasting our time trying to clean this system without an AV onboard.

Let's begin with fixing what I see first.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

It will be well worth your time to download the following tool as it will assist us in removing the infection I am able to see in your log.

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------

Click Start>Run and copy paste the following bolded text (one at a time) into the run box and click OK:

sc stop "Controllo Browser Locale"

sc delete cbrwlcl

------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

R3 - Default URLSearchHook is missing

Click 'Fix Checked' and close HijackThis.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

I have 56k dial up as well and have managed to download, install and update an AV usually within a 2 hour time period.

Please download and install this excellent and FREE anti-virus program:

Please download Active Virus Shield 13.6MB (powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:

  • Then please update the program and run a systemwide scan by selecting My Computer. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.

  • Click the Scan button on the left, and then click Detected.

  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply.
Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

-------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Active Virus Shield report
Panda results
New HijackThis log
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
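As an added example (not part of the original thread), here is a small Python triage script that applies the same reasoning used on the O23 entries above: it parses the HijackThis service lines, flags a registered service whose binary is gone, or one with no publisher that runs from outside the usual program directories, and derives the sc stop / sc delete commands for it. The O23 lines are the ones from the first log in this thread; the TRUSTED_DIRS list is an assumption for this Italian XP box ("Programmi" is its Program Files).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The O23 lines from the HijackThis log posted earlier in this thread (taken from
# the page, not constructed). A leading newline is deliberate: non-O23 input is skipped.
SAMPLE_O23_LINES = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Controllo Browser Locale (cbrwlcl) - Unknown owner - C:\WINDOWS\downlo~1\j0u6ge\f7bj6b0.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
"""

# HJT layout: O23 - Service: <display name> [(<key name>)] - <owner> - <path> [(file missing)]
# The owner may be empty, in which case HJT prints "- -"; " ?-" absorbs that case.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.*?) ?- (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption: where a legitimately installed service binary normally lives on this
# Italian XP machine. Anything else is treated as "outside standard directories".
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\programmi\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    display: str
    key: str            # falls back to the display name when HJT prints no key name
    owner: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HJT O23 line; returns None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"],
        key=m["key"] or m["display"],
        owner=m["owner"].strip(),
        path=m["path"],
        file_missing=m["missing"] is not None,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach review reasons. Two patterns are flagged: a service registration whose
    binary no longer exists, and a service with no publisher running from an unusual
    directory. An unknown owner alone (e.g. ATI Smart in System32) is not flagged."""
    outside = not entry.path.lower().startswith(TRUSTED_DIRS)
    no_owner = entry.owner in ("", "Unknown owner")
    if entry.file_missing:
        entry.reasons.append("binary missing on disk (service registration left behind)")
    if no_owner and outside:
        entry.reasons.append("no publisher and binary outside standard program directories")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse every O23 line in a log and assess each one."""
    entries = (parse_o23(line) for line in log_text.splitlines())
    return [assess(e) for e in entries if e is not None]


def _quote(name: str) -> str:
    return f'"{name}"' if " " in name else name


def removal_commands(entry: ServiceEntry) -> List[str]:
    """The two sc commands used in the instructions above. sc addresses a service by
    its key name, which HJT prints in parentheses after the display name. A service
    marked '(file missing)' cannot be running, so 'sc stop' is expected to report
    that it is not started; 'sc delete' removes the leftover registration."""
    return [f"sc stop {_quote(entry.key)}", f"sc delete {_quote(entry.key)}"]


if __name__ == "__main__":
    for e in triage(SAMPLE_O23_LINES):
        if e.suspicious:
            print(f"{e.display} ({e.key}): {'; '.join(e.reasons)}")
            for cmd in removal_commands(e):
                print("    " + cmd)
```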
Old 12-26-2006, 06:24 AM   #3
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


Hi. Thanks a lot for your reply.

Since my last post I removed some programs installed, and that delay when starting up went away. Nevertheless, I see the computer is infected so I followed your advice.

- First of all, I installed AVG Anti-Spyware. You are saying to keep it, but it's a 30-day license. Will it work anyway afterwards, or should I remove it?

I did the scan in safe mode, after executing those 2 command lines you said. The program crashed 2 times while/after scan. At the second run it finished with a crash but I still managed to save the report and delete infections before clicking on the "Don't send" button from windows (usual notification after crash).

I did a scan again and it found a few more things. Therefore I post two reports.

I also did the other scans with antivirus and panda.

I will post each report in a different reply.

Thanks a lot and Merry Xmas (even though it was yesterday)
Old 12-26-2006, 06:25 AM   #4
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


---------------------------------------------------------
AVG Anti-Spyware - Rapporto scansione
---------------------------------------------------------

+ Creato alle: 15.08.38 24/12/2006

+ Risultato scansione:



HKLM\SOFTWARE\180solutions -> Adware.180Solutions : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.2o7 : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.2o7 : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.2o7 : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.2o7 : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Adbrite : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Atdmt : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Doubleclick : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Euroclick : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Fastclick : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Fastclick : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Hitbox : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Hitbox : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Itrack : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Overture : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Questionmarket : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Serving-sys : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Tradedoubler : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Trafic : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Tribalfusion : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Yadro : Nessuna operazione eseguita.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Yieldmanager : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP292\A0259294.exe -> Trojan.Dialer.bn : Nessuna operazione eseguita.
C:\WINDOWS\Downloaded Program Files\603758.exe -> Trojan.Dialer.bn : Nessuna operazione eseguita.
C:\WINDOWS\system32\ITqcVsEw.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\WINDOWS\system32\KoTBnEMlqYc.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\WINDOWS\system32\WJEShgVAsPQ.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\WINDOWS\system32\apxoXYql.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\WINDOWS\system32\bSHLjmNMmRH.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\WINDOWS\lFNBbKMdouQ.exe -> Trojan.Dialer.fg : Nessuna operazione eseguita.
C:\WINDOWS\uPlnenqADdK.exe -> Trojan.Dialer.fg : Nessuna operazione eseguita.
C:\WINDOWS\wFpKKvXyNbK.exe -> Trojan.Dialer.fg : Nessuna operazione eseguita.


::Fine rapporto
Old 12-26-2006, 06:26 AM   #5
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


---------------------------------------------------------
AVG Anti-Spyware - Rapporto scansione
---------------------------------------------------------

+ Creato alle: 15.39.38 24/12/2006

+ Risultato scansione:



C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277772.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277773.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277774.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277775.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277776.dll -> Trojan.Dialer.co : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277769.exe -> Trojan.Dialer.fg : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277770.exe -> Trojan.Dialer.fg : Nessuna operazione eseguita.
C:\System Volume Information\_restore{80F0D7E8-2A90-431E-8415-A70B52AAC2EC}\RP319\A0277771.exe -> Trojan.Dialer.fg : Nessuna operazione eseguita.


::Fine rapporto
Old 12-26-2006, 06:26 AM   #6
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


Protection
----------
Total scanned: 232710
Detected: 1
Untreated: 0
Start time: 26/12/2006 10.47.36
Duration: 01.21.15


Detected
--------
Status Object
------ ------
not found: malware Exploit.HTML.CodeBaseExec (modification) File: C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\JOO8S19R\2_calendari[1].htm


Events
------
Time Event
---- -----
26/12/2006 10.02.32 A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
26/12/2006 10.05.45 Active Virus Shield is not activated.
26/12/2006 10.05.46 A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
26/12/2006 10.06.16 Update error: cannot establish connection.
26/12/2006 10.06.16 The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
26/12/2006 10.06.23 Update error: cannot establish connection.
26/12/2006 10.06.23 The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
26/12/2006 10.09.08 Real-time protection is disabled.
26/12/2006 10.10.59 Update error: cannot establish connection.
26/12/2006 10.10.59 The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
26/12/2006 10.42.11 Please restart your computer to complete the installation of new or updated protection components.
26/12/2006 10.42.12 Please restart your computer to complete the installation of new or updated protection components.
26/12/2006 10.42.17 Update completed successfully.
26/12/2006 10.47.19 A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
26/12/2006 10.50.21 Update completed successfully.
26/12/2006 11.20.15 File C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\JOO8S19R\2_calendari[1].htm: detected new variant of malware Exploit.HTML.CodeBaseExec
26/12/2006 11.20.15 Security threats have been detected. You are advised to neutralize them immediately.
26/12/2006 11.20.16 File C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\JOO8S19R\2_calendari[1].htm: is not disinfected, postponed


Reports
-------
Task Status Start Finish Size
---- ------ ----- ------ ----
File Anti-Virus running 26/12/2006 10.47.36 178 KB
Mail Anti-Virus running 26/12/2006 10.47.36 0 bytes
Update completed 26/12/2006 10.49.56 26/12/2006 10.50.21 10.1 KB
Scan Startup Objects completed 26/12/2006 10.50.01 26/12/2006 10.52.02 616.7 KB
Update completed 26/12/2006 10.50.36 26/12/2006 10.50.51 8.7 KB
Scan My Computer completed 26/12/2006 10.52.41 26/12/2006 11.59.46 50 MB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Old 12-26-2006, 06:27 AM   #7
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


PANDA REPORT


Incident Status Location

Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\Cookies\uso [email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\Cookies\uso [email protected][1].txt
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\JOO8S19R\CAKZAF27.HTM
Dialer:Dialer.GZZ Not disinfected C:\WINDOWS\Downloaded Program Files\86cee\mzqvg5wl.zip
Dialer:Dialer.GZZ Not disinfected C:\WINDOWS\Downloaded Program Files\tx2z6b\ftcn18a.zip
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\system32\JGiGquXGkv.dll
Adware:Adware/DeepDive Not disinfected C:\WINDOWS\system32\sRaTtaSnRD.dll
Adware:Adware/DeepDive Not disinfected C:\WINDOWS\system32\uSpMYMAbIa.dll
Old 12-26-2006, 06:28 AM   #8
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


Logfile of HijackThis v1.99.1
Scan saved at 14.15.01, on 26/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Classic PhoneTools\CapFax.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [CapFax] C:\Programmi\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programmi\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
carbonem is offline  
Old 12-27-2006, 06:22 PM   #9
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello carbonem and Merry Christmas to you as well.

Quote:
I installed AVG Anti-spyware. You are saying to keep it, but it's a 30-day license. Will it work anyway afterwards or should I remove it?
Keep the program. After the 30 day trial, you will lose its 'active protection', but will still be able to update its database as well as scan and clean your system with it.

My Italian is a bit rusty but if I remember correctly, the following means that no action was taken with AVG A-S:

Nessuna operazione eseguita

I know you said the program crashed a couple times during the cleanings, so I need to know if that was your final scan, or if a subsequent scan did clean those for you.

If that was your final scan, I'll need you to run it again.

----------------------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Reboot into Safe Mode.

***************************************************

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Click Start>Run and copy/paste the following text into the Run box and click OK:

regsvr32 /u occache.dll

----------------------

Using 'My Computer', navigate to and delete the following Files and Folders if they still exist.

C:\Documents and Settings\Uso Privato\ Impostazioni
C:\WINDOWS\Downloaded Program Files\ 86cee
C:\WINDOWS\Downloaded Program Files\ tx2z6b
C:\WINDOWS\system32\ JGiGquXGkv.dll
C:\WINDOWS\system32\ sRaTtaSnRD.dll
C:\WINDOWS\system32\ uSpMYMAbIa.dll


----------------------

Now, click Start>Run and copy/paste the following text into the Run box and click OK:

regsvr32 occache.dll

-----------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

-------------------------------------

Run another online scan at Panda and save the results.

Please include the following in your next reply:

AVG A-S report
Panda results
ComboFix.txt
New HijackThis log
Update on how the system is behaving
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-28-2006, 01:46 PM   #10
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


Hi.

Thanks a lot for your useful comments.

I did fix all the problems before with AVG, but after saving the report. I'm sorry about that, I just got confused because of the crash.

Anyway, I ran AVG again before everything you said in your second post. I got a report that I post below. Then I followed your instructions but got nothing wrong with the other scan, so the AVG report you see is about my first scan today (the other one was absolutely empty).


One little thing I noticed: I had to run the AVG scan you say (after deleting those files) three times. The first two scans caused a Safe Mode Windows crash (blue screen + reboot).


I also did the combofix. I post the report below. And HijackThis as well.
Various reports, various replies.


Thanks a lot again.

Marco
carbonem is offline  
Old 12-28-2006, 01:47 PM   #11
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


BTW, sorry about the Italian bits :P

---------------------------------------------------------
AVG Anti-Spyware - Rapporto scansione
---------------------------------------------------------

+ Creato alle: 11.28.36 28/12/2006

+ Risultato scansione:



C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.2o7 : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Adrevolver : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Advertising : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Atdmt : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Com : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Doubleclick : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Liveperson : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso priva[email protected][1].txt -> TrackingCookie.Pointroll : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][1].txt -> TrackingCookie.Serving-sys : Ripulito.
C:\Documents and Settings\Uso Privato\Cookies\uso [email protected][2].txt -> TrackingCookie.Zedo : Ripulito.


::Fine rapporto
carbonem is offline  
Old 12-28-2006, 01:48 PM   #12
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


"Uso Privato" - 06-12-28 21.26.36,81 Service Pack 1
ComboFix 06-12-28.3W-BetaE2 - Running from: "C:\Documents and Settings\Uso Privato\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\INSTALL.LOG
f:\autorun.inf" . . . . failed to delete


((((((((((((((((((((((((((((((( Files Created from 2006-11-28 to 2006-12-28 ))))))))))))))))))))))))))))))))))


2006-12-28 21:29 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-26 12:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-26 10:02 <DIR> d-------- C:\Programmi\AOL
2006-12-26 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\AOL
2006-12-25 11:42 <DIR> d-------- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ITA$
2006-12-24 11:53 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-12-24 11:53 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-12-24 11:53 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2006-12-24 11:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-24 11:42 <DIR> d-------- C:\Programmi\Grisoft
2006-12-22 15:00 <DIR> d-------- C:\DOCUME~1\USOPRI~1\DATIAP~1\Leadertech
2006-12-22 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Adobe
2006-12-22 09:30 <DIR> d-------- C:\Programmi\Hattrick Coach Professional
2006-12-21 13:22 98,304 --a------ C:\WINDOWS\system32\odbcint.dll
2006-12-21 13:22 73,728 --a------ C:\WINDOWS\system32\DBnetlib.dll
2006-12-21 13:22 73,728 --a------ C:\WINDOWS\system32\cliconfg.dll
2006-12-21 13:22 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2006-12-21 13:22 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2006-12-21 13:22 51,712 --a------ C:\WINDOWS\system32\msxml3r.dll
2006-12-21 13:22 401,408 --a------ C:\WINDOWS\system32\SQLSRV32.dll
2006-12-21 13:22 4,656 --a------ C:\WINDOWS\system32\ds16gt.dll
2006-12-21 13:22 36,864 --a------ C:\WINDOWS\system32\mscpxl32.dll
2006-12-21 13:22 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe
2006-12-21 13:22 28,672 --a------ C:\WINDOWS\system32\DBnmpntw.dll
2006-12-21 13:22 28,672 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2006-12-21 13:22 26,224 --a------ C:\WINDOWS\system32\odbc16gt.dll
2006-12-21 13:22 24,576 --a------ C:\WINDOWS\system32\odbcbcp.dll
2006-12-21 13:22 24,576 --a------ C:\WINDOWS\system32\msorc32r.dll
2006-12-21 13:22 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2006-12-21 13:22 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2006-12-21 13:22 24,576 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2006-12-21 13:22 20,480 --a------ C:\WINDOWS\system32\cliconfg.exe
2006-12-21 13:22 180,800 --a------ C:\WINDOWS\system32\sqlunirl.dll
2006-12-21 13:22 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2006-12-21 13:22 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2006-12-21 13:22 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2006-12-21 13:22 147,456 --a------ C:\WINDOWS\system32\msdart.dll
2006-12-21 13:22 139,264 --a------ C:\WINDOWS\system32\msorcl32.dll
2006-12-21 13:22 102,400 --a------ C:\WINDOWS\system32\odbccp32.dll
2006-12-21 11:13 <DIR> d-------- C:\HJT
2006-12-20 13:00 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dati applicazioni
2006-12-20 13:00 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Avvio
2006-12-20 13:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Risorse di stampa
2006-12-20 13:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Risorse di rete
2006-12-20 13:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Modelli
2006-12-20 13:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Impostazioni locali
2006-12-20 13:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Preferiti
2006-12-20 13:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Documenti
2006-12-19 12:15 <DIR> d-------- C:\Programmi\MSN Messenger


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-26 13:25 -------- d-------- C:\Programmi\google
2006-12-26 13:18 -------- d-------- C:\Programmi\classic phonetools
2006-12-26 13:05 -------- d-------- C:\Programmi\picasa2
2006-12-23 11:10 -------- d-------- C:\Programmi\stopdialers
2006-12-23 11:04 -------- d-------- C:\Programmi\canon
2006-12-23 11:00 -------- d--h----- C:\Programmi\installshield installation information
2006-12-22 15:00 -------- d-------- C:\Documents and Settings\Uso Privato\Dati applicazioni\leadertech
2006-12-22 14:44 -------- d-------- C:\Documents and Settings\Uso Privato\Dati applicazioni\adobe
2006-12-22 14:42 64 --a------ C:\Documents and Settings\Uso Privato\Dati applicazioni\dm.ini
2006-12-22 14:42 1361 --a------ C:\Documents and Settings\Uso Privato\Dati applicazioni\adobedlm.log
2006-11-08 17:11 -------- d-------- C:\Documents and Settings\Uso Privato\Dati applicazioni\datalayer


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Steam"=""
"PcSync"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"SpybotSD TeaTimer"="C:\\Programmi\\Spybot - Search & Destroy\\TeaTimer.exe"
"swg"="C:\\Programmi\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"EPSON Stylus C64 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C64 Series\" /O6 \"USB001\" /M \"Stylus C64\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"CapFax"="C:\\Programmi\\Classic PhoneTools\\CapFax.EXE"
"ATIPTA"="C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Picasa Media Detector"="C:\\Programmi\\Picasa2\\PicasaMediaDetector.exe"
"SunJavaUpdateSched"="C:\\Programmi\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"DataLayer"="C:\\Programmi\\File comuni\\PCSuite\\DataLayer\\DataLayer.exe"
"PCSuiteTrayApplication"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"Adobe Photo Downloader"="\"C:\\Programmi\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"!AVG Anti-Spyware"="\"C:\\Programmi\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"aol"="\"C:\\Programmi\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061224-125702-555
R3 - Default URLSearchHook is missing
Completion time: 06-12-28 21:33:25.56
carbonem is offline  
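The "Reg Loading Points" section of the ComboFix output above stores two Run values as hex(2) byte lists wrapped across lines, which is why they are harder to read than the O4 lines HijackThis shows for the same entries. The Python below is an added example, not part of this thread, ComboFix or HijackThis; it rejoins and decodes such values so they can be compared against the HijackThis O4 lines (the UTF-16 branch is an assumption covering real .reg exports, since this dump writes one byte per character).

```python
"""Decode the Run values in a ComboFix-style 'Reg Loading Points' dump.

Added example; not part of this thread, of ComboFix or of HijackThis.
REG_EXPAND_SZ values appear as 'hex(2):' byte lists, wrapped with a trailing
backslash, so the autorun command is not readable at a glance.  This parser
rejoins the wrapped lines, decodes the bytes and unescapes quoted strings.
"""
import re

# Constructed sample: lines copied from the ComboFix output in this thread.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"EPSON Stylus C64 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C64 Series\" /O6 \"USB001\" /M \"Stylus C64\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"aol"="\"C:\\Programmi\\AOL\\Active Virus Shield\\avp.exe\""
@=""
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run'

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _join_continuations(text):
    """Rejoin hex byte lists that were wrapped with a trailing backslash."""
    return re.sub(r',\\\r?\n\s*', ',', text)

def _unescape(s):
    """Undo .reg escaping (backslash-backslash, backslash-quote) in one pass."""
    return re.sub(r'\\(.)', r'\1', s)

def decode_hex_value(byte_list):
    """Turn '25,73,...' into text.

    A real .reg export stores REG_EXPAND_SZ as UTF-16LE (every second byte
    is 0x00); the ComboFix dump above writes one byte per character.  The
    layout check is an assumption that covers both forms.
    """
    raw = bytes(int(b, 16) for b in byte_list.split(',') if b.strip())
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    return text.rstrip('\x00')

def parse_reg_dump(text):
    """Return {key_path: {value_name: decoded_string}}."""
    result, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = '(Default)' if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.startswith('hex'):
            value = decode_hex_value(data.split(':', 1)[1])
        else:
            value = data          # dword:, hex(7): etc. are left undecoded
        result[current][name] = value
    return result

def hex_encoded_names(text):
    """Names whose data was stored as a hex list rather than a plain string."""
    joined = _join_continuations(text)
    return re.findall(r'^"((?:[^"\\]|\\.)*)"=hex', joined, flags=re.M)

if __name__ == '__main__':
    for name, cmd in parse_reg_dump(SAMPLE)[RUN_KEY].items():
        print(f'{name:28} {cmd}')
```

The two decoded hex(2) entries come out as the same dumprep and mobsync commands that HijackThis lists as plain O4 lines, so the encoding here is a display artefact rather than an attempt to hide anything.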
Old 12-28-2006, 01:49 PM   #13
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


Logfile of HijackThis v1.99.1
Scan saved at 21.42.21, on 28/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Classic PhoneTools\CapFax.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [CapFax] C:\Programmi\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programmi\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
carbonem is offline  
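The triage Ried does by eye on the log above can be written down as code. This Python is an added example, not part of this thread or of HijackThis; the sample lines are copied from the log above with one made-up O4 entry marked CONSTRUCTED, and the trusted-directory list is an assumption for this Italian XP system.

```python
"""Triage helper for HijackThis 1.99 log lines.

Added example; it is not part of this thread or of HijackThis.  It parses
the 'Oxx - ' entry lines, groups them by section and flags the kinds of
entries a helper checks first: autoruns outside the usual directories,
ActiveX (DPF) downloads, protocol handlers, Winlogon Notify DLLs, and
services whose binary is missing or has no company name.
"""
import re

# Constructed sample: entry lines copied from the log in this thread, plus one
# made-up O4 line (marked CONSTRUCTED) to exercise the location check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\Uso Privato\Impostazioni locali\Temp\sample.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programmi\AOL\Active Virus Shield\avp.exe" -r (file missing)
"""

ENTRY_RE = re.compile(r'^([RFNO]\d+) - (.*)$')

# Roots from which installed software normally starts on this Italian XP box
# ('Programmi' is the localised Program Files).  Assumption: anything else
# deserves a second look, not an automatic verdict.
TRUSTED_ROOTS = (r'c:\windows', r'%systemroot%', r'c:\programmi',
                 r'c:\progra~1', r'c:\program files')

def parse_entries(log_text):
    """Return [(section, body)] for every 'Oxx - body' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def o4_path(body):
    """Executable path from an O4 body '<hive>\\..\\Run: [name] command'."""
    command = body.split('] ', 1)[1] if '] ' in body else body
    if command.startswith('"'):                 # quoted path, then arguments
        return command[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.*?\.exe)\b', command)  # unquoted: stop after .exe
    return m.group(1) if m else command

def flag_entries(entries):
    """Return [(section, body, reason)] for entries that merit review."""
    flagged = []
    for section, body in entries:
        low, reason = body.lower(), None
        if section == 'O4':
            if not o4_path(body).lower().startswith(TRUSTED_ROOTS):
                reason = 'autorun outside program/system directories'
        elif section == 'O16':
            reason = 'ActiveX download (DPF): confirm you used this site'
        elif section == 'O18':
            reason = 'custom URL protocol handler: confirm the owning program'
        elif section == 'O20':
            reason = 'Winlogon Notify DLL (loaded by winlogon.exe): confirm vendor'
        elif section == 'O23':
            if '(file missing)' in low:
                reason = 'service points to a missing binary'
            elif 'unknown owner' in low:
                reason = 'service with no company name'
        if reason:
            flagged.append((section, body, reason))
    return flagged

if __name__ == '__main__':
    for section, body, reason in flag_entries(parse_entries(SAMPLE_LOG)):
        print(f'{section:4} {reason}\n     {body}')
```

A flag is a prompt to confirm the vendor or the install, as Ried does above, not a verdict; in this thread every flagged entry turned out to belong to installed software.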
Old 12-28-2006, 08:52 PM   #14
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello Marco,

I'm not seeing anything in these logs--how is the system behaving?
Ried is offline  
Old 12-29-2006, 03:42 AM   #15
Registered Member
 
Join Date: Sep 2006
Posts: 38
OS: Win XP


Dear Ried,

I believe that the system is pretty stable now.

I don't see any strange behaviour, it is working pretty well.

So I believe it is now clean.

Thanks a lot for your help and Happy New 2007!!!!

M
carbonem is offline  
Old 12-29-2006, 08:30 AM   #16
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


That is good to hear, and Happy 2007 to you as well.

We have a bit of final touches as well as suggestions for improving protection for this system.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.
Ried is offline  
 
