Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

www.specialgoods....

Started by andman , Jun 02 2005 05:03 PM

  • Please log in to reply

#1
andman
Posted 02 June 2005 - 05:03 PM

andman

    Member

  • Member
  • PipPip
  • 12 posts
Please help me, im'n not very good with this kind of problems. I just know that many paeople got this kind of virus/spyware.... here I put my log, please tell me what to do... many thanks!!!


Logfile of HijackThis v1.99.1
Scan saved at 0.50.59, on 03/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0411/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzzerox001g] c:\windows\xxx2.exe r
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [zzzerox005] c:\windows\xxx.exe r
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://69.1.71.212/it/wmdsms47x.exe
O16 - DPF: {0DCABC94-5086-4E08-A4C9-BF284A614E81} (WwwPlugin Class) - http://espana.netven...f/WwwPlugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall\persfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
  • 0

Advertisements

#2
rstones12
Posted 07 June 2005 - 02:45 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Please read "ALL" of the instructions before proceeding:

You may want to print out these instructions for a reference.

First Download CWShredder
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:

Open CWShredder and click Check for Updates
Then click "FIX"
Once the the program has finished running, click exit.

Next download Silent Runners
  • Please click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Also include a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#3
andman
Posted 07 June 2005 - 05:47 PM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Many thanks for your help but last days, waiting for your answer, some antivirus I used was able to recognize and delete "param32.dll" infected file which seemed to be the real problem and infact the main problems seem to be disappeared.
Now, before making all that you suggested, I put a new updated log, please take a look and tell me if the problem is actually still alive...


Logfile of HijackThis v1.99.1
Scan saved at 1.43.44, on 08/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\MSN\MSNCoreFiles\msn6.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzzerox001g] c:\windows\xxx2.exe r
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [zzzerox005] c:\windows\xxx.exe r
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://69.1.71.212/it/wmdsms47x.exe
O16 - DPF: {0DCABC94-5086-4E08-A4C9-BF284A614E81} (WwwPlugin Class) - http://espana.netven...f/WwwPlugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall\persfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



many thanks,
Andman
  • 0

#4
rstones12
Posted 07 June 2005 - 06:23 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,
Thanks for the log, however I need you to run SilentRunners, there are other files that are included with specialgoods.

Download Silent Runners
  • Please click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Also include a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#5
andman
Posted 08 June 2005 - 04:33 PM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi again,
here I put the two new files, first Silent Runners result and after a new HIJ log.

SILENT RUNNERS:
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"IncrediMail" = "C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"EssSpkPhone" = "essspk.exe" [null data]
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"SpeedTouch USB Diagnostics" = ""C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON multimedia"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"zzzerox001g" = "c:\windows\xxx2.exe r" [file not found]
"AdaptecDirectCD" = "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" ["Roxio"]
"CloneCDElbyCDFL" = ""C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL" ["Elaborate Bytes AG"]
"zzzerox005" = "c:\windows\xxx.exe r" [file not found]
"AdslTaskBar" = "rundll32.exe stmctrl.dll,TaskBar" [MS]
"iTunesHelper" = "C:\Programmi\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Programmi\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"EPSON Stylus C44 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"" ["SEIKO EPSON CORPORATION"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = "C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [empty string]
"Default" = (no data)
"TkBellExe" = ""C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"gcasServ" = ""C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0000CC75-ACF3-4cac-A0A9-DD3868E06852}\(Default) = "DAPHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\DAP\DAPBHO.dll" ["Speedbit Ltd."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\ICQ\ICQShExt.dll" ["ICQ"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\File comuni\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmyst.scr" [MS]


Startup items in "Andrea" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"Scheduler" -> shortcut to: "C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE" ["TelSignal Co., Ltd."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll" [file not found]

"{62999427-33FC-4BAF-9C9C-BCE6BD127F08}"
-> {CLSID}\(Default) = "DAP Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\DAP\DAPIEBar.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["C-Dilla Ltd"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTSVCCDA.EXE" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
GEARSecurity, GEARSecurity, "C:\WINDOWS\System32\GEARSEC.EXE" ["GEAR Software"]
iPod Service, iPodService, "C:\Programmi\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Kerio Personal Firewall, PersFw, "C:\Programmi\Kerio\Personal Firewall\persfw.exe" ["Kerio Technologies"]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
Machine Debug Manager, MDM, ""C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
ScsiAccess, ScsiAccess, "C:\WINDOWS\System32\ScsiAccess.EXE" [null data]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


HIJ LOG:

Logfile of HijackThis v1.99.1
Scan saved at 0.32.06, on 09/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzzerox001g] c:\windows\xxx2.exe r
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [zzzerox005] c:\windows\xxx.exe r
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://69.1.71.212/it/wmdsms47x.exe
O16 - DPF: {0DCABC94-5086-4E08-A4C9-BF284A614E81} (WwwPlugin Class) - http://espana.netven...f/WwwPlugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall\persfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



Wait for your indications,
many thanks,
andman
  • 0

#6
rstones12
Posted 08 June 2005 - 04:58 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,

Thanks for the logs.
A few things to we need to clean up.

Download CleanUp
Install the program, dont run it yet, we will later.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Now scan with HJT and place a checkmark next to each of the following items:

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll (file missing)

O4 - HKLM\..\Run: [zzzerox001g] c:\windows\xxx2.exe r
O4 - HKLM\..\Run: [zzzerox005] c:\windows\xxx.exe r

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://69.1.71.212/it/wmdsms47x.exe

O16 - DPF: {0DCABC94-5086-4E08-A4C9-BF284A614E81} (WwwPlugin Class) - http://espana.netven...f/WwwPlugin.cab

Close all browsers and open windows except HJT, then click the Fix Checked button. Close HJT.

Now using Windows Explorer find and remove the following folders/files:
C:\windows\xxx2.exe <-- File
C:\windows\xxx.exe <-- File

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot and post back a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#7
andman
Posted 09 June 2005 - 07:11 PM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi,
first, many thanks for your help.
Here I put my latest log. I made all that you suggested but I could not delete ('cause I did not find them within my C:/) the files :
C:\windows\xxx2.exe <-- File
C:\windows\xxx.exe <-- File

Except this, I made all you said, here you have last log:

Logfile of HijackThis v1.99.1
Scan saved at 3.01.42, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall\persfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Do you think the situation is now quite good?
I admit that, in general, it seems to me that it "works" too much... it is often slow.. I guess there is still too much garbage inside!!

wait for your last suggestions...
Andman
  • 0

#8
rstones12
Posted 09 June 2005 - 10:44 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,

We need to do a few things...

First Download CWShredder
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:

Open CWShredder and click Check for Updates
Then click "FIX"
Once the the program has finished running, click exit.

Next....

Please run this online scan, allow it to delete anything it finds:
You may have to select the auto-fix option prior to scanning, it should be a selection box on the screen.

Panda ActiveScan

Post back the results of the scan, by copying and pasting them into the thread.

Also post back a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#9
andman
Posted 11 June 2005 - 05:16 AM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi,
here I put the result of Panda Activescan, what do I have to do with Infected files?



Incident Status Location

Adware:Adware/Hotoffers No disinfected C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\RUHOX869\dropper[1].exe
Virus:Trj/Downloader.BCK Disinfected C:\Programmi\Microsoft AntiSpyware\Quarantine\157E6685-3B5A-4D52-9763-2B9EDF\1CCE73BE-AC1A-4D41-A53A-00438E
Adware:Adware/IGetNet No disinfected C:\WINDOWS\system\Install_All.DLL
Adware:Adware/IGetNet No disinfected C:\WINDOWS\system\rules.dat
And here the new log:

Logfile of HijackThis v1.99.1
Scan saved at 0.56.26, on 11/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall\persfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Let me know,
many thanks,
Andrea
  • 0

#10
rstones12
Posted 11 June 2005 - 11:36 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,

Please read "ALL" of the instructions before proceeding:

You may want to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Next scan with HJT and place a checkmark next to the following item:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all open windows except HJT, then click the Fix Checked button.
Close HJT.

Using Windows Explorer find and remove the following folders/files:

C:\WINDOWS\web\related.htm <-- File


Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan by using Add Reply

Thanks,
rstones12
  • 0

Advertisements

#11
andman
Posted 14 June 2005 - 12:10 AM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi again,
many many thanks for the help you're giving me...

Here you have EWIDO scan result (it's in italian I hope you have no problem):

ewido security suite - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 7.56.01, 14/06/2005
+ Report-Checksum: 1FEDF665

+ Data del database: 13/06/2005
+ Versione del motore di scansione: v3.0

+ Durata: 88 min
+ Files Controllati: 126154
+ Velocità: 23.88 Files/Secondo
+ Files Infetti: 31
+ Files Eliminati: 31
+ Files posti in quarantena: 31
+ Files che non possono essere aperti: 0
+ Files, che non possono essere ripuliti: 0

+ Binder: Si
+ Crypter: Si
+ Archivi: Si

+ Oggetti Controllati:
C:\

+ Risultati scansione:
C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@advertising[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@atdmt[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@fastclick[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@sexlist[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Cookies\andrea@xiti[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\RUHOX869\dropper[1].exe -> Spyware.Serpo.j -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@cgi-bin[4].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@cgi-bin[5].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@cgi-bin[6].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@com[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@fastclick[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@hitbox[2].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@overture[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Documents and Settings\microsoft\Cookies\microsoft@xiti[1].txt -> Spyware.Tracking-Cookie -> Pulito con Backup
C:\Downloaded Program Files\gratis.exe -> Dialer.Generic -> Pulito con Backup
C:\Downloaded Program Files\ingresso.exe -> Dialer.Generic -> Pulito con Backup
C:\WINDOWS\system\Install_All.DLL -> Spyware.IGetNet.b -> Pulito con Backup


::Fine Rapporto


And here I put a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8.05.10, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D39D322-EBE1-4C04-A9B0-59809B99B353}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall\persfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE


Many thanks,
andman
  • 0

#12
rstones12
Posted 14 June 2005 - 02:30 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,

Please do the following:

Scan with:
Spybot S&D 1.4
Ad-Aware SE 1.06
Remove anything they find.

If you dont have these current versions please follow the links below on how to set them up.
Make sure to uninstall the previous versions first.

Spybot Set Up

Ad-Aware SE Setup

Let me know if you find any reference to IGetNet, when running these scans.

Then post back a new HJT log by using Add Reply

Thanks,
rstones12

Edited by rstones12, 14 June 2005 - 02:31 AM.

  • 0

#13
andman
Posted 15 June 2005 - 04:15 PM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi,
I made all you said and here are the results.
Concerning Spybot it seemed to me that it found and delete actually some IGetNet items but within all RED lines that it foud it was not able to delete something called "DOWNLOAD ACCLERATOR PLUS ADS" (while trying to delete it, it always blocked so I had to stop it).

Concerning Adaware here I put the text file:

Ad-Aware SE Build 1.06r1
Logfile Created on:mercoled́ 15 giugno 2005 2.27.41
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):3 total references
CarpeDiem(TAC index:5):2 total references
eAcceleration(TAC index:7):1 total references
IEHijacker.Hotoffers(TAC index:7):1 total references
IGetNet(TAC index:8):4 total references
istbar(TAC index:7):3 total references
Tracking Cookie(TAC index:3):56 total references
Win32.Trojan.DesktopHijack(TAC index:6):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R47 24.05.2005
Internal build : 55
File location : C:\Programmi\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 476246 Bytes
Total size : 1439523 Bytes
Signature data size : 1408291 Bytes
Reference data size : 30720 Bytes
Signatures total : 40174
CSI Fingerprints total : 886
CSI data size : 30371 Bytes
Target categories : 15
Target families : 679

15-06-2005 2.20.12 Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R50 13.06.2005
Internal build : 58
File location : C:\Programmi\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 481146 Bytes
Total size : 1456012 Bytes
Signature data size : 1427935 Bytes
Reference data size : 27565 Bytes
Signatures total : 40456
CSI Fingerprints total : 904
CSI data size : 31134 Bytes
Target categories : 15
Target families : 692


15-06-2005 2.20.32 Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:43 %
Total physical memory:228848 kb
Available physical memory:97968 kb
Total page file size:953484 kb
Available on page file:740088 kb
Total virtual memory:2097024 kb
Available virtual memory:2043748 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Don't log streams smaller than 0 Bytes
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


15-06-2005 2.27.41 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 488
ThreadCreationTime : 14-06-2005 17.18.21
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 14-06-2005 17.18.23
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 568
ThreadCreationTime : 14-06-2005 17.18.28
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 612
ThreadCreationTime : 14-06-2005 17.18.29
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applicazione Servizi e Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 624
ThreadCreationTime : 14-06-2005 17.18.30
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 796
ThreadCreationTime : 14-06-2005 17.18.33
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 840
ThreadCreationTime : 14-06-2005 17.18.33
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 952
ThreadCreationTime : 14-06-2005 17.18.35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 964
ThreadCreationTime : 14-06-2005 17.18.35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1060
ThreadCreationTime : 14-06-2005 17.18.38
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1160
ThreadCreationTime : 14-06-2005 17.18.38
BasePriority : Normal
FileVersion : 7,0,0,312
ProductVersion : 7.0.0.312
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:12 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1172
ThreadCreationTime : 14-06-2005 17.18.39
BasePriority : Normal
FileVersion : 7,0,0,301
ProductVersion : 7.0.0.301
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:13 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 1188
ThreadCreationTime : 14-06-2005 17.18.39
BasePriority : Normal
FileVersion : 4.11.050
ProductVersion : 4.11.050 Windows NT 2001/07/12
ProductName : SafeCast Windows NT
CompanyName : C-Dilla Ltd
FileDescription : C-Dilla RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © Macrovision 1993-2001
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:14 [ctsvccda.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1208
ThreadCreationTime : 14-06-2005 17.18.39
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:15 [sagent2.exe]
FilePath : C:\Programmi\File comuni\EPSON\EBAPI\
ProcessID : 1236
ThreadCreationTime : 14-06-2005 17.18.39
BasePriority : Normal
FileVersion : 2, 3, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2000-2001
OriginalFilename : SAgent2.exe

#:16 [ewidoctrl.exe]
FilePath : C:\Programmi\ewido\security suite\
ProcessID : 1256
ThreadCreationTime : 14-06-2005 17.18.40
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:17 [gearsec.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1328
ThreadCreationTime : 14-06-2005 17.18.41
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : gearsec
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
LegalCopyright : Copyright © 2001 GEAR Software
OriginalFilename : gearsec.exe

#:18 [kodakccs.exe]
FilePath : C:\WINDOWS\system32\drivers\
ProcessID : 1344
ThreadCreationTime : 14-06-2005 17.18.41
BasePriority : Normal
FileVersion : 1.1.4900.0
ProductVersion : 4.3.1.0
ProductName : Kodak DC File System Driver (Win32)
CompanyName : Eastman Kodak Company
FileDescription : Kodak DC Ring 3 Conduit (Win32)
InternalName : DcFsSvc.exe
LegalCopyright : Copyright © Eastman Kodak Co. 2000-2003
OriginalFilename : DcFsSvc.exe

#:19 [mdm.exe]
FilePath : C:\Programmi\File comuni\Microsoft Shared\VS7Debug\
ProcessID : 1360
ThreadCreationTime : 14-06-2005 17.18.41
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:20 [persfw.exe]
FilePath : C:\Programmi\Kerio\Personal Firewall\
ProcessID : 1396
ThreadCreationTime : 14-06-2005 17.18.42
BasePriority : Normal
FileVersion : 2, 1, 4, 0
ProductVersion : 2, 1, 4, 0
ProductName : Kerio Personal Firewall
CompanyName : Kerio Technologies
FileDescription : Kerio Personal Firewall Engine
InternalName : PERSFW
LegalCopyright : Copyright © 2002
OriginalFilename : PERSFW.exe

#:21 [scsiaccess.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1452
ThreadCreationTime : 14-06-2005 17.18.42
BasePriority : Normal


#:22 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1476
ThreadCreationTime : 14-06-2005 17.18.42
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:23 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1508
ThreadCreationTime : 14-06-2005 17.18.42
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:24 [fxssvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1572
ThreadCreationTime : 14-06-2005 17.18.43
BasePriority : Normal
FileVersion : 5.2.1776.1023
ProductVersion : 5.2.1776.1023
ProductName : Microsoft® Fax Server
CompanyName : Microsoft Corporation
FileDescription : Servizio Fax
InternalName : FXSSVC.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : FXSSVC.EXE

#:25 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 180
ThreadCreationTime : 14-06-2005 17.19.03
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Esplora risorse
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : EXPLORER.EXE

#:26 [essspk.exe]
FilePath : C:\WINDOWS\
ProcessID : 272
ThreadCreationTime : 14-06-2005 17.19.10
BasePriority : Normal


#:27 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 280
ThreadCreationTime : 14-06-2005 17.19.10
BasePriority : Normal
FileVersion : 5.0
ProductVersion : 5.0
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright © 2001 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:28 [dragdiag.exe]
FilePath : C:\Programmi\Alcatel\SpeedTouch USB\
ProcessID : 296
ThreadCreationTime : 14-06-2005 17.19.11
BasePriority : Normal
FileVersion : 201.2.0.0
ProductVersion : 201.2.0.0
ProductName : SpeedTouch USB
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
LegalCopyright : Copyright© THOMSON multimedia 1999-2002

#:29 [directcd.exe]
FilePath : C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\
ProcessID : 532
ThreadCreationTime : 14-06-2005 17.19.13
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001,2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:30 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 588
ThreadCreationTime : 14-06-2005 17.19.14
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Modulo di esecuzione DLL come applicazioni
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : RUNDLL.EXE

#:31 [ituneshelper.exe]
FilePath : C:\Programmi\iTunes\
ProcessID : 756
ThreadCreationTime : 14-06-2005 17.19.14
BasePriority : Normal
FileVersion : 4.1.1.54
ProductVersion : 4.1.1.54
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © Apple Computer, Inc. 2003
OriginalFilename : iTunesHelper.exe

#:32 [ipodservice.exe]
FilePath : C:\Programmi\iPod\bin\
ProcessID : 868
ThreadCreationTime : 14-06-2005 17.19.15
BasePriority : Normal
FileVersion : 4.1.1.54
ProductVersion : 4.1.1.54
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © Apple Computer, Inc. 2003
OriginalFilename : iPodService.exe

#:33 [cthelper.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 960
ThreadCreationTime : 14-06-2005 17.19.15
BasePriority : Normal
FileVersion : 1, 1, 0, 2
ProductVersion : 1, 1, 0, 2
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper MFC Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002-03
OriginalFilename : CtHelper.EXE

#:34 [realsched.exe]
FilePath : C:\Programmi\File comuni\Real\Update_OB\
ProcessID : 1084
ThreadCreationTime : 14-06-2005 17.19.16
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:35 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1500
ThreadCreationTime : 14-06-2005 17.19.17
BasePriority : Normal
FileVersion : 7,0,0,323
ProductVersion : 7.0.0.323
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:36 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1720
ThreadCreationTime : 14-06-2005 17.19.17
BasePriority : Normal
FileVersion : 7,0,0,320
ProductVersion : 7.0.0.320
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:37 [gcasserv.exe]
FilePath : C:\Programmi\Microsoft AntiSpyware\
ProcessID : 1752
ThreadCreationTime : 14-06-2005 17.19.18
BasePriority : Idle
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:38 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1768
ThreadCreationTime : 14-06-2005 17.19.19
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:39 [gcasdtserv.exe]
FilePath : C:\Programmi\Microsoft AntiSpyware\
ProcessID : 1944
ThreadCreationTime : 14-06-2005 17.19.21
BasePriority : Normal
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:40 [wincinemamgr.exe]
FilePath : C:\Programmi\InterVideo\Common\Bin\
ProcessID : 1012
ThreadCreationTime : 14-06-2005 17.19.24
BasePriority : Normal
FileVersion : 1.0
ProductVersion : 1, 0, 0, 1
ProductName : WinCinema Manager for InterVideo WinCinema products
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
LegalCopyright : Copyright © 2000 InterVideo Inc.
OriginalFilename : WinCinemaMgr.EXE

#:41 [tsschl.exe]
FilePath : C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\
ProcessID : 2336
ThreadCreationTime : 14-06-2005 17.19.53
BasePriority : Normal
FileVersion : 6.06
ProductVersion : 6.06.980
ProductName : TelSignal TV/FM Tuner
CompanyName : TelSignal Co., Ltd.
FileDescription : TV/FM Scheduler
InternalName : TVSCHL.EXE
LegalCopyright : TelSignal Co., Ltd.
OriginalFilename : TVSCHL.EXE

#:42 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2536
ThreadCreationTime : 14-06-2005 17.20.18
BasePriority : Normal
FileVersion : 5.4.3790.17 built by: lab04_n
ProductVersion : 5.4.3790.17
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Client dell'aggiornamento automatico di Windows Update
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : wuauclt.exe

#:43 [dap.exe]
FilePath : C:\PROGRA~1\DAP\
ProcessID : 4056
ThreadCreationTime : 14-06-2005 23.02.00
BasePriority : Normal
FileVersion : 7, 4, 0, 1
ProductVersion : 7, 4, 0, 1
ProductName : Download Accelerator Plus
CompanyName : Speedbit Ltd.
FileDescription : Download Accelerator Plus
InternalName : DAP
LegalCopyright : Copyright © 1999 - 2005 Speedbit Ltd.
OriginalFilename : DAP.EXE
Comments : 59

#:44 [ad-aware.exe]
FilePath : C:\Programmi\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2960
ThreadCreationTime : 15-06-2005 0.19.38
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CarpeDiem Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{d1b80ebf-1a26-4fec-b0b9-dcb934c6507e}

CarpeDiem Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{a41c6220-6f42-4646-b119-fbe6f4d38e3c}

eAcceleration Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : directory\shellex\contextmenuhandlers\eac_virusscanner

IEHijacker.Hotoffers Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c7edab2d-d7f9-11d8-ba48-c79b0c409d70}

Win32.Trojan.DesktopHijack Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{d56a1203-1452-eba1-7294-ee3377770000}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2025429265-1454471165-1417001333-1008\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

istbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment : "disp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion
Value : disp

Win32.Trojan.DesktopHijack Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment : "{D56A1203-1452-EBA1-7294-EE3377770000}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
Value : {D56A1203-1452-EBA1-7294-EE3377770000}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 10


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@kelkoo[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@serving-sys[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/cgi-bin/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@spinbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@centrport[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@versiontracker[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@paycounter[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:9
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[8].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/cgi-bin

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:44
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@247realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/cgi-bin

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:35
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:16
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@maxserving[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@bravenet[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@adtech[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@estat[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@gator[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@tripod[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[4].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/cgi-bin

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[5].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:[email protected]/cgi-bin/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[6].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/cgi-bin/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@0[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/HTM/425/0

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/cgi-bin

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@domainsponsor[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@webads[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/cgi-bin

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@fortunecity[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@findwhat[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@list[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@0[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:[email protected]/HTM/425/0

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrea@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/cgi-bin

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 46
Objects found so far: 56



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@2o7[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@adtech[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@adtech[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@adviva[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@adviva[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@cgi-bin[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@cgi-bin[3].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@cgi-bin[3].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@euniverseads[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@euniverseads[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@findwhat[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@findwhat[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@kelkoo[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@kelkoo[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@kelkoo[3].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@kelkoo[3].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : microsoft@webads[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\microsoft\Cookies\microsoft@webads[1].txt

IGetNet Object Recognized!
Type : File
Data : BHO001.DLL
TAC Rating : 8
Category : Data Miner
Comment :
Object : C:\WINDOWS\system\
FileVersion : 6.00.0005
ProductVersion : 6.00.0005
ProductName : Natural Language Navigation
CompanyName : iGetNet.com
FileDescription : Natural Language Navigation
InternalName : BHO001
OriginalFilename : BHO001.dll
Comments : Natural Language Navigation


IGetNet Object Recognized!
Type : File
Data : RSP001.DLL
TAC Rating : 8
Category : Data Miner
Comment :
Object : C:\WINDOWS\system\
FileVersion : 6.00.0005
ProductVersion : 6.00.0005
ProductName : Natural Language Navigation
CompanyName : iGetNet.com
FileDescription : Natural Language Navigation
InternalName : Rsp001
OriginalFilename : Rsp001.dll
Comments : Natural Language Navigation


IGetNet Object Recognized!
Type : File
Data : Update_com.DLL
TAC Rating : 8
Category : Data Miner
Comment :
Object : C:\WINDOWS\system\
FileVersion : 6.00.0005
ProductVersion : 6.00.0005
ProductName : Natural Language Navigation
CompanyName : iGetNet.com
FileDescription : Natural Language Navigation
InternalName : Rsp001
OriginalFilename : Rsp001.dll
Comments : Natural Language Navigation


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 69


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 69




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : aspfile\persistenthandler

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

IGetNet Object Recognized!
Type : File
Data : rules.dat
TAC Rating : 8
Category : Data Miner
Comment :
Object : C:\WINDOWS\system\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 72

2.47.45 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00.20.04.141
Objects scanned:186828
Objects identified:72
Objects ignored:0
New critical objects:72



Finally I even add the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 0.04.12, on 16/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\soundman.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inwind.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Scheduler.lnk = C:\Programmi\TRUST\TRUST USB2 DIGITAL PCTV & MOVIE EDITOR APPLICATION\TSSCHL.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
  • 0

#14
rstones12
Posted 15 June 2005 - 06:02 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
andman,

When you ran Ad-Aware SE and Spybot, did you remove the entries that you found??

Thanks,
rstones12
  • 0

#15
andman
Posted 16 June 2005 - 08:03 AM

andman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Yes I deleted it all... or I thought so!!

Except for "DOWNLOAD ACCLERATOR PLUS ADS" which Spybot signed as RED but could not delete.

Don't you think I made them run the right way? Do I have to run them again?

let me know,
many thanks,
andman
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP