About:blank [RESOLVED]



#1
fausto

Here is the log... Besides all the reg entries concerning IE, there are some processes which are definitely malware, since they change name at each boot or every time I attempt to clean 'em up with Ad-Aware, SpyBot or HijackThis...

such as:
C:\WINDOWS\javang32.exe
C:\WINDOWS\msjy32.exe

also
adqzb.dll
changes name every time....


Thank you in advance for your help!

Logfile of HijackThis v1.99.1
Scan saved at 17.12.31, on 23/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Programmi\Asso2000\IR\irmon2k.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\javang32.exe
C:\WINDOWS\msjy32.exe
C:\AboutBuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.sidea.it.priv:80;https=proxy.sidea.it.priv:80;ftp=proxy.sidea.it.priv:80;gopher=proxy.sidea.it.priv:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Class - {D8010B5A-E220-B876-B855-D2861F450A0C} - C:\WINDOWS\system32\mfcvj32.dll
O2 - BHO: Class - {D9FF992E-4A44-2FA1-F300-BC901D12966E} - C:\WINDOWS\msfp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [javang32.exe] C:\WINDOWS\javang32.exe
O4 - HKLM\..\RunOnce: [msjy32.exe] C:\WINDOWS\msjy32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: IrDA virtuale (per Asso SGA).lnk = C:\Programmi\Asso2000\IR\irmon2k.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addxm.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Provvedere al Servizio Sicurezza (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0
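
Added example (not part of the original thread, and not HijackThis's own logic): a small Python triage of the entry patterns visible in fausto's logs, run over a few lines excerpted from the 23 May log above and the 31 May log posted later in the thread. The three rules, the sample constants and all function names are assumptions made for illustration; a hit means "review this entry", not a verdict.

```python
import ntpath
import re

# Constructed samples: lines excerpted from the two HijackThis logs in this
# thread (the garbled display name of the O23 service is shortened here).
LOG_23_MAY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\adqzb.dll/sp.html#49977
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [javang32.exe] C:\WINDOWS\javang32.exe
O4 - HKLM\..\RunOnce: [msjy32.exe] C:\WINDOWS\msjy32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\addxm.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

LOG_31_MAY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\system32\awrul.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\system32\awrul.dll/sp.html#49977
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# "R1 - ..." / "O4 - ..." / "O23 - ..." -> (section code, rest of the line)
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")
# An IE page served as a resource out of a DLL in the Windows directory.
RES_DLL_RE = re.compile(r"res://[a-z]:\\windows\\(?:system32\\)?([^\\/]+\.dll)/", re.I)
# Run / RunOnce autostart entries: "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.+)$", re.I)


def entries(log_text):
    """Yield (section_code, body) for every numbered HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def hijacked_ie_values(log_text):
    """Map 'registry key,value name' -> DLL name for R0/R1 res:// entries."""
    out = {}
    for code, body in entries(log_text):
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            m = RES_DLL_RE.match(value)
            if m:
                out[key.lower()] = m.group(1).lower()
    return out


def triage(log_text):
    """Return (section_code, reason) for entries matching the three heuristics."""
    findings = []
    hijacked = hijacked_ie_values(log_text)
    for code, body in entries(log_text):
        if code in ("R0", "R1"):
            key = body.split(" = ", 1)[0].lower()
            if key in hijacked:
                findings.append((code, "IE page points into DLL " + hijacked[key]))
        elif code == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            name, cmd = m.group(1), m.group(2).strip('"')
            # Heuristic from this thread: the value is named after the file
            # itself and the file sits directly in C:\WINDOWS.
            in_windows_root = ntpath.dirname(cmd).lower() == r"c:\windows"
            if in_windows_root and ntpath.basename(cmd).lower() == name.lower():
                findings.append((code, "self-named autostart in Windows root: " + cmd))
        elif code == "O23":
            if "(file missing)" in body or "Unknown owner" in body:
                findings.append((code, "service with unknown owner or missing file"))
    return findings


def renamed_between(old_log, new_log):
    """IE values hijacked in both scans, but by differently named DLLs."""
    old, new = hijacked_ie_values(old_log), hijacked_ie_values(new_log)
    return {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}


if __name__ == "__main__":
    for code, reason in triage(LOG_23_MAY):
        print(code, reason)
    for key, (before, after) in renamed_between(LOG_23_MAY, LOG_31_MAY).items():
        print("same registry value, new DLL name:", key, before, "->", after)
```

Comparing scans by registry value rather than by file name is what exposes the behaviour fausto describes: the DLL name changes between scans while the hijacked value stays the same.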



#2
Kristy

Welcome to Geeks to Go, fausto!

I'm working on your log; as soon as another staff member reviews it I'll post a reply. Thank you for your patience.

~Kristy

#3
Kristy

Welcome to Geeks to Go, fausto! I’m Kristy and I will be helping you.

Please read this post completely. It may make it easier for you if you copy and paste this post into a new text document or print it for reference later.

This will likely be a few-step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember, like the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck

~Kristy

#4
fausto

Hi, Kristy, and (obviously) thank you for the help.

Here are the logs.

About buster (this is the second log, since it was overwritten on the first ;) )

Scanned at: 15.45.13 on: 31/05/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 28

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 28

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 15.49.13 on: 31/05/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 28

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 28

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Here is the other one:


(5/31/05 15.53.30) SPSeHjFix started v1.1.2
(5/31/05 15.53.30) OS: WinXP Service Pack 1 (5.1.2600)
(5/31/05 15.53.30) Language: italiano
(5/31/05 15.53.30) Win-Path: C:\windows
(5/31/05 15.53.30) System-Path: C:\windows\System32
(5/31/05 15.53.30) Temp-Path: C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\
(5/31/05 15.53.43) Disinfection started
(5/31/05 15.53.43) Bad-Dll(IEP): (not found)
(5/31/05 15.53.43) Bad-Dll(IEP) in BHO: (not found)
(5/31/05 15.53.43) UBF: 4 - UBB: 1 - UBR: 10
(5/31/05 15.53.43) UBF: 4 - UBB: 1 - UBR: 10
(5/31/05 15.53.43) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(5/31/05 15.53.43) Stealth-String not found
(5/31/05 15.53.43) Not infected->END


As for the AVirus, I ran the Symantec since I have it constantly updated on the PC, and it gave no viruses found.

And finally the HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 17.07.11, on 31/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\windows\LTSMMSG.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\windows\System32\ctfmon.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Programmi\Asso2000\IR\irmon2k.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Programmi\Netscape\Netscape\Netscp.exe
C:\AboutBuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\system32\awrul.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\system32\awrul.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.sidea.it.priv:80;https=proxy.sidea.it.priv:80;ftp=proxy.sidea.it.priv:80;gopher=proxy.sidea.it.priv:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - Startup: IrDA virtuale (per Asso SGA).lnk = C:\Programmi\Asso2000\IR\irmon2k.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Provvedere al Servizio Sicurezza (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

I "fixed"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\system32\awrul.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\system32\awrul.dll/sp.html#49977

(the dll was not present in the directory) and the new log is:

Logfile of HijackThis v1.99.1
Scan saved at 17.11.49, on 31/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\windows\LTSMMSG.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\windows\System32\ctfmon.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Programmi\Asso2000\IR\irmon2k.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Programmi\Netscape\Netscape\Netscp.exe
C:\AboutBuster\HijackThis.exe
C:\windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.sidea.it.priv:80;https=proxy.sidea.it.priv:80;ftp=proxy.sidea.it.priv:80;gopher=proxy.sidea.it.priv:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - Startup: IrDA virtuale (per Asso SGA).lnk = C:\Programmi\Asso2000\IR\irmon2k.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Provvedere al Servizio Sicurezza (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



After that, though, Ad-Aware gave this log:


Ad-Aware SE Build 1.05
Logfile Created on:martedì 31 maggio 2005 17.12.45
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R47 24.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):11 total references
MRU List(TAC index:0):18 total references
Other(TAC index:5):1 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
Win32.Trojan.Agent.bi(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R47 24.05.2005
Internal build : 55
File location : C:\Programmi\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 476246 Bytes
Total size : 1439523 Bytes
Signature data size : 1408291 Bytes
Reference data size : 30720 Bytes
Signatures total : 40174
Fingerprints total : 886
Fingerprints size : 30371 Bytes
Target categories : 15
Target families : 679


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:37 %
Total physical memory:522736 kb
Available physical memory:191000 kb
Total page file size:1279368 kb
Available on page file:1065692 kb
Total virtual memory:2097024 kb
Available virtual memory:2048544 kb
OS:Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


31-05-2005 17.12.45 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 364
ThreadCreationTime : 31-05-2005 13.59.18
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\windows\system32\
ProcessID : 416
ThreadCreationTime : 31-05-2005 13.59.24
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\windows\system32\
ProcessID : 440
ThreadCreationTime : 31-05-2005 13.59.25
BasePriority : High


#:4 [services.exe]
FilePath : C:\windows\system32\
ProcessID : 484
ThreadCreationTime : 31-05-2005 13.59.25
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applicazione Servizi e Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\windows\system32\
ProcessID : 496
ThreadCreationTime : 31-05-2005 13.59.25
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 660
ThreadCreationTime : 31-05-2005 13.59.26
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 684
ThreadCreationTime : 31-05-2005 13.59.26
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 828
ThreadCreationTime : 31-05-2005 13.59.27
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 852
ThreadCreationTime : 31-05-2005 13.59.27
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\windows\system32\
ProcessID : 984
ThreadCreationTime : 31-05-2005 13.59.27
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [alg.exe]
FilePath : C:\windows\System32\
ProcessID : 1120
ThreadCreationTime : 31-05-2005 13.59.30
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:12 [defwatch.exe]
FilePath : C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\
ProcessID : 1136
ThreadCreationTime : 31-05-2005 13.59.30
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec Corporation
OriginalFilename : DefWatch.exe

#:13 [gearsec.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1176
ThreadCreationTime : 31-05-2005 13.59.30
BasePriority : Normal
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
ProductName : gearsec
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
LegalCopyright : Copyright © 2001-2003 GEAR Software
OriginalFilename : gearsec.exe

#:14 [inetinfo.exe]
FilePath : C:\WINDOWS\System32\inetsrv\
ProcessID : 1192
ThreadCreationTime : 31-05-2005 13.59.30
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Internet Information Services
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : INETINFO.EXE

#:15 [rtvscan.exe]
FilePath : C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\
ProcessID : 1232
ThreadCreationTime : 31-05-2005 13.59.30
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2002

#:16 [nvsvc32.exe]
FilePath : C:\windows\System32\
ProcessID : 1316
ThreadCreationTime : 31-05-2005 13.59.31
BasePriority : Normal
FileVersion : 6.13.10.3100
ProductVersion : 6.13.10.3100
ProductName : NVIDIA Driver Helper Service, Version 31.00
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 31.00
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:17 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 1380
ThreadCreationTime : 31-05-2005 13.59.31
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [explorer.exe]
FilePath : C:\windows\
ProcessID : 1804
ThreadCreationTime : 31-05-2005 13.59.38
BasePriority : Normal
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Esplora risorse
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : EXPLORER.EXE

#:19 [syntplpr.exe]
FilePath : C:\Programmi\Synaptics\SynTP\
ProcessID : 236
ThreadCreationTime : 31-05-2005 13.59.39
BasePriority : Normal
FileVersion : 5.7.1 02Aug01
ProductVersion : 5.7.1 02Aug01
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright © Synaptics, Inc. 1996-2001
OriginalFilename : SynTPLpr.exe

#:20 [ltsmmsg.exe]
FilePath : C:\windows\
ProcessID : 320
ThreadCreationTime : 31-05-2005 13.59.39
BasePriority : Normal
FileVersion : 3.1.97 3.1.97 08/02/2001 14:13:11
ProductVersion : 3.1.97 3.1.97 08/02/2001 14:13:11
ProductName : Lucent SoftModem Messaging Applet
CompanyName : Lucent Technologies
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Lucent Technologies 1998-2000
OriginalFilename : smdmstat.exe

#:21 [launchap.exe]
FilePath : C:\Program Files\Launch Manager\
ProcessID : 300
ThreadCreationTime : 31-05-2005 13.59.39
BasePriority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : LAUNCHAP Application
FileDescription : LAUNCHAP
InternalName : LAUNCHAP
LegalCopyright : Copyright 1999 - 2000
OriginalFilename : LAUNCHAP.EXE

#:22 [hotkeyapp.exe]
FilePath : C:\Program Files\Launch Manager\
ProcessID : 348
ThreadCreationTime : 31-05-2005 13.59.39
BasePriority : Normal


#:23 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ProcessID : 256
ThreadCreationTime : 31-05-2005 13.59.39
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2002

#:24 [logitray.exe]
FilePath : C:\Programmi\Logitech\Video\
ProcessID : 396
ThreadCreationTime : 31-05-2005 13.59.40
BasePriority : Normal
FileVersion : 8.2.0.1192
ProductVersion : 8.2.0.1192
ProductName : Logitech QuickCam
CompanyName : Logitech Inc.
FileDescription : ImageStudio Tray Application
InternalName : LogiTray.exe
LegalCopyright : © 1996-2004 Logitech. All rights reserved.
OriginalFilename : LogiTray.exe

#:25 [ctfmon.exe]
FilePath : C:\windows\System32\
ProcessID : 112
ThreadCreationTime : 31-05-2005 13.59.40
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:26 [config.exe]
FilePath : C:\Programmi\NETGEAR\MA401 Wireless PC Card\
ProcessID : 712
ThreadCreationTime : 31-05-2005 13.59.41
BasePriority : Normal
FileVersion : 4.06.4.7
CompanyName : Neesus Datacom Inc.
FileDescription : Configuration Utility for Intersil driver
LegalCopyright : © Neesus Datacom Inc., 1997-2000
OriginalFilename : Config.exe

#:27 [capm2lak.exe]
FilePath : C:\WINDOWS\system32\spool\drivers\w32x86\3\
ProcessID : 808
ThreadCreationTime : 31-05-2005 13.59.41
BasePriority : Normal
FileVersion : 1.00.0.010
ProductVersion : 1.00.0.010
ProductName : Canon Advanced Printing Technology
CompanyName : CANON INC.
FileDescription : CAPM2 PSW Launcher
InternalName : CAPM2LAK
LegalCopyright : Copyright CANON INC. 1998-2002
OriginalFilename : CAPM2LAK.EXE

#:28 [irmon2k.exe]
FilePath : C:\Programmi\Asso2000\IR\
ProcessID : 864
ThreadCreationTime : 31-05-2005 13.59.41
BasePriority : Normal
FileVersion : 2.0.0.35-alpha7
ProductVersion : 2.0.0-alpha7
ProductName : IrCOMM2k
CompanyName : Jan Kiszka
FileDescription : Virtual Infrared COM Port, Service Program
InternalName : irmon2k.exe
LegalCopyright : Copyright © 2001-2003 Jan Kiszka
OriginalFilename : irmon2k.exe

#:29 [fxsvr2.exe]
FilePath : C:\Programmi\Logitech\Video\
ProcessID : 1396
ThreadCreationTime : 31-05-2005 13.59.48
BasePriority : Normal
FileVersion : 8.2.0.1192
ProductVersion : 8.2.0.1192
ProductName : Logitech QuickCam
CompanyName : Logitech Inc.
FileDescription : QuickCam Framework Server
InternalName : FxSvr.EXE
LegalCopyright : © 1996-2004 Logitech. All rights reserved.
OriginalFilename : FxSvr.EXE

#:30 [capm2swk.exe]
FilePath : C:\WINDOWS\system32\spool\drivers\w32x86\3\
ProcessID : 2116
ThreadCreationTime : 31-05-2005 13.59.51
BasePriority : Normal
FileVersion : 1.00.0.010
ProductVersion : 1.00.0.010
ProductName : Canon Advanced Printing Technology
CompanyName : CANON INC.
FileDescription : Canon Advanced Printing Technology Printer Status Window
InternalName : CAPM2SWK
LegalCopyright : Copyright CANON INC. 1998-2002
OriginalFilename : CAPM2SWK.EXE

#:31 [netscp.exe]
FilePath : C:\Programmi\Netscape\Netscape\
ProcessID : 2372
ThreadCreationTime : 31-05-2005 14.00.04
BasePriority : Normal


#:32 [hijackthis.exe]
FilePath : C:\AboutBuster\
ProcessID : 1276
ThreadCreationTime : 31-05-2005 15.07.01
BasePriority : Normal
FileVersion : 1.99.0001
ProductVersion : 1.99.0001
ProductName : HijackThis
CompanyName : Soeperman Enterprises Ltd.
FileDescription : HijackThis
InternalName : HijackThis
LegalCopyright : Freeware
OriginalFilename : HijackThis.exe
Comments : Version history is in Help section

#:33 [notepad.exe]
FilePath : C:\windows\system32\
ProcessID : 2316
ThreadCreationTime : 31-05-2005 15.10.06
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Blocco note
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : NOTEPAD.EXE

#:34 [notepad.exe]
FilePath : C:\windows\system32\
ProcessID : 3560
ThreadCreationTime : 31-05-2005 15.11.49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Blocco note
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : NOTEPAD.EXE

#:35 [ad-aware.exe]
FilePath : C:\Programmi\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3812
ThreadCreationTime : 31-05-2005 15.12.33
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Agent.bi Object Recognized!
Type : File
Data : d3yv32.exe
Category : Malware
Comment :
Object : C:\windows\



CoolWebSearch Object Recognized!
Type : File
Data : vehii.dll
Category : Malware
Comment :
Object : C:\windows\



Disk Scan Result for C:\windows
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

CoolWebSearch Object Recognized!
Type : File
Data : vsydp.dat
Category : Malware
Comment :
Object : C:\windows\System32\



CoolWebSearch Object Recognized!
Type : File
Data : zqcci.dat
Category : Malware
Comment :
Object : C:\windows\System32\



Disk Scan Result for C:\windows\System32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for C:\DOCUME~1\Distante\IMPOST~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Only sex website.url
Category : Misc
Comment : Problematic URL discovered: http://www.onlysex.ws/
Object : C:\Documents and Settings\Distante\Preferiti\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\Documents and Settings\Distante\Preferiti\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free [bleep].url
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/
Object : C:\Documents and Settings\Distante\Preferiti\



MRU List Object Recognized!
Location: : C:\Documents and Settings\Distante\Dati applicazioni\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Distante\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : software\microsoft\office\8.0\publisher\recent file list
Description : list of recent files used by microsoft publisher


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-182280796-466822058-305008010-1012\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {E68FF21A-1D01-4C00-EDC8-A80470B5A15F}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : File
Data : apijm32.dll
Category : Malware
Comment :
Object : C:\windows\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 34

17.15.38 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00.02.53.89
Objects scanned:68953
Objects identified:16
Objects ignored:0
New critical objects:16



I removed all this, booted again, updated Adaware, found other objects, removed them, booted once more ( ;) ) and now both hiJack and Adaware seem to find no problems....

hope it is true!

anyway... if you have some suggestions, please "help yourself!" and if not... thanx again. :tazz:

fausto

#5
Kristy

    Visiting Consultant

  • Member
  • 1,099 posts
Hello fausto,

CWS is gone, looks like we're almost done. :tazz:

Do a system scan with HijackThis. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

R3 - Default URLSearchHook is missing


Now click fix checked.

I would like you to run some online scans to make sure that the virus/trojan that showed up in your ad-aware log is gone. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

~Kristy

#6
fausto

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi Kristy...
I followed your suggestions and... well....

actually trend antivirus online found 69 (!!!) infected files (and I removed them), while The Cleaner quarantined two.

the log of The Cleaner:


Filename Trojan Action
-------- ------ ------
c:\system volume information\_restore{f3481446-7d34-44f1-923c-7b0babd06632}\rp274\a0053588.exe Agent Quarantined
c:\system volume information\_restore{f3481446-7d34-44f1-923c-7b0babd06632}\rp274\a0053601.exe Agent Quarantined


and the log of hijack:

Logfile of HijackThis v1.99.1
Scan saved at 14.46.10, on 01/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\windows\LTSMMSG.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\windows\System32\ctfmon.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Programmi\Asso2000\IR\irmon2k.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\AboutBuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.sidea.it.priv:80;https=proxy.sidea.it.priv:80;ftp=proxy.sidea.it.priv:80;gopher=proxy.sidea.it.priv:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: IrDA virtuale (per Asso SGA).lnk = C:\Programmi\Asso2000\IR\irmon2k.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Provvedere al Servizio Sicurezza (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe


the system seems to run correctly...

but is it really????

regards,
fausto

#7
Kristy

    Visiting Consultant

  • Member
  • 1,099 posts
Hello fausto,

Congratulations! Your log is clean!

Run the scans again just to make sure all the problems are gone. If the scans come up clean, move on to my prevention tips below. If they don’t, then post back and let me know.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

~Kristy

#8
fausto

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi Kristy,
I did as you suggested and it seems all is ok.
I'll follow the advice for the future.

For now... thanx for your time and help!

fausto

#9
therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.