Hopefully the below indicates you have an HP computer?
O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
Yes I do actually, and I did think of that, but this item never showed up before in my previous HJT logs and also I found it mentioned as 'unknown' on some websites, so that's why I wasn't sure...
BUT it's also true that I did a live chat with some HP tech some time ago, so maybe that entry is due to the HP chat install? Will check with them...
Also looks like you need to Uninstall and Reinstall SpywareGuard if you intend to keep it?
OK thanks, I just did this.
Also, here is the ComboFix log:
Administrator - 06-09-24 0.00.50,10 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\hp\Documenti\Downloads"
((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))
2006-09-23 22:34 2,984 --a------ C:\WINDOWSvundofix.reg
2006-09-22 15:53 23,482 --a------ C:\WINDOWS\system32\awtsq.exe
2006-09-22 12:34 8,976 --a------ C:\WINDOWS\system32\pmkhgdc.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-23 23:58 -------- d-------- C:\Programmi\SpywareGuard
2006-09-23 23:23 -------- d-------- C:\Programmi\HijackThis
2006-09-23 18:56 -------- d---s---- C:\Documents and Settings\Administrator\Dati applicazioni\Microsoft
2006-09-23 18:03 -------- d-------- C:\Programmi\Ewido anti-spyware 4.0
2006-09-22 20:21 -------- d-------- C:\Programmi\Internet Explorer
2006-09-22 19:52 -------- d-------- C:\Programmi\Java
2006-09-22 19:51 -------- d-------- C:\Programmi\File comuni\Java
2006-09-22 19:51 -------- d-------- C:\Programmi\File comuni
2006-09-22 18:53 -------- d-------- C:\Programmi\WinZip
2006-09-22 18:51 -------- d-------- C:\Programmi\File comuni\System
2006-09-22 18:19 -------- d-------- C:\Programmi\CWShredder
2006-09-22 16:56 -------- d-------- C:\Programmi\SpywareBlaster
2006-09-22 16:56 -------- d-------- C:\Documents and Settings\Administrator\Dati applicazioni\AVG7
2006-09-22 16:10 -------- d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Cartella di caricamento Share-to-Web
2006-09-22 16:03 -------- d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Lavasoft
2006-09-20 18:18 -------- d-------- C:\Programmi\eMule
2006-09-19 22:12 -------- d-------- C:\Programmi\WinRAR
2006-09-17 00:17 -------- d-------- C:\Programmi\Dir Lister
2006-09-01 09:30 -------- d-------- C:\Programmi\Adobe
2006-09-01 01:20 -------- d-------- C:\Programmi\Winamp
2006-08-31 18:15 -------- d--h----- C:\Programmi\Zero G Registry
2006-08-31 18:15 -------- d-------- C:\Programmi\JAlbum
2006-08-31 12:08 -------- d-------- C:\Programmi\ArcSoft
2006-08-21 14:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-18 11:35 -------- d-------- C:\Programmi\FLVPlayer
2006-08-18 10:48 -------- d-------- C:\Programmi\ffdshow
2006-08-17 21:58 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-17 21:58 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 15:25 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:27 72704 --a------ C:\WINDOWS\system32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AlcxMonitor"="ALCXMNTR.EXE"
"zzzHPSETUP"="H:\\Setup.exe"
"Share-to-Web Namespace Daemon"="C:\\Programmi\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus D68 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAAE.EXE /P23 \"EPSON Stylus D68 Series\" /O6 \"USB002\" /M \"Stylus D68\""
"SunJavaUpdateSched"="C:\\Programmi\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"!ewido"="\"C:\\Programmi\\Ewido anti-spyware 4.0\\ewido.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20060923-230431-898
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
backup-20060923-230431-512
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
backup-20060923-190706-835
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
backup-20060922-174509-746
R3 - Default URLSearchHook is missing
backup-20060922-174509-726
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
backup-20060922-174509-715
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
backup-20060922-174509-538
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
backup-20060922-174509-506
O2 - BHO: (no name) - {0C8157F3-EA92-40FF-92C0-9B46012C307B} - C:\WINDOWS\system32\EPP257.dll
Completion time: 24/09/2006 0:01:27.14
ComboFix.txt
--------------------------------------------------------------------------
Finally I ran the F-Secure Online Scanner as you suggested and here is the report:
--------------------------------------------------------------------------
Scanning Report
Sunday, September 24, 2006 00:16:29 - 00:42:41
Computer name: DESKTOP-ISA
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\
--------------------------------------------------------------------------------
Result: 4 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 17646
System: 3617
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{31F69223-BB6B-46EA-A0A8-CB1EAC91F4E2}.BIN
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-22
F-Secure Libra: 2.4.1, 2006-09-22
F-Secure Orion: 1.2.37, 2006-09-21
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-14
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
--------------------------------------------------------------------------------
This is all for now, it's getting late here and I'd better go. I'll be looking forward to your reply tomorrow, thanks so much again for your attention.
isabella
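The helper's first question in this thread turns on reading one autorun entry out of the log: the `zzzHPSETUP` value under `HKLM\...\Run` points at `H:\Setup.exe`, i.e. an executable on a drive other than the one Windows lives on, which is why it drew attention. The script below is an added example, not part of the thread and not code from ComboFix or HijackThis. It parses the REG-export style lines ComboFix prints under its "Reg Loading Points" heading, keeps only the values under `Run` keys, renders each the way HijackThis prints an O4 line (the `HKLM\..\Run:` form is taken from the thread; the `HKCU`/`HKU` abbreviations are assumptions), and flags two things a reviewer would want called out: commands given as a bare filename with no directory, and executables on a drive other than the system drive. The sample log is a constructed excerpt in the same layout as the log above; `SYSTEM_DRIVE = "C:"` and the "everything up to the first `.exe`" rule for finding the executable are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the same layout as the "Reg Loading Points" section
# of the ComboFix log in this thread (REG-export style lines under each key).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AlcxMonitor"="ALCXMNTR.EXE"
"zzzHPSETUP"="H:\\Setup.exe"
"Share-to-Web Namespace Daemon"="C:\\Programmi\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
'''

SYSTEM_DRIVE = "C:"  # assumption: the log in the thread shows Windows installed on C:

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data", with REG escapes (backslash-backslash, backslash-quote) allowed in either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Heuristic: the executable is everything up to the first ".exe", with an optional leading quote.
EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)

# HijackThis-style hive abbreviations. HKLM appears in the thread's O4 line;
# the other two are an assumption made for the rendering in hjt_line().
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}


@dataclass
class AutorunEntry:
    key: str       # full registry key the value was found under
    name: str      # value name, e.g. zzzHPSETUP
    command: str   # command line after REG unescaping
    exe: str       # executable path extracted from the command line


def unescape_reg(s: str) -> str:
    """Turn REG-export escapes (backslash-backslash, backslash-quote) back into literal characters."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_loading_points(text: str) -> list[AutorunEntry]:
    """Collect the string values under every key whose last component is 'Run'."""
    entries: list[AutorunEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None or not current_key.lower().endswith("\\run"):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # dword/hex values and blank lines are not autorun commands
        name, command = unescape_reg(m.group(1)), unescape_reg(m.group(2))
        exe_match = EXE_RE.match(command)
        exe = exe_match.group(1) if exe_match else command
        entries.append(AutorunEntry(current_key, name, command, exe))
    return entries


def flag_reasons(entry: AutorunEntry) -> list[str]:
    """Reasons an entry deserves a second look; an empty list means nothing unusual was seen."""
    reasons = []
    if "\\" not in entry.exe:
        reasons.append("bare filename (no directory): resolved through the search path at logon")
    drive = entry.exe[:2].upper() if re.match(r"^[A-Za-z]:", entry.exe) else None
    if drive and drive != SYSTEM_DRIVE:
        reasons.append(f"runs from drive {drive}, not the system drive {SYSTEM_DRIVE}")
    return reasons


def hjt_line(entry: AutorunEntry) -> str:
    """Render an entry in the O4 form HijackThis uses, e.g. the zzzHPSETUP line quoted in the thread."""
    root = entry.key.split("\\", 1)[0]
    leaf = entry.key.rsplit("\\", 1)[-1]
    return f"O4 - {HIVES.get(root, root)}\\..\\{leaf}: [{entry.name}] {entry.command}"


if __name__ == "__main__":
    for e in parse_loading_points(SAMPLE_LOG):
        reasons = flag_reasons(e)
        marker = "CHECK" if reasons else "ok   "
        print(f"{marker} {hjt_line(e)}")
        for r in reasons:
            print(f"        - {r}")
```

Run against the constructed excerpt, the script reproduces the thread's `O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe` line and marks it for review because it runs from `H:`, and also marks `AlcxMonitor`, whose command is a bare `ALCXMNTR.EXE` with no directory. A flag is only a prompt to check the vendor and the file on disk, which is exactly the follow-up the poster describes doing with HP; it is not a verdict.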