Hello Flrman1,
I followed your instructions, but without success. I mean, ewido caught the xxxtmp.exe (idd-related) items and cleaned them, but they keep being created, so I think that the "real" origin of the malware was not discovered and cleaned up.
Anyway, here are the logs you requested:
=======================
(1) EWIDO report after Complete Scan (in safe-mode)
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 12.51.32 17/07/2006
+ Scan result:
C:\WINDOWS\Temp\idd102.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd10B.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd113.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd11A.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd177.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd9E.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC2.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddCC.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddCE.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD3.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD9.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddE6.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddEB.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddEC.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddED.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddFB.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\8PQ30P6N\srvuxn[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\9CDP3PXR\srvkzj[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\GPSJSJC7\srvais[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\KJANWTGR\srvmko[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\S353UENP\srvhlp[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\ZBDHT9LI\srvekg[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win19.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win95.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winCB.tmp -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winCC.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winDF.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winF3.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\isinst.exe -> Downloader.IstBar.ow : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\C1U7G5YB\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\GPSJSJC7\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\MQULTT4Y\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\S353UENP\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Downloads\XPCrack\WTK_Dp\WTK_Dp\UltimateWindows\RockXP v3\RockXP30.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
C:\Downloads\XPCrack\WTK_Dp\WTK_Dp\UltimateWindows\RockXP v3\RockXP30.exe/keyms.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
C:\Downloads\XPCrack\WTK_Dp\WTK_Dp\UltimateWindows\RockXP v3\RockXP30.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Dbbsrv : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Profiles\default\vn2rgl81.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
::Report end
========================
(2) HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 12.58.02, on 17/07/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\Programmi\OfficeScan NT\tmlisten.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\File comuni\System\MSSearch\Bin\mssearch.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\Programmi\OfficeScan NT\pccntmon.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\TEMP\VICEB6.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis\HijackThis.exe
C:\Documentum\product\5.2\bin\mthdsvr.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2003:8090/CLASSLIFE/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Premium Clock] C:\Programmi\Premium Clock\Premium.exe /autorun
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: WinMySQLadmin.lnk = C:\FoxServ\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://dcmt-00:8090/...ContentXfer.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://officescan/o...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://officescan/o...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://officescan/o...stall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://officescan/o...html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://officescan/o.../RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140250383706
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqlr32 - C:\WINDOWS\SYSTEM32\winqlr32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Apache Tomcat 4.1-Calendar - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Documentum DocBroker Service Docbroker (DmDocbroker) - Unknown owner - C:\Documentum\product\5.2\bin\dmdocbroker.exe
O23 - Service: Documentum Java Method Server (DmJavaMethodServer) - Alexandria Software Consulting - C:\Program Files\Documentum\tomcat\4.1.27\bin\tomcat.exe
O23 - Service: Documentum Docbase Service CLASSLIFE (DmServerCLASSLIFE) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: Documentum Docbase Service GESDOCNEWS (DmServerGESDOCNEWS) - Unknown owner - C:\Documentum\product\5.2\bin\dmserver_v4.exe
O23 - Service: EncoderServer - Unknown owner - C:\encoderServer\wrapper_win32_3.1.2\bin\wrapper.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerLISTENER2 - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDCMTDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\OfficeScan NT\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
===================
(3) HijackThis 'Save List'
Ad-Aware SE Personal
Adobe Download Manager 2.0 (solo rimozione)
Adobe Reader 7.0.7
Agere Systems AC'97 Modem
Aggiornamento della protezione per Windows Server 2003 (KB916281)
Apache Tomcat 4.1 (remove only)
Broadcom 440x 10/100 Integrated Controller
Codec Pack - All In 1 6.0.2.7
Connect Daily Web Calendar
DameWare Mini Remote Control
Debugging Tools for Windows
DJ Java Decompiler v.3.7.7.81
Documentum Administrator
Documentum Application Builder 5.2.5
Documentum Application Installer 5.2.5
Documentum Content Server 5.2
Documentum DAM Services
Documentum DFC Runtime Environment
Documentum Webtop
ewido anti-spyware 4.0
HijackThis 1.99.1
Intel® Extreme Graphics 2 Driver
IntelliJ IDEA 4.0
JAJC (remove only)
Jasc Paint Shop Pro 9
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK, SE v1.4.2_05
K-Lite Codec Pack 2.50 Full
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2003 - Componenti Web
Microsoft Office Basic Edition 2003
Microsoft Office Professional Edition 2003
Microsoft Script Debugger
Microsoft SQL Server 2000
Nero Suite
NeroVision Express 3 SE
Netscape (7.1)
PL/SQL Developer
Realtek AC'97 Audio
Spark 1.1.3
TopStyle (Version 3)
TortoiseCVS 1.8.13
Trend Micro OfficeScan Client
Universe Online WebControls for Java Setup
VMware Workstation
VNC Free Edition 4.1.1
Wildfire 2.5.1
Windows Server 2003 Service Pack 1
Windows System Updates {C34F4667-ADD4-4EAF-98D6-DCE034FB5CCF}
Windows System Updates {C521F31F-9E0E-45ED-89E4-BFBDB18E13A1}
Windows System Updates {ECDF2F0C-9B27-4C9F-B4F7-D917F14589A1}
WinRAR gestione archivi
WinZip
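The HijackThis log above is the kind of thing a helper triages by hand: look for processes and autoruns living in temporary directories, and for Winlogon Notify (O20) entries whose DLL is not a known component. The script below is an added example of that triage logic and is not part of the original post or of HijackThis itself. Its sample input is a constructed excerpt of the log lines posted above (not the full log), and the allow list of "known" Winlogon Notify DLLs is an assumption for illustration; anything not on it is reported for manual verification, not declared malicious.

```python
import re

# Directory names treated as "temporary" when they appear anywhere in a path.
TEMP_DIR_NAMES = {"temp", "tmp", "temporary internet files"}

# ASSUMPTION: allow list of Winlogon Notify DLLs considered normal on this
# build (Intel graphics helper, DIMS notification). Not an authoritative list.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "dimsntfy.dll"}

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Constructed sample: a short excerpt in HijackThis v1.99 format, copied from
# the log above so the checks can be demonstrated offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\VICEB6.EXE
C:\Programmi\ewido anti-spyware 4.0\guard.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winqlr32 - C:\WINDOWS\SYSTEM32\winqlr32.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
"""


def in_temp_dir(path):
    """True if any directory component (not the file name) is a temp folder."""
    parts = [p.strip('"').lower() for p in path.split("\\")[:-1]]
    return any(p in TEMP_DIR_NAMES for p in parts)


def triage(log_text):
    """Return (section, line, reason) tuples for entries worth a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes and PROCESS_RE.match(line):
            if in_temp_dir(line):
                findings.append(("process", line, "running from a temporary directory"))
            continue
        in_processes = False  # first non-path line ends the process list

        m = O4_RE.match(line)
        if m:
            if in_temp_dir(m.group("cmd")):
                findings.append(("O4", line, "autorun entry points into a temporary directory"))
            continue

        m = O20_RE.match(line)
        if m:
            dll = m.group("path").strip().rsplit("\\", 1)[-1].lower()
            if not dll.endswith(".dll"):
                findings.append(("O20", line, "Winlogon Notify entry has no DLL file name"))
            elif dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("O20", line, "Winlogon Notify DLL not on the assumed allow list; verify publisher and hash"))
            continue

        m = O23_RE.match(line)
        if m:
            if "(file missing)" in m.group("path"):
                findings.append(("O23", line, "service binary missing on disk"))
            elif in_temp_dir(m.group("path")):
                findings.append(("O23", line, "service binary in a temporary directory"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

Run against the excerpt it reports the process in C:\WINDOWS\TEMP, the NavLogon entry with a directory but no DLL, the winqlr32 entry as unverified, and the Oracle service whose binary is missing. On a real log, add the DLLs you have verified to the allow list rather than widening the checks; a quiet allow list is what makes the remaining output worth reading.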