hclean32.... please help [RESOLVED]

#1
fausto (Member, 13 posts)
Hello.
It seems I cannot get rid of the hclean32 trojan. As soon as Explorer starts, NAV detects the virus and quarantines it, but then the next time it starts all over again.
The baloon.wav file appears in c:\windows and even if I delete it... next time it shows up.

Here is my HJT log: could somebody help me please?

Regards, fausto

Logfile of HijackThis v1.99.1
Scan saved at 13.36.01, on 01/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Programmi\Qualcomm\Eudora\Eudora.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\AboutBuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2
bricat (Visiting Staff, Visiting Consultant, 645 posts)
Hello and Welcome to Geeks to Go!


Your log looks clean.


Please download the trial version of Ewido Security Suite from
here. Install it and
update the program with the latest definitions. Set up the program
following the instructions here and then close it without running a scan.

Reboot into Safe Mode.

Then please run Ewido Security Suite and perform a full system scan.
Remove anything found.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

* Click Save report
* Save the report to your desktop.


Then reboot normally, and post a new HJT log and the scan log from Ewido.

#3
fausto (Topic Starter, Member, 13 posts)
Here are the two logs. They seem OK... but your advice will be gratefully accepted!!!

I manually removed the infected files (the whole zip archives) from the attachment folder.

---------------------------------------------------------
ewido security suite - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 16.09.58, 02/09/2005
+ Report-Checksum: 48F2EA9C

+ Risultati scansione:

HKLM\SOFTWARE\Classes\.s3D -> Spyware.BrilliantDigital : Pulito con Backup
HKLM\SOFTWARE\Classes\.s3D\ShellNew -> Spyware.BrilliantDigital : Pulito con Backup
C:\user\Fileudora\attachments\account-password.zip/account-password.doc .exe -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\approved-password.zip/approved-password.htm .scr -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\cdrz.zip/cdrz.txt .pif -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\data.zip/data.pif -> Worm.Mytob : Errore durante la pulizia
C:\user\Fileudora\attachments\document.zip/document.htm .scr -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\email-password.zip/email-password.doc .pif -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\important-details.zip/important-details.htm .pif -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\important-details1.zip/important-details.txt .pif -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\test.zip/test.htm .pif -> Worm.Mytob : Errore durante la pulizia
C:\user\Fileudora\attachments\updated-password.zip/updated-password.htm .pif -> Worm.Mytob.bi : Errore durante la pulizia
C:\user\Fileudora\attachments\updated-password1.zip/updated-password.txt .scr -> Worm.Mytob.bi : Errore durante la pulizia
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Pulito con Backup
C:\WINDOWS\system32\gpsresl32.exe -> TrojanDownloader.Small.awa : Pulito con Backup
C:\WINDOWS\system32\hhk_temp.dll -> Trojan.Puper.t : Pulito con Backup
C:\WINDOWS\system32\syshelp.exe -> TrojanDownloader.Small.awa : Pulito con Backup
C:\WINDOWS\system32\sysprint.exe -> Dialer.Generic : Pulito con Backup
C:\WINDOWS\system32\uazzv.dll -> Spyware.SBSoft : Pulito con Backup
C:\WINDOWS\tmp.hta -> TrojanDownloader.Psyme.at : Pulito con Backup
C:\WINDOWS\wcx_ftp.ini:xtggyx -> Trojan.Agent.bi : Pulito con Backup


::Fine Rapporto

Logfile of HijackThis v1.99.1
Scan saved at 17.25.00, on 02/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Qualcomm\Eudora\Eudora.exe
C:\AboutBuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4
bricat (Visiting Staff, Visiting Consultant, 645 posts)
I take it that "Errore durante la pulizia" means "error during cleanup".

Please run PANDA ACTIVESCAN.

Do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it back here.

#5
fausto (Topic Starter, Member, 13 posts)
Yes, your Italian/English translation is correct!

As a matter of fact, I think something is still wrong, since NAV again detected hclean32.exe, but this time Ewido (in safe mode) gave a negative result....

Here is the Panda ActiveScan report.

Thanks for any further help!



Incident Status Location

Dialer:dialer.cos No disinfected C:\DOCUMENTS AND SETTINGS\DISTANTE\PREFERITI\exsplorer.lnk
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Spyware:spyware/dyfuca No disinfected C:\DOCUMENTS AND SETTINGS\DISTANTE\Internet Optimizer
Adware:adware/mediatickets No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\distante\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-1d9334ff-1ac00303.zip[Dummy.class]
Adware:Adware/nCase No disinfected C:\Documents and Settings\distante\Impostazioni locali\Temporary Internet Files\Content.IE5\MF6ZEPCX\init[1].js
Adware:Adware/WUpd No disinfected C:\Documents and Settings\distante\Impostazioni locali\Temporary Internet Files\Content.IE5\MF6ZEPCX\loud[1].htm
Virus:Trj/Agent.AJZ Disinfected C:\WINDOWS\system32\trapi12.exe

#6
bricat (Visiting Staff, Visiting Consultant, 645 posts)
Run two online virus scans from any of the following locations:

http://www.kaspersky...oduct=161744315 KASPERSKY
http://www.ravantivirus.com/scan/ - RAV
http://www.bitdefend...can/licence.php - BitDefender
(If using Kaspersky, please empty the quarantine sections of any AV or anti-spyware programs you have installed before running the scan.)


DISABLE SYSTEM RESTORE, run your antivirus, and when you get the all clear,
restart your System Restore (same page). Then create a new restore point:

Click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. Click on "create new restore point",
click on NEXT and follow the prompts.


Let us know if NAV detects it again.

#7
fausto (Topic Starter, Member, 13 posts)
Hi.
I did as you suggested, but the results baffled me....

I cleaned up all the quarantines of the various programs and ran the Kaspersky... to find out that I still had NAV quarantine files, which NAV itself didn't show. (See post.)

I removed those files by hand.

BitDefender didn't find anything.

So I checked that System Restore was disabled (it had never been enabled) and ran NAV (after an update)... and it didn't find anything... not even the one found in the system32 log file (see post).


What's happening?

Right now the system SEEMS to run correctly... but I'm sure that in a while hclean32 will show up and the icon saying "your computer is..... click on this balloon..." also.

I'll let you know if this happens... but since the results of the scans are not "logical" I'm sure something is still wrong...

What do you think?

Ciao (which in English can be translated to "hi" :-) - I bet you knew this)

fausto


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, September 05, 2005 11:02:14
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/09/2005
Kaspersky Anti-Virus database records: 138893
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52668
Number of viruses found: 8
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 2840 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01180002.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ABC0000.VBN/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ABC0000.VBN/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ABC0000.VBN/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ABC0000.VBN Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ABC0002.VBN Infected: Trojan-Downloader.Win32.Small.awa
C:\Documents and Settings\distante\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-1d9334ff-1ac00303.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\distante\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-1d9334ff-1ac00303.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\distante\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-1d9334ff-1ac00303.zip Infected: Trojan.Java.ClassLoader.ak
C:\user\Fileudora\attachments\certiftutor.doc.pif Infected: Email-Worm.Win32.Tanatos.b.dam2
C:\WINDOWS\system32\LogFiles\S7131900.so Infected: Trojan-Clicker.Win32.Agent.eg

Scan process completed.

#8
bricat (Visiting Staff, Visiting Consultant, 645 posts)
I think the quarantine files showed up because you didn't reboot before running KAV; hopefully this will sort it. :tazz:

1. From the Start button, click Settings> Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory



Then boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD


C:\user\Fileudora\attachments\certiftutor.doc.pif
C:\WINDOWS\system32\LogFiles\S7131900.so
C:\WINDOWS\system32\trapi12.exe
C:\DOCUMENTS AND SETTINGS\DISTANTE\Internet Optimizer
C:\WINDOWS\rdt.ini
C:\DOCUMENTS AND SETTINGS\DISTANTE\PREFERITI\exsplorer.lnk

then boot up normally and scan with KAV again and post the log back here.

#9
fausto (Topic Starter, Member, 13 posts)
I did as you suggested in safe mode.
Afterwards, to speed up the job, I just scanned the "critical" folders... (I hope it didn't compromise anything)

Here is the log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, September 05, 2005 14:47:40
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/09/2005
Kaspersky Anti-Virus database records: 138934
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\Documents and Settings\
C:\Programmi\
C:\System Volume Information\
C:\WINDOWS\

Scan Statistics:
Total number of scanned objects: 40129
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 2061 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.



...let's see what happens!

I'll let you know.

Ciao
fausto

#10
bricat (Visiting Staff, Visiting Consultant, 645 posts)
keep your fingers crossed :tazz:

#11
fausto (Topic Starter, Member, 13 posts)
Hi bricat.

I kept all I could crossed... not only fingers... but... no use.

This morning, as soon as I activated Explorer... hclean32 was detected by NAV and the "your system.... click this balloon..." msg came up .....

Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10.03.29, on 06/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\Qualcomm\Eudora\Eudora.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\AboutBuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Programmi\NETGEAR\MA401 Wireless PC Card\Config.exe
O4 - Global Startup: Finestra di stato di Canon iR1200-1300.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sidea.it.priv
O17 - HKLM\Software\..\Telephony: DomainName = sidea.it.priv
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sidea.it.priv
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


The main difference from before is:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

(the system never crashed recently)

??? What do you suggest?

fausto
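As an added example (not code from the thread), a Python script that does what fausto did by eye in post #11: parse two HijackThis logs, list the entries that changed, and attach a first-pass verdict to each. The two log excerpts are constructed from entries quoted in this thread; the verdict for the KernelFaultCheck entry assumes nothing beyond the fact that dumprep 0 -k is the Windows XP Error Reporting autostart added after a crash.

```python
import re

# Constructed excerpts of the thread's 01/09/2005 and 06/09/2005 HijackThis
# logs (a few representative entries each, not the full logs).
LOG_SEPT_01 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

LOG_SEPT_06 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SIDeA
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
"""

# HijackThis entries are "<kind> - <body>" where kind is R0-R3, F0-F3 or O1-O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RF]\d|O\d{1,2}) - (?P<body>.+)$")

# Entries Windows itself creates, matched as substrings of the entry text.
KNOWN_WINDOWS = {
    "[KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k":
        "Windows Error Reporting autostart that XP adds after a crash; not malware",
}


def parse_hjt(text):
    """Return the set of R*/F*/O* entries in a log, whitespace-normalised.
    Header and 'Running processes' lines are ignored."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add(f"{m['kind']} - {' '.join(m['body'].split())}")
    return entries


def diff_logs(old_text, new_text):
    """(added, removed) entry lists between an older and a newer log."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return sorted(new - old), sorted(old - new)


def triage(entries):
    """Attach a defender's first-pass verdict to each entry: what it is and what to verify.
    A 'clean' diff is not proof of a clean machine: none of the logs in this
    thread lists hclean32 at all, so a recurring detection needs other tools."""
    verdicts = []
    for entry in entries:
        kind = entry.split(" - ", 1)[0]
        known = next((v for k, v in KNOWN_WINDOWS.items() if k in entry), None)
        if known:
            verdict = known
        elif kind == "O4":
            verdict = "new autostart: confirm the file's location and publisher"
        elif kind == "O6":
            verdict = "IE policy restrictions set: legitimate only if an admin set them"
        elif kind == "O9" and "(file missing)" in entry:
            verdict = "orphaned IE button, leftover from an uninstalled tool"
        elif kind == "O16":
            verdict = "downloaded ActiveX control: confirm the host it came from"
        elif kind == "O23":
            verdict = "new service: confirm the binary path and vendor"
        else:
            verdict = "review manually"
        verdicts.append((entry, verdict))
    return verdicts


if __name__ == "__main__":
    added, removed = diff_logs(LOG_SEPT_01, LOG_SEPT_06)
    for entry, verdict in triage(added):
        print(f"+ {entry}\n    -> {verdict}")
    for entry in removed:
        print(f"- {entry}")
```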

#13
bricat (Visiting Staff, Visiting Consultant, 645 posts)
Download and save BlackLight to your desktop.
F-Secure BlackLight: http://www.f-secure....light/try.shtml
Double-click BLbeta.exe, then accept the agreement.
Leave [X] scan through Windows Explorer checked,
click > scan, then > next.
If any items show, have BlackLight rename them except for "wbemtest.exe".
Do not rename "wbemtest.exe"; it's a Windows file!!
The tool will ask if you want to reboot (restart); choose yes.

After you have rebooted :-


Copy the bold text below to NOTEPAD.

Call it fix.REG

Save it to your desktop.

On your desktop, double-click fix.REG and allow it to merge with the registry when it asks.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""



Download WINPFIND.ZIP and extract it to your C:\ folder. This will create a folder called WinPFind
in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe.
Double-click on this file to launch the program. Once it is launched,
click on the Start Scan button and wait for it to finish.
This program will scan a large number of files on your computer
for known patterns, so please be patient while it works, as it can
take a while.
When it is done, it will show the results of the scan.
Click on the Copy to Clipboard button and then paste the contents of the log in your next post.

#14
fausto

    Member

  • Topic Starter
  • Member
  • 13 posts
Done.
BLbeta found 6 items (including the Windows file); I renamed them (Windows file excluded).

Did the reg "merge".


Here is the log of WinPFind:
=================================
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 19/08/2004 14.00.00 41144 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 19/08/2004 14.00.00 729600 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 06/09/2005 10.02.16 45568 C:\WINDOWS\SYSTEM32\ntfsnlpa.exe.ren
Umonitor 19/08/2004 14.00.00 674816 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 06/09/2005 10.02.16 4608 C:\WINDOWS\SYSTEM32\rdsndin.exe.ren
winsync 19/08/2004 14.00.00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 03/08/2004 22.41.38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
06/09/2005 10.56.10 S 2048 C:\WINDOWS\bootstat.dat
21/07/2005 0.23.54 HS 7680 C:\WINDOWS\Thumbs.db
28/08/2005 20.43.24 S 64 C:\WINDOWS\CSC\00000001
30/07/2005 1.06.24 S 64 C:\WINDOWS\CSC\00000002
06/09/2005 10.56.50 H 1024 C:\WINDOWS\system32\config\default.LOG
06/09/2005 10.56.10 H 8192 C:\WINDOWS\system32\config\SAM.LOG
06/09/2005 10.56.50 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
06/09/2005 10.59.42 H 1024 C:\WINDOWS\system32\config\software.LOG
06/09/2005 10.57.18 H 1024 C:\WINDOWS\system32\config\system.LOG
31/08/2005 14.13.08 H 0 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
19/07/2005 0.05.12 HS 368 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\e3d8dc0b-9f40-47e9-827c-39c302f1264d
19/07/2005 0.05.14 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
06/09/2005 10.56.12 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 19/08/2004 14.00.00 70656 C:\WINDOWS\SYSTEM32\access.cpl
ALi 04/07/2005 9.18.26 65536 C:\WINDOWS\SYSTEM32\alipanel.cpl
Microsoft Corporation 19/08/2004 14.00.00 553472 C:\WINDOWS\SYSTEM32\appwiz.cpl
21/06/1999 5.10.00 183808 C:\WINDOWS\SYSTEM32\BDEADMIN.CPL
Microsoft Corporation 19/08/2004 14.00.00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc. 25/02/2004 17.05.08 274432 C:\WINDOWS\SYSTEM32\CamCpl.cpl
Microsoft Corporation 19/08/2004 14.00.00 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 19/08/2004 14.00.00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 19/08/2004 14.00.00 156160 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 19/08/2004 14.00.00 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 19/08/2004 14.00.00 132608 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 19/08/2004 14.00.00 380928 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 19/08/2004 14.00.00 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 19/11/2003 17.48.12 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 19/08/2004 14.00.00 188928 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 19/08/2004 14.00.00 623616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 19/08/2004 14.00.00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 19/08/2004 14.00.00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 19/08/2004 14.00.00 259072 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 19/08/2004 14.00.00 37376 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 19/08/2004 14.00.00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/08/2004 14.00.00 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 19/08/2004 14.00.00 301568 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 19/08/2004 14.00.00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 19/08/2004 14.00.00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 19/08/2004 14.00.00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 19/08/2004 14.00.00 162816 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 19/08/2004 14.00.00 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 19/08/2004 14.00.00 553472 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 19/08/2004 14.00.00 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 19/08/2004 14.00.00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 19/08/2004 14.00.00 156160 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 19/08/2004 14.00.00 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 19/08/2004 14.00.00 132608 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 19/08/2004 14.00.00 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 19/08/2004 14.00.00 188928 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 19/08/2004 14.00.00 623616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 19/08/2004 14.00.00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 19/08/2004 14.00.00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 19/08/2004 14.00.00 259072 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 19/08/2004 14.00.00 37376 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 19/08/2004 14.00.00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 19/08/2004 14.00.00 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 19/08/2004 14.00.00 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 19/08/2004 14.00.00 301568 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 19/08/2004 14.00.00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 19/08/2004 14.00.00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 19/08/2004 14.00.00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 19/08/2004 14.00.00 162816 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
04/07/2005 9.45.24 1804 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Acrobat Assistant.lnk
06/07/2005 20.04.36 1750 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Configuration Utility.lnk
01/07/2005 16.58.50 HS 84 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini
08/07/2005 16.54.30 1063 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Finestra di stato di Canon iR1200-1300.LNK
04/07/2005 10.18.10 1498 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk.disabled

Checking files in %ALLUSERSPROFILE%\Application Data folder...
01/07/2005 18.28.34 HS 62 C:\Documents and Settings\All Users\Dati applicazioni\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
01/07/2005 16.58.50 HS 84 C:\Documents and Settings\distante\Menu Avvio\Programmi\Esecuzione automatica\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
01/07/2005 18.28.32 HS 62 C:\Documents and Settings\distante\Dati applicazioni\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Programmi\File comuni\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Blocco menu Start = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Programmi\File comuni\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Suggerimenti = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programmi\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Programmi\Yahoo!\Messenger\yhexbmesit.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\system32\browseui.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programmi\google\googletoolbar1.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti : %SystemRoot%\system32\SHELL32.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programmi\google\googletoolbar1.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
LogitechVideoRepair C:\Programmi\Logitech\Video\ISStart.exe
LogitechVideoTray C:\Programmi\Logitech\Video\LogiTray.exe
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoHTMLWallPaper 1
NoComponents 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0
NoActiveDesktop 1
ForceStartMenuLogOff 1
NoRecentDocsNetHood 1
NoActiveDesktopChanges 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 06/09/2005 11.02.16
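As an added example (not from the thread, and not part of WinPFind or BlackLight), here is a small Python checker that reads the Winlogon block of a WinPFind log like the one above and flags any value that differs from clean Windows XP defaults; it is a way to confirm that post #13's fix.REG left the System value empty, as the log in post #14 shows. The expected defaults, both log excerpts and the sample_dropper.exe name are constructed assumptions, not indicators from this thread.

```python
"""Check the Winlogon block of a WinPFind log against clean Windows XP defaults."""
# Header WinPFind prints before the Winlogon values (same format as the log above).
WINLOGON_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"

# Assumed clean Windows XP defaults (the Windows directory may differ elsewhere).
# System is empty on a clean box; it is the value post #13's fix.REG recreates empty.
EXPECTED = {
    "UserInit": r"C:\WINDOWS\system32\userinit.exe,",
    "Shell": "explorer.exe",
    "System": "",
}

# Constructed excerpt matching what the log in post #14 shows after the fix.
CLEAN_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"""

# Constructed excerpt with a hypothetical executable in System (placeholder
# name, not a real indicator from this thread).
INFECTED_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System = C:\WINDOWS\system32\sample_dropper.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"""


def parse_winlogon(log_text):
    """Return {value_name: value} for the Winlogon block of a WinPFind log."""
    values = {}
    in_block = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == WINLOGON_KEY:
            in_block = True
            continue
        if not in_block:
            continue
        # WinPFind ends the block with a blank line or the next bracketed key.
        if not stripped or stripped.startswith("["):
            break
        name, sep, value = stripped.partition("=")
        if sep:
            values[name.strip()] = value.strip()
    return values


def find_suspicious(values):
    """Return (name, actual) pairs that deviate from EXPECTED; missing counts as empty."""
    findings = []
    for name, expected in EXPECTED.items():
        actual = values.get(name, "")
        if actual.lower() != expected.lower():
            findings.append((name, actual))
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("infected", INFECTED_LOG)):
        print(label, find_suspicious(parse_winlogon(log)) or "no deviations")
```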

#15
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
hopefully the alerts are gone. :tazz:

let me know how it is running.