Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log


  • Please log in to reply
7 replies to this topic

#1 drumset

drumset

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 27 April 2005 - 06:44 PM

Hi to all of you and thanks you for all you do.
I hava a problem with a dialler that installs an exe file in the C:\WINNT\system32\ShellExt folder.
The file name is ucfdt.exe
When i am connect to internet it starts and create a new connection, then disconnects my connection and tries to start another one.
Obviously I stop that procedure.
I can't solve this problem, help me!
I've scanned my PC with my antivirus (NOD32) with Spybot and with Microsoft Antispyware, but nothing has changed.
Here is my HJT log.
I hope you can help me.
Bye, Paolo

Logfile of HijackThis v1.99.1
Scan saved at 1.41.29, on 28/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\Programmi\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\mgabg.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\SymTray.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Programmi\ahead\InCD\InCD.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\TYPING~2\KBOOST.EXE
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\ctfmon.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\Libero 6x\liberoaccel.exe
C:\Programmi\KeyText\KeyText.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Programmi\Libero 6x\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINNT\dd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ramexp] C:\WINNT\ramex.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINNT\winagent.exe /i
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [TypingSatellite] "C:\PROGRA~1\TYPING~2\KBOOST.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: KeyText.lnk = C:\Programmi\KeyText\KeyText.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Mostra immagine originale - res://C:\Programmi\Libero 6x\liberoaccel.exe/227
O8 - Extra context menu item: Mostra tutte le immagini originali - res://C:\Programmi\Libero 6x\liberoaccel.exe/250
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.yeak.net
O15 - Trusted IP range: 213.159.117.133
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd03020.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamdr-it/itd/games3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49B34C44-8EA0-460A-93F6-5DD47013653B}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\system32\vbsys2.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\DiskeeperWorkstation\DKService.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:36 PM

Posted 28 April 2005 - 12:04 AM

Hello drumset and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Close ALL open windows including this one.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINNT\dd.dll
O4 - HKLM\..\Run: [ramexp] C:\WINNT\ramex.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINNT\winagent.exe /i
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.yeak.net
O15 - Trusted IP range: 213.159.117.133
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd03020.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamdr-it/itd/games3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49B34C44-8EA0-460A-93F6-5DD47013653B}: NameServer = 193.70.152.15 193.70.152.25
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\system32\vbsys2.dll

Now click the Fix Checked button to finish the repair.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINNT\dd.dll
C:\WINNT\ramex.exe
C:\WINNT\winagent.exe
C:\WINNT\system32\vbsys2.dll
c:\eied_s7.cab
c:\ex.cab

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 drumset

drumset
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 29 April 2005 - 10:44 AM

Hi OT, first of all I would really thank you for your reply.
I have to tell you that was on line for not more than 15 minutes after i did all the stuff you wrote me, so I don't know if we succeeded in fixing the dialer yet.
I have to tell you that it is about 15 days i have been having the problem with that terrible dialer, but in the last three days my modem (a sporster message plus) has stopped sounding the typical free line tone before connecting. Do you think this could be related to the dialer thing?
Anyway, this is my new HJT LOG.
Thanks again, Paolo

Logfile of HijackThis v1.99.1
Scan saved at 17.27.57, on 29/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:WINNTSystem32smss.exe
C:WINNTsystem32winlogon.exe
C:WINNTsystem32services.exe
C:WINNTsystem32lsass.exe
C:WINNTsystem32svchost.exe
C:WINNTsystem32spoolsv.exe
C:WINNTsystem32crypserv.exe
C:ProgrammiDiskeeperWorkstationDKService.exe
C:WINNTSystem32svchost.exe
C:ProgrammiFile comuniMicrosoft SharedVS7Debugmdm.exe
C:WINNTSystem32mgabg.exe
C:ProgrammiEset
od32krn.exe
C:ProgrammiNorton SystemWorksNorton UtilitiesNPROTECT.EXE
C:WINNTsystem32
egsvc.exe
C:WINNTsystem32MSTask.exe
C:WINNTExplorer.EXE
C:PROGRA~1NORTON~2SPEEDD~1
opdb.exe
C:WINNTSystem32WBEMWinMgmt.exe
C:WINNTSystem32mspmspsv.exe
C:WINNTsystem32svchost.exe
C:WINNTsystem32svchost.exe
C:ProgrammiFile comuniSymantec SharedSymTray.exe
C:WINNTsystem32devldr32.exe
C:WINNTSystem32spoolDRIVERSW32X86 pdisp4.exe
C:ProgrammiaheadInCDInCD.exe
C:WINNTSystem32PDeskPDesk.exe
C:WINNTSystem32spooldriversw32x86hpztsb08.exe
C:ProgrammiHewlett-PackardDigital Imaginginhpotdd01.exe
C:ProgrammiEset
od32kui.exe
C:ProgrammiMicrosoft AntiSpywaregcasServ.exe
C:ProgrammiLogitechMouseWaresystemem_exec.exe
C:PROGRA~1TYPING~2KBOOST.EXE
C:ProgrammiMicrosoft ActiveSyncWCESCOMM.EXE
C:ProgrammiMicrosoft AntiSpywaregcasDtServ.exe
C:WINNTsystem32ctfmon.exe
C:ProgrammiNikonNkView6NkvMon.exe
C:ProgrammiLibero 6xliberoaccel.exe
C:ProgrammiKeyTextKeyText.exe
C:HijackthisHijackThis.exe
C:WINNTsystem32wuauclt.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.google.it/
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.google.it/
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Collegamenti
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:ProgrammiLibero 6xPBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINNTSystem32msdxm.ocx
O4 - HKLM..Run: [FinePrint Dispatcher v4] C:WINNTSystem32spoolDRIVERSW32X86 pdisp4.exe
O4 - HKLM..Run: [InCD] C:ProgrammiaheadInCDInCD.exe
O4 - HKLM..Run: [Matrox Powerdesk] C:WINNTSystem32PDeskPDesk.exe /Autolaunch
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINNTSystem32spooldriversw32x86hpztsb08.exe
O4 - HKLM..Run: [DeviceDiscovery] C:ProgrammiHewlett-PackardDigital Imaginginhpotdd01.exe
O4 - HKLM..Run: [SymTray - Norton SystemWorks] C:ProgrammiFile comuniSymantec SharedSymTray.exe SetReg
O4 - HKLM..Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..Run: [nod32kui] "C:ProgrammiEset
od32kui.exe" /WAITSERVICE
O4 - HKLM..Run: [gcasServ] "C:ProgrammiMicrosoft AntiSpywaregcasServ.exe"
O4 - HKLM..Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..RunServices: [RegisterDropHandler] C:PROGRA~1TEXTBR~1.0BinREGIST~1.EXE
O4 - HKLM..RunOnce: [SymTray - Norton SystemWorks] C:ProgrammiFile comuniSymantec SharedSymtrdr.exe
O4 - HKCU..Run: [TypingSatellite] "C:PROGRA~1TYPING~2KBOOST.EXE"
O4 - HKCU..Run: [H/PC Connection Agent] "C:ProgrammiMicrosoft ActiveSyncWCESCOMM.EXE"
O4 - HKCU..Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: KeyText.lnk = C:ProgrammiKeyTextKeyText.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:ProgrammiFile comuniAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:ProgrammiLogitechDesktop Messenger8876480ProgramLDMConf.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:ProgrammiFile comuniAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:ProgrammiNikonNkView6NkvMon.exe
O4 - Global Startup: Libero Web Accelerator.lnk = C:ProgrammiLibero 6xliberoaccel.exe
O8 - Extra context menu item: Download with GetRight - C:ProgrammiGetRightGRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:ProgrammiGetRightGRbrowse.htm
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MICROS~4INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MICROS~4INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MICROS~4INetRepl.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINNTsystem32Shdocvw.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: nwprovau - C:WINNTSYSTEM32
wprovau.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:WINNTSYSTEM32crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:ProgrammiDiskeeperWorkstationDKService.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:WINNTSystem32dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:WINNTSystem32mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:ProgrammiEset
od32krn.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:ProgrammiNorton SystemWorksNorton UtilitiesNPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:PROGRA~1NORTON~2SPEEDD~1
opdb.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:36 PM

Posted 29 April 2005 - 01:20 PM

Hi drumset. It looks like your HijackThis is not working properly. Please following the directions below and post me a new log:

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis. and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 drumset

drumset
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 29 April 2005 - 02:14 PM

This is my new HJT log.
I won't make any change.
Bye and thanks, Paolo

Logfile of HijackThis v1.99.1
Scan saved at 21.10.29, on 29/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\Programmi\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\mgabg.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\SymTray.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Programmi\ahead\InCD\InCD.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\TYPING~2\KBOOST.EXE
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\ctfmon.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\Libero 6x\liberoaccel.exe
C:\Programmi\KeyText\KeyText.exe
C:\WINNT\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Programmi\Libero 6x\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [TypingSatellite] "C:\PROGRA~1\TYPING~2\KBOOST.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: KeyText.lnk = C:\Programmi\KeyText\KeyText.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Mostra immagine originale - res://C:\Programmi\Libero 6x\liberoaccel.exe/227
O8 - Extra context menu item: Mostra tutte le immagini originali - res://C:\Programmi\Libero 6x\liberoaccel.exe/250
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49B34C44-8EA0-460A-93F6-5DD47013653B}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\DiskeeperWorkstation\DKService.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:36 PM

Posted 29 April 2005 - 06:54 PM

Hi drumset. Now that log is clean. Good job! How are things running? Are you still having problems with the dialer?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 drumset

drumset
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 05 May 2005 - 01:16 PM

Dear OT, i have to thank you so much becouse now my PC seems to be cleaned.
I don't have any dialer starting when i'm connected so... you did it!!
The only strange thing is in the last days (from before cleaning the pc) my modem (a sporster message plus) has stopped sounding the typical free line tone before connecting. What do you think this could be related with? How can i fix it? Maybe this is not the right forum to post this question to but maybe it is relatyed with the dialer thing. How can I fix it?
Again, thank you
Paolo

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:36 PM

Posted 05 May 2005 - 06:23 PM

Hi drumset. The dialer you had probably turned the speaker off so you would not know that it was using your computer. Check the modem's properties in the Device Manager and make sure that the volume control is not turned off.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users