Smitfraud-c.coreservice And Command Service Infection


  • This topic is locked
13 replies to this topic

#1 canesciolto


Posted 31 August 2008 - 10:48 AM

Dear BleepingComputer,
I've tried in every way to remove the Smitfraud and Command Service malware my computer is infected with. Spybot recognizes the infections, but when I reboot the problem is still there.
This is the HijackThis log; I really hope someone can come to the rescue...
Thanks for your precious time,
Francesco

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.02.41, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: Toolbar &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Avvio veloce di Microsoft Office OneNote 2003.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//luwdsej//wxjcuec//xgzgvoe//irkqpg//IT//arct.chm::/painter.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198727678500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198729427140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: IpManager (IPtable) - Unknown owner - C:\WINDOWS\ipconfg32.exe (file missing)
O23 - Service: MS Ins Config (MSiCFG) - Unknown owner - C:\WINDOWS\msiconfig.exe (file missing)
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\mswinpad.exe (file missing)

--
End of file - 5741 bytes
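The log above is the raw material for the triage that follows in the thread. As an added example (not from the original post, and not something HijackThis does itself), here is a small Python script that applies the checks an analyst runs by eye on such a log: O23 services whose binary is reported missing, has no owner, or lives directly in C:\WINDOWS; O2/O3/O9 COM objects registered with no file behind them; and O16 download entries with no URL, handed to a non-http protocol handler, or fetched from a bare IP address. The sample lines are copied from this log; the rules themselves are assumptions about what usually deserves attention, not verdicts.

```python
"""Triage HijackThis 2.0.x log lines for entries that deserve a second look.

Added example: not part of the original thread and not a HijackThis feature.
The rules are ordinary analyst heuristics (assumptions, not verdicts):
  * O23 services whose binary is "(file missing)", has an unknown owner, or
    sits directly in the Windows directory instead of a program directory
  * O2/O3/O9 COM registrations that point at "(no file)"
  * O16 DPF (ActiveX download) entries with no URL, a non-http(s) scheme
    such as ms-its/mhtml, or a bare-IP host
"""
import re

# Sample input: lines copied from the logs posted in this thread, with a few
# benign lines left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//luwdsej//wxjcuec//xgzgvoe//irkqpg//IT//arct.chm::/painter.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198727678500
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: IpManager (IPtable) - Unknown owner - C:\WINDOWS\ipconfg32.exe (file missing)
O23 - Service: MS Ins Config (MSiCFG) - Unknown owner - C:\WINDOWS\msiconfig.exe (file missing)
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\mswinpad.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# "Service: <display name> (<short name>) - <owner> - <image path>"
O23_RE = re.compile(r"^Service: (?P<display>.*) \((?P<name>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _check_service(body):
    m = O23_RE.match(body)
    if not m:
        return ["unparsed O23 line"]
    reasons = []
    path = m.group("path")
    if path.endswith("(file missing)"):
        reasons.append("service points at a binary that no longer exists")
        path = path[: -len("(file missing)")].strip()
    if m.group("owner").lower() == "unknown owner":
        reasons.append("no vendor/owner recorded for the service binary")
    # Heuristic: legitimate services almost never live in the root of %WINDIR%.
    if re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", path, re.IGNORECASE):
        reasons.append("binary sits directly in C:\\WINDOWS rather than a program directory")
    return reasons


def _check_com(body):
    # BHOs, toolbars and IE buttons registered without a DLL behind them.
    return ["COM object registered but its DLL is absent"] if body.rstrip().endswith("(no file)") else []


def _check_dpf(body):
    url = body.partition(" - ")[2].strip()
    if not url:
        return ["DPF entry with no download URL recorded"]
    reasons = []
    scheme = url.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        reasons.append(f"download handed to the {scheme!r} protocol handler instead of plain http(s)")
    # Pull the first embedded http(s) host, even when wrapped in an ms-its/mhtml chain.
    host = re.search(r"https?://([^/\s:!]+)", url, re.IGNORECASE)
    if host and IPV4_RE.match(host.group(1)):
        reasons.append(f"payload fetched from a bare IP address ({host.group(1)})")
    return reasons


CHECKS = {"O23": _check_service, "O2": _check_com, "O3": _check_com,
          "O9": _check_com, "O16": _check_dpf}


def triage(log_text):
    """Return [(section, line, [reasons...]), ...] for every flagged line."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue
        reasons = check(m.group("body"))
        if reasons:
            findings.append((m.group("section"), line.strip(), reasons))
    return findings


def flagged_service_names(log_text):
    """Short names (the token HijackThis shows in parentheses) of flagged O23 services."""
    names = []
    for section, line, _ in triage(log_text):
        if section == "O23":
            names.append(O23_RE.match(line.split(" - ", 1)[1]).group("name"))
    return names


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}")
        for r in reasons:
            print(f"      - {r}")
```

Run it as a script to print the flagged lines with their reasons, or call triage() on a full log. The Avira service, the Spybot BHO and the Windows Update DPF controls are left in the sample to show that ordinary entries pass; the three "file missing" services and the ms-its DPF entry are the ones the helper later targets.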


#2 miekiemoes

  • Malware Response Team

Posted 01 September 2008 - 06:41 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (If you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please uninstall the Crawler Toolbar, since this one is not recommended.
Reboot afterwards.

After the reboot, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 canesciolto


Posted 01 September 2008 - 07:09 AM

Hi,
First of all, thanks for your involvement.
I scanned my system in safe mode several times using ComboFix (after disabling Spybot and my antivirus and uninstalling the Crawler toolbar).
After this I scanned my drives in safe mode with Spybot and all malware was gone from my computer.
Lastly I did a virus scan, which brought up a large number of viruses, ranging from trojans to malware, which for one reason or another did not come out before.
To put the story straight, I'm glad everything is OK now. I appreciated you taking the time to answer me; you're all doing a great job!
Best wishes,
Francesco

#4 miekiemoes

  • Malware Response Team

Posted 01 September 2008 - 07:18 AM

Hi Francesco,

Can you please post the ComboFix log as requested? This is because everything may appear OK again, but that doesn't mean that your problem is really solved. Keep in mind that malware also installs quietly in the background, doing its thing (for example, collecting passwords) and makes sure that you don't notice anything.
So if you want to be sure that all malware is gone, then please post the Combofix log.

#5 canesciolto


Posted 04 September 2008 - 01:58 PM

Hello miekiemoes,
Sorry I couldn't get back to you earlier; I was out for work and could not post the log.
Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.56.15, on 05/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] C:\Programmi\MSN Messenger\msnmsgr.exe /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB4784] command /c del C:\WINDOWS\system32\drivers\core.cache.dsk
O4 - HKCU\..\RunOnce: [SpybotDeletingD2632] cmd /c del C:\WINDOWS\system32\drivers\core.cache.dsk
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - Startup: Avvio veloce di Microsoft Office OneNote 2003.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//luwdsej//wxjcuec//xgzgvoe//irkqpg//IT//arct.chm::/painter.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198727678500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198729427140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: IpManager (IPtable) - Unknown owner - C:\WINDOWS\ipconfg32.exe (file missing)
O23 - Service: MS Ins Config (MSiCFG) - Unknown owner - C:\WINDOWS\msiconfig.exe (file missing)
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\mswinpad.exe (file missing)

--
End of file - 5434 bytes

#6 miekiemoes

  • Malware Response Team

Posted 04 September 2008 - 02:02 PM

Hi,

Can you post the ComboFix log as requested?

#7 canesciolto


Posted 05 September 2008 - 12:21 PM

Hi,
I'm sorry, I misunderstood. Here is the ComboFix log.
Thanks for your patience!


ComboFix 08-09-04.09 - Friso & Sonia 2008-09-06 18.21.46.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.116 [GMT 2:00]
Run by: C:\Documents and Settings\Tony1\Desktop\ComboFix.exe
* New restore point created
.

((((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programmi\File comuni\{5437B~1

.
((((((((((((((((((((((((( Files created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))))))
.

2008-09-06 18:17 . 2008-09-06 18:17 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-01 22:12 . 2008-09-06 18:16 <DIR> d-------- C:\Programmi\ComboFix
2008-08-31 22:39 . 2008-08-31 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PCPitstop
2008-08-31 21:37 . 2008-08-31 21:37 <DIR> d-------- C:\Programmi\BillP Studios
2008-08-31 21:37 . 2008-08-31 21:37 <DIR> d-------- C:\Documents and Settings\Tony1\Dati applicazioni\WinPatrol
2008-08-31 20:53 . 2008-08-31 20:53 <DIR> d-------- C:\Programmi\Trend Micro
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-08-25 20:53 . 2006-04-12 19:25 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-08-25 20:53 . 2007-01-05 11:58 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-08-25 20:53 . 2008-09-06 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-08-25 20:53 . 2008-08-25 20:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-21 18:51 . 2008-08-31 21:01 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-08-21 01:39 . 2008-08-21 01:39 39,200 --a------ C:\WINDOWS\system32\msg391.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:22 --------- d-----w C:\Programmi\Mozilla Thunderbird
2008-08-31 20:50 --------- d-----w C:\Programmi\Lavasoft
2008-08-31 20:49 --------- d-----w C:\Programmi\Google
2008-08-31 20:29 --------- d-----w C:\Programmi\File comuni\Adobe
2008-08-31 20:29 --------- d-----w C:\Programmi\DivX
2008-08-26 06:30 --------- d-----w C:\Programmi\ParallelGraphics
2008-08-22 06:43 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-08-21 21:41 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-08-02 16:56 --------- d-----w C:\Programmi\Songbird
2008-07-27 20:39 --------- d-----w C:\Documents and Settings\Giulia\Dati applicazioni\Songbird2
2008-07-27 19:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\SongbirdVLC
2008-07-26 09:58 --------- d-----w C:\Documents and Settings\Tony1\Dati applicazioni\Songbird2
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-16 00:29 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:15 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-01-13 12:19 92,064 -c--a-w C:\Documents and Settings\Tony1\mqdmmdm.sys
2008-01-13 12:19 9,232 -c--a-w C:\Documents and Settings\Tony1\mqdmmdfl.sys
2008-01-13 12:19 79,328 -c--a-w C:\Documents and Settings\Tony1\mqdmserd.sys
2008-01-13 12:19 66,656 -c--a-w C:\Documents and Settings\Tony1\mqdmbus.sys
2008-01-13 12:19 6,208 -c--a-w C:\Documents and Settings\Tony1\mqdmcmnt.sys
2008-01-13 12:19 5,936 -c--a-w C:\Documents and Settings\Tony1\mqdmwhnt.sys
2008-01-13 12:19 4,048 -c--a-w C:\Documents and Settings\Tony1\mqdmcr.sys
2008-01-13 12:19 25,600 -c--a-w C:\Documents and Settings\Tony1\usbsermptxp.sys
2008-01-13 12:19 22,768 -c--a-w C:\Documents and Settings\Tony1\usbsermpt.sys
2005-01-28 15:17 54,970,723 ----a-w C:\Programmi\PinnaclePCTVUpdate550.exe
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot_2008-09-01_18.03.54.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-30 18:19:10 271,224 ----a-w C:\WINDOWS\LastGood\system32\mucltui.dll
+ 2007-07-30 18:18:34 207,736 ----a-w C:\WINDOWS\LastGood\system32\muweb.dll
- 2007-07-30 18:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-07-30 18:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-18 20:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-07-30 18:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-18 20:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-18 20:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 20:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-18 20:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty and legitimate/default values are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"msnmsgr"="C:\Programmi\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"WinPatrol"="C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]

C:\Documents and Settings\Tony1\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Microsoft Office OneNote 2003.lnk - C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.VOXACM118"= vdk32118.acm
"MSACM.NSX83"= nsx83p32.acm
"MSACM.NSX723"= sx5363s.acm
"MSACM.NSPAC"= NSPAC32.ACM
"vidc.xvid"= xvid.dll
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIM1"= PCLEPIM1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"mlp"= C:\dinst.exe
"Windows Firewall Monitor"= C:\\http1.exe
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-27 22336]
R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 9344]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-19 45376]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 6400]
R3 Usr79n51;U.S. Robotics 10/100 PCI NIC TX Driver;C:\WINDOWS\system32\DRIVERS\Usr79n51.sys [2003-01-04 45696]
S1 robvvv;robvvv;C:\WINDOWS\system32\drivers\robvvv.sys [ ]
S2 IPtable;IpManager;C:\WINDOWS\ipconfg32.exe [ ]
S2 MSiCFG;MS Ins Config;C:\WINDOWS\msiconfig.exe [ ]
S2 msproc;Word Process;C:\WINDOWS\mswinpad.exe [ ]
S3 ax88772;ASIX ax88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-08-06 17216]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Tony1\Dati applicazioni\Mozilla\Firefox\Profiles\4d82hnvn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.corriere.it/
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 18:24:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Scan end time: 2008-09-06 18:29:07
ComboFix-quarantined-files.txt 2008-09-06 16:28:16
ComboFix2.txt 2008-09-01 18:05:29
ComboFix3.txt 2008-09-01 16:13:51
ComboFix4.txt 2008-09-01 16:04:55
ComboFix5.txt 2008-09-06 16:20:53

Pre-Run: 52,979,802,112 bytes free
Post-Run: 52,973,137,920 bytes free

160 --- E O F --- 2008-09-01 15:48:54

#8 miekiemoes

  • Malware Response Team

Posted 05 September 2008 - 12:31 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Suspect::[8]
C:\WINDOWS\system32\msg391.dll
Driver::
msproc
MSiCFG
robvvv
IPtable
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"mlp"=-
"Windows Firewall Monitor"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot omitted)

This will start ComboFix again.
* It will create a zipped file on your Desktop: [8]-Submit_Date_Time.zip
* Another file will be present on your desktop: CF-Submit.htm, which will open after you have run ComboFix.
* Where it says "Submit files for further analysis", click OK and a browser window will open. There you'll see "copy/paste filepath into the box & click OK". You'll find the file path below, so copy and paste it into the above field and click OK.
If the window doesn't open, just submit the [8]-Submit_Date_Time.zip file here

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
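The CFScript above was written by hand from the ComboFix log: the four services with no file behind them go under Driver::, and the two planted firewall exceptions are deleted with the REGEDIT4 "name"=- syntax under Registry::. As an added example (not part of the thread, and not a ComboFix feature), this Python script derives those two stanzas from the log mechanically. It assumes that a service or driver line ending in "[ ]" (no size or date) means the image file is absent, and that a firewall exception whose value name is a label rather than a path, pointing at an executable in the root of a drive, was not created by a normal installer; the Suspect:: stanza is left out because it belongs to the file-submission step. The sample lines are copied from the log above, with a legitimate driver and the stock firewall entries kept in for contrast.

```python
"""Derive the Driver:: and Registry:: stanzas of a CFScript from a ComboFix log.

Added example: not part of the thread and not a ComboFix feature. Two
assumptions are baked in (see the lead-in): "[ ]" after a service image path
means no file on disk, and a firewall exception named by a label rather than
a path, pointing into a drive root, is one to remove.
"""
import re

# Constructed sample: the relevant lines copied from the ComboFix log posted
# above, with one legitimate driver and the stock firewall entries left in.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"mlp"= C:\dinst.exe
"Windows Firewall Monitor"= C:\\http1.exe
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-27 22336]
S1 robvvv;robvvv;C:\WINDOWS\system32\drivers\robvvv.sys [ ]
S2 IPtable;IpManager;C:\WINDOWS\ipconfg32.exe [ ]
S2 MSiCFG;MS Ins Config;C:\WINDOWS\msiconfig.exe [ ]
S2 msproc;Word Process;C:\WINDOWS\mswinpad.exe [ ]
S3 ax88772;ASIX ax88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-08-06 17216]
"""

FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"
# "<start> <name>;<display name>;<image path> [<date size>]" ; an empty bracket means no file
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$")
VALUE_RE = re.compile(r'^"(?P<vname>[^"]+)"=\s*(?P<data>.*)$')


def missing_services(log_text):
    """Names of services/drivers whose image carries no date/size stamp (assumed absent on disk)."""
    names = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and not m.group("stamp").strip():
            names.append(m.group("name"))
    return names


def rogue_firewall_exceptions(log_text):
    """Value names under the firewall AuthorizedApplications key that look planted."""
    rogue = []
    in_key = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            in_key = (line == FIREWALL_KEY)  # REGEDIT4 keys end at a blank line or the next key
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        vname, data = m.group("vname"), m.group("data").strip()
        # Stock entries use the full (escaped) path as the value name; planted ones use a label.
        looks_like_path = re.match(r"^(?:[A-Za-z]:|%\w+%)\\", vname) is not None
        in_drive_root = re.match(r"^[A-Za-z]:\\+[^\\]+$", data) is not None
        if not looks_like_path and in_drive_root:
            rogue.append(vname)
    return rogue


def build_cfscript(log_text):
    """Assemble the Driver:: and Registry:: stanzas in the CFScript layout used above."""
    lines = ["Driver::"]
    lines += missing_services(log_text)
    lines.append("Registry::")
    lines.append(FIREWALL_KEY)
    # "name"=-  is REGEDIT4 syntax for "delete this value".
    lines += [f'"{name}"=-' for name in rogue_firewall_exceptions(log_text)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG), end="")
```

Running the script prints a stanza set that matches the one the helper posted: robvvv, IPtable, MSiCFG and msproc under Driver::, and the "mlp" and "Windows Firewall Monitor" values deleted under Registry::, while avgntmgr, ax88772 and the path-named firewall entries are left untouched. The output is meant to be read before it is used; the log's "Files Created" section (msg391.dll here) still needs a human decision.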

#9 canesciolto


Posted 05 September 2008 - 12:52 PM

I'm the worst student you could get...
In the previous log I did not disable TeaTimer as you requested, so please don't take it into consideration.
Here is the correct one, without Spybot running:

ComboFix 08-09-04.09 - Friso & Sonia 2008-09-06 18.53.50.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.74 [GMT 2:00]
Run by: C:\Documents and Settings\Tony1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))))))
.

2008-09-01 22:12 . 2008-09-06 18:16 <DIR> d-------- C:\Programmi\ComboFix
2008-08-31 22:39 . 2008-08-31 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PCPitstop
2008-08-31 21:37 . 2008-08-31 21:37 <DIR> d-------- C:\Programmi\BillP Studios
2008-08-31 21:37 . 2008-08-31 21:37 <DIR> d-------- C:\Documents and Settings\Tony1\Dati applicazioni\WinPatrol
2008-08-31 20:53 . 2008-08-31 20:53 <DIR> d-------- C:\Programmi\Trend Micro
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-08-25 20:53 . 2006-04-12 19:25 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-08-25 20:53 . 2007-01-05 11:58 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-08-25 20:53 . 2008-09-06 18:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-08-25 20:53 . 2008-08-25 20:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-21 18:51 . 2008-08-31 21:01 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-08-21 01:39 . 2008-08-21 01:39 39,200 --a------ C:\WINDOWS\system32\msg391.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:22 --------- d-----w C:\Programmi\Mozilla Thunderbird
2008-08-31 20:50 --------- d-----w C:\Programmi\Lavasoft
2008-08-31 20:49 --------- d-----w C:\Programmi\Google
2008-08-31 20:29 --------- d-----w C:\Programmi\File comuni\Adobe
2008-08-31 20:29 --------- d-----w C:\Programmi\DivX
2008-08-26 06:30 --------- d-----w C:\Programmi\ParallelGraphics
2008-08-22 06:43 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-08-21 21:41 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-08-02 16:56 --------- d-----w C:\Programmi\Songbird
2008-07-27 20:39 --------- d-----w C:\Documents and Settings\Giulia\Dati applicazioni\Songbird2
2008-07-27 19:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\SongbirdVLC
2008-07-26 09:58 --------- d-----w C:\Documents and Settings\Tony1\Dati applicazioni\Songbird2
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-16 00:29 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:15 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-01-13 12:19 92,064 -c--a-w C:\Documents and Settings\Tony1\mqdmmdm.sys
2008-01-13 12:19 9,232 -c--a-w C:\Documents and Settings\Tony1\mqdmmdfl.sys
2008-01-13 12:19 79,328 -c--a-w C:\Documents and Settings\Tony1\mqdmserd.sys
2008-01-13 12:19 66,656 -c--a-w C:\Documents and Settings\Tony1\mqdmbus.sys
2008-01-13 12:19 6,208 -c--a-w C:\Documents and Settings\Tony1\mqdmcmnt.sys
2008-01-13 12:19 5,936 -c--a-w C:\Documents and Settings\Tony1\mqdmwhnt.sys
2008-01-13 12:19 4,048 -c--a-w C:\Documents and Settings\Tony1\mqdmcr.sys
2008-01-13 12:19 25,600 -c--a-w C:\Documents and Settings\Tony1\usbsermptxp.sys
2008-01-13 12:19 22,768 -c--a-w C:\Documents and Settings\Tony1\usbsermpt.sys
2005-01-28 15:17 54,970,723 ----a-w C:\Programmi\PinnaclePCTVUpdate550.exe
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot_2008-09-01_18.03.54.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-30 18:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-07-30 18:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-18 20:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-07-30 18:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-18 20:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-18 20:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 20:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-18 20:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Programmi\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]

C:\Documents and Settings\Tony1\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Microsoft Office OneNote 2003.lnk - C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.VOXACM118"= vdk32118.acm
"MSACM.NSX83"= nsx83p32.acm
"MSACM.NSX723"= sx5363s.acm
"MSACM.NSPAC"= NSPAC32.ACM
"vidc.xvid"= xvid.dll
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIM1"= PCLEPIM1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"mlp"= C:\dinst.exe
"Windows Firewall Monitor"= C:\\http1.exe
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-27 22336]
R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 9344]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-19 45376]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 6400]
R3 Usr79n51;U.S. Robotics 10/100 PCI NIC TX Driver;C:\WINDOWS\system32\DRIVERS\Usr79n51.sys [2003-01-04 45696]
S1 robvvv;robvvv;C:\WINDOWS\system32\drivers\robvvv.sys [ ]
S2 IPtable;IpManager;C:\WINDOWS\ipconfg32.exe [ ]
S2 MSiCFG;MS Ins Config;C:\WINDOWS\msiconfig.exe [ ]
S2 msproc;Word Process;C:\WINDOWS\mswinpad.exe [ ]
S3 ax88772;ASIX ax88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-08-06 17216]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Tony1\Dati applicazioni\Mozilla\Firefox\Profiles\4d82hnvn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.corriere.it/
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Programmi\Java\j2re1.4.2_03\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 18:58:57
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-09-06 19:04:04
ComboFix-quarantined-files.txt 2008-09-06 17:03:26
ComboFix2.txt 2008-09-06 16:29:09
ComboFix3.txt 2008-09-01 18:05:29
ComboFix4.txt 2008-09-01 16:13:51
ComboFix5.txt 2008-09-06 16:53:11

Pre-Run: 52,986,851,328 byte disponibili
Post-Run: 52,973,064,192 byte disponibili

150 --- E O F --- 2008-09-01 15:48:54

#10 canesciolto (Topic Starter, Members, 7 posts)

Posted 05 September 2008 - 02:01 PM

I have sent the .zip file to bleepingcomputer.com.
Thanks again!

This is the new Combofix log:

ComboFix 08-09-04.09 - Friso & Sonia 2008-09-06 19:38:08.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.102 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Tony1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tony1\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPTABLE
-------\Legacy_MSICFG
-------\Legacy_MSPROC
-------\Legacy_ROBVVV
-------\Service_IPtable
-------\Service_MSiCFG
-------\Service_msproc
-------\Service_robvvv


((((((((((((((((((((((((( Files Creati Da 2008-08-06 al 2008-09-06 )))))))))))))))))))))))))))))))))))
.

2008-09-01 22:12 . 2008-09-06 18:16 <DIR> d-------- C:\Programmi\ComboFix
2008-08-31 22:39 . 2008-08-31 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PCPitstop
2008-08-31 21:37 . 2008-08-31 21:37 <DIR> d-------- C:\Programmi\BillP Studios
2008-08-31 21:37 . 2008-08-31 21:37 <DIR> d-------- C:\Documents and Settings\Tony1\Dati applicazioni\WinPatrol
2008-08-31 20:53 . 2008-08-31 20:53 <DIR> d-------- C:\Programmi\Trend Micro
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-08-25 20:53 . 2006-04-12 19:25 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-08-25 20:53 . 2007-01-05 11:58 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-08-25 20:53 . 2008-09-06 19:40 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-08-25 20:53 . 2004-06-03 23:33 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-08-25 20:53 . 2008-08-25 20:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-21 18:51 . 2008-08-31 21:01 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-08-21 01:39 . 2008-08-21 01:39 39,200 --a------ C:\WINDOWS\system32\msg391.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:22 --------- d-----w C:\Programmi\Mozilla Thunderbird
2008-08-31 20:50 --------- d-----w C:\Programmi\Lavasoft
2008-08-31 20:49 --------- d-----w C:\Programmi\Google
2008-08-31 20:29 --------- d-----w C:\Programmi\File comuni\Adobe
2008-08-31 20:29 --------- d-----w C:\Programmi\DivX
2008-08-26 06:30 --------- d-----w C:\Programmi\ParallelGraphics
2008-08-22 06:43 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-08-21 21:41 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-08-02 16:56 --------- d-----w C:\Programmi\Songbird
2008-07-27 20:39 --------- d-----w C:\Documents and Settings\Giulia\Dati applicazioni\Songbird2
2008-07-27 19:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\SongbirdVLC
2008-07-26 09:58 --------- d-----w C:\Documents and Settings\Tony1\Dati applicazioni\Songbird2
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-16 00:29 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:15 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-01-13 12:19 92,064 -c--a-w C:\Documents and Settings\Tony1\mqdmmdm.sys
2008-01-13 12:19 9,232 -c--a-w C:\Documents and Settings\Tony1\mqdmmdfl.sys
2008-01-13 12:19 79,328 -c--a-w C:\Documents and Settings\Tony1\mqdmserd.sys
2008-01-13 12:19 66,656 -c--a-w C:\Documents and Settings\Tony1\mqdmbus.sys
2008-01-13 12:19 6,208 -c--a-w C:\Documents and Settings\Tony1\mqdmcmnt.sys
2008-01-13 12:19 5,936 -c--a-w C:\Documents and Settings\Tony1\mqdmwhnt.sys
2008-01-13 12:19 4,048 -c--a-w C:\Documents and Settings\Tony1\mqdmcr.sys
2008-01-13 12:19 25,600 -c--a-w C:\Documents and Settings\Tony1\usbsermptxp.sys
2008-01-13 12:19 22,768 -c--a-w C:\Documents and Settings\Tony1\usbsermpt.sys
2005-01-28 15:17 54,970,723 ----a-w C:\Programmi\PinnaclePCTVUpdate550.exe
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot_2008-09-01_18.03.54.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-30 18:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-07-30 18:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-18 20:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-07-30 18:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-18 20:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-18 20:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 20:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-18 20:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Programmi\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]

C:\Documents and Settings\Tony1\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Microsoft Office OneNote 2003.lnk - C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.VOXACM118"= vdk32118.acm
"MSACM.NSX83"= nsx83p32.acm
"MSACM.NSX723"= sx5363s.acm
"MSACM.NSPAC"= NSPAC32.ACM
"vidc.xvid"= xvid.dll
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIM1"= PCLEPIM1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-27 22336]
R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 9344]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-19 45376]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 6400]
R3 Usr79n51;U.S. Robotics 10/100 PCI NIC TX Driver;C:\WINDOWS\system32\DRIVERS\Usr79n51.sys [2003-01-04 45696]
S3 ax88772;ASIX ax88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-08-06 17216]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 19:40:24
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


C:\DOCUME~1\Tony1\IMPOST~1\Temp\RGI5.tmp

Scansione completata con successo
Files nascosti: 1

**************************************************************************
.
Ora fine scansione: 2008-09-06 19:45:15
ComboFix-quarantined-files.txt 2008-09-06 17:44:24
ComboFix2.txt 2008-09-06 17:04:05
ComboFix3.txt 2008-09-06 16:29:09
ComboFix4.txt 2008-09-01 18:05:29
ComboFix5.txt 2008-09-06 17:15:58

Pre-Run: 52,921,176,064 byte disponibili
Post-Run: 52,907,991,040 byte disponibili

147 --- E O F --- 2008-09-01 15:48:54

#11 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts)

Posted 06 September 2008 - 12:18 AM

Hi,

It looks like you were doing a Windows update in between. Anyway, no problem here.

Navigate to and delete the following file:

C:\WINDOWS\system32\msg391.dll

Do not delete any similar looking files.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 canesciolto (Topic Starter, Members, 7 posts)

Posted 07 September 2008 - 10:16 AM

> Hi,
>
> It looks like you were doing a Windows update in between. Anyway, no problem here.
>
> Navigate to and delete the following file:
>
> C:\WINDOWS\system32\msg391.dll
>
> Do not delete any similar looking files.
>
> Then, go to Start > Run and copy and paste the next command in the field:
>
> ComboFix /u
>
> Make sure there's a space between Combofix and /
> Then hit enter.
>
> This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
>
> Let me know in your next reply how things are now.


Hi Miekiemoes,
everything is fine now.
Thanks a lot for your great help and patience.
Wish you all the best,
Francesco.

#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts)

Posted 07 September 2008 - 02:43 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts)

Posted 17 September 2008 - 04:26 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.