
not sure if my pc is infected



#1 teotrudi (New Member, 7 posts)

Logfile of HijackThis v1.99.1
Scan saved at 9.24.32, on 07/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Matteo Sansone\Desktop\HijackThis.exe
C:\Programmi\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174936852373
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe



StartupList report, 07/06/2007, 9.29.42
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Matteo Sansone\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\eMule\emule.exe
C:\Documents and Settings\Matteo Sansone\Desktop\HijackThis.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

High Definition Audio Property Page Shortcut = HDAShCut.exe
SoundMAXPnP = C:\Programmi\Analog Devices\Core\smax4pnp.exe
SoundMAX = "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
CnxTrApp = rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Adobe Photo Downloader = "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
NeroFilterCheck = C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
REGSHAVE = C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
PCSuiteTrayApplication = C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Programmi\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1174936852373

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Programmi\Spyware Doctor\vcl100.bpl||C:\Programmi\Spyware Doctor\rtl100.bpl||C:\Programmi\Spyware Doctor\PCToolsComponents.bpl||C:\Programmi\Spyware Doctor\SysAccess.dll||C:\Programmi\Spyware Doctor\ikdll.dll||C:\Programmi\Spyware Doctor\cdialogs.dll||C:\Programmi\Spyware Doctor\sdloader.exe||C:\Programmi\Spyware Doctor


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: %system%\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 6.034 bytes
Report generated in 0,235 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 Kenny94 (Member 1K, 1,595 posts)

Hello teotrudi and Welcome to Geeks To Go!

It is likely that you have a variant of the Vundo trojan that hides itself from HijackThis.exe so if we rename HijackThis, the entries should become visible.

I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List
* HijackThis log (new)


#3 teotrudi (Topic Starter)

Hello Kenny94 and thanks so much...

I opened HijackThis, clicked Config, clicked Misc Tools, clicked "Open Uninstall Manager", but whenever I click on "Save List" the application shuts down! (Sorry for my English.)

What do I have to do?

Thanks

#4 Kenny94

Hello teotrudi

Just rename HijackThis and post it.

#5 Kenny94

Go to the C:\Program Files\HijackThis folder. Right click on the HijackThis.exe file and select "Rename". Rename it geek.exe.
And post it here.

#6 teotrudi (Topic Starter)

Hello Kenny94!

This is the message I get when I try to upload the renamed "hijackthis":

"Upload failed. You are not permitted to upload this type of file"

Help me please....

#7 Kenny94

Let's run VundoFix for now, and we will deal with the Wareout infection next.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

In your next reply, please include these log(s):
* vundofix.txt
* HijackThis log (new)

#8 teotrudi (Topic Starter)

Here are the logs required...


VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 18.26.23 09/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\ssqopml.dll
C:\WINDOWS\system32\vtutust.dll
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\ddcyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqopml.dll
C:\WINDOWS\system32\ssqopml.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vtutust.dll
C:\WINDOWS\system32\vtutust.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqopml.dll
C:\WINDOWS\system32\ssqopml.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 18.42.38, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matteo Sansone\Desktop\geek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26EDEBFA-340C-416E-AEE2-F830539301C3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174936852373
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

#9 Kenny94

Hi teotrudi

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: (no name) - {26EDEBFA-340C-416E-AEE2-F830539301C3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".



Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

Next

Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.

These instructions are basically for home users.

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(The space between g and / is needed.)


Next
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

In your next reply, please include these log(s):

* (report.txt)
* combofix's log
* HijackThis log (new)



Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
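Editor's note (added example, not part of the thread): the checks Kenny94 made by eye on the post #8 logs can be written down as a small triage script. The Python below is not HijackThis or VundoFix code; it parses the three line types the helper acted on (O2 BHO entries, the O17 NameServer override, O20 Winlogon Notify packages) plus the VundoFix file list, and reports what a helper would ask about. The sample lines are copied from the logs posted above. Two things are this example's own assumptions: the `KNOWN_WINLOGON_NOTIFY` allow-list (WgaLogon is Microsoft's Windows Genuine Advantage notifier) and the `expected_dns` list, which is a placeholder the analyst fills in with the resolvers the user's ISP publishes (the startup folder above shows Alice connection software installed, so the ISP's own DNS should be checked first). An O17 entry outside that list is reported for verification, not declared malicious, because a NameServer override is also how some ISP connection software configures DNS; the reversed .dll/.ini name pair (ddcyy.dll / yycdd.ini) seen in the VundoFix output is the Vundo naming habit the last function looks for.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample input: HijackThis entries copied from the log posted above,
# trimmed to the lines the checks below act on.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26EDEBFA-340C-416E-AEE2-F830539301C3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
"""

# Constructed sample input: file names from the VundoFix report posted above.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\ddcyy.dll",
    r"C:\WINDOWS\system32\ssqopml.dll",
    r"C:\WINDOWS\system32\vtutust.dll",
    r"C:\WINDOWS\system32\yycdd.ini",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9. ,]+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Assumption (this example's own allow-list): Winlogon Notify packages accepted without
# a second look. WgaLogon is Microsoft's Windows Genuine Advantage notifier; anything else is reviewed.
KNOWN_WINLOGON_NOTIFY = {"wgalogon"}

Finding = Tuple[str, str, str]  # (HijackThis section, severity, message)


def triage_hjt(log_text: str, expected_dns: Iterable[str]) -> List[Finding]:
    """Flag the O2/O17/O20 entries a helper would ask about in a HijackThis log.

    expected_dns: the resolvers the user's ISP publishes (supplied by the analyst).
    O17 servers outside that set are reported for verification, not declared malicious.
    """
    expected = {ip.strip() for ip in expected_dns}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m.group("missing"):
                # A BHO CLSID whose DLL is gone is a leftover of a removal; fixing it is safe.
                findings.append(("O2", "low", f"orphaned BHO {{{m.group('clsid')}}} -> {m.group('path')}"))
        elif m := O17_RE.match(line):
            servers = re.split(r"[ ,]+", m.group("servers").strip())
            unknown = [s for s in servers if s not in expected]
            if unknown:
                findings.append(("O17", "verify", "NameServer not in ISP list: " + " ".join(unknown)))
        elif m := O20_RE.match(line):
            if m.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
                # Winlogon Notify DLLs load into winlogon.exe and survive a reboot,
                # which is why an unknown package here is treated as high priority.
                findings.append(("O20", "high", f"unknown Winlogon Notify package {m.group('name')} -> {m.group('path')}"))
    return findings


def vundo_reversed_pairs(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (dll, ini) pairs where the .ini base name is the .dll base name reversed.

    That naming habit (ddcyy.dll alongside yycdd.ini) is visible in the VundoFix
    output above and is a quick way to spot the Vundo drop among random-looking DLLs.
    """
    by_ext = {}
    for p in paths:
        stem, _, ext = p.rsplit("\\", 1)[-1].lower().rpartition(".")
        by_ext.setdefault(ext, set()).add(stem)
    return sorted(
        (stem + ".dll", stem[::-1] + ".ini")
        for stem in by_ext.get("dll", set())
        if stem[::-1] in by_ext.get("ini", set())
    )


if __name__ == "__main__":
    # Hypothetical allow-list: replace with the ISP's published resolvers (RFC 5737 placeholder).
    for f in triage_hjt(SAMPLE_HJT_LOG, expected_dns=["192.0.2.53"]):
        print(*f, sep=" | ")
    print(vundo_reversed_pairs(SAMPLE_VUNDOFIX_FILES))
```

Run against the posted lines with a placeholder DNS list, it reports the orphaned ddcyy.dll BHO, the two O17 servers as "verify", and winccf32 as an unknown Winlogon Notify package; with the ISP's real resolvers in `expected_dns` the O17 finding disappears, which is the check worth doing before telling a user to delete a NameServer entry.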

#10 teotrudi (Topic Starter)

Hi Kenny94! Thanks for the instructions, I did not encounter any problems while following them.

Here are the logs required...


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"SoundMAXPnP"="C:\\Programmi\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Programmi\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"CnxTrApp"="rundll32.exe \"C:\\Programmi\\Aethra\\ADSL EB1070 USB\\CnxTrApp.dll\",AppEntry -REG \"Aethra\\ADSL EB1070 USB\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Photo Downloader"="\"C:\\Programmi\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"NeroFilterCheck"="C:\\Programmi\\File comuni\\Ahead\\Lib\\NeroCheck.exe"
"REGSHAVE"="C:\\Programmi\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"PCSuiteTrayApplication"="C:\\Programmi\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programmi\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


ComboFix 07-06-09.5 - C:\Documents and Settings\Matteo Sansone\Desktop\ComboFix.exe
"Matteo Sansone" - 2007-06-10 17:55:51 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 17:51 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 17:39 10,055 --a------ C:\dnsbak.reg
2007-06-09 18:26 104,960 --a------ C:\VundoFix.exe
2007-06-09 18:26 <DIR> d-------- C:\VundoFix Backups
2007-06-07 08:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Spybot - Search & Destroy
2007-06-07 08:38 <DIR> d-------- C:\DOCUME~1\MATTEO~1\DATIAP~1\Lavasoft
2007-06-07 08:37 <DIR> d-------- C:\Programmi\Lavasoft
2007-06-07 08:34 532,480 --a------ C:\cwshredder.exe
2007-06-06 21:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-06 21:43 20,002,296 --a------ C:\sdsetup.exe
2007-06-06 21:29 342,656 --a------ C:\remover.exe
2007-06-04 14:06 <DIR> d-------- C:\Programmi\XVideoConverter
2007-06-04 13:59 6,450,238 --a------ C:\XVideoConverter.exe
2007-06-04 00:09 <DIR> d-------- C:\Programmi\VideoFramer
2007-06-04 00:09 <DIR> d-------- C:\Programmi\Ultra Video Splitter
2007-06-04 00:09 <DIR> d-------- C:\Programmi\Speed Video Splitter
2007-06-04 00:09 <DIR> d-------- C:\Programmi\Fx Splitter
2007-06-04 00:09 <DIR> d-------- C:\Programmi\File comuni\FlickerFree
2007-06-04 00:09 <DIR> d-------- C:\Programmi\AVSMedia
2007-06-04 00:09 <DIR> d-------- C:\Programmi\Absolute Video Splitter Joiner
2007-06-04 00:09 <DIR> d-------- C:\Programmi\123 Video Converter
2007-06-03 23:54 786,432 --ah----- C:\DOCUME~1\ADMINI~1.MAT\NTUSER.DAT
2007-06-03 23:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAT\Modelli
2007-06-03 23:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAT\Impostazioni locali
2007-06-03 23:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAT\Dati applicazioni
2007-06-03 18:30 <DIR> d-------- C:\Programmi\Ultra Video Splitter(2)
2007-06-03 16:46 <DIR> d-------- C:\DOCUME~1\MATTEO~1\DATIAP~1\AVSMedia
2007-06-03 15:43 6,029,312 --a------ C:\DOCUME~1\MATTEO~1\ntuser.dat
2007-06-03 15:43 237,568 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-06-03 15:43 <DIR> d-------- C:\Programmi\HT Video Editor 6.1 Shareware
2007-06-03 15:42 19,789,219 --a------ C:\htvideoeditor61shareeng.exe
2007-06-03 13:49 <DIR> d-------- C:\Programmi\Easy Video Splitter
2007-06-03 13:48 1,200,623 --a------ C:\ezsplitter.exe
2007-06-03 13:07 <DIR> d-------- C:\Programmi\HT Video Splitter & Joiner 2.0 Shareware
2007-06-03 12:01 7,285,789 --a------ C:\WINDOWS\Splitter.Dll
2007-06-03 12:01 65,969 --a------ C:\WINDOWS\pthreadGC2.Dll
2007-06-03 10:00 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe
2007-06-03 09:59 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-06-03 09:59 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-06-03 09:59 <DIR> d-------- C:\Programmi\Samsung
2007-06-02 18:18 <DIR> d-------- C:\Programmi\File comuni\Teleca Shared
2007-06-02 18:09 17,852,478 --a------ C:\Nokia_Lifeblog_1_80_15_it.exe
2007-06-02 18:04 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-02 18:04 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-02 18:04 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-02 18:04 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-02 18:04 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-02 18:04 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-02 18:04 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-02 18:04 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-02 18:04 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-02 18:04 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-02 18:04 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-02 18:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-02 18:04 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-02 18:04 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-02 18:00 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-02 17:59 288,104 --a------ C:\dxwebsetup.exe
2007-06-01 22:06 <DIR> d-------- C:\DOCUME~1\MATTEO~1\DATIAP~1\FUJIFILM
2007-05-31 08:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 08:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 08:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 08:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-29 14:32 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-05-29 14:32 3,550,409 --a------ C:\ffdshow_rev529_20061113_clsid.exe
2007-05-29 14:32 <DIR> d-------- C:\Programmi\ffdshow
2007-05-28 17:47 1,507,504 --a------ C:\VodeiSetup210.exe
2007-05-28 15:17 40,960 --a------ C:\WINDOWS\system32\FXDV1to2.dll
2007-05-28 15:17 36,864 --a------ C:\WINDOWS\system32\ogg.dll
2007-05-28 15:17 36,734 --a------ C:\WINDOWS\system32\OggDSuninst.exe
2007-05-28 15:17 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-05-28 15:17 1,060,864 --a------ C:\WINDOWS\system32\vorbis.dll
2007-05-28 15:16 909,312 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-05-28 15:04 19,817,680 --a------ C:\FxS6SATV.EXE
2007-05-28 14:50 <DIR> d-------- C:\Programmi\SiteEntry
2007-05-28 14:45 12,601,399 --a------ C:\splitmovie.exe
2007-05-28 14:44 <DIR> d-------- C:\Programmi\File comuni\Solveig Multimedia
2007-05-28 14:44 <DIR> d-------- C:\Programmi\File comuni\Elecard
2007-05-28 14:10 3,210,823 --a------ C:\spdvs.exe
2007-05-28 14:03 5,628,563 --a------ C:\uvsplitter.exe
2007-05-28 13:55 1,853,708 --a------ C:\supersplitter.exe
2007-05-28 13:55 <DIR> d-------- C:\Programmi\Witcobber
2007-05-28 13:06 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\DATIAP~1\TEMP
2007-05-28 11:19 <DIR> d-------- C:\Programmi\Solveig Multimedia
2007-05-28 11:12 <DIR> d-------- C:\Programmi\Movie Splitter
2007-05-22 20:49 <DIR> d-------- C:\Programmi\MSXML 4.0
2007-05-22 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\PC Suite
2007-05-22 19:12 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-05-22 19:12 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-05-22 19:12 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-05-22 19:12 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-05-22 19:12 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2007-05-22 19:12 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2007-05-22 19:12 <DIR> d-------- C:\Programmi\File comuni\Nokia
2007-05-22 19:12 <DIR> d-------- C:\Programmi\DIFX
2007-05-22 19:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Installations
2007-05-22 18:53 8,096 --------- C:\WINDOWS\system32\drivers\MASPINT.SYS
2007-05-22 18:53 4,030 --------- C:\WINDOWS\system\WINASPI.DLL
2007-05-22 18:53 30,208 --------- C:\WINDOWS\system32\WNASPI32.DLL
2007-05-22 18:53 2,486 --------- C:\WINDOWS\system\AS16POST.BIN


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 15:46:22 -------- d-----w C:\Programmi\eMule
2007-06-04 12:20:40 -------- d-----w C:\Programmi\DivX
2007-06-03 13:43:42 -------- d--h--w C:\Programmi\InstallShield Installation Information
2007-06-02 16:18:20 -------- d-----w C:\Programmi\Common Files
2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-27 08:04:42 47,592 ----a-w C:\WINDOWS\system32\perfc010.dat
2007-05-27 08:04:42 345,010 ----a-w C:\WINDOWS\system32\perfh010.dat
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-29 14:23:29 -------- d-----w C:\DOCUME~1\MATTEO~1\DATIAP~1\DivX
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:14:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 19:41:31 -------- d-----w C:\Programmi\XviD
2007-04-14 12:25:28 -------- d-----w C:\Programmi\Crystal Player
2007-04-14 11:33:03 25,823,304 ----a-w C:\wmp11-windowsxp-x86-it-it.exe
2007-04-12 16:56:35 23,510,720 ----a-w C:\dotnetfx.exe
2007-04-12 16:49:25 -------- d-----w C:\Programmi\MetMedic
2007-04-09 16:42:29 14,764,808 ----a-w C:\DivXInstaller.exe
2007-04-09 15:21:13 1,106,121 ----a-w C:\wrar362it.exe
2007-04-09 14:59:56 13,146,280 ----a-w C:\setupita.exe
2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-26 18:44:33 0 --sha-r C:\MSDOS.SYS
2007-03-26 18:44:33 0 --sha-r C:\IO.SYS
2007-03-26 18:44:33 0 ----a-w C:\CONFIG.SYS
2007-03-26 18:44:33 0 ----a-w C:\AUTOEXEC.BAT
2007-03-26 18:42:27 21,840 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-20 09:37:46 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 11:51:08 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Programmi\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2005-05-20 11:11]
"SoundMAX"="C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 17:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 18:41]
"NeroFilterCheck"="C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"REGSHAVE"="C:\Programmi\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:39]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 17:56:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmprfITA.prx
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr8.prx
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif

scan completed successfully
hidden files: 20

**************************************************************************

Completion time: 2007-06-10 17:56:34
C:\ComboFix-quarantined-files.txt ... 2007-06-10 17:56

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 17.44.57, on 10/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\FinePixViewer\QuickDCF.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matteo Sansone\Desktop\geek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174936852373
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe


Please tell me if everything is ok....THANKS!!!!!

#11 Kenny94 (Member 1K, 1,595 posts)
Hello teotrudi

Please tell me if everything is ok....THANKS!!!!!


Your log is looking better.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Next
Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Save the log information. And paste this info along with your HijackThis log.
In your next reply, please include these log(s):

* SUPERAntiSpyware Scan Log
* HijackThis log (new)



Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#12 teotrudi (Topic Starter, New Member, 7 posts)
Hi Kenny94!!! I did it...

I have a little problem: my default internet connection and my LAN (I have only one PC) work with the same hardware, and sometimes I can't use Internet Explorer! The LAN connects my PC automatically when I boot or reboot it.

Here are the logs you required:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/13/2007 at 08:16 PM

Application Version : 3.8.1002

Core Rules Database Version : 3253
Trace Rules Database Version: 1264

Scan type : Complete Scan
Total Scan Time : 00:46:17

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 5516
Registry threats detected : 13
File items scanned : 39968
File threats detected : 5

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{AA77A38C-592B-437F-83CB-0B22BE72887C}
HKCR\CLSID\{AA77A38C-592B-437F-83CB-0B22BE72887C}
HKCR\CLSID\{AA77A38C-592B-437F-83CB-0B22BE72887C}\InprocServer32
HKCR\CLSID\{AA77A38C-592B-437F-83CB-0B22BE72887C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGG.DLL

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0E4C0FEC-3765-4B9C-8C2D-436999AFE598}\RP95\A0024002.DLL
C:\VUNDOFIX BACKUPS\VTUTUST.DLL.BAD

Trojan.Downloader-Gen/SwampDonk
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0E4C0FEC-3765-4B9C-8C2D-436999AFE598}\RP95\A0024016.DLL
C:\VUNDOFIX BACKUPS\SSQOPML.DLL.BAD

Logfile of HijackThis v1.99.1
Scan saved at 20.59.17, on 13/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Documents and Settings\Matteo Sansone\Desktop\geek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174936852373
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
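Kenny94's instruction in the previous post (check the O17 line, then "Fix checked") and the new HijackThis log posted here are most easily checked by diffing the two logs rather than reading them side by side. The script below is an added example, not part of this thread or of HijackThis: it parses the HijackThis v1.99.1 log format shown in the posts, extracts the O17 NameServer IPs and the O20/O23-style entries a helper reviews first, and reports which entries were added or removed between two scans. The two sample logs are constructed, trimmed copies of the 10/06/2007 and 13/06/2007 logs above.

```python
"""Parse HijackThis v1.99.1 logs and diff two scans (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Entry lines look like "O20 - Winlogon Notify: ..." (also R0/R1/F0 lines).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")

# Sections a reviewer checks first: O16 = downloaded ActiveX controls,
# O17 = DNS server override, O20 = DLLs loaded into winlogon,
# O21/O22 = shell service objects, O23 = installed services.
WATCH_SECTIONS = {"O16", "O17", "O20", "O21", "O22", "O23"}

# Constructed sample: trimmed copy of the log scanned on 10/06/2007.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 17.44.57, on 10/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
"""

# Constructed sample: trimmed copy of the log scanned on 13/06/2007.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 20.59.17, on 13/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
"""


def parse_hjt_log(text: str) -> Dict[str, List[str]]:
    """Return {section_code: [entry, ...]}; header and process lines are skipped."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def running_processes(text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' (block ends at a blank line)."""
    procs: List[str] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def nameservers(text: str) -> List[str]:
    """Return every IP listed in O17 'NameServer = a b' entries."""
    ips: List[str] = []
    for entry in parse_hjt_log(text).get("O17", []):
        _, _, value = entry.partition("NameServer =")
        ips.extend(value.split())
    return ips


def watch_entries(text: str) -> List[Tuple[str, str]]:
    """Entries in WATCH_SECTIONS, in section order, for a first review pass."""
    parsed = parse_hjt_log(text)
    return [(c, e) for c in sorted(WATCH_SECTIONS) for e in parsed.get(c, [])]


def diff_logs(old: str, new: str) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Return (removed, added) sets of (code, entry) pairs between two logs."""
    old_set = {(c, e) for c, es in parse_hjt_log(old).items() for e in es}
    new_set = {(c, e) for c, es in parse_hjt_log(new).items() for e in es}
    return old_set - new_set, new_set - old_set


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, entry in sorted(removed):
        print(f"- {code} - {entry}")
    for code, entry in sorted(added):
        print(f"+ {code} - {entry}")
    print("O17 nameservers still present:", nameservers(LOG_AFTER))
```

Any O17 IP that is still listed after "Fix checked" shows that the fix did not take, and any new O20 DLL should be accounted for before the log is called clean.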

#13 Kenny94 (Member 1K, 1,595 posts)
Hello teotrudi

I have a little problem: my default internet connection and my LAN (I have only one PC) work with the same hardware, and sometimes I can't use Internet Explorer! The LAN connects my PC automatically when I boot or reboot it.

I really don't know why, teotrudi, but let's run a scan and see if it's malware related. By the way, I was wrong: you did not have a Wareout infection.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
In your next reply, please include these log(s):

* ActiveScan report
* HijackThis log (new)



Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#14 teotrudi (Topic Starter, New Member, 7 posts)
Hi Kenny94!!!


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix.exe[nircmd.exe]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo sansone@adultfriendfinder[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo sansone@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo [email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo sansone@doubleclick[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo sansone@serving-sys[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo sansone@tradedoubler[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Matteo Sansone\Cookies\matteo sansone@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Hacktool:Hacktool/KillProc.A Not disinfected C:\Programmi\Alice ti aiuta\vendors\AliceRE\content\template\driven_dev\BroadBandAsst\scripts\Alice_ti_aiuta_lth.exe[nopey.exe]
Virus:Malware Generic Not disinfected C:\Programmi\nero\Nero 7 Premium v7.8.5.0 Multi+[FULL][www.NewPCT.com]By neo30\Nero-7.8.5.0_all_trial.exe[Toolbar.exe]
Hacktool:Hacktool/KillProc.A Not disinfected C:\Programmi\Telecom Italia\AdslWizzy\ClientATA\Alice_ti_aiuta_kit.exe[nopey.exe]
Dialer:Dialer.KHJ Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\winccf32.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Logfile of HijackThis v1.99.1
Scan saved at 16.35.01, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\Nero\Nero 7\Core\nero.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\HT Video Editor 6.1 Shareware\HTVideoEditor.exe
C:\Programmi\Nero\Nero 7\Core\nero.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\Windows Media Player\mplayer2.exe
C:\Documents and Settings\Matteo Sansone\Desktop\geek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174936852373
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76F83C4-E802-4ABB-B582-5BDA9CE97596}: NameServer = 85.37.17.42 85.38.28.87
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

#15 Kenny94 (Member 1K, 1,595 posts)
Hi teotrudi

ActiveScan is showing the tools we downloaded and cookies.


Congratulations, your log looks clean!


You will need to print out these instructions for a reference, or you can save them by copying and pasting them into Notepad and saving the text file to the desktop.

Some final items:

Important, we need to flush out all System Restore points.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein