
Explorer Restarts Continuously


  • This topic is locked
2 replies to this topic

#1 Sverd

Sverd

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 18 May 2008 - 05:42 PM

Hello, my PC continuously restarts Explorer every few seconds.
Spybot found Virtumonde, but I am not sure it is the (only) problem.
Using SDFix seemed to get things working, but after some time and a reboot the problem is still here.

Sverd




Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-19 00:12:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-05-18 22:13:12 UTC - RP459 - Deckard's System Scanner Restore Point
22: 2008-05-18 21:57:16 UTC - RP458 - Last known good configuration
21: 2008-05-18 21:56:25 UTC - RP457 - Last known good configuration
20: 2008-05-18 21:56:23 UTC - RP456 - Software Distribution Service 3.0
19: 2008-05-18 21:56:23 UTC - RP455 - Last known good configuration


-- First Restore Point --
1: 2008-05-18 21:56:18 UTC - RP437 - Punto di arresto del sistema


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.17.49, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\hijackthis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {1D0D5BAD-D4E6-4761-8FF2-C0D00AA10668} - C:\WINDOWS\system32\ddcAsspQ.dll
O2 - BHO: (no name) - {3C7E1963-EB72-48EF-9129-4504B0C0F858} - C:\WINDOWS\system32\geBuUnnn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {88EBBE0B-5FF8-4B84-B043-71A216374A5B} - C:\WINDOWS\system32\opnmMeCr.dll
O2 - BHO: (no name) - {BDD32E7E-4C00-41E1-87AA-75029A884922} - C:\WINDOWS\system32\hgGvsroO.dll
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Programmi\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [SetDefPrt] C:\Programmi\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D77941B-5FFC-4924-9C9D-79C2F4D9D4CD}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: opnmMeCr - C:\WINDOWS\SYSTEM32\opnmMeCr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

--
End of file - 4542 bytes

-- HijackThis Fixed Entries (C:\hijackthis\backups\) ---------------------------

backup-20080517-153348-332 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
backup-20080517-153443-756 O2 - BHO: BurstWriting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Programmi\BurstWriting\BurstWriting.dll
backup-20080517-153443-956 O2 - BHO: (no name) - {E8B80D70-3309-4792-8B4C-DD67639AC20A} - C:\WINDOWS\system32\urqOHBuT.dll (file missing)
backup-20080517-160714-144 O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_6] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\msnetobj.dll"
backup-20080517-160714-162 O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_1] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\drmstor.dll"
backup-20080517-160714-163 O2 - BHO: (no name) - {4D1147D5-461B-40E4-B39D-73CE99E7DD49} - C:\WINDOWS\system32\jkkHWPig.dll (file missing)
backup-20080517-160714-178 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_2] C:\WINDOWS\System32\regsvr32 /s C:\WINDOWS\System32\wmp.dll
backup-20080517-160714-196 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_10] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmsdmoe2.dll"
backup-20080517-160714-198 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_24] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmsdmod.dll"
backup-20080517-160714-218 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_8] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmspdmoe.dll"
backup-20080517-160714-236 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_32] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmvcore.dll"
backup-20080517-160714-256 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_23] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\mp4sdmod.dll"
backup-20080517-160714-276 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_4] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmvdmod.dll"
backup-20080517-160714-278 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_1] "C:\Programmi\Windows Media Player\migrate.exe" /s
backup-20080517-160714-299 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_21] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\mpg4dmod.dll"
backup-20080517-160714-386 O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\drmclien.dll"
backup-20080517-160714-394 O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programmi\Web Accelerator\components\NOWImaging.dll (file missing)
backup-20080517-160714-406 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_9] C:\WINDOWS\System32\regsvr32 /s C:\WINDOWS\System32\wmpasf.dll
backup-20080517-160714-444 O20 - Winlogon Notify: opnmMeCr - C:\WINDOWS\SYSTEM32\opnmMeCr.dll
backup-20080517-160714-448 O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\drmv2clt.dll"
backup-20080517-160714-522 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_3] C:\WINDOWS\System32\regsvr32 /s /u "C:\WINDOWS\System32\wmv8dmod.dll"
backup-20080517-160714-528 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_2] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmnetmgr.dll"
backup-20080517-160714-530 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_31] "C:\WINDOWS\System32\logagent.exe" /RegServer
backup-20080517-160714-537 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_5] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmvdmoe2.dll"
backup-20080517-160714-636 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_30] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\laprxy.dll"
backup-20080517-160714-647 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_20] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
backup-20080517-160714-661 O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
backup-20080517-160714-701 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_6] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmadmoe.dll"
backup-20080517-160714-732 O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_5] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\blackbox.dll"
backup-20080517-160714-744 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_8] C:\WINDOWS\System32\regsvr32 /s C:\WINDOWS\System32\wmpshell.dll
backup-20080517-160714-757 O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_7] C:\WINDOWS\System32\regsvr32 /s C:\WINDOWS\System32\mspmsnsv.dll
backup-20080517-160714-793 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_10] C:\WINDOWS\System32\regsvr32 /s C:\WINDOWS\System32\wmpdxm.dll
backup-20080517-160714-860 O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
backup-20080517-160714-861 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_9] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmsdmoe.dll"
backup-20080517-160714-903 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_22] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\mp43dmod.dll"
backup-20080517-160714-907 O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_0] C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
backup-20080517-160714-925 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_20] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmadmod.dll"
backup-20080517-160714-942 O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_7] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\wmspdmod.dll"
backup-20080517-160714-978 O2 - BHO: (no name) - {88ebbe0b-5ff8-4b84-b043-71a216374a5b} - C:\WINDOWS\system32\opnmMeCr.dll
backup-20080517-160715-480 O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
backup-20080517-161134-263 O2 - BHO: (no name) - {88EBBE0B-5FF8-4B84-B043-71A216374A5B} - C:\WINDOWS\system32\opnmMeCr.dll
backup-20080518-090915-488 O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programmi\Winamp Toolbar\winamptb.dll (file missing)
backup-20080518-091259-127 O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
backup-20080518-091259-317 O2 - BHO: (no name) - {88EBBE0B-5FF8-4B84-B043-71A216374A5B} - C:\WINDOWS\system32\opnmMeCr.dll
backup-20080518-091259-507 O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programmi\Winamp Toolbar\winamptb.dll (file missing)
backup-20080518-091259-692 O3 - Toolbar: SlipStream Web Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Programmi\SlipStream Web Accelerator\Toolband.dll (file missing)
backup-20080518-091259-860 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
backup-20080518-091259-969 O2 - BHO: (no name) - {FB650F37-76C6-42E4-8BC8-51BEC33315BA} - C:\WINDOWS\system32\geBsstTK.dll (file missing)
backup-20080518-091303-901 O20 - Winlogon Notify: opnmMeCr - C:\WINDOWS\SYSTEM32\opnmMeCr.dll
backup-20080518-091304-847 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-091612-597 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-091808-107 O4 - HKLM\..\RunOnce: [SpybotDeletingC3910] cmd /c del "C:\WINDOWS\system32\geBsstTK.dll_old"
backup-20080518-091808-280 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-091808-631 O20 - Winlogon Notify: opnmMeCr - C:\WINDOWS\SYSTEM32\opnmMeCr.dll
backup-20080518-091808-636 O4 - HKLM\..\RunOnce: [SpybotDeletingA2376] command /c del "C:\WINDOWS\system32\geBsstTK.dll_old"
backup-20080518-091930-524 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-092048-595 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-093058-514 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-115719-586 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-115854-496 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winamp.com/player
backup-20080518-120444-645 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-133413-497 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-135100-499 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080518-235309-797 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (InCD Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R2 BsUDF (InCD UDF Driver) - c:\windows\system32\drivers\bsudf.sys <Not Verified; ahead software; UDF File System Driver (WindowsNT5.x)>
R3 Stmatm (ATM/ADSL miniport) - c:\windows\system32\drivers\stmatm.sys <Not Verified; STMicroelectronics; Unicorn ADSL>
R3 TaurusUsb (ADSL Modem USB Service 1.09a) - c:\windows\system32\drivers\torususb.sys

S0 Agm64 - c:\windows\system32\drivers\agm64.sys (file missing)
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 gusvc (Google Updater Service) - "c:\programmi\google\common\google updater\googleupdaterservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: Nodo interfaccia NT Apm/Legacy
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: Nodo interfaccia NT Apm/Legacy
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Controller Fast Ethernet integrato 3Com 3C918 (3C905B-TX compatibile)
Device ID: PCI\VEN_10B7&DEV_9055&SUBSYS_00821028&REV_24\2&EBB567F&0&88
Manufacturer: 3Com
Name: Controller Fast Ethernet integrato 3Com 3C918 (3C905B-TX compatibile)
PNP Device ID: PCI\VEN_10B7&DEV_9055&SUBSYS_00821028&REV_24\2&EBB567F&0&88
Service: EL90XBC


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 00:09:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 00:09:22 0 d-------- C:\WINDOWS\LastGood
2008-05-18 23:56:07 344 --ahs---- C:\WINDOWS\system32\nnnUuBeg.ini2
2008-05-18 23:55:59 319872 --a------ C:\WINDOWS\system32\geBuUnnn.dll
2008-05-18 20:06:50 319872 --a------ C:\WINDOWS\system32\hgGvsroO.dll
2008-05-18 18:34:33 319872 --a------ C:\WINDOWS\system32\ddcAsspQ.dll
2008-05-18 15:49:34 0 d-------- C:\cmdcons
2008-05-17 16:16:56 0 d-------- C:\WINDOWS\Prefetch
2008-05-17 15:18:09 0 d-------- C:\hijackthis
2008-05-12 23:38:00 0 d-------- C:\Programmi\Startup Inspector for Windows
2008-05-12 23:18:15 0 d--hs---- C:\WINDOWS\CSC
2008-05-12 22:37:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-12 22:37:24 68096 --a------ C:\WINDOWS\zip.exe
2008-05-12 22:37:24 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-12 22:37:24 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-12 22:37:24 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-12 22:37:24 98816 --a------ C:\WINDOWS\sed.exe
2008-05-12 22:37:24 80412 --a------ C:\WINDOWS\grep.exe
2008-05-12 22:37:24 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 20:28:13 0 d-------- C:\WINDOWS\ERUNT
2008-05-11 20:42:09 2 --a------ C:\-319901445
2008-05-11 20:39:03 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-11 20:37:57 29824 --a------ C:\WINDOWS\system32\opnmMeCr.dll
2008-04-24 20:10:14 0 d-------- C:\Programmi\File comuni\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-05-18 20:15:41 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\uTorrent
2008-05-18 20:04:15 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\wsInspector
2008-05-18 19:54:05 0 d-------- C:\Programmi\uTorrent
2008-05-18 13:48:55 0 d-------- C:\Programmi\regclean
2008-05-14 20:50:10 425432 --a----c- C:\WINDOWS\system32\perfh010.dat
2008-05-14 20:50:09 63180 --a----c- C:\WINDOWS\system32\perfc010.dat
2008-05-13 23:52:59 10 --a----c- C:\WINDOWS\popcinfo.dat
2008-05-13 00:08:01 0 d-------- C:\Programmi\EasyClean
2008-05-11 16:36:38 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Adobe
2008-05-06 18:38:45 0 d-------- C:\Programmi\Java
2008-05-03 16:19:59 0 d-------- C:\Programmi\Torrent Harvester
2008-05-02 11:43:48 28152 --a------ C:\Documents and Settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-04-27 18:16:14 0 dr------- C:\Documents and Settings\Administrator\Dati applicazioni\Brother
2008-04-24 22:48:36 0 d-------- C:\Programmi\Winamp
2008-04-24 20:24:04 0 d-------- C:\Programmi\Lavasoft
2008-04-24 20:10:14 0 d-------- C:\Programmi\File comuni
2008-04-24 19:48:12 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Lavasoft
2008-04-24 19:19:45 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Macromedia
2008-04-24 19:19:19 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Google
2008-04-24 19:02:02 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Sun
2008-04-24 18:44:13 0 d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0D5BAD-D4E6-4761-8FF2-C0D00AA10668}]
18/05/2008 18.34 319872 --a------ C:\WINDOWS\system32\ddcAsspQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C7E1963-EB72-48EF-9129-4504B0C0F858}]
18/05/2008 23.56 319872 --a------ C:\WINDOWS\system32\geBuUnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88EBBE0B-5FF8-4B84-B043-71A216374A5B}]
11/05/2008 20.37 29824 --a------ C:\WINDOWS\system32\opnmMeCr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDD32E7E-4C00-41E1-87AA-75029A884922}]
18/05/2008 20.06 319872 --a------ C:\WINDOWS\system32\hgGvsroO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Programmi\Winamp Toolbar\winamptb.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="C:\Programmi\Brother\Brmfl05a\BrStDvPt.exe" [26/01/2005 18.02]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04.25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88EBBE0B-5FF8-4B84-B043-71A216374A5B}"= C:\WINDOWS\system32\opnmMeCr.dll [11/05/2008 20.37 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmMeCr]
opnmMeCr.dll 11/05/2008 20.37 29824 C:\WINDOWS\system32\opnmMeCr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBuUnnn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agm64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Picasa Media Detector"=C:\Programmi\Picasa2\PicasaMediaDetector.exe
"ControlCenter2.0"=C:\Programmi\Brother\ControlCenter2\brctrcen.exe /autorun




-- End of Deckard's System Scanner: finished at 2008-05-19 00:23:20 ------------

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Italian

CPU 0: Processore Intel Pentium III
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 255.55 MiB / 93.8 MiB
Pagefile Memory (total/avail): 836.53 MiB / 641.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.51 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 14.3 GiB total, 5.61 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 91531U3 - 14.31 GiB - 1 partition
\PARTITION0 (bootable) - File system installabile - 14.3 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1201 [VPS 080518-1] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\Alwil Software\\Avast4\\ashAvast.exe"="C:\\Programmi\\Alwil Software\\Avast4\\ashAvast.exe:*:Enabled:avast! Antivirus"
"C:\\Programmi\\Alwil Software\\Avast4\\aswUpdSv.exe"="C:\\Programmi\\Alwil Software\\Avast4\\aswUpdSv.exe:*:Enabled:aswUpdSv.exe"
"C:\\Programmi\\Chess\\Chess.exe"="C:\\Programmi\\Chess\\Chess.exe:*:Disabled:Chess"
"C:\\Programmi\\Messenger\\msmsgs.exe"="C:\\Programmi\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programmi\\NetMeeting\\conf.exe"="C:\\Programmi\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\uTorrent\\uTorrent.exe"="C:\\Programmi\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Dati applicazioni
CLIENTNAME=Console
CommonProgramFiles=C:\Programmi\File comuni
COMPUTERNAME=A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\A
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\wbem;C:\PROGRA~1\ERL2000\BIN
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0703
ProgramFiles=C:\Programmi
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Administrator\Impostazioni locali\Temp
TMP=C:\DOCUME~1\Administrator\Impostazioni locali\Temp
USERDOMAIN=A
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

bc (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type995 / Error
Event Submitted/Written: 05/18/2008 09:47:37 AM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore BN3.tmp, versione 0.0.0.0, modulo che ha provocato l'errore BN3.tmp, versione 0.0.0.0, indirizzo errore 0x0000104b.
Elaborazione evento specifico al supporto per [BN3.tmp!ws!] in corso

Event Record #/Type993 / Error
Event Submitted/Written: 05/18/2008 09:09:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore BN5.tmp, versione 0.0.0.0, modulo che ha provocato l'errore BN5.tmp, versione 0.0.0.0, indirizzo errore 0x0000104b.
Elaborazione evento specifico al supporto per [BN5.tmp!ws!] in corso

Event Record #/Type989 / Error
Event Submitted/Written: 05/17/2008 07:00:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Applicazione che ha provocato l'errore BNB.tmp, versione 0.0.0.0, modulo che ha provocato l'errore BNB.tmp, versione 0.0.0.0, indirizzo errore 0x0000104b.
Elaborazione evento specifico al supporto per [BNB.tmp!ws!] in corso

Event Record #/Type988 / Warning
Event Submitted/Written: 05/17/2008 04:19:40 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
Un provider, Rsop Planning Mode Provider, è stato registrato nello spazio dei nomi WMI, root\RSOP, ma non ha specificato la proprietà richiesta HostingModel. Questo provider userà l'account LocalSystem. L'account è privilegiato e il provider può causare una violazione di protezione se non rappresenta correttamente le richieste utente. Accertarsi che il provider sia stato controllato e soddisfi i requisiti di protezione e aggiornare la proprietà HostingModel della registrazione del provider impostandola su un account con privilegi corrispondenti al minimo indispensabile per la funzionalità necessaria.

Event Record #/Type987 / Warning
Event Submitted/Written: 05/17/2008 04:19:40 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
Un provider, Rsop Planning Mode Provider, è stato registrato nello spazio dei nomi WMI, root\RSOP, ma non ha specificato la proprietà richiesta HostingModel. Questo provider userà l'account LocalSystem. L'account è privilegiato e il provider può causare una violazione di protezione se non rappresenta correttamente le richieste utente. Accertarsi che il provider sia stato controllato e soddisfi i requisiti di protezione e aggiornare la proprietà HostingModel della registrazione del provider impostandola su un account con privilegi corrispondenti al minimo indispensabile per la funzionalità necessaria.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28126 / Error
Event Submitted/Written: 05/18/2008 11:48:09 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
Il servizio BrSplService ha riportato lo stato non valido corrente 0.

Event Record #/Type28125 / Error
Event Submitted/Written: 05/18/2008 11:46:47 PM
Event ID/Source: 1003 / System Error
Event Description:
Codice errore 1000008e, parametro1 c0000005, parametro2 80563ed6, parametro3 f6e46c30, parametro4 00000000.

Event Record #/Type28102 / Error
Event Submitted/Written: 05/18/2008 11:37:59 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha ricevuto l'errore "%%1084" durante il tentativo di avviare il servizio EventSystem con gli argomenti ""
per eseguire il server
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type28097 / Error
Event Submitted/Written: 05/18/2008 11:16:58 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha ricevuto l'errore "%%1084" durante il tentativo di avviare il servizio EventSystem con gli argomenti ""
per eseguire il server
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type28093 / Error
Event Submitted/Written: 05/18/2008 11:16:52 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
All'avvio non è stato possibile caricare i seguenti driver:
Aavmker4
aswSP
Fips



-- End of Deckard's System Scanner: finished at 2008-05-19 00:23:20 ------------


#2 Sverd

Sverd
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 27 May 2008 - 03:25 PM

Hi everybody,
I was in a hurry so, while waiting for help, I tried by myself, and now my PC is working fine. :thumbsup:

I used HijackThis to find and remove bad registry entries, and the Spybot utilities for BHOs and running processes, looking for the DLLs involved and deleting them.

Of course this had to be repeated a few times, because some entries and some DLLs were recreated under new names, and some files were locked. I used the Windows console to delete them.

At the end I scanned everything with avast!, Ad-Aware and Spybot.

I think I had some good luck; anyway, I am grateful to this site for all the helpful information I found here.

Bye

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:27 AM

Posted 27 May 2008 - 10:04 PM

Thanks for informing us.

Should you find other problems, please start a new topic.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
