Needless to say the PC has XP Sp2 with all patches and fixes installed, and I didn't find any real help to solve this, apparently easy to remove, infection.
Every step from your basic guide has been followed.
One month ago the virus name was W32/Sdbot.worm.gen.h, and was infecting ftp.exe, now has mutated and is infecting cmd.exe
I perfectly know that from the following hijackthis log there's nothing strange except from the 017 line, I can't delete permanently the line, if I reconnect to the Internet the line re-appears, I did a Traceroute on the IP 62.94.0.1/2 and seems related with an ISP related to my ISP...
any help would be VERY appreciated !
Logfile of HijackThis v1.99.1
Scan saved at 13.13.30, on 31/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmi\ewido\security suite\ewidoctrl.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Programmi\Network Associates\Common Framework\FrameworkService.exe
E:\Programmi\Network Associates\VirusScan\Mcshield.exe
E:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
E:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Network Associates\VirusScan\SHSTAT.EXE
E:\Programmi\Network Associates\Common Framework\UpdaterUI.exe
E:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe
E:\Programmi\D-Tools\daemon.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmi\Free Download Manager\fdm.exe
E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
E:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Programmi\FreePOPs\freepopsd.exe
E:\Programmi\WinDates\WinDates.exe
E:\WINDOWS\system32\WISPTIS.EXE
E:\WINDOWS\System32\dllhost.exe
E:\WINDOWS\system32\inetsrv\DavCData.exe
C:\BACKUP\dunmon\DUNMon.exe
E:\Programmi\Microsoft Office\OFFICE11\EXCEL.EXE
E:\Programmi\Mozilla Firefox\firefox.exe
E:\Programmi\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - E:\Programmi\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "E:\Programmi\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Programmi\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "E:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "E:\Programmi\File comuni\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dial-Up Monitor] C:\BACKUP\dunmon\DUNMon
O4 - HKCU\..\Run: [Free Download Manager] E:\Programmi\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: freepopsd.lnk = E:\Programmi\FreePOPs\freepopsd.exe
O4 - Startup: WinDates.lnk = E:\Programmi\WinDates\WinDates.exe
O4 - Global Startup: Service Manager.lnk = E:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://E:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://E:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Programmi\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Programmi\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pagine simili - res://E:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://E:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121343265134
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF874E90-5159-4797-A114-1915EDD46287}: NameServer = 62.94.0.1 62.94.0.2
O23 - Service: ewido security suite control - ewido networks - E:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: Servizio di framework di McAfee (McAfeeFramework) - Network Associates, Inc. - E:\Programmi\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - E:\Programmi\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Programmi\Network Associates\VirusScan\VsTskMgr.exe